Wednesday, May 9, 2018

Penetration Tool Testing Guide: Recon with Nessus (Home edition)

I've been sitting on this for a while. I set up a Nessus home edition on my computer and have played around with it to a minimum extent. Normally I prefer a command line interface because it is easier in many ways. The biggest reason is higher consistency. I get lost in GUIs quite often, and I am even worse with websites. This program uses a web interface. The positive is that the results are super easy to read and analyze; the negative is that there seems to be a lot of extra stuff and separation for setting up a scan.

As far as using the tool itself, I'm at a bit of a loss as to anything I personally could use it for. So let's take a very broad overview of what we have here.

So when we first get it up and running, there is not much of anything. On the top we have some tab-like choices of scans and settings. On the left-hand toolbar we have folders and resources. Let's start with just doing a basic scan. On the top left, there is a blue button to create a new scan, and when we click it a bunch of boxes of different scan types open up. What is available depends on the edition you have. When we click on any of them, there will be up to four tabs consisting of settings, credentials, compliance, and plugins. For the sake of getting something on the board, let's go with a basic network scan.

So we need to name the scan and enter some hosts to meet the requirements to run the scan. I'm going to call it "basic" and scan the hosts in 192.168.1.1/24. We can also add a description or change the folder; I don't care to worry about either right now. On the left-hand toolbar, we can also see a setting for scheduling. Clicking on that, we have the option to run scheduled scans. Personally, I'm not a fan of scheduled network scans because I've run into problems with network discovery scans taking too many resources, but for the sake of documentation it could be quite handy. I just prefer on-demand scanning, which is what we get if we don't schedule it.

Underneath schedule we have a notification option. This states that we can send email notifications after we set up SMTP settings. This would be nice if I were using this on a larger scale. There are a few other settings, but most of them are not really worth messing with right now. So instead, let's look at the next tab, credentials!

Under credentials we see there is an option to add login information. Here we have Windows logins and SSH logins. I would imagine that if you do not have remote access for Windows enabled you won't really be able to get in, which makes that seem more suited to a domain setup. In my case, I don't have any Windows machines that allow remote access, so I can't really test it. We do have an SSH credential option, so I entered the SSH credentials for my router.

Now let's move on to the plugin tab. Here we have a category list of what we are checking, and when we click on a category it lists all the plugins. Clicking on a plugin gives you a description of what it does and all that stuff.

So let's get on to the fun part: click on the save button. Now we see a list of our one scan, which says it's scheduled on demand. So let's hit that play button and wait for the magic to happen. After a bit of time we should have results.

Click on that scan and we can check out our results. We get a blend of graphics and information. The majority of the "Vulnerabilities" I see listed are often just informational. This includes things like service available or any generic recon information that helps us know what we are looking at and what's available. There is also a list of potential vulnerabilities.

We also have a history so we can see previous scans and the like. With these results, we can export or import results under many different formats. In a professional environment or multi-user environment, this has a lot of use for making quick and comprehensible reports. One thing I noticed is that I cannot currently import a scan from Nikto and with my setup I can find no current way to integrate Nikto into Nessus.

So let's just check a quick overview of what other types of scans are currently available. We have Badlock Detection, Bash Shellshock Detection, Basic Network Scan, Credential Patch Audit, DROWN Detection, Host Discovery, Intel AMT Security Bypass, Malware Scan, Shadow Broker Scan, Spectre and Meltdown, WannaCry Ransomware, Web Application Tests, a bunch of stuff I'd have to pay for, and of course the thing I skipped over, Advanced Scan. This is quite a lot, but let's focus on the best one to customize, that being the Advanced Scan.

The Advanced Scan gives us a lot of options to work with. The basic settings are all the same, but the Discovery options have a lot opened up. We can fine-tune host discovery, which is useful in cases where a host may be set to ignore common host discovery methods. Port scanning options have just enough customizing to make sure you hit everything you may need to, including options for UDP ports. Below that we have service discovery, which adds a little bit extra for dealing with SSL/TLS connections. Under credentials we can set up SSH, SNMPv3, and Windows. Following this we have a tab for compliance. That's good if you need to check compliance.

The next tab is the most important part, Plugins. This lets us pick specifically what scans we want to do and create a fully customized scan. Now there are... a lot of options here. We might not have the time to go through each and every one, and that's okay. With the Policies option on the left-hand side, we can set up as many custom scans as we want to choose from quickly, export them to save them or transfer them elsewhere, or just ignore it altogether like I'm doing for now because I don't think my brain can handle all of this at the moment. Either way, take the time I won't to try and set up some custom scans.

All in all, Nessus seems like a very useful tool for multiple people, large environments, and generating comprehensible reports. I may set up one at work just to check it out on a larger scale. Given the ease of use, for now I am going to spend more time focusing on more specific tools and probably revisit this with more of a grasp on the options.

Wednesday, April 25, 2018

CompTIA PenTest+ Beta

So I recently took the beta exam for the new CompTIA PenTest+ certification. It was only $50 to take it and I figured it would be worth trying even though I'm almost positive I failed. So now that I have had some time to reflect on it, I shall describe in detail my opinion of the test while attempting not to divulge details of the questions.

The first thing I looked at was the list of objectives. Let me start by saying that there were a lot of objectives. I could tell just from looking through it that there was no way they could cover all of it. So I expected at least 50% of it covered. In the end, I'd have to say it was more like 5%-10%. It seemed to focus mostly on procedure with a sprinkling of questions so specific I would doubt anyone would be able to answer unless they do it on a daily basis. I thought that most of the procedure should be left in the Security+ and the PenTest+ should focus more on application like most certifications of this kind.

Another problem I had with the test is the same problem I have with most other tests. Whereas in the real world you have at the very least the option to read the -?/-h/--help information on a command, here you are left to remember some obscure flag. I feel the need to be specific here in a nit-picky way. Take for example the nmap flag -O compared to -A. In every instance, I use -A, which gives more information, and forget that -O is even a thing. So if I look at a question about using nmap to identify an OS and don't see -A, I get a little confused. On a side note, in checking the nmap flags to make sure I was thinking about that correctly, I realized I got a question horribly wrong because of something I've never used yet.

While I cannot entirely fault including options I never use, I think it is justified to get angry when the test seems to make no attempt to cover the information outlined for it. I will also always fault tests for a lack of realism when they want something most people would Google or at the very least check the man pages for. There's an idea: put a terminal on the side with only man pages available; then you can ask more detailed questions that cover more.

Originally the plan was that, should I fail, I could simply use what I saw, get any study material available once the exam becomes fully available, and use that to ace a retake. The problem is that the test didn't cover enough or vary enough for me to come out of it with anything useful. It felt like a test in high school where you dump the information from your brain after it's over because you forgot you still have a final exam at the end of the year.

So now let's compare it to the two I already have, the A+ and Security+. The A+ I actually did get some useful information from that I still use, despite it being so basic. The main problem with the A+ was the terrible simulation questions that were still better than the PenTest+. The Security+ was pure theory with a lot of memorizing. I know someone who has a Security+ who... well let's just say he makes a script kid look pro. Don't get me wrong, I'm mostly useless when it comes to hacking with just some basic cracking, debugging, and session hijacking under my belt but at least I can get some basic stuff done. Now when I already have credentials, I can move through the system pretty freely knowing a few tools I can crack deeper into things with. I found myself pretty lucky to know how to get a system level shell open on a botched Windows installation I needed to sysprep. Back on topic, the PenTest+ was mostly theory with curve-balls of what could have been good practical questions. The problem is the lack of practicality and flexibility that went hand in hand with the rigid testing style.

In conclusion, I think the PenTest+ is too ambitious for what they intended. They need to do a lot of ironing. I'd even recommend breaking it down to a web based and system/networking based penetration testing. While the networking portion tends to bridge the sides, web applications just use too many different technologies and possibilities. If by some miracle I do actually pass, I will post about it alongside a rant of everything pentesting-wise that I am absolutely abysmal at. If I fail, I'll post my score so everyone can get a good laugh.

Friday, March 23, 2018

Techs from the Crypt: Holiday Network Nightmare

During the Christmas break at my work, the tech department continues working for a good portion of it. It seems like most of the time we work almost as long as the gremlins that cause the problems. Normally, I enjoy working with no one in the buildings because that means not only can I get stuff done at my own leisure, but no more work orders come in. Normally, it's a good time to work; however, it's not just the people whose computers I fix that can be a major problem. A good portion of the time, some of my worst experiences come from those I work with. In this case, my boss set me up for quite a bit of anger, and as I am writing this, problems still persist. So sit back and get some popcorn while I spin you the tale of my network nightmare!

For some background, we had contractors running a new Cat6 network alongside the old Cat5 and Cat5e network that was currently in place. This alone was riddled with headaches due to them unplugging network cables of inept teachers, leaving behind particulate from the drop ceiling, leaving doors unlocked, and even leaving behind empty pizza boxes. I dealt with those problems as they were presented. In the meantime, our Network Administrator was learning how to use Brocade Ruckus switches. All of our current infrastructure was HP ProCurves from various time periods and Ubiquiti edge switches that had a problem with PoE burning up the onboard fuses on cards we could not get replaced, and we could not send the switches back for repair because the warranty was so short. The end goal was to replace all the Ubiquiti with Brocade Ruckus switches and stick in new HP ProCurves without PoE where we needed extra connections, in rooms that were air conditioned, because all the current equipment was in electrical rooms. Since I am an IT Specialist, I was not involved in the major networking choices or configurations.

One of the days while getting ready for our big cutover, the Network Manager had a heart attack and went to the hospital to be put into a chemically induced coma because of a 90% blockage in his heart. So now we have a half-configured network, equipment everywhere, and the ONLY network person, the only person who knew what was going on with the network, was not only hospitalized but unable to tell us in any way where his notes were to get this stuff going. So as we inched closer to the break to do the cutover, my boss decided to have me check everything over, try to work out what was going on, and figure out where everything was. I reluctantly did so.

As I found a saved half-working configuration, I grabbed an extra switch and began to mess with it to try and make a generic configuration that would suffice for a quick copy-paste deployment to get us started. A few days before we went into the break, another tech had to leave because of a death in the family and would not be back until the end of the break.

Already by now you are probably thinking that all the signs are saying to not do the cutover now. The fates are all stacked against it. However, it continues to get even worse. It gets so bad that I contemplated just simply walking out.

Now we get to the last day before the Christmas break. My boss had decided to come with me to the location and review everything so we could set it up for the cutover. At this point, I am highly against trying to do the cutover because of the ramifications should we screw up and not be able to correct it before the break is over. Ramifications that I am now suffering. So we go through everything we can, I install and configure as much as I possibly can in a forlorn hope to not be eaten alive by the project. At the end of the day, before we left, I was told something that I am still flabbergasted by. As my boss was on his way out and we were chatting...

"Well, I won't be able to help with this next week. My wife said I need to clean the house because we have guests coming over. Could you work on it the following week (this is the week OF Christmas, just FYI) when I am available to help?"

Not only is that excuse one of the most irritating things I have ever heard uttered, seemingly a slap in the proverbial face of work-ethic, logic, and common decency, but the reason I was making sure to keep those days clear was specifically because HE PUT IT ON OUR WORK CALENDAR TO DO IT THAT WEEK. I know what you might be thinking. It's horrible, but can it really get any worse? Well, get ready to cringe so bad that your face may just stick in that position for days to come.

The next day, I showed up to work and wandered around like a lost puppy trying to find some guidance or shelter. The assistant coordinator, the second in command, asked me a question.

"Is <boss> coming in to work today? You were the last one to talk to him and I haven't seen him yet today."

ARE YOU KIDDING ME? How is it that my boss can have the audacity to not only excuse himself from a task that he himself scheduled, but he doesn't have the balls to even inform the other workers that his wife said he couldn't come out to play for the day. His wife must have his spine and balls in her purse under lock and key. By now, I'm fuming inside. I'm pretty sure I have a brain tumor and a few ulcers from this. I let the assistant boss know what I was told. She asked if I was going to need help doing the cutover, like I actually was project planning and all that, to which I said no because I don't even know what I'm doing.

Shortly after that, I guess my boss's wife let him run free for a few minutes, as he showed up. This was not to do work, but instead to leave the assistant boss with a list of what I needed to get done with the help of what was left of an 11-person department that was down 5 people, as two were already taking their vacation as well. Shortly after, he left and we all hopped in our cars and drove on down.

We all get there and I'm still lost because I got thrown into a project already started without myself. As we walk into the building, the assistant boss who I would have assumed would take the role of boss and delegate roles, instead asks me what I want everyone to do. Some may have viewed it as them putting their faith in my abilities. I, however, viewed it as people looking for ways to absolve themselves of responsibility for the impending and certain failure that will (and has) occur. After taking a guess and just scattering people in hopes maybe someone would get something right, I took one of the other techs I consider a friend with me to listen to me complain while he helped me do my guess work. I would have grabbed another one of the techs, but I didn't want it to be obvious that I was just trying to keep my sanity and complain than working on something I had only guess work with.

So after day one of hooking up equipment, I had assumed it was all good and we all left. Oh boy was I wrong. We got network alerts galore! So on to day two. I grabbed a couple of techs to help me stare at stuff in hopes divine intervention may happen to fix the problem. Eventually we called in the ISP fiber engineer person to help us to see if the fiber may be the problem. When he got there, he assured us that he was as lost as we were. So we talked, tested, and fought the network. Day three was more of the same. With some luck, the network went up for a bit and I hightailed it out of there for a week Holiday vacation. The whole week was email alert after email alert that it wasn't working.

Over that week, my boss went in to try to fix the problem. It was never fixed while he was there. The week I got back, we tried to figure it out more. I got spanning tree set up and that seemed to get parts of the network working, so I took it at that and left. After school was back in session, I faced many work orders about network stuff not working. A couple of weeks later, I disabled all rapid spanning tree because the HP ProCurves refused to accept a new root for RSTP, and just did plain old legacy STP. Over the course of the next couple of weeks, I found not one, not two, but three loops that were created by the cabling guys who helped move devices over after the cutover. I also found out that because of the change in contractors, there was a 50% failure rate when they were certifying the work that they had to redo.

I was swallowed up and now seem to live in the belly of the beast. Despite everything appearing fine, the network still has problems with VoIP quality randomly failing, WiFi connections dropping, fluctuating speeds when checking with speedtest.net, and a general disdain for work at the moment. On the lighter side, our Network Administrator is alive, awake, and back at work with plans to retire as soon as he hits the mark he needs.

I think the moral to the story is quite simply to not let work get to you, because then you have stress and problems at work. Or something like that. I'm not really good at morals.

Thursday, March 22, 2018

Penetration Tool Testing Guide: Recon with Nikto

It's all great to find a web server on a machine you are trying to test, but just knowing the port and web server version is only the start. Now when we are talking about web servers, there are so many potential points of attack that could be open. Testing everything yourself could take a very long time without more information. Nikto is a tool made to scan web servers for potential vulnerabilities and outdated software.

I have never played around with Nikto before this, so I had to read through the documentation a few times. As a whole, it is pretty easy to use but takes a bit to understand it. To make sure I get some good results, I ran the scan against a live CD of Damn Vulnerable Linux. To start with, let's take a look at the help information from the command, run with nikto -H.

   Options:
       -ask+               Whether to ask about submitting updates
                               yes   Ask about each (default)
                               no    Don't ask, don't send
                               auto  Don't ask, just send
       -Cgidirs+           Scan these CGI dirs: "none", "all", or values like "/cgi/ /cgi-a/"
       -config+            Use this config file
       -Display+           Turn on/off display outputs:
                               1     Show redirects
                               2     Show cookies received
                               3     Show all 200/OK responses
                               4     Show URLs which require authentication
                               D     Debug output
                               E     Display all HTTP errors
                               P     Print progress to STDOUT
                               S     Scrub output of IPs and hostnames
                               V     Verbose output
       -dbcheck           Check database and other key files for syntax errors
       -evasion+          Encoding technique:
                               1     Random URI encoding (non-UTF8)
                               2     Directory self-reference (/./)
                               3     Premature URL ending
                               4     Prepend long random string
                               5     Fake parameter
                               6     TAB as request spacer
                               7     Change the case of the URL
                               8     Use Windows directory separator (\)
                               A     Use a carriage return (0x0d) as a request spacer
                               B     Use binary value 0x0b as a request spacer
       -Format+           Save file (-o) format:
                               csv   Comma-separated-value
                               htm   HTML Format
                               nbe   Nessus NBE format
                               sql   Generic SQL (see docs for schema)
                               txt   Plain text
                               xml   XML Format
                               (if not specified the format will be taken from the file extension passed to -output)
       -Help              Extended help information
       -host+             Target host
       -404code           Ignore these HTTP codes as negative responses (always). Format is "302,301".
       -404string         Ignore this string in response body content as negative response (always). Can be a regular expression.
       -id+               Host authentication to use, format is id:pass or id:pass:realm
       -key+              Client certificate key file
       -list-plugins      List all available plugins, perform no testing
       -maxtime+          Maximum testing time per host (e.g., 1h, 60m, 3600s)
       -mutate+           Guess additional file names:
                               1     Test all files with all root directories
                               2     Guess for password file names
                               3     Enumerate user names via Apache (/~user type requests)
                               4     Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
                               5     Attempt to brute force sub-domain names, assume that the host name is the parent domain
                               6     Attempt to guess directory names from the supplied dictionary file
       -mutate-options    Provide information for mutates
       -nointeractive     Disables interactive features
       -nolookup          Disables DNS lookups
       -nossl             Disables the use of SSL
       -no404             Disables nikto attempting to guess a 404 page
       -Option            Over-ride an option in nikto.conf, can be issued multiple times
       -output+           Write output to this file ('.' for auto-name)
       -Pause+            Pause between tests (seconds, integer or float)
       -Plugins+          List of plugins to run (default: ALL)
       -port+             Port to use (default 80)
       -RSAcert+          Client certificate file
       -root+             Prepend root value to all requests, format is /directory
       -Save              Save positive responses to this directory ('.' for auto-name)
       -ssl               Force ssl mode on port
       -Tuning+           Scan tuning:
                               1     Interesting File / Seen in logs
                               2     Misconfiguration / Default File
                               3     Information Disclosure
                               4     Injection (XSS/Script/HTML)
                               5     Remote File Retrieval - Inside Web Root
                               6     Denial of Service
                               7     Remote File Retrieval - Server Wide
                               8     Command Execution / Remote Shell
                               9     SQL Injection
                               0     File Upload
                               a     Authentication Bypass
                               b     Software Identification
                               c     Remote Source Inclusion
                               d     WebService
                               e     Administrative Console
                               x     Reverse Tuning Options (i.e., include all except specified)
       -timeout+          Timeout for requests (default 10 seconds)
       -Userdbs           Load only user databases, not the standard databases
                               all   Disable standard dbs and load only user dbs
                               tests Disable only db_tests and load udb_tests
       -useragent         Over-rides the default useragent
       -until             Run until the specified time or duration
       -update            Update databases and plugins from CIRT.net
       -useproxy          Use the proxy defined in nikto.conf, or argument http://server:port
       -Version           Print plugin and database versions
       -vhost+            Virtual host (for Host header)
           + requires a value

As we can see, there are a lot of options to tweak your scan. So let's try starting with how to do a basic scan. I'll use the IP I have of DVL.

~$ nikto -h 192.168.1.101
- Nikto v2.1.6
---------------------------------------------------------------------------
v+ nmap Input Queued: 192.168.1.101:80
+ Target IP:          192.168.1.101
+ Target Hostname:    192.168.1.101
+ Target Port:        80
+ Start Time:         2018-03-17 14:38:16 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/1.3.37 (Unix) PHP/4.4.4
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ OSVDB-3268: /: Directory indexing found.
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/1.3.37 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ PHP/4.4.4 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
v+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ OSVDB-3268: /?mod=node&nid=some_thing&op=view: Directory indexing found.
+ OSVDB-3268: /?mod=some_thing&op=browse: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /?Open: Directory indexing found.
+ OSVDB-3268: /?OpenServer: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: /?mod=<script>alert(document.cookie)</script>&op=browse: Directory indexing found.
+ OSVDB-3268: /?sql_debug=1: Directory indexing found.
+ OSVDB-3268: ///: Directory indexing found.
+ OSVDB-3268: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: Directory indexing found.
+ OSVDB-3268: /?PageServices: Directory indexing found.
+ OSVDB-119: /?PageServices: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
+ OSVDB-3268: /?wp-cs-dump: Directory indexing found.
+ OSVDB-119: /?wp-cs-dump: The remote server may allow directory listings through Web Publisher by forcing the server to show all files via 'open directory browsing'. Web Publisher should be disabled. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0269.
v+ Retrieved x-powered-by header: PHP/4.4.4
+ /info/: Output from the phpinfo() function was found.
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3092: /phpmyadmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpmyadmin/ChangeLog, inode: 20743, size: 10992, mtime: Sun Jan 18 16:58:12 2009
+ OSVDB-3092: /phpmyadmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /manual/: Web server manual found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Directory indexing found.
+ OSVDB-3288: ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////: Abyss 1.03 reveals directory listing when      /'s are requested.
+ OSVDB-3268: /?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3268: /?D=A: Directory indexing found.
+ OSVDB-3268: /?N=D: Directory indexing found.
+ OSVDB-3268: /?S=A: Directory indexing found.
+ OSVDB-3268: /?M=A: Directory indexing found.
+ OSVDB-3268: /?\"><script>alert('Vulnerable');</script>: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-3268: /?_CONFIG[files][functions_page]=http://cirt.net/rfiinc.txt?: Directory indexing found.
+ OSVDB-3268: /?npage=-1&content_dir=http://cirt.net/rfiinc.txt?&cmd=ls: Directory indexing found.
+ OSVDB-3268: /?npage=1&content_dir=http://cirt.net/rfiinc.txt?&cmd=ls: Directory indexing found.
+ OSVDB-3268: /?show=http://cirt.net/rfiinc.txt??: Directory indexing found.
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ /phpmyadmin/: phpMyAdmin directory found
+ OSVDB-3268: /?-s: Directory indexing found.
+ OSVDB-3268: /?q[]=x: Directory indexing found.
+ OSVDB-3092: /phpmyadmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /?sc_mode=edit: Directory indexing found.
+ OSVDB-3268: /?xmlcontrol=body%20onload=alert(123): Directory indexing found.
+ OSVDB-3268: /?admin: Directory indexing found.
+ 7536 requests: 0 error(s) and 63 item(s) reported on remote host
+ End Time:           2018-03-17 14:38:27 (GMT-4) (11 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Oh boy, that is a lot of information to take in. Let's break down the basics of what the output is saying. Some of these are straightforward, but let's focus on the OSVDB entries. OSVDB stands for Open Source Vulnerability Database, and the problem now is that it has shut down, so the reference number by itself does not exactly help us. After that reference is the request path that triggered the finding, and then a description of what it is. With this information, we can fine-tune our attack vectors to hone in on more viable holes.

Okay, so that was a basic scan. Let's scan a whole network! Now the problem is that we need to scan the whole network to find all the web servers, then scan those web servers for vulnerabilities. So can we use nmap output to automate a Nikto scan? Yes! It's actually very easy.

~$ nmap 192.168.1.1/24 -oG - | nikto -h -

Now this output I am not going to show because one, there is a lot, and two, I just don't want people to see all the stuff on my network just because. Either way, now you can fly relatively blind and gather a starting picture of the web servers on your network. Keep in mind that you can tell nmap to check any other ports that may be in use. I do have some devices running web servers on three different ports for various services.
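When web services sit on ports other than 80 and 443, it helps to pick the HTTP(S) listeners out of nmap's greppable output yourself and hand Nikto an explicit target list. This is an added example, not code from the post or from either tool; the -oG lines are constructed, and it assumes you then pass each URL to nikto -h (one at a time or via a hosts file).

```python
import re

# Constructed nmap -oG output (not captured from the author's network).
SAMPLE_GNMAP = """\
# Nmap 7.70 scan initiated Sat Mar 17 14:30:01 2018 as: nmap -oG - 192.168.1.1/24
Host: 192.168.1.1 ()\tStatus: Up
Host: 192.168.1.1 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///\tIgnored State: closed (997)
Host: 192.168.1.30 ()\tPorts: 22/open/tcp//ssh///, 80/closed/tcp//http///
# Nmap done at Sat Mar 17 14:30:14 2018 -- 256 IP addresses (3 hosts up) scanned in 13.02 seconds
"""

# Only "Host:" lines carrying a "Ports:" field describe open services.
HOST_RE = re.compile(r"^Host: (?P<ip>\S+) .*?\tPorts: (?P<ports>[^\t]+)")
# Each port entry is port/state/proto/owner/service/rpc/version/ ; we need the first
# three fields and the service name.
PORT_RE = re.compile(r"(?P<port>\d+)/(?P<state>\w+)/(?P<proto>\w+)//(?P<service>[^/]*)/")


def web_targets(gnmap_text):
    """Return http(s)://ip:port/ URLs for every open TCP port nmap labelled as HTTP-ish."""
    targets = []
    for line in gnmap_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        for p in PORT_RE.finditer(m.group("ports")):
            if p.group("state") != "open" or p.group("proto") != "tcp":
                continue
            svc = p.group("service")
            if "http" not in svc:  # skip ssh, smtp, etc.
                continue
            # nmap names TLS listeners "https", "https-alt", ...; pick the scheme from that.
            scheme = "https" if "https" in svc else "http"
            targets.append(f"{scheme}://{m.group('ip')}:{p.group('port')}/")
    return targets


if __name__ == "__main__":
    for url in web_targets(SAMPLE_GNMAP):
        print(url)
```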

So now let's look at some of these options and see what we can use. Most are self-explanatory, so let's focus on the larger choices.

The -Display option has a few interesting things to add. There are a few more things we can show, but keep in mind this can expand the output quite a bit and make finding what you want rather hard. Showing things like redirects, cookies, and HTTP errors could reveal some additional information that may prove useful. Other than that, for my current purposes, it just seemed to clutter my terminal.

Moving down the line, we have the -evasion option. This offers several ways to alter the encoding of the URI being used. The added obfuscation might help avoid drawing the attention of a NIDS (network intrusion detection system). The other possibility is slipping past some poorly designed filters, if things are filtered at all.

Skipping on down a bit further, we see a -mutate option. This, according to the documentation, is deprecated, so let's focus on the -Plugins option. To get an idea of what we have to work with, use the -list-plugins option.

~$ nikto -list-plugins

The output has quite a lot, so let's pull one that has a good variety of everything.

Plugin: apacheusers
 Apache Users - Checks whether we can enumerate usernames directly from the web server
 Written by Javier Fernandez-Sanguinoi Pena, Copyright (C) 2008 CIRT Inc.
 Options:
  cgiwrap: User cgi-bin/cgiwrap to enumerate
  home: Look for ~user to enumerate
  size: Maximum size of username if bruteforcing
  dictionary: Filename for a dictionary file of users
  enumerate: Flag to indicate whether to attempt to enumerate users

The plugins have a name, synopsis, author, and optionally some options. On top of these options, there are also verbose and debug. If an option does not take an argument, it is just a flag: using it means true and omitting it means false. So it could look something like:

~$ nikto -Plugins "apacheusers(enumerate,dictionary:users.txt);report_xml"

That gives us a glimpse into the syntax.

Another thing to note is that there are macro definitions near the bottom of the -list-plugins output; these macros define things like what runs by default. In the end, there are a lot of options and customizing that can be done. As I learn more, I may expand upon this later.

After -Plugins, we have the -Tuning option. This one is a lot simpler to figure out: you can tune which classes of vulnerabilities to check for or skip. This can speed things up if there are checks you don't want to spend the time on, or if the results of certain checks are undesirable. To exclude a class specifically, you precede its tuning identifier with an x.

Lastly, there is the -Format option, which goes hand in hand with the -o option to get your output into a desired file and format. As seen at the beginning, formatting output allows porting to and/or usability with other tools. One that stands out is a format explicitly for the Nessus tool, the nbe format. While it is not essential, knowing how to get output is great for documenting and expanding your recon, either to do further recon or to fine-tune your tools with little manual interference. You can live your life like in the movies, maybe hack into somewhere with a few simple rapid commands.

In conclusion, I am still learning this tool, but it's pretty easy to dive into a lot of results. As far as recon goes, the more information we get, the better a picture we can paint.

Wednesday, March 14, 2018

Techs from the Crypt: I don't understand!

Realistically, I have not been a tech for very long; however, I work on four different sites normally and interact with quite a lot of people. In my travels, I have come across some humorous, horrifying, and downright strange scenarios. I will now share them with you as part of an attempt at a running series I am calling "Techs from the Crypt" as homage to a favorite show of mine as a kid, Tales from the Crypt! Get it? Did I really need to explain it?

Moving on, I will make up names where needed, not so much to protect the people involved, but more so because I don't care enough to remember anyone's name. Luckily my time in retail has taught me how to cover up my anti-social nature and severe anger towards the more remedial tasks I'm expected to perform.

As a tech, I often come across a lot of people who say something along the lines of "I don't know," or "I don't understand." I often find myself rewording what I say many times over to make a point or even get some acknowledgement that there is thought behind the vacant stare and hysterical smile of someone completely distraught because "the Internet is broken," or "I didn't do anything and it's no longer working." I'm sure almost every field you can be in has some variation of this interaction, be it with co-workers or clients. So now I submit to you a story about a lady who, even when I think back on it, I find hard to believe actually did all the things she did.

I work for a school system, so most of the people I help are teachers, those we trust to educate our youths. This particular case was at an elementary school. I received a work order that a teacher, whom we shall call Mrs. Lego (part of an inside joke I may mention later), could not log into her Google account. Now when an account is set up on our system, a Google account is created. The problem is that you cannot log on to the account until after you change your password and then it gets synchronized with Google. I was quite confident in dealing with these cases as it was the beginning of the year and a lot of new teachers sent in identical work orders. With that, I marched off to the school to get the new teacher squared away.

So far it all seemed routine, and then I met the teacher. Now, let me be clear, she was and is a very nice lady who has never been intentionally rude to me even when I almost lost my temper. However, I would not say Mrs. Lego is the most receptive of people. After she explained her problem to me, I explained to her that she needed to change her password and showed her how. Now, our passwords have complexity requirements that are stronger than some of the other unconnected systems certain groups of staff need to use, usually due to software limitations. Mrs. Lego tried to change her password to one she had previously set up on one of these particular systems. After it rejected her twice, I asked her to tell me the password. I then explained to her that because of the complexity requirements, it needs more to it, like a special character, maybe an exclamation mark at the end or something simple to remember like punctuation.

"But I want it to be the same password for everything," stated Mrs. Lego quite adamantly.

"Well, I understand that, but I cannot change these requirements. To access Google through your account, it's required to change your password."

"But I need them to be the same, or else what's the point?"

"To access Google, you NEED to change your password."

"Well, why can't I use this one?"

"Because there are requirements that need to be met."

"I don't think you're understanding me. I have my password for that set. I want them to be the same passwords."

"I get that, but unless you change both passwords, we can't make this one the same."

"No, you don't understand, I want my password-"

"To be the same as the other one, I get what you're saying but I cannot do that for you."

"Oh... well then there is no point in changing my password, how do I go back?"

"To access your Google account you HAVE to change your password."

"But I don't want to unless they can match."

This is the shortened version, as this conversation then continued on for some more time. Finally, my patience was gone. She was convinced I couldn't understand what she wanted, so now she wanted everything back but still wanted to access her Google account. I was so fed up, I did the only thing I could within my power. I fired up Google Admin Console, manually entered her default password, and reluctantly left that be. However, it does not end there, oh no my friends. You see, she was a new teacher and had questions. Many questions. We have instructional people for such questions, but I was nice enough (dumb enough is more like it) to attempt to help to the best of my ability.

You see, at one point they thought it was a good idea to try to continue the use of old, outdated computers by installing Ubuntu on them. As a Linux user, I informed them many times after I started and came across this that Ubuntu is a full-featured OS; it is not lightweight or good for repurposing old computers. Mrs. Lego had two of these and one with Windows still on it. The Ubuntu computers log in automatically, and on the Windows one they are recommended to use a class login. After explaining to her the class login and showing her the Windows computer, we discussed the Ubuntu ones. I explained to her they really are just there for web browsing; there is no Microsoft Office or the like on them.

"So, they're not real computers?"

"No, they are just older computers that the schools are trying to reuse to save money."

"At the school system I come from, they stripped out the guts of old computers and called them Linux machines."

"...uh... yeah... same thing?..."

"Well, can I get real computers instead?"

"... uh... tell you what... put... put in a work order and... I'll see if I can scrape together some parts and get Windows on them..."

"Oh, that would be great, what do I put down?"

So I gave her word for word what to put down and then made a mental note to upgrade the RAM so it could handle Windows and try to get this wonderful woman out of my hair.

Then for a bit, we talked about the tech and differences between school systems. I thought it was over and I had weathered the storm, then while I was mid-sentence, she walked over to the door and said she needed to go pick up the kids... and walked out before I could even respond.

It's at times like those that I wonder how people get there in life, or how they often seem better off than me. Perhaps it's just the chipping away of my soul that makes the other side seem so much better. Mrs. Lego went on to terrorize our instructional techs after I told her to submit a work order for them to come by and walk her through the tech.

You see, when one of them was talking to her, he passed the comment that this stuff is easy, just plug it together, like Lego...

"But I don't have any Legos."

And that, my friends, is the story of Mrs. Lego and why I don't understand. I hope you enjoyed. I have a few other stories I hope to get down before I forget too much detail and make it hard to put in a decent story form.
