Monday, August 12, 2013

Application Testing part 1

So I went through the application and noticed some interesting findings:

One of the tests I try is the "HTML everything" test: I try every HTML tag to see if any of them show up in the response. This gives an idea of what tags could be used for injection techniques.


I narrowed it down to these tags but could not get an XSS condition that was not filtered.

But XSS is possible if it is directly put into the database as shown below.


So, if an attacker could gain access to the database, the possibility to inject XSS is there, due to the fact that WordPress does not sanitize the data presented to the browser.
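The "HTML everything" test above, and the stored-XSS point about unsanitized database content, can both be shown with a small harness. This is an added example, not code from the post or from WordPress: it models three ways a page might render a value read from the database (echoed as-is, run through a deny-list filter that only removes script tags, and HTML output-encoded) and reports which tags come back as live markup. The tag list, the marker string and the render functions are constructed for the example.

```python
import html
import re

# Constructed: a short list of tags to try (the post's test uses every tag).
TAGS = ["b", "i", "img", "svg", "script", "iframe", "a", "div"]


def unsafe_render(stored_value: str) -> str:
    """Template that echoes a database value with no output encoding
    (models the behaviour the post describes: content goes straight to the browser)."""
    return f'<div class="comment">{stored_value}</div>'


def denylist_render(stored_value: str) -> str:
    """A filter that only strips <script> tags: a common but incomplete fix."""
    cleaned = re.sub(r"</?script\b[^>]*>", "", stored_value, flags=re.I)
    return f'<div class="comment">{cleaned}</div>'


def safe_render(stored_value: str) -> str:
    """Same template with HTML output encoding applied at render time."""
    return f'<div class="comment">{html.escape(stored_value, quote=True)}</div>'


def probe_for(tag: str, marker: str) -> str:
    """Build one probe: the tag wrapped around a unique marker so a reflected
    copy can be told apart from the page's own markup."""
    return f"<{tag}>{marker}</{tag}>"


def surviving_tags(render, tags=TAGS, marker="zz9x7") -> list:
    """Feed each probe through `render` and return the tags that come back as
    live markup, i.e. the literal opening tag directly followed by the marker
    rather than an entity-encoded copy."""
    hits = []
    for tag in tags:
        body = render(probe_for(tag, marker))
        if re.search(rf"<{tag}\b[^>]*>{marker}", body):
            hits.append(tag)
    return hits


if __name__ == "__main__":
    for name, render in [("unencoded", unsafe_render),
                         ("deny-list filter", denylist_render),
                         ("output-encoded", safe_render)]:
        print(f"{name:18s} live tags: {surviving_tags(render)}")
```

Running it shows the deny-list filter still leaves every tag except `script` live, while output encoding at render time leaves none, which is the fix the post's finding points at: encode on output regardless of how the value got into the database.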

Sunday, August 4, 2013

Vulnerability Scanners are not the greatest for Web Applications

So today was vulnerability scanner day.

Some penetration testers rely only on commercial vulnerability scanners to do their job; today will be proof of how little good they do on web applications.

So I am using the commercial versions of Metasploit and Nexpose.

Starting off with Metasploit and redoing the scans using Metasploit instead of the nmap results previously gathered.

Here are the results from Metasploit using the nmap commands by default:

[*] [2013.08.04-08:52:57] Scan initiated: Speed: 5, Max: 300m (Portscanning) (UDP probes) (Finger enumeration) (H.323 probes)
[+] [2013.08.04-08:52:57] Workspace:Webtest Progress:1/133 (0%) Sweeping 192.168.1.9-192.168.1.200 with Nmap4 probes
[*] [2013.08.04-08:52:57] Scanning 2 hosts...
[*] [2013.08.04-08:54:04] Nmap Command (data:/opt/metasploit/common/share/nmap): /opt/metasploit/common/bin/nmap -sS -T5 -PP -PE -PM -PI -PA20,53,80,113,443,5060,10043 --host-timeout=300m -O --max-rtt-timeout=3000ms --initial-rtt-timeout=1000ms --min-rtt-timeout=1000ms --max-retries=2 --stats-every 10s --traceroute --min-hostgroup=64 -PS1,7,9,13,21-23,25,37,42,49,53,69,79-81,85,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,689,705,771,783,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4444-4445,4659,4679,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5900-5910,5920,5984-5986,6000,6050,6060,6070,6080,6101,6106,6112,6262,6379,6405,6502-6504,6660-6661,6667,6905,6988,7001,7021,7080,7144,7181,7210,7510,7579-7580,7700,7777,7787,7800-7801,7879,7902,8000-8001,8008,8014,8028,8030,8080-8082,8087,8090,8095,8161,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8834,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099-9100,9111,9152,9390-9391,9495,9809-9815,9999-10001,10008,10050-10051,10098,10162,10202-10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12345,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,30718,31001,31099,32913,34443,37718,38080,38292,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,55553,57772,62078,62514,65535 --min-rate=500 
-PU48105 -iL /tmp/nmap20130804-2901-1ps7glt -p1,7,9,13,21-23,25,37,42,49,53,69,79-81,85,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,689,705,771,783,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4444-4445,4659,4679,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5900-5910,5920,5984-5986,6000,6050,6060,6070,6080,6101,6106,6112,6262,6379,6405,6502-6504,6660-6661,6667,6905,6988,7001,7021,7080,7144,7181,7210,7510,7579-7580,7700,7777,7787,7800-7801,7879,7902,8000-8001,8008,8014,8028,8030,8080-8082,8087,8090,8095,8161,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8834,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099-9100,9111,9152,9390-9391,9495,9809-9815,9999-10001,10008,10050-10051,10098,10162,10202-10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12345,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,30718,31001,31099,32913,34443,37718,38080,38292,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,55553,57772,62078,62514,65535
[*] [2013.08.04-08:54:11] Nmap Output:
[*] [2013.08.04-08:54:11] Nmap Output: Starting Nmap 6.25 ( http://nmap.org ) at 2013-08-04 08:54 EDT
[*] [2013.08.04-08:54:29] Nmap Output: Nmap scan report for 192.168.1.200
[*] [2013.08.04-08:54:29] Nmap Output: Host is up (0.00062s latency).
[*] [2013.08.04-08:54:29] Nmap Output: Not shown: 363 closed ports
[*] [2013.08.04-08:54:29] Nmap Output: PORT    STATE SERVICE
[*] [2013.08.04-08:54:29] Nmap Output: 22/tcp  open  ssh
[*] [2013.08.04-08:54:29] Nmap Output: 80/tcp  open  http
[*] [2013.08.04-08:54:29] Nmap Output: 443/tcp open  https
[*] [2013.08.04-08:54:29] Nmap Output: MAC Address: 00:0C:29:F8:C7:0B (VMware)
[*] [2013.08.04-08:54:29] Nmap Output: Aggressive OS guesses: Linux 2.6.32 - 2.6.35 (97%), Linux 2.6.32 - 3.6 (96%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.17 - 2.6.36 (96%), Linux 2.6.23 - 2.6.38 (95%), Linux 2.6.18 - 2.6.21 (95%), Linux 2.6.32 (95%), AXIS 210A or 211 Network Camera (Linux 2.6) (95%), Linux 2.6.31 (95%), Linux 2.6.22 (95%)
[*] [2013.08.04-08:54:29] Nmap Output: No exact OS matches for host (test conditions non-ideal).
[*] [2013.08.04-08:54:29] Nmap Output: Network Distance: 1 hop
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: TRACEROUTE
[*] [2013.08.04-08:54:29] Nmap Output: HOP RTT     ADDRESS
[*] [2013.08.04-08:54:29] Nmap Output: 1   0.62 ms 192.168.1.200
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: Nmap scan report for 192.168.1.9
[*] [2013.08.04-08:54:29] Nmap Output: Host is up (0.0067s latency).
[*] [2013.08.04-08:54:29] Nmap Output: Not shown: 364 filtered ports
[*] [2013.08.04-08:54:29] Nmap Output: PORT     STATE SERVICE
[*] [2013.08.04-08:54:29] Nmap Output: 80/tcp   open  http
[*] [2013.08.04-08:54:29] Nmap Output: 5985/tcp open  wsman
[*] [2013.08.04-08:54:29] Nmap Output: MAC Address: 00:0C:29:78:F9:BA (VMware)
[*] [2013.08.04-08:54:29] Nmap Output: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] [2013.08.04-08:54:29] Nmap Output: Device type: general purpose|phone
[*] [2013.08.04-08:54:29] Nmap Output: Running (JUST GUESSING): Microsoft Windows 7|Phone|2008|Vista (93%)
[*] [2013.08.04-08:54:29] Nmap Output: OS CPE: cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
[*] [2013.08.04-08:54:29] Nmap Output: Aggressive OS guesses: Microsoft Windows 7 Professional (93%), Microsoft Windows Phone 7.5 (92%), Microsoft Windows Server 2008 Beta 3 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows Server 2008 SP1 (89%), Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows Vista SP0 - SP1 (86%)
[*] [2013.08.04-08:54:29] Nmap Output: No exact OS matches for host (test conditions non-ideal).
[*] [2013.08.04-08:54:29] Nmap Output: Network Distance: 1 hop
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: TRACEROUTE
[*] [2013.08.04-08:54:29] Nmap Output: HOP RTT     ADDRESS
[*] [2013.08.04-08:54:29] Nmap Output: 1   6.74 ms 192.168.1.9
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] [2013.08.04-08:54:29] Nmap Output: Nmap done: 2 IP addresses (2 hosts up) scanned in 22.92 seconds
[*] [2013.08.04-08:54:29] Nmap Results: Importing scan data.
[+] [2013.08.04-08:54:37] Workspace:Webtest Progress:3/133 (2%) Sweeping 192.168.1.9-192.168.1.200 with UDP probes
[*] [2013.08.04-08:54:37] Sending 12 probes to 192.168.1.9->192.168.1.200 (2 hosts)
[+] [2013.08.04-08:54:52] Workspace:Webtest Progress:5/133 (3%) Sweeping 192.168.1.9-192.168.1.200 with HTTP probes
[*] [2013.08.04-08:54:54] 192.168.1.200:80 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[*] [2013.08.04-08:54:54] 192.168.1.9:80 Microsoft-IIS/8.0
[*] [2013.08.04-08:54:55] 192.168.1.200:443 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[+] [2013.08.04-08:54:57] Workspace:Webtest Progress:45/133 (33%) Sweeping 192.168.1.200 with SSH probes
[*] [2013.08.04-08:55:02] 192.168.1.200:22, SSH server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
[+] [2013.08.04-08:55:03] Workspace:Webtest Progress:63/133 (47%) Sweeping 192.168.1.9-192.168.1.200 with VxWorks probes
[+] [2013.08.04-08:55:13] Workspace:Webtest Progress:124/133 (93%) Sweeping 192.168.1.9-192.168.1.200 with WinRM probes
[-] [2013.08.04-08:55:13] 192.168.1.9:80 Does not appear to be a WinRM server
[-] [2013.08.04-08:55:14] 192.168.1.200:80 Does not appear to be a WinRM server
[-] [2013.08.04-08:55:15] 192.168.1.200:443 Does not appear to be a WinRM server
[+] [2013.08.04-08:55:16] 192.168.1.9:5985: Negotiate protocol supported
[+] [2013.08.04-08:55:16] Workspace:Webtest Progress:128/133 (96%) Normalizing system information
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:129/133 (96%) Identifying unknown services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:130/133 (97%) Normalizing system information for newly identified services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:131/133 (98%) Sweeping newly found services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:132/133 (99%) Normalizing system information for newly identified services
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:20] Discovered Host: 192.168.1.9 (192.168.1.9)
[+] [2013.08.04-08:55:20] Discovered Host: 192.168.1.200 (192.168.1.200)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:5985 (winrm)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:443 (https)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:22 (ssh)

[+] [2013.08.04-08:55:20] Workspace:Webtest Progress:133/133 (100%) Sweep of 192.168.1.9-192.168.1.200 complete 2 new hosts, 5 new services)



After Metasploit was done I ran Nexpose.


Here are the results after that:




So Nexpose said it found some things: not web related, but system vulnerabilities.


Of course all found items were tested to verify if the vulnerabilities were valid or not.


Then I moved onto the Web application scanner of Metasploit.




and that resulted in:


Really only one vulnerability, as shown here:



So not much help from the findings provided.



Next round will be actually using the application and reviewing how it works and handles requests. Then we will look at the common files and some important ones.

Thursday, August 1, 2013

Identify what is really on those Servers...

Yesterday we identified that we have servers running web services on them.

I am going to use Nikto to get a sense of what is running on the servers (yes, I already know) and identify default or identifiable web files and vulnerabilities.

Now, before I begin: an older version of WordPress was installed on the TurnKey server just to show differences in how the tools report vulnerabilities.

So the results for TurnKey:

nikto -Format htm -host 192.168.1.200 -o ~/Desktop/wordpress/turnkey_nikto
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.200
+ Target Hostname:    192.168.1.200
+ Target Port:        80
+ Start Time:         2013-07-32 19:41:27
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze15
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2013-07-32 19:41:53 (26 seconds)
---------------------------------------------------------------------------

+ 1 host(s) tested

The Windows host results:

nikto -Format htm -host 192.168.1.9 -o ~/Desktop/wordpress/iis_nikto
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.9
+ Target Hostname:    WIN-LFGTTR6DO5G.home
+ Target Port:        80
+ Start Time:         2013-07-32 19:42:06
---------------------------------------------------------------------------
+ Server: Microsoft-IIS/8.0
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
+ Server banner has changed from Microsoft-IIS/8.0 to Microsoft-HTTPAPI/2.0, this may suggest a WAF or load balancer is in place
+ Retrieved x-powered-by header: PHP/5.3.24
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 4 item(s) reported on remote host
+ End Time:           2013-07-32 19:42:53 (47 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
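The two Nikto listings above are the kind of output a tester ends up reading by hand. As an added example (not code from the post or from Nikto), here is a small parser for Nikto 2.1.4's text report that turns each `+` line into a finding with its OSVDB id and path, then groups the findings by OSVDB id so repeated checks (the three directory-indexing hits, for instance) can be triaged together. The sample input is the TurnKey report from above, embedded here so the script runs offline; the field names and the `info` bucket are this example's own choices.

```python
import re
from collections import defaultdict

# Sample input: the Nikto report for the TurnKey host shown on the page.
SAMPLE = """\
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          192.168.1.200
+ Target Hostname:    192.168.1.200
+ Target Port:        80
+ Start Time:         2013-07-32 19:41:27
---------------------------------------------------------------------------
+ Server: Apache/2.2.16 (Debian)
+ Retrieved x-powered-by header: PHP/5.3.3-7+squeeze15
+ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ OSVDB-630: IIS may reveal its internal or real IP in the Location header via a request to the /images directory. The value is "http://127.0.1.1/images/".
+ DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.
+ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
+ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-561: /server-status: This reveals Apache information. Comment out appropriate line in httpd.conf or restrict access to allowed hosts.
+ OSVDB-3092: /cgi-bin/test.cgi: This might be interesting...
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wordpress/: A Wordpress installation was found.
+ 6456 items checked: 0 error(s) and 13 item(s) reported on remote host
+ End Time:           2013-07-32 19:41:53 (26 seconds)
---------------------------------------------------------------------------

+ 1 host(s) tested
"""

# Header/footer lines that Nikto also prefixes with "+ " but that are not findings.
META_PREFIXES = ("Target IP", "Target Hostname", "Target Port", "Start Time", "End Time")
META_PATTERNS = (re.compile(r"items checked:"), re.compile(r"host\(s\) tested"))
OSVDB_RE = re.compile(r"^OSVDB-(\d+): (.*)$")
PATH_RE = re.compile(r"^(/\S*): (.*)$")


def parse_nikto(text: str) -> list:
    """Return one dict per finding: {"osvdb": id or None, "path": path or None, "message": text}."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue
        body = line[2:].strip()
        if body.startswith(META_PREFIXES) or any(p.search(body) for p in META_PATTERNS):
            continue
        osvdb = None
        m = OSVDB_RE.match(body)
        if m:
            osvdb, body = m.group(1), m.group(2)
        path = None
        m = PATH_RE.match(body)
        if m:
            path, body = m.group(1), m.group(2)
        findings.append({"osvdb": osvdb, "path": path, "message": body})
    return findings


def triage(findings: list) -> dict:
    """Group findings by OSVDB id (paths where present, otherwise the message);
    findings without an id land under the "info" key."""
    groups = defaultdict(list)
    for f in findings:
        groups[f["osvdb"] or "info"].append(f["path"] or f["message"])
    return dict(groups)


if __name__ == "__main__":
    for key, items in triage(parse_nikto(SAMPLE)).items():
        print(f"OSVDB-{key}" if key != "info" else "info")
        for item in items:
            print(f"    {item}")
```

The grouping is what makes the later review in this post quicker to write: the three `OSVDB-3268` paths are one directory-indexing issue to fix in the Apache config, and the two `OSVDB-3233` hits are two default files to remove.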



I went ahead and scanned both servers with wpscan after Nikto identified WordPress being installed on them.

Let's look at the TurnKey results:

wpscan --url 192.168.1.200/wordpress/ --enumerate ptu
____________________________________________________
 __          _______   _____                 
 \ \        / /  __ \ / ____|                
  \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA

    WordPress Security Scanner by the WPScan Team
 Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://192.168.1.200/wordpress/
| Started on Wed Jul 31 19:54:04 2013

[!] The WordPress 'http://192.168.1.200/wordpress/readme.html' file exists
[+] XML-RPC Interface available under http://192.168.1.200/wordpress/xmlrpc.php
[+] WordPress version 3.3 identified from meta generator

[!] We have identified 4 vulnerabilities from the version number :
 |
 | * Title: Reflected Cross-Site Scripting in WordPress 3.3
 | * Reference: http://oldmanlab.blogspot.com/2012/01/wordpress-33-xss-vulnerability.html
 |
 | * Title: XSS vulnerability in swfupload in WordPress
 | * Reference: http://seclists.org/fulldisclosure/2012/Nov/51
 |
 | * Title: XMLRPC Pingback API Internal/External Port Scanning
 | * Reference: https://github.com/FireFart/WordpressPingbackPortScanner
 |
 | * Title: WordPress XMLRPC pingback additional issues
 | * Reference: http://lab.onsec.ru/2013/01/wordpress-xmlrpc-pingback-additional.html

[+] The WordPress theme in use is twentyeleven v1.3

 | Name: twentyeleven v1.3
 | Location: http://192.168.1.200/wordpress/wp-content/themes/twentyeleven/
 | Readme: http://192.168.1.200/wordpress/wp-content/themes/twentyeleven/readme.txt

[+] Enumerating plugins from passive detection ...
No plugins found :(

[+] Finished at Wed Jul 31 19:54:09 2013
[+] Elapsed time: 00:00:05

And the Windows results:

wpscan --url 192.168.1.9/wordpress --enumerate ptu
____________________________________________________
 __          _______   _____                 
 \ \        / /  __ \ / ____|                
  \ \  /\  / /| |__) | (___   ___  __ _ _ __ 
   \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
    \  /\  /  | |     ____) | (__| (_| | | | |
     \/  \/   |_|    |_____/ \___|\__,_|_| |_| v2.1rNA

    WordPress Security Scanner by the WPScan Team
 Sponsored by the RandomStorm Open Source Initiative
_____________________________________________________

| URL: http://192.168.1.9/wordpress/
| Started on Wed Jul 31 19:58:43 2013

[!] The WordPress 'http://192.168.1.9/wordpress/readme.html' file exists
[+] XML-RPC Interface available under http://localhost/wordpress/xmlrpc.php
[+] WordPress version 3.5.1 identified from meta generator

[!] We have identified 1 vulnerabilities from the version number :
 |
 | * Title: CVE-2013-2173: WordPress 3.4-3.5.1 DoS in class-phpass.php
 | * Reference: http://seclists.org/fulldisclosure/2013/Jun/65
 | * Reference: http://secunia.com/advisories/53676/
 | * Reference: http://osvdb.org/94235

[+] The WordPress theme in use is twentytwelve

 | Name: twentytwelve
 | Location: http://192.168.1.9/wordpress/wp-content/themes/twentytwelve/

[+] Enumerating plugins from passive detection ...
No plugins found :(

[+] Finished at Wed Jul 31 19:58:46 2013
[+] Elapsed time: 00:00:02




Now it is time to review all the results from today.

Turnkey:

Nikto told us some important findings:
  • It confirmed the server is Apache 2.2.16
  • It found some identifiable files: /phpinfo.php, /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000, /server-status, /cgi-bin/test.cgi
  • It also found some directories with indexing turned on: /icons/, /images/, /images/?pattern=/etc/*&sort=name
  • Lastly, of course, it identified a /wordpress/ directory.
Time to review the WPScan results:
  • WordPress 3.3 was identified.
  • 4 vulnerabilities were identified:
    • Reflected Cross-Site Scripting
    • XSS vulnerability in swfupload
    • XMLRPC Pingback API
    • WordPress XMLRPC pingback



Now for the Windows Server:

Nikto results:
  • It confirmed the server is Microsoft-IIS/8.0
  • Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, POST
  • PHP/5.3.24 is running on the server.
  • And of course /wordpress/
What about wpscan:
  • WordPress 3.5.1 was identified.
  • 1 vulnerability was identified:
    • DoS in class-phpass.php


These are some really good findings. Now remember the TurnKey server had an older version of WordPress, but even with the WordPress version that the WP installer installed it still had a vulnerability that wpscan detected. Tomorrow both servers will get scanned with vulnerability scanners.


Wednesday, July 31, 2013

Scanning the hosts

So first up is scanning the hosts to see what is running on them. Now remember I have not changed anything more than what was needed to run WordPress.

So let's look at the results from the TurnKey box using nmap:

nmap -A -sC 192.168.1.200 -oA ~/Desktop/wordpress/turnkey_nmap_init

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-31 19:35 EDT
Nmap scan report for 192.168.1.200
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
| ssh-hostkey: 1024 81:12:e6:73:39:90:78:d2:8b:30:57:85:42:dd:e3:0d (DSA)
|_2048 af:76:4b:f1:8f:cf:76:68:88:67:2c:3a:84:c7:8f:32 (RSA)
80/tcp  open  http     Apache httpd 2.2.16 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: TurnKey LAMP
443/tcp open  ssl/http Apache httpd 2.2.16 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: TurnKey LAMP
| ssl-cert: Subject: organizationName=TurnKey Linux
| Not valid before: 2013-07-29T21:34:26+00:00
|_Not valid after:  2023-07-27T21:34:26+00:00
|_ssl-date: 2013-07-31T23:36:15+00:00; 0s from local time.
MAC Address: 00:0C:29:F8:C7:0B (VMware)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=6.25%E=4%D=7/31%OT=22%CT=1%CU=35089%PV=Y%DS=1%DC=D%G=Y%M=000C29%T
OS:M=51F99F6F%P=i686-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10C%TI=Z%CI=Z%II=I%T
OS:S=8)OPS(O1=M5B4ST11NW4%O2=M5B4ST11NW4%O3=M5B4NNT11NW4%O4=M5B4ST11NW4%O5=
OS:M5B4ST11NW4%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=1
OS:6A0)ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW4%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A
OS:=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%
OS:Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=
OS:A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=
OS:Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%
OS:T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.47 ms 192.168.1.200

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 28.35 seconds

And the Windows host using nmap:

nmap -A -sC 192.168.1.9 -oA ~/Desktop/wordpress/iis_nmap_init

Starting Nmap 6.25 ( http://nmap.org ) at 2013-07-31 19:37 EDT
Nmap scan report for WIN-LFGTTR6DO5G.home (192.168.1.9)
Host is up (0.0013s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.0
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Microsoft Internet Information Services 8
MAC Address: 00:0C:29:78:F9:BA (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|phone
Running (JUST GUESSING): Microsoft Windows 7|Phone|2008|Vista (93%)
OS CPE: cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows 7 Professional (93%), Microsoft Windows Phone 7.5 (92%), Microsoft Windows Server 2008 Beta 3 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows Vista Home Premium SP1 (91%), Microsoft Windows Server 2008 SP1 (89%), Microsoft Windows Vista SP0 - SP1 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE
HOP RTT     ADDRESS
1   1.31 ms WIN-LFGTTR6DO5G.home (192.168.1.9)

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .


Nmap done: 1 IP address (1 host up) scanned in 17.15 seconds


Let's review what the results are telling us, first by looking at the TurnKey host:
It identified three open ports on the host: 22, 80, 443. This makes sense for a web server.
Nmap told me the versions of the software on those ports:
Port 22 is running OpenSSH 5.5p1
Ports 80 & 443 are running Apache 2.2.16 with no Allow or Public header in the OPTIONS response


I'll use this information later to see if there are any exploits that are remote based. But first I need to analyze the Windows Server.

Windows Server:
Nmap only identified one open port: 80.
Port 80 is running Microsoft IIS httpd 8.0 with potentially risky methods: TRACE
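The review above pulls three things out of each `nmap -A` report by hand: the open ports, the product/version string per port, and the `http-methods` script result. As an added example (not code from the post or from Nmap), here is a parser for Nmap's normal-output format that builds that inventory for every host in a report, so the version strings can be fed to a later advisory lookup and any `Potentially risky methods` script lines are surfaced per port. The sample input is the port tables from the two scans above, embedded so the script runs offline; the dict layout and helper names are this example's own.

```python
import re

# Sample input: the port tables from the page's two nmap -A scans, joined into
# one multi-host report as nmap prints when given several targets.
NMAP_SAMPLE = """\
Nmap scan report for 192.168.1.200
Host is up (0.00047s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
| ssh-hostkey: 1024 81:12:e6:73:39:90:78:d2:8b:30:57:85:42:dd:e3:0d (DSA)
|_2048 af:76:4b:f1:8f:cf:76:68:88:67:2c:3a:84:c7:8f:32 (RSA)
80/tcp  open  http     Apache httpd 2.2.16 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: TurnKey LAMP
443/tcp open  ssl/http Apache httpd 2.2.16 ((Debian))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: TurnKey LAMP
MAC Address: 00:0C:29:F8:C7:0B (VMware)

Nmap scan report for WIN-LFGTTR6DO5G.home (192.168.1.9)
Host is up (0.0013s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 8.0
| http-methods: Potentially risky methods: TRACE
|_See http://nmap.org/nsedoc/scripts/http-methods.html
|_http-title: Microsoft Internet Information Services 8
MAC Address: 00:0C:29:78:F9:BA (VMware)
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
SCRIPT_RE = re.compile(r"^\|_?\s*(.*)$")          # NSE script output lines
RISKY_RE = re.compile(r"Potentially risky methods:\s*(.+)")


def parse_nmap(text: str) -> dict:
    """Map each host address to {"name": ..., "ports": [...]}, where every port
    carries its state, service, version string and attached script lines."""
    hosts, current, port = {}, None, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            addr = m.group(2) or m.group(1)       # IP when nmap resolved a name
            current = {"name": m.group(1), "ports": []}
            hosts[addr] = current
            port = None
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            port = {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                    "service": m.group(4), "version": m.group(5).strip(), "scripts": []}
            current["ports"].append(port)
            continue
        m = SCRIPT_RE.match(line)
        if m and port is not None:
            port["scripts"].append(m.group(1))
    return hosts


def open_ports(hosts: dict, addr: str) -> list:
    return [p["port"] for p in hosts[addr]["ports"] if p["state"] == "open"]


def risky_methods(hosts: dict, addr: str) -> dict:
    """Port -> list of methods that the http-methods script flagged as risky."""
    out = {}
    for p in hosts[addr]["ports"]:
        for s in p["scripts"]:
            m = RISKY_RE.search(s)
            if m:
                out[p["port"]] = [x.strip() for x in m.group(1).split(",")]
    return out


def software_inventory(hosts: dict) -> list:
    """Flat (addr, port, service, version) rows: the input to an advisory lookup."""
    return [(addr, p["port"], p["service"], p["version"])
            for addr, h in hosts.items() for p in h["ports"]
            if p["state"] == "open" and p["version"]]


if __name__ == "__main__":
    hosts = parse_nmap(NMAP_SAMPLE)
    for addr, h in hosts.items():
        print(f"{addr} ({h['name']}): open {open_ports(hosts, addr)} risky {risky_methods(hosts, addr)}")
    for row in software_inventory(hosts):
        print("   ", row)
```

Keeping the raw version string rather than splitting it is deliberate: Nmap's match lines vary in shape (`OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)` versus `Apache httpd 2.2.16 ((Debian))`), and the full string is what an advisory or CPE lookup wants to see.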

This is it for today. Tomorrow I will look at running Nikto to see if it identifies any default or identifiable files on those servers.