Sunday, August 4, 2013

Vulnerability Scanners are not the greatest for Web Applications

So today was vulnerability scanner day.

Some penetration testers rely only on commercial vulnerability scanners to do their job; today will be proof of how little good those scanners do on web applications.

I'm using the commercial versions of Metasploit and Nexpose.

Starting off with Metasploit, redoing the scans with it instead of relying on the nmap results previously gathered.

Here are the results from Metasploit using its default nmap commands:

[*] [2013.08.04-08:52:57] Scan initiated: Speed: 5, Max: 300m (Portscanning) (UDP probes) (Finger enumeration) (H.323 probes)
[+] [2013.08.04-08:52:57] Workspace:Webtest Progress:1/133 (0%) Sweeping 192.168.1.9-192.168.1.200 with Nmap4 probes
[*] [2013.08.04-08:52:57] Scanning 2 hosts...
[*] [2013.08.04-08:54:04] Nmap Command (data:/opt/metasploit/common/share/nmap): /opt/metasploit/common/bin/nmap -sS -T5 -PP -PE -PM -PI -PA20,53,80,113,443,5060,10043 --host-timeout=300m -O --max-rtt-timeout=3000ms --initial-rtt-timeout=1000ms --min-rtt-timeout=1000ms --max-retries=2 --stats-every 10s --traceroute --min-hostgroup=64 -PS1,7,9,13,21-23,25,37,42,49,53,69,79-81,85,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,689,705,771,783,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4444-4445,4659,4679,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5900-5910,5920,5984-5986,6000,6050,6060,6070,6080,6101,6106,6112,6262,6379,6405,6502-6504,6660-6661,6667,6905,6988,7001,7021,7080,7144,7181,7210,7510,7579-7580,7700,7777,7787,7800-7801,7879,7902,8000-8001,8008,8014,8028,8030,8080-8082,8087,8090,8095,8161,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8834,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099-9100,9111,9152,9390-9391,9495,9809-9815,9999-10001,10008,10050-10051,10098,10162,10202-10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12345,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,30718,31001,31099,32913,34443,37718,38080,38292,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,55553,57772,62078,62514,65535 --min-rate=500 
-PU48105 -iL /tmp/nmap20130804-2901-1ps7glt -p1,7,9,13,21-23,25,37,42,49,53,69,79-81,85,105,109-111,113,123,135,137-139,143,161,179,222,264,384,389,407,443-446,465,500,502,512-515,523-524,540,548,554,587,617,623,689,705,771,783,888,902,910,912,921,993,995,998,1000,1024,1030,1035,1090,1098-1103,1128-1129,1158,1199,1211,1220,1234,1241,1300,1311,1352,1433-1435,1440,1494,1521,1530,1533,1581-1582,1604,1720,1723,1755,1811,1900,2000-2001,2049,2100,2103,2121,2199,2207,2222,2323,2362,2380-2381,2525,2533,2598,2638,2809,2947,2967,3000,3037,3050,3057,3128,3200,3217,3273,3299,3306,3389,3460,3500,3628,3632,3690,3780,3790,3817,4000,4322,4444-4445,4659,4679,4848,5038,5051,5060-5061,5093,5168,5250,5351,5353,5355,5400,5405,5432-5433,5498,5520-5521,5554-5555,5560,5580,5631-5632,5666,5800,5900-5910,5920,5984-5986,6000,6050,6060,6070,6080,6101,6106,6112,6262,6379,6405,6502-6504,6660-6661,6667,6905,6988,7001,7021,7080,7144,7181,7210,7510,7579-7580,7700,7777,7787,7800-7801,7879,7902,8000-8001,8008,8014,8028,8030,8080-8082,8087,8090,8095,8161,8180,8205,8222,8300,8303,8333,8400,8443-8444,8503,8800,8812,8834,8880,8888-8890,8899,8901-8903,9000,9080-9081,9084,9090,9099-9100,9111,9152,9390-9391,9495,9809-9815,9999-10001,10008,10050-10051,10098,10162,10202-10203,10443,10616,10628,11000,11099,11211,11234,11333,12174,12203,12345,12397,12401,13364,13500,13838,14330,15200,16102,17185,17200,18881,19300,19810,20031,20034,20101,20222,22222,23472,23791,23943,25000,25025,26000,26122,27000,27017,27888,28222,28784,30000,30718,31001,31099,32913,34443,37718,38080,38292,41025,41080,41523-41524,44334,44818,45230,46823-46824,47001-47002,48899,50000-50004,50013,50500-50504,55553,57772,62078,62514,65535
[*] [2013.08.04-08:54:11] Nmap Output:
[*] [2013.08.04-08:54:11] Nmap Output: Starting Nmap 6.25 ( http://nmap.org ) at 2013-08-04 08:54 EDT
[*] [2013.08.04-08:54:29] Nmap Output: Nmap scan report for 192.168.1.200
[*] [2013.08.04-08:54:29] Nmap Output: Host is up (0.00062s latency).
[*] [2013.08.04-08:54:29] Nmap Output: Not shown: 363 closed ports
[*] [2013.08.04-08:54:29] Nmap Output: PORT    STATE SERVICE
[*] [2013.08.04-08:54:29] Nmap Output: 22/tcp  open  ssh
[*] [2013.08.04-08:54:29] Nmap Output: 80/tcp  open  http
[*] [2013.08.04-08:54:29] Nmap Output: 443/tcp open  https
[*] [2013.08.04-08:54:29] Nmap Output: MAC Address: 00:0C:29:F8:C7:0B (VMware)
[*] [2013.08.04-08:54:29] Nmap Output: Aggressive OS guesses: Linux 2.6.32 - 2.6.35 (97%), Linux 2.6.32 - 3.6 (96%), Netgear DG834G WAP or Western Digital WD TV media player (96%), Linux 2.6.17 - 2.6.36 (96%), Linux 2.6.23 - 2.6.38 (95%), Linux 2.6.18 - 2.6.21 (95%), Linux 2.6.32 (95%), AXIS 210A or 211 Network Camera (Linux 2.6) (95%), Linux 2.6.31 (95%), Linux 2.6.22 (95%)
[*] [2013.08.04-08:54:29] Nmap Output: No exact OS matches for host (test conditions non-ideal).
[*] [2013.08.04-08:54:29] Nmap Output: Network Distance: 1 hop
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: TRACEROUTE
[*] [2013.08.04-08:54:29] Nmap Output: HOP RTT     ADDRESS
[*] [2013.08.04-08:54:29] Nmap Output: 1   0.62 ms 192.168.1.200
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: Nmap scan report for 192.168.1.9
[*] [2013.08.04-08:54:29] Nmap Output: Host is up (0.0067s latency).
[*] [2013.08.04-08:54:29] Nmap Output: Not shown: 364 filtered ports
[*] [2013.08.04-08:54:29] Nmap Output: PORT     STATE SERVICE
[*] [2013.08.04-08:54:29] Nmap Output: 80/tcp   open  http
[*] [2013.08.04-08:54:29] Nmap Output: 5985/tcp open  wsman
[*] [2013.08.04-08:54:29] Nmap Output: MAC Address: 00:0C:29:78:F9:BA (VMware)
[*] [2013.08.04-08:54:29] Nmap Output: Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
[*] [2013.08.04-08:54:29] Nmap Output: Device type: general purpose|phone
[*] [2013.08.04-08:54:29] Nmap Output: Running (JUST GUESSING): Microsoft Windows 7|Phone|2008|Vista (93%)
[*] [2013.08.04-08:54:29] Nmap Output: OS CPE: cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows cpe:/o:microsoft:windows_server_2008::beta3 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
[*] [2013.08.04-08:54:29] Nmap Output: Aggressive OS guesses: Microsoft Windows 7 Professional (93%), Microsoft Windows Phone 7.5 (92%), Microsoft Windows Server 2008 Beta 3 (92%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (92%), Microsoft Windows Vista SP2, Windows 7 SP1, or Windows Server 2008 (92%), Microsoft Windows Server 2008 SP1 (89%), Microsoft Windows Vista Home Premium SP1 (89%), Microsoft Windows Vista SP0 - SP1 (86%)
[*] [2013.08.04-08:54:29] Nmap Output: No exact OS matches for host (test conditions non-ideal).
[*] [2013.08.04-08:54:29] Nmap Output: Network Distance: 1 hop
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: TRACEROUTE
[*] [2013.08.04-08:54:29] Nmap Output: HOP RTT     ADDRESS
[*] [2013.08.04-08:54:29] Nmap Output: 1   6.74 ms 192.168.1.9
[*] [2013.08.04-08:54:29] Nmap Output:
[*] [2013.08.04-08:54:29] Nmap Output: OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] [2013.08.04-08:54:29] Nmap Output: Nmap done: 2 IP addresses (2 hosts up) scanned in 22.92 seconds
[*] [2013.08.04-08:54:29] Nmap Results: Importing scan data.
[+] [2013.08.04-08:54:37] Workspace:Webtest Progress:3/133 (2%) Sweeping 192.168.1.9-192.168.1.200 with UDP probes
[*] [2013.08.04-08:54:37] Sending 12 probes to 192.168.1.9->192.168.1.200 (2 hosts)
[+] [2013.08.04-08:54:52] Workspace:Webtest Progress:5/133 (3%) Sweeping 192.168.1.9-192.168.1.200 with HTTP probes
[*] [2013.08.04-08:54:54] 192.168.1.200:80 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[*] [2013.08.04-08:54:54] 192.168.1.9:80 Microsoft-IIS/8.0
[*] [2013.08.04-08:54:55] 192.168.1.200:443 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[+] [2013.08.04-08:54:57] Workspace:Webtest Progress:45/133 (33%) Sweeping 192.168.1.200 with SSH probes
[*] [2013.08.04-08:55:02] 192.168.1.200:22, SSH server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
[+] [2013.08.04-08:55:03] Workspace:Webtest Progress:63/133 (47%) Sweeping 192.168.1.9-192.168.1.200 with VxWorks probes
[+] [2013.08.04-08:55:13] Workspace:Webtest Progress:124/133 (93%) Sweeping 192.168.1.9-192.168.1.200 with WinRM probes
[-] [2013.08.04-08:55:13] 192.168.1.9:80 Does not appear to be a WinRM server
[-] [2013.08.04-08:55:14] 192.168.1.200:80 Does not appear to be a WinRM server
[-] [2013.08.04-08:55:15] 192.168.1.200:443 Does not appear to be a WinRM server
[+] [2013.08.04-08:55:16] 192.168.1.9:5985: Negotiate protocol supported
[+] [2013.08.04-08:55:16] Workspace:Webtest Progress:128/133 (96%) Normalizing system information
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:17] Workspace:Webtest Progress:129/133 (96%) Identifying unknown services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:130/133 (97%) Normalizing system information for newly identified services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:131/133 (98%) Sweeping newly found services
[+] [2013.08.04-08:55:18] Workspace:Webtest Progress:132/133 (99%) Normalizing system information for newly identified services
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:1/3 (33%) Normalizing 192.168.1.9
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:2/3 (66%) Normalizing 192.168.1.200
[+] [2013.08.04-08:55:19] Workspace:Webtest Progress:3/3 (100%) Normalization complete
[+] [2013.08.04-08:55:20] Discovered Host: 192.168.1.9 (192.168.1.9)
[+] [2013.08.04-08:55:20] Discovered Host: 192.168.1.200 (192.168.1.200)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:5985 (winrm)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:443 (https)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:22 (ssh)

[+] [2013.08.04-08:55:20] Workspace:Webtest Progress:133/133 (100%) Sweep of 192.168.1.9-192.168.1.200 complete 2 new hosts, 5 new services)
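As an added example (my own code, not from the post or from Metasploit), here is a small Python parser for the discovery log above. It pulls the "Discovered Port" and banner lines into a host/port/service inventory, lists the HTTP(S) endpoints that will need the manual application review the scanners cannot do, and extracts the product/version strings the banners leak, which is all a version-based scanner finding rests on. The sample log lines are copied from the output above; the regexes and function names are my assumptions, not anything Metasploit provides.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a handful of lines in the shape of the Metasploit discovery
# log shown above (banner lines and "Discovered Port" lines), so the block runs offline.
SAMPLE_LOG = """\
[*] [2013.08.04-08:54:29] Nmap Output: 80/tcp  open  http
[*] [2013.08.04-08:54:54] 192.168.1.200:80 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[*] [2013.08.04-08:54:54] 192.168.1.9:80 Microsoft-IIS/8.0
[*] [2013.08.04-08:54:55] 192.168.1.200:443 Apache/2.2.16 (Debian) ( Powered by PHP/5.3.3-7+squeeze15 )
[*] [2013.08.04-08:55:02] 192.168.1.200:22, SSH server version: SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze3
[-] [2013.08.04-08:55:13] 192.168.1.9:80 Does not appear to be a WinRM server
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:5985 (winrm)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.9:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:443 (https)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:80 (http)
[+] [2013.08.04-08:55:20] Discovered Port: 192.168.1.200:22 (ssh)
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "[+] [ts] Discovered Port: ip:port (service)"
PORT_RE = re.compile(r"Discovered Port: " + IPV4 + r":(\d+) \((\w+)\)")
# "[*] [ts] ip:port banner" -- only the [*] probe-result lines carry a banner;
# "Nmap Output:" lines and "[-]" negative results never match because the IP
# must follow the timestamp directly.
BANNER_RE = re.compile(r"^\[\*\] \[[^\]]+\] " + IPV4 + r":(\d+),? (.+)$")
# product/version pairs inside a banner, e.g. Apache/2.2.16 or OpenSSH_5.5p1
SOFTWARE_RE = re.compile(r"([A-Za-z][\w-]*)[/_](\d[\w.+-]*)")


def parse_discovery_log(text):
    """Build {ip: {port: {"service": name, "banner": text-or-None}}} from the log."""
    inventory = defaultdict(dict)
    for line in text.splitlines():
        m = PORT_RE.search(line)
        if m:
            ip, port, service = m.group(1), int(m.group(2)), m.group(3)
            entry = inventory[ip].setdefault(port, {"service": None, "banner": None})
            entry["service"] = service
            continue
        m = BANNER_RE.match(line)
        if m:
            ip, port, banner = m.group(1), int(m.group(2)), m.group(3).strip()
            entry = inventory[ip].setdefault(port, {"service": None, "banner": None})
            entry["banner"] = banner
    return dict(inventory)


def _by_address(inventory):
    # Sort hosts numerically, not as strings (192.168.1.9 before 192.168.1.200).
    return sorted(inventory.items(), key=lambda kv: ipaddress.ip_address(kv[0]))


def web_targets(inventory):
    """URLs for every http/https service: the scope for the manual application
    review the post says comes next, which the scanners could not cover."""
    urls = []
    for ip, ports in _by_address(inventory):
        for port, info in sorted(ports.items()):
            if info["service"] not in ("http", "https"):
                continue
            scheme = info["service"]
            default_port = 443 if scheme == "https" else 80
            netloc = ip if port == default_port else "%s:%d" % (ip, port)
            urls.append("%s://%s/" % (scheme, netloc))
    return urls


def software_inventory(inventory):
    """(ip, port, product, version) for each version string a banner leaks.
    This is what a scanner's version-only findings are built on, and what a
    defender checks against vendor support status."""
    rows = []
    for ip, ports in _by_address(inventory):
        for port, info in sorted(ports.items()):
            if info["banner"] is None:
                continue
            for product, version in SOFTWARE_RE.findall(info["banner"]):
                rows.append((ip, port, product, version))
    return rows


if __name__ == "__main__":
    inv = parse_discovery_log(SAMPLE_LOG)
    for url in web_targets(inv):
        print("web target:", url)
    for row in software_inventory(inv):
        print("software: %s:%d %s %s" % row)
```

On the sample above this yields three web targets (both hosts on port 80 and 192.168.1.200 on 443) and six leaked product/version pairs; the WinRM port is kept in the inventory but stays out of the web scope.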



After Metasploit was done I ran Nexpose.


Here are the results from that:




Nexpose reported that it found some things, but they were system vulnerabilities rather than anything web-related.


Of course, every reported item was tested to verify whether the vulnerability was valid.


Then I moved on to Metasploit's web application scanner.




and that resulted in:


Really only one vulnerability, as shown here:



So not much help from the findings provided.



The next round will be actually using the application and reviewing how it works and handles requests. Then we will look at the common files and some important ones.
