A server is a dedicated computing system that provides services to users and to other computers on a network. Those services range from public offerings such as online gaming to sharing sensitive files inside a large organization. In a client-server architecture, a server is a program that serves the requests of other programs, known as the “clients”, performing computational tasks on their behalf. Clients may run on the same machine or connect over the network; for example, a server might host a game to the world while clients access it remotely. Servers come in many forms, from an Apache web server limited to HTTP to a BEA WebLogic application server that handles HTTP and more.
Network servers are typically provisioned to handle large volumes of clients, which means extra processing power, memory and storage; that capacity makes them valuable targets for attackers. Organizations usually manage servers remotely and do not actively monitor their activity, so small dips in performance or other indicators of compromise may go unnoticed. It is common to find that malicious users have had access to a compromised server for a long time before the owners identify the vulnerability used to get in.
We will start by showcasing tools available in Kali for identifying vulnerabilities. Next, we will focus on exploiting vulnerabilities to gain access to web application servers. We will conclude with other methods of accessing web application services.
Let’s take a look at some tools available in Kali for identifying vulnerabilities on servers.
Webshag
Webshag is a multi-threaded, multi-platform tool for auditing web servers. It gathers commonly useful functions such as port scanning, URL scanning and file fuzzing. It can scan a web server over HTTP or HTTPS, through a proxy, and using HTTP authentication (basic or digest). Webshag also has IDS evasion capabilities aimed at making correlation between requests more difficult.
Webshag provides additional capabilities such as retrieving the list of domain names hosted on a target machine and fuzzing with dynamically generated filenames. It can fingerprint web pages in a way that is resistant to content changes; this is designed as a false-positive removal algorithm for dealing with “soft 404” responses, where the server returns a success code for a page that does not exist. Webshag is available on Linux and Windows, through either a GUI or a command-line console. In Kali it can be found under Web Applications | Web Vulnerability Scanners as webshag-gui.
Webshag is easy to use. Each feature has a tab along the top: select the tab for the desired feature, enter the target URL in the target field and click OK to run it. Multiple tabs can run simultaneously. Features include Port Scanning, Spider, URL Scan and Fuzzing. The next four screenshots show Webshag performing a port scan, spider crawl, URL scan and file fuzz of www.thesecurityblogger.com:
Webshag can export all data found during an audit in XML, HTML and TXT formats. Its final report is organized logically enough to serve as a standalone document or as reference material for a penetration test deliverable. The next two screenshots show the export options and the top of an audit report:
Skipfish
Skipfish is a web application security reconnaissance tool. It prepares an interactive sitemap of the target by recursive crawling and dictionary-based probing, then annotates the resulting map with the output of its active security checks. Skipfish can be found under Web Applications | Web Vulnerability Scanners as skipfish. When you first open it, a Terminal window pops up listing the Skipfish command options. Skipfish can use built-in or custom dictionaries for the assessment.
The available dictionaries are located in Skipfish's dictionaries directory (/usr/share/skipfish/dictionaries on Kali).
There are various command options available in Skipfish. To run it against a target website with a custom wordlist, enter skipfish, select the wordlist with the -W option followed by its location, select the output directory with -o followed by its location, and finally give the target website:

skipfish -o (output location) -W (location of wordlist) (target website)
The following example scans www.thesecurityblogger.com using a wordlist called complete.wl. Skipfish will create a folder called Skipfishoutput on the desktop. The command is skipfish, with -o /root/Desktop/Skipfishoutput to specify where to send the output, -W /root/Desktop/complete.wl to specify the location of the dictionary, and http://www.thesecurityblogger.com as the target to scan.
Note that the default Skipfish dictionaries will not load with the -W option, because their first line (#ro) marks them read-only and -W expects a read-write wordlist. You can copy a default wordlist and remove the #ro line to use the copy as a custom wordlist (Skipfish 2.x can also load a read-only dictionary directly with the -S option).
This is shown in the following screenshot:
If there are no errors, you will be presented with a launch screen stating that the scan will start in 60 seconds or when any key is pressed.
You can press the Spacebar to see details of the scan, or just watch the counters run. A scan can take anywhere from 30 seconds to a few hours to complete. You can end it early by pressing Ctrl + C.
Once the scan completes, or if you end it early, Skipfish writes a large number of output files to the folder specified with the -o option. To see the results, open the index.html file in a browser and click through the drop-down boxes. See the example reports section for more information.
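The steps above (copy a stock dictionary, strip its #ro marker, then run skipfish with -o and -W) can be scripted. The following is an added example written for this page, not code from the original post or from the Skipfish project; the dictionary contents, the /root/Desktop paths and the target URL are assumptions for illustration, and the stock dictionary path /usr/share/skipfish/dictionaries/complete.wl is where Kali installs it.

```shell
#!/bin/sh
# Added example: prepare a read-write copy of a Skipfish dictionary and
# build the scan command line. Stock Skipfish dictionaries start with a
# "#ro" line marking them read-only; -W refuses such a file, so the copy
# has that line removed.

# prepare_rw_wordlist SRC DST
# Copies SRC to DST, dropping a leading "#ro" marker line if present.
prepare_rw_wordlist() {
    src="$1"; dst="$2"
    if [ "$(head -n 1 "$src")" = "#ro" ]; then
        tail -n +2 "$src" > "$dst"
    else
        cp "$src" "$dst"
    fi
}

# build_skipfish_cmd OUTDIR WORDLIST TARGET
# Prints the skipfish invocation: -o for the output folder, -W for the
# read-write wordlist, then the target URL.
build_skipfish_cmd() {
    printf 'skipfish -o %s -W %s %s\n' "$1" "$2" "$3"
}

# make_sample_dict FILE
# Writes a constructed three-line dictionary in Skipfish's "type hits
# total_age last_age keyword" layout, standing in for a stock list.
make_sample_dict() {
    cat > "$1" <<'EOF'
#ro
e 1 1 1 php
w 1 1 1 admin
EOF
}

# Demo: run as "sh script.sh demo" on a Kali box. Assumed paths below.
if [ "${1:-}" = "demo" ]; then
    stock=/usr/share/skipfish/dictionaries/complete.wl
    rw=/root/Desktop/complete.wl
    out=/root/Desktop/Skipfishoutput
    prepare_rw_wordlist "$stock" "$rw"
    cmd=$(build_skipfish_cmd "$out" "$rw" http://www.thesecurityblogger.com)
    echo "$cmd"
    # Only launch the scan if skipfish is actually installed.
    command -v skipfish >/dev/null 2>&1 && eval "$cmd"
fi
```

The copy is what makes -W happy: the scanner writes learned keywords back into the -W list as it runs, which is exactly why it refuses to use a read-only stock file in that role.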
ProxyStrike
ProxyStrike is a web application proxy built to identify vulnerabilities while you browse an application. It runs as a proxy listening on port 8008 by default, so you have to configure your browser to send traffic through ProxyStrike; it then analyzes all the parameters in the background while you surf the target website.
The proxy features are useful for identifying, intercepting and modifying requests. To configure a browser such as Firefox to use ProxyStrike, open Firefox Preferences | Advanced | Network and click Settings. Select Manual proxy configuration and enter the IP address of your Kali machine followed by port 8008 (unless you plan to change ProxyStrike's default port).
To use ProxyStrike, go to Web Applications | Web Vulnerability Scanners and select ProxyStrike. Assuming your browser is sending traffic to ProxyStrike, you should see captured traffic in the Comms tab. We will spend more time on proxies in Chapter 6, Web Attacks.
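Clicking through the Firefox dialog works, but for a dedicated testing profile it is easier to set the same proxy preferences in a user.js file and to fire one request through the proxy from the command line to confirm the Comms tab picks it up. The following is an added example written for this page, not code from the original post or from ProxyStrike; the Kali address 192.168.1.10, the profile directory and the target URL are assumptions. The network.proxy.* preference names are Firefox's own; network.proxy.type 1 means manual configuration.

```shell
#!/bin/sh
# Added example: point a Firefox profile at an intercepting proxy and
# produce a one-shot curl check through the same proxy.

# write_firefox_proxy_prefs PROFILE_DIR HOST PORT
# Writes a user.js that routes HTTP and HTTPS through HOST:PORT. Firefox
# reads user.js on startup and copies its values into prefs.js.
write_firefox_proxy_prefs() {
    profile="$1"; host="$2"; port="$3"
    mkdir -p "$profile"
    cat > "$profile/user.js" <<EOF
// Route all browsing through the intercepting proxy (manual configuration)
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "$host");
user_pref("network.proxy.http_port", $port);
user_pref("network.proxy.ssl", "$host");
user_pref("network.proxy.ssl_port", $port);
// Clear the bypass list so nothing slips past the proxy; newer Firefox
// additionally needs allow_hijacking_localhost for targets on 127.0.0.1.
user_pref("network.proxy.no_proxies_on", "");
user_pref("network.proxy.allow_hijacking_localhost", true);
EOF
}

# proxy_curl_cmd HOST PORT URL
# Prints a curl command that sends one request via the proxy and reports
# only the HTTP status; run it and watch the Comms tab for the request.
proxy_curl_cmd() {
    printf 'curl -sS -x http://%s:%s -o /dev/null -w "%%{http_code}" %s\n' "$1" "$2" "$3"
}

# Demo: run as "sh script.sh demo". Assumed Kali address and profile path.
if [ "${1:-}" = "demo" ]; then
    write_firefox_proxy_prefs "$HOME/.mozilla/firefox/pentest.default" 192.168.1.10 8008
    proxy_curl_cmd 192.168.1.10 8008 http://www.thesecurityblogger.com
fi
```

If the curl check returns a status but nothing appears in Comms, the browser side is not the problem; check that ProxyStrike is bound to the address you entered rather than only to localhost.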
The crawler features are an easy way to scan a target website for SQL injection, SSL and XSS issues using ProxyStrike's plugins. You do not need ProxyStrike configured as a proxy to use the crawler. To crawl a website with the XSS plugins, click on the Plugins tab, scroll to the XSS plugins and enable them using the checkboxes. Next, select the Crawler tab, enter the target website including http://, tick the box to crawl using the plugins and click the large Stop button so that it changes to Running. Enabling plugins increases the time a scan takes; ProxyStrike displays a status bar with an estimate of how long the scan should take.
The Plugins tab shows the results of a crawl once a scan has been launched. Identified attacks can be exported to HTML or XML.
The Log tab shows which tasks are being run against the target website and the degree of success for each attack; its contents can be copied into a text file for a final deliverable. The Crawler tab lists all the unique web links identified on the target.