NIKTO A Vulnerability Assessment Information Networking Security and Assurance Lab


A Vulnerability Assessment
NIKTO
Information Networking Security and Assurance Lab
National Chung Cheng University

Description
Nikto is a web server scanner that performs comprehensive tests against web servers for multiple items:
- 2600 potentially dangerous files/CGIs
- Versions on over 625 servers
- Version-specific problems on over 230 servers
Nikto supports LibWhisker's anti-IDS methods (IDS evasion).

Description
Nikto performs security or information checks for:
- Misconfigurations
- Default files and scripts
- Insecure files and scripts
- Outdated software

Purpose
- To understand what a vulnerability scanner is, and why we need it
- To become familiar with the operation of the Nikto vulnerability scanner

Principle and Pre-study
- A look at whisker's anti-IDS tactics
- An HTTP request as defined by RFC 1945
- Types of IDS
    - Smart
    - Raw

IDS evasion
No. Evasion type: evasion method
1. Method matching: GET /cgi-bin/some.cgi -> HEAD /cgi-bin/some.cgi
2. URL encoding: cgi-bin -> %63%67%69%2d%62%69%6e
3. Double slashes: /cgi-bin/some.cgi -> //cgi-bin//some.cgi
4. Reverse traversal: /cgi-bin/some.cgi -> GET /cgi-bin/blahblah/../some.cgi HTTP/1.0
5. Self-reference directories: cgi-bin/phf -> /./cgi-bin/./phf
6. Premature request ending: GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
7. Parameter hiding: GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0
8. HTTP mis-formatting: Method<space>URI<space>HTTP/Version CRLF CRLF -> Method<tab>URI<tab>HTTP/Version CRLF CRLF
9. Long URLs: GET /rfprfp<lots of characters>rfprfp/../cgi-bin/some.cgi HTTP/1.0
10. DOS/Win directory syntax: "/cgi-bin/some.cgi" -> "/cgi-bin\some.cgi"
11. NULL method processing: GET%00 /cgi-bin/some.cgi HTTP/1.0
12. Case sensitivity: /cgi-bin/some.cgi -> /CGI-BIN/SOME.CGI
13. Session splicing: "GET / HTTP/1.0" -> "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
14. In summary: combine multiple tactics together
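
An added example, not part of the original slides: how a protocol-aware IDS can undo the URL-level tactics in the table above by canonicalizing each request line before comparing it with a signature. The function names and the sample list are illustrative, and the code assumes the protected server treats backslashes as slashes and ignores case; session splicing needs TCP stream reassembly and is not covered.

```python
import re
from urllib.parse import unquote

def normalize_request_line(line):
    """Return (method, canonical_path) for one HTTP request line."""
    # Fields may be separated by spaces or tabs (HTTP mis-formatting row).
    fields = re.split(r"[ \t]+", line.rstrip("\r\n"))
    if len(fields) < 2:
        raise ValueError("not an HTTP request line")
    # Decode the method once and cut it at the first NUL byte.
    method = unquote(fields[0], encoding="latin-1").split("\0")[0].upper()
    # Split off the query at a literal '?' before decoding; %3f stays in path.
    path = unquote(fields[1].split("?", 1)[0], encoding="latin-1")
    # Assumption: the protected server treats '\' as '/' and ignores case.
    path = path.replace("\\", "/").lower()
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):      # double slashes, self-reference
            continue
        if segment == "..":           # reverse traversal
            if stack:
                stack.pop()
        else:
            stack.append(segment)
    return method, "/" + "/".join(stack)

def matches_signature(line, signature_path):
    """True when the canonical path equals the signature, for any method."""
    return normalize_request_line(line)[1] == signature_path

# Constructed sample input: request lines built from the rows of the table.
SAMPLES = [
    "HEAD /cgi-bin/some.cgi HTTP/1.0",
    "GET /%63%67%69%2d%62%69%6e/some.cgi HTTP/1.0",
    "GET //cgi-bin//some.cgi HTTP/1.0",
    "GET /cgi-bin/blahblah/../some.cgi HTTP/1.0",
    "GET /./cgi-bin/./some.cgi HTTP/1.0",
    "GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n",
    "GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0",
    "GET\t/cgi-bin/some.cgi\tHTTP/1.0",
    "GET /rfprfp" + "A" * 2000 + "rfprfp/../cgi-bin/some.cgi HTTP/1.0",
    "GET /cgi-bin\\some.cgi HTTP/1.0",
    "GET%00 /cgi-bin/some.cgi HTTP/1.0",
    "GET /CGI-BIN/SOME.CGI HTTP/1.0",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(normalize_request_line(sample), "<-", repr(sample[:60]))
```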

Required Facilities
- Permission
    - Do not proceed without receiving the necessary permissions
- Hardware
    - PC or workstation with a UNIX-based OS
- Software
    - Perl 5.004
    - Nikto 1.32
    - Net::SSLeay
    - LibWhisker
    - OpenSSL

Step (I): install Nikto
- Install Nikto from the ports tree
- After installing Nikto:
    - patch /usr/local/bin/nikto.pl to point to config.txt
    - patch /usr/local/etc/nikto/config.txt to point to the plugin directory

[Figure callouts: IDS evasion option; mutate checks option; IDS evasion method]

Step (II): execute nikto
[Figure callouts: basic scan information; web server banner and basic function; report some vulnerability and suggest the solution; report the result]

Step (III): IDS evasion
Detection with IDS evasion methods 1 and 2 on target 140.123.113.86

Summary
- CGI exploits are everywhere. It is most important that you scan your own site so that you can see what attackers might see.
- Nikto is an open source web server scanner, written in Perl, that supports SSL. It checks for remote web server vulnerabilities and misconfigurations.

Reference
- Nikto: http://www.cirt.net/code/nikto.html
- Comprehensive Perl Archive Network: http://www.cpan.org
- LibWhisker: http://www.wiretrip.net/rfp/lw.asp
- A look at whisker's anti-IDS tactics: http://www.wiretrip.net/rfp/txt/whiskerids.html

Outline
A Real World Attack: wu-ftp
Vulnerability Scanners
All-Purpose Tools
Application Inspection
TRIPWIRE & MD5