Tuesday, February 18, 2014

Testing for HTTP TRACE PUT DELETE methods on web server using Nikto

Intro

Since I received useful feedback on the article on SSL scanning tools, here is another useful tool, "nikto", that I use frequently to check for common security-related misconfigurations on my Apache httpd web server. A lot of the time we try to fix a web server for security problems and are not sure whether we actually fixed the issue. Using a lightweight scanner to quickly test your results is extremely useful when you don't want to wait for those bulky Qualys and Nessus scan reports.

Nikto is a Perl script and requires a Perl installation. It is a web vulnerability scanner that tests your web server for common misconfigurations. Read more on its homepage.

Download

Get it from here:

http://cirt.net/nikto2

Use cases

My favorite use of Nikto is to test three very important things on my web server:

  1. The HTTP methods that are allowed on my web server
  2. Is directory listing enabled?
  3. How much information my server is revealing about itself: version numbers, modules being loaded, etc.

Short info on those 3 points:
As a short rule, you should not have methods other than HEAD/GET/POST and OPTIONS allowed on your web server. Why? Because the other methods like TRACE/PUT/DELETE are rarely needed these days, and it is good practice to turn them off. TRACE in particular echoes the request back to the client, which is what Nikto's XST warning further down refers to.


Directory listing is when the web server, finding no index page in a directory, displays the contents of that directory to the client.

Information revealed: your web server might be reporting information to an attacker that could be of use for further attacks. For example, the following HTTP headers reveal that Apache version 2.2.3 is running on Red Hat Linux.


https://1x.xx.xx.xx/RSA-Crypto/
GET /RSA-Crypto/ HTTP/1.1
Host: 1x.xx.xx.xx
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:21.0) Gecko/20100101 Firefox/21.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://1x.xx.xx.xx/
Connection: keep-alive

HTTP/1.1 200 OK
Date: Mon, 24 Jun 2013 04:01:47 GMT
Server: Apache/2.2.3 (Red Hat)
Content-Length: 1118
Connection: close
Content-Type: text/html;charset=ISO-8859-1

Trial Run


Now suppose that, after enabling enough security settings on your web server, you quickly want to test how it looks from the outside. So you fire up Nikto:

root@bt:/pentest/web/nikto# perl nikto.pl -host https://xx.xx.xx.xx
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: xx.xx.xx.xx
+ Target Hostname: xx.xx.xx.xx
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Ciphers: DHE-RSA-AES256-SHA
Issuer: /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
+ Start Time: 2013-06-22 10:36:12
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Red Hat)
+ OSVDB-3268: /: Directory indexing found.
+ Hostname 'xx.xx.xx.xx' does not match certificate's CN 'localhost.localdomain/emailAddress=root@localhost.localdomain'
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /./: Directory indexing found.
+ OSVDB-3268: /?mod=node&nid=some_thing&op=view: Directory indexing found.
+ OSVDB-3268: /?mod=some_thing&op=browse: Directory indexing found.
+ /./: Appending '/./' to a directory allows indexing
+ OSVDB-3268: //: Directory indexing found.
+ //: Apache on Red Hat Linux release 9 reveals the root directory listing by default if there is no index page.
+ OSVDB-3268: /?Open: Directory indexing found.
+ OSVDB-3268: /?OpenServer: Directory indexing found.
+ OSVDB-3268: /%2e/: Directory indexing found.
+ OSVDB-576: /%2e/: Weblogic allows source code or directory listing, upgrade to v6.0 SP1 or higher. http://www.securityfocus.com/bid/2513.
+ OSVDB-3268: /?mod=&op=browse: Directory indexing found.
+ OSVDB-3268: /?sql_debug=1: Directory indexing found.

Check out the following lines:

+ Server: Apache/2.2.3 (Red Hat)
+ OSVDB-3268: /: Directory indexing found.
+ Hostname 'xx.xx.xx.xx' does not match certificate's CN 'localhost.localdomain/emailAddress=root@localhost.localdomain'
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST


So Nikto tells us that it found directory listing enabled on this server, that an undesirable method, i.e. TRACE, is enabled, and it reports the Apache version and its platform. It also tells you that you are running a very old Apache version and that the latest available version is 2.2.17.

Now you know for sure whether the changes you made in the Apache config worked.
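The three checks above are the same ones Nikto reports; the following added example (not from the post or from Nikto) applies them to raw HTTP responses you have captured from your own server, so you can see what each finding is based on. The two responses are constructed samples that mirror the headers shown in the post; the Apache directives named in the comments are the usual fixes.

```python
import re

# Constructed sample responses (not captured from the post's server); the
# Server header mirrors the one shown in the post.
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (Red Hat)\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Length: 0\r\n\r\n"
)
ROOT_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.3 (Red Hat)\r\n"
    "Content-Type: text/html;charset=ISO-8859-1\r\n\r\n"
    "<html><head><title>Index of /</title></head>"
    "<body><h1>Index of /</h1><pre>...</pre></body></html>"
)

# The baseline the post recommends; anything else is reported.
SAFE_METHODS = {"GET", "HEAD", "POST", "OPTIONS"}

def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def check_methods(options_raw):
    """Methods in the Allow header beyond GET/HEAD/POST/OPTIONS.
    Apache fix for TRACE: 'TraceEnable Off' in httpd.conf."""
    _, headers, _ = parse_response(options_raw)
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}
    return sorted(allowed - SAFE_METHODS)

def check_server_banner(raw):
    """(product, version, platform) if the Server header discloses a version,
    else None. Apache fix: 'ServerTokens Prod' plus 'ServerSignature Off'."""
    _, headers, _ = parse_response(raw)
    m = re.match(r"([\w-]+)/([\d.]+)(?:\s*\(([^)]*)\))?", headers.get("server", ""))
    return (m.group(1), m.group(2), m.group(3)) if m else None

def check_directory_listing(raw):
    """True when the body is an Apache autoindex page (Nikto's OSVDB-3268).
    Apache fix: 'Options -Indexes' for the directory."""
    _, headers, body = parse_response(raw)
    return "text/html" in headers.get("content-type", "") and \
        re.search(r"<title>\s*Index of\s", body, re.I) is not None
```

To use it on your own server, feed it the raw text of an OPTIONS response and of a GET response for the directory you want to verify; a banner of just "Apache" (ServerTokens Prod) returns None.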


[Update++]
Want SSL support in Nikto?
Use cpan to install the Net::SSLeay module for Perl. I hope you already have Perl installed.

cpan[5]> install Net::SSLeay

SSL/TLS Cipher testing: Using SSLScan and ssl_tests

I came to know about the following good tools to check the ciphers running on your SSL service and to check for SSL vulnerabilities.
Often we have the situation where various SSL-enabled services are running on the product, but we have no way of verifying the SSL cipher quality.

Use SSLScan and ssl_tests to test for weak ciphers on your SSL service. I tested them against Apache httpd (443) and Tomcat (8443).
ssl_tests also tests for common SSL vulnerabilities like SSL/TLS cipher renegotiation. sslscan primarily brute-forces the low, medium and high grade ciphers and lists each as 'Accepted' or 'Rejected' depending on the SSL service's response.

ssl_tests is a shell script that relies on the sslscan tool for making the checks.
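What ssl_tests does on top of sslscan is essentially to interpret the 'Accepted' lines; the following added example (not part of the post, ssl_tests or sslscan) does the same over sslscan's cipher listing and explains why each accepted cipher is weak. The output sample is constructed in the style of sslscan 1.x ("Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA"), which is an assumption about the exact layout.

```python
import re

# Constructed sample in the style of sslscan 1.x "Supported Server Cipher(s)"
# output; an assumption about the layout, not output from the post's servers.
SSLSCAN_OUTPUT = """\
  Supported Server Cipher(s):
    Rejected  SSLv2  168 bits  DES-CBC3-MD5
    Accepted  SSLv2  128 bits  RC4-MD5
    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  SSLv3  40 bits   EXP-RC4-MD5
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Rejected  TLSv1  0 bits    NULL-MD5
"""

LINE_RE = re.compile(r"^\s*(Accepted|Rejected)\s+(\S+)\s+(\d+)\s+bits\s+(\S+)", re.M)
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings of OpenSSL cipher names that mark export, null, anonymous,
# RC4 or MD5-based suites.
WEAK_TOKENS = ("EXP", "NULL", "ADH", "AECDH", "RC4", "MD5")

def parse_sslscan(text):
    """Return (status, protocol, bits, cipher) for every cipher line."""
    return [(s, p, int(b), c) for s, p, b, c in LINE_RE.findall(text)]

def weak_reasons(protocol, bits, cipher):
    """List the reasons a single suite counts as weak (empty if it is fine)."""
    reasons = []
    if protocol in WEAK_PROTOCOLS:
        reasons.append(f"protocol {protocol}")
    if bits < 128:
        reasons.append(f"{bits}-bit key")
    for tok in WEAK_TOKENS:
        if tok in cipher.upper():
            reasons.append(f"cipher uses {tok}")
    return reasons

def accepted_weak_ciphers(text):
    """Map 'CIPHER@PROTOCOL' to its reasons for every accepted weak suite.
    Rejected lines are skipped: the server already refuses those."""
    findings = {}
    for status, proto, bits, cipher in parse_sslscan(text):
        if status != "Accepted":
            continue
        reasons = weak_reasons(proto, bits, cipher)
        if reasons:
            findings[f"{cipher}@{proto}"] = reasons
    return findings
```

Pipe the real `sslscan host:port` output into accepted_weak_ciphers to get the same list for your Apache or Tomcat port; an empty result means every suite the server accepted passed these checks.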

Compiling sslscan is generally easy and straightforward, but in case you face errors like the one I faced:

gcc -g -Wall -lssl -o sslscan sslscan.c
sslscan.c: In function ‘getCertificate’:
sslscan.c:992: warning: implicit declaration of function ‘EC_KEY_print’
sslscan.c:992: error: ‘union ’ has no member named ‘ec’
sslscan.c:995: error: ‘union ’ has no member named ‘ec’
make: *** [all] Error 1

You can tweak the source code to comment out the lines related to EC keys in sslscan.c (most probably you won't be using EC keys):

//EC_KEY_print(stdoutBIO, publicKey->pkey.ec, 6);
//EC_KEY_print(fileBIO, publicKey->pkey.ec, 4);

Reference:

https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)