Thursday, March 21, 2013

Fingerprinting Web Servers

Fingerprinting web servers is a technique for finding out more about a server before further testing. When I say fingerprinting, I basically mean identifying the server from the information it gives you, so that you know what kind of software it is running.

Identifying Versions

With simple requests to the server we can find out what software it is using. GET or POST requests will do. Requesting objects (files) that are not there or making requests for options that the server does (and does not) support are good places to start.

In the original screenshots the requests I typed after connecting were shown in pink; in the listings below they are the lines directly after the nc command.

    aichi@home# nc 127.0.0.1 81
    head / http/1.0
    HTTP/1.1 501 Method Not Implemented
    Date: Fri, 22 Mar 2013 04:13:18 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
    Allow: GET,HEAD,POST,OPTIONS,TRACE
    Content-Length: 206
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>501 Method Not Implemented</title>
    </head><body>
    <h1>Method Not Implemented</h1>
    <p>head to / not supported.<br />
    </p>
    </body></html>

The above is the output of the netcat command and a lower-case head request to a local server here. HTTP method names are case sensitive: the server tried to process the method head, found there was no such method and answered 501. However, it does show us all the methods it allows: GET, HEAD, POST, OPTIONS and TRACE. We now also know the software the server is running, Apache, and its version, 2.2.17. The operating system (Win32) and even some of the other software is also listed (PHP, mod_ssl and OpenSSL). Here is the same request with the method in upper case:

    aichi@home# nc 127.0.0.1 81
    HEAD / AICHI/6.6.6
    HTTP/1.1 200 OK
    Date: Fri, 22 Mar 2013 04:19:29 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
    Connection: close
    Content-Type: text/html;charset=UTF-8

Using other methods supported by the server we can even get a directory listing (assuming there is no index file in place). Let's try the GET method.

    aichi@home# nc 127.0.0.1 81
    GET / AICHI/6.6.6
    HTTP/1.1 200 OK
    Date: Fri, 22 Mar 2013 04:23:28 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
    Connection: close
    Content-Type: text/html;charset=UTF-8
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
    <html>
     <head>
      <title>Index of /</title>
     </head>
     <body>
    <h1>Index of /</h1>
    <table><tr><th><img src="/icons/blank.gif" alt="[ICO]"></th><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th><th><a href="?C=S;O=A">Size</a></th><th><a href="?C=D;O=A">Description</a></th></tr><tr><th colspan="5"><hr></th></tr>
    <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="0fees/">0fees/</a>         </td><td align="right">12-Feb-2013 19:56 </td><td align="right"> - </td><td>&nbsp;</td></tr>
    <tr><td valign="top"><img src="/icons/folder.gif" alt="[DIR]"></td><td><a href="ForwardElectric%20Backup/">ForwardElectric Backup/</a></td><td align="right">07-May-2012 08:31 </td><td align="right"> - </td><td>&nbsp;</td></tr>

I supplied an invalid protocol version (AICHI/6.6.6) and it still listed the directory contents, and yes, there was no index file. Let's see what it looks like with a blank index file.

    aichi@home# nc 127.0.0.1 81
    GET / AICHI/6.6.6
    HTTP/1.1 200 OK
    Date: Fri, 22 Mar 2013 04:27:39 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
    Last-Modified: Fri, 22 Mar 2013 04:27:17 GMT
    ETag: "700000006ae2f-0-4d87bded2357a"
    Accept-Ranges: bytes
    Content-Length: 0
    Connection: close
    Content-Type: text/html

So, since TRACE is in that Allow list, something like this works too:

    aichi@home# nc 127.0.0.1 81
    TRACE / HTTP/1.1
    host:localhost
    X-Header: <script>alert(1)</script>
    HTTP/1.1 200 OK
    Date: Fri, 22 Mar 2013 04:31:48 GMT
    Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5
    Transfer-Encoding: chunked
    Content-Type: message/http
    4a
    TRACE / HTTP/1.1
    host: localhost
    X-Header: <script>alert(1)</script>
    0
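As an added example (not code from the original post), here is a small Python script that does the same fingerprinting on a raw response: it splits the Server header into product/version tokens and the Allow header into methods, and then lists, from the defender's side, what the banner gives away. The sample response is constructed from the headers in the first nc listing above; for a real check, paste in the text captured with nc.

```python
import re

# Response constructed from the headers in the first nc listing above (not a live capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 501 Method Not Implemented\r\n"
    "Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8q PHP/5.3.5\r\n"
    "Allow: GET,HEAD,POST,OPTIONS,TRACE\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
)
PRODUCT_RE = re.compile(r"([A-Za-z0-9_.-]+)/([0-9][A-Za-z0-9.+-]*)")  # product/version tokens

def parse_headers(raw):
    """Split a raw HTTP response into its status line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return head[0], headers

def fingerprint(raw):
    """Extract product/version pairs, platform comments and allowed methods."""
    status, headers = parse_headers(raw)
    server = headers.get("server", "")
    return {
        "status": status,
        "products": PRODUCT_RE.findall(server),            # e.g. ("Apache", "2.2.17")
        "comments": re.findall(r"\(([^)]*)\)", server),    # e.g. "Win32"
        "methods": [m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()],
    }

def disclosure_findings(fp):
    """Defender-side checks: version banners and TRACE are things to turn off, not advertise."""
    findings = []
    if fp["products"]:
        findings.append("versions disclosed: " + ", ".join("%s %s" % p for p in fp["products"]))
    if fp["comments"]:
        findings.append("platform disclosed: " + ", ".join(fp["comments"]))
    if "TRACE" in fp["methods"]:
        findings.append("TRACE enabled (request echoed back; Apache: TraceEnable off)")
    return findings

if __name__ == "__main__":
    for finding in disclosure_findings(fingerprint(SAMPLE_RESPONSE)):
        print(finding)
```

On Apache the banner is trimmed with ServerTokens Prod and the TRACE echo is switched off with TraceEnable off.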

Tuesday, February 19, 2013

Defeating Level01 on Smash The Stack Wargames

Defeating the first level on IO is really not difficult at all. I am going to show you how I did it the first time I ever tried, MANY years ago. This is something that will hopefully help you go on to defeat other levels. This level isn't the only one that uses this technique, so pay attention.

We will be connecting to the wargame via PuTTY. When you visit the IO wargame page it explains how to connect to the wargame (see below).
ssh level1@io.smashthestack.org
password: level1
The username is level1 and the password is level1. If you couldn't figure that out for yourself you should probably stop reading and start reading about SSH and connecting remotely to machines/servers/etc. For everyone else, let's continue.

Once logged in, navigate to the levels directory and list it; this will show all the levels.


So let's now give it a password, as an argument.


Fail, huh? Ok, let's open gdb and see what's inside this program. Type gdb ./level01 to launch gdb with level01 ready for debugging. The first thing you should do is disassemble main, since all C applications have a main function.


This is the main function disassembled. We can see function names; let's focus on pass, which is one of the functions in this application. You can see all the functions in gdb by typing info fun and pressing enter; this will list all the other functions in the app.


Just like we disassembled main, type disas pass to disassemble the pass function. When we disassemble it we can see a bunch of addresses; let's look and see what's stored at those addresses. You can read bytes, strings, etc. with gdb. Let's check one of the addresses (preferably near the top).


Typing x/s then the address will show us what's there. As you can see it's a string, just get all the letters then go back and input the string you found. I would give it to you here but then how would I know you actually tried to do it yourself?

Saturday, February 16, 2013

SecurityOverride Privilege Escalation Challenges

These challenges looked promising at first, until you actually poke around on their "terminal" (http://securityoverride.org/challenges/privilege_escalation/terminal.php). It's obvious that it's jQuery, so let's start there. View the source of the page and you won't find any other JavaScript files attached to the source. You can see that it is actually jQuery (as I thought).


So, let's click the jquery.js file and see what's in it; I bet they hid it somewhere in there. In fact, it's right at the very bottom of the file, not hard to locate at all.


Looks a bit obfuscated; this may be difficult. Here is a Pastebin link to the obfuscated code. I did a quick Google search and found an online JavaScript "beautifier", pasted the code in and it deobfuscated it. Awesome. Now, looking through the code, you can clearly see the passwords for the levels.

    Filesystem_etcL5a = {
      'passwd': {
        type: 'file',
        read: function (terminal) {
          terminal.print();
          $.each([
            'level1:533V18k:1001:1001:level1:home/level1:/bin/bash',
            'level2:24o23tD:1002:1002:level2:home/level2:/bin/bash',
            'level3:test123:1003:1003:level3:home/level3:/bin/bash',
            'level4:SLIv5V1:1004:1004:level4:home/level4:/bin/bash',
            'level5:14261Rc:1005:1005:level5:home/level5:/bin/bash',
            'level6:8654TRC:1005:1005:level6:home/level6:/bin/bash', ], function (num, line) {
            terminal.print(line);
          });
        }
      },

It seems they jumped the gun on this one; more planning, or even a proper wargame box, might prevent this and could give securityoverride.org a bigger member base and more respect.

Friday, February 15, 2013

SecurityOverride Challenge: Programming Level 1

Code


    #!/usr/bin/python
    # Python 2 (raw_input and the print statement)
    uinput = raw_input("input: ")
    backwards = uinput[::-1]       # the input reversed
    last_letter = backwards[-1]    # last character of the reversed string, i.e. the first character typed
    print last_letter + backwards


Getting a Website's PHP Version

Another simple task that gives out some nice information is using Telnet or PuTTY. I prefer using PuTTY since it supports multiple protocols and Windows 7 doesn't come with Telnet installed (as far as I know). Connect to the web server and request a page that is not there. I just like the 404 error, but whatever floats your boat.


Once you open the connection request a page that isn't there, or a page that may not be there. I typed GET /index.php HTTP/1.1\r\n


As you can see in the image above we have a few nice pieces of information about the remote web server, such as the versions of the software it's running.

  • Apache/2.2.23 (Unix)
  • PHP/5.3.18

We can also see some of the modules installed:

  • mod_ssl/2.2.23
  • OpenSSL/0.9.8e-fips-rhel5
  • mod_auth_passthrough/2.1
  • mod_bwlimited/1.4
  • FrontPage/5.0.2.2635

Packet Capture Forensics with Wireshark

Wireshark is a network protocol analyzer that lets you capture, monitor and analyze network traffic. I will show you some simple tips and tricks for filtering through tons of data to get what you're looking for. With this much raw dump data, filtering it down to the best results can be a very daunting task.

Always remember to put it in order: make sure the earliest time is at the top. Simply click the Time column to sort the data by time.


Another thing to do is filter the data by the appropriate protocol. In the box at the top labelled "Filter:" start typing the protocol you wish to filter on and it may complete it for you; click the Apply button on the right and your newly filtered data should appear.


If you are looking for a specific string in your data you can search the packet bytes. In the top menu of Wireshark select Edit, then Find Packet, or use the shortcut Ctrl+F. In the popup box select String from the radio buttons and type your string in the box.


Looking Up Name Servers in Windows

Looking up name servers is simple. Open a Windows Command Prompt window, type nslookup and hit enter. When you come to a prompt that looks like a greater-than sign, type set querytype=ns and press enter again. Now type the name of the domain you would like to look up.

  1. Open Windows Command Prompt
  2. Type nslookup, press enter
  3. Type set querytype=ns, press enter
  4. Type the name of the domain to lookup, for example google.