Thursday, July 24, 2008

Penetration testing tools - Nikto

| Armando Romeo |

Nikto is a web server security assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. It is definitely one of the most popular free web application scanners available.

After a short vacation I'm back to the series on the best tools for web application penetration testers. Last time we looked at DirBuster in the information gathering category. It was hard to pick one among all the good tools around for fuzzing and discovering hidden parts of a web site.

Another similar tool I like is wfuzz, which works both with a dictionary and by brute force.

But this time I'm going to talk about Nikto, as it is one of the best known and most widely used web application security scanners.

Quoting from the author's website:

Nikto checks for 3500 potentially dangerous files/CGIs, versions on over 900 servers, and version specific problems on over 250 servers.

A good thing is that the Nikto vulnerability database can be updated easily from the command line (it's a command line tool written in Perl, by the way).

Nikto is especially useful once we have discovered what's running on the target web server and want to know what's vulnerable.

Nikto is not meant as an attacking tool. It is more of a vulnerability assessment tool that tries known exploits against the target to trigger known behaviours; when this happens it is reported to the user.
Nikto is not only useful when the target runs some off-the-shelf code known to be vulnerable to a publicly available exploit; it also helps in discovering known web server misconfigurations.

The first useful thing Nikto does when launched against a web site is to fingerprint the web server version.
Then it tries its whole signature database against the site, according to the enabled tests (all of them by default).
This causes a lot of "noise" in the web site's logs, as it doesn't seem to narrow down the type of attacks according to the software found on the web server, but this shouldn't be a problem for an authorized penetration testing job.
Joomla is a nice example: Nikto tries all the known exploits for Joomla components even if those components are not installed on the Joomla instance it is assessing.
So 90% of the attempts are pointless, while a more intelligent approach would be to recognize what is installed and then try the exploits accordingly. But then, Nikto is open source and anyone can adjust how it works.
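The "noise" just described is exactly what a defender sees on the other side, so here is an added example (mine, not code from the post or from the Nikto project) that reads Apache combined-format access log lines and flags clients that look like a scanner run. The log lines, IP addresses and probe paths are constructed for the example; the User-Agent string only imitates the shape of Nikto's default one, which is configurable, so the second rule (a burst of requests where most answers are 404) is there for scans that hide it.

```python
"""Spot web-scanner noise (a Nikto run, for instance) in Apache combined-format access logs.
Added example; the log lines below are constructed, not a real capture."""
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return ip/path/status/ua for one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, min_requests=8, min_404_ratio=0.75):
    """Group requests per client IP and attach the reasons an IP looks like a scanner.

    Two independent signals:
      * "user-agent": Nikto's default User-Agent announces itself ("Nikto/<version>"),
        but it is configurable, so this alone is not enough;
      * "404-burst": a scanner that hides its User-Agent still produces a burst of
        requests where most answers are 404, because the whole signature database is
        tried regardless of what the server actually runs.
    """
    per_ip = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "reasons": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of failing the whole run
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        stats["paths"].add(rec["path"])
        if rec["status"] == 404:
            stats["not_found"] += 1
        if "nikto" in rec["ua"].lower() and "user-agent" not in stats["reasons"]:
            stats["reasons"].append("user-agent")
    for stats in per_ip.values():
        ratio = stats["not_found"] / stats["requests"]
        stats["ratio_404"] = round(ratio, 2)
        if stats["requests"] >= min_requests and ratio >= min_404_ratio:
            stats["reasons"].append("404-burst")
        stats["flagged"] = bool(stats["reasons"])
    return dict(per_ip)


# --- constructed sample traffic (example data, not a real capture) ----------------
UA_BROWSER = "Mozilla/5.0 (Windows NT 6.0)"
UA_NIKTO = "Mozilla/5.00 (Nikto/2.03) (Evasions:None) (Test:000001)"  # shape of the default UA
PROBES = ["/admin/", "/administrator/", "/private/", "/backup/", "/test/", "/old/",
          "/cgi-bin/test-cgi", "/phpinfo.php", "/server-status"]  # paths this site does not have


def _line(ip, path, status, ua):
    return f'{ip} - - [24/Jul/2008:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


SAMPLE_LOG = "\n".join(
    # 203.0.113.5: an ordinary visitor with one innocent 404
    [_line("203.0.113.5", p, s, UA_BROWSER)
     for p, s in [("/", 200), ("/style.css", 200), ("/about.html", 200), ("/old-page.html", 404)]]
    # 198.51.100.7: a scan with the default User-Agent
    + [_line("198.51.100.7", "/", 200, UA_NIKTO)]
    + [_line("198.51.100.7", p, 404, UA_NIKTO) for p in PROBES]
    # 198.51.100.9: the same scan with a browser User-Agent; only the 404 burst gives it away
    + [_line("198.51.100.9", "/", 200, UA_BROWSER)]
    + [_line("198.51.100.9", p, 404, UA_BROWSER) for p in PROBES]
)

if __name__ == "__main__":
    for ip, stats in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{ip:<14} requests={stats['requests']:<3} 404-ratio={stats['ratio_404']:<5} "
              f"reasons={stats['reasons'] or '-'}")
```

The thresholds are starting points to tune against your own traffic: a broken link farm or a crawler can also raise the 404 ratio, so the verdict is a lead for a log review, not a block rule on its own.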

Nikto provides a good degree of flexibility by allowing the pen tester to tune the scan, enabling only certain kinds of tests such as Misconfiguration/default files, Information disclosure, Interesting file/seen in logs, etc.

These can be enabled or disabled easily using the -Tuning switch followed by the reference numbers you can find in the Nikto manual in the package.

This is an example that will run only the Remote File Retrieval and Command Execution tests (replace <host> with the target host):

perl nikto.pl -h <host> -T 58

With the "x" we exclude those two and enable all the rest:

perl nikto.pl -h <host> -T 58x

My favourite test is number 1, "Interesting File / Seen in logs": it sometimes shows interesting stuff that can be very helpful for the whole penetration testing endeavour.

As a last note, false positives are probably the only real problem affecting Nikto. It sometimes reports completely meaningless threats, so manual verification is needed to validate the scan results.
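One common source of those meaningless hits is a server that answers every unknown path with a 200 and a friendly "not found" page, so every probe in the database looks like a discovered file. The following is an added example of how I would triage such results, not code from the post or from Nikto: it fetches a couple of random paths that cannot exist, keeps those responses as a baseline, and only confirms a reported path when its status code or body differs from the baseline. The site it runs against is constructed in memory; swapping make_fake_fetch for a real HTTP client (for instance one built on urllib) is the only change needed to use it on a scan you are validating.

```python
"""Triage a scanner's 'file found' reports against a soft-404 baseline.
Added example; the site below is constructed in memory, nothing is fetched over the network."""
import difflib
import secrets


def make_fake_fetch(pages, catch_all):
    """Return fetch(path) -> (status, body) for a constructed site: known paths come from
    `pages`, every other path gets `catch_all`, like a server that answers 200 with a
    friendly 'not found' page instead of a real 404."""
    def fetch(path):
        return pages.get(path, catch_all)
    return fetch


def soft404_baseline(fetch, samples=2):
    """Fetch a few random paths that cannot exist and keep the responses as the baseline."""
    return [fetch("/" + secrets.token_hex(8) + ".html") for _ in range(samples)]


def similarity(a, b):
    """0.0 .. 1.0 similarity of two response bodies."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def triage(findings, fetch, threshold=0.9):
    """Map each reported path to 'confirmed' or 'likely false positive'.

    A hit is likely a false positive when both its status code and its body look like what
    the server returns for garbage paths; it is confirmed when the status differs (a 403
    tells you the resource exists) or the body is clearly different content.
    """
    baseline = soft404_baseline(fetch)
    verdicts = {}
    for path in findings:
        status, body = fetch(path)
        looks_like_404 = all(
            status == b_status and similarity(body, b_body) >= threshold
            for b_status, b_body in baseline
        )
        verdicts[path] = "likely false positive" if looks_like_404 else "confirmed"
    return verdicts


# --- constructed site (example data) -----------------------------------------------
CATCH_ALL = (200, "<html><body><h1>Sorry, we could not find that page</h1>"
                  "<p>Try the <a href='/'>home page</a> instead.</p></body></html>")
PAGES = {
    "/": (200, "<html><body><h1>Welcome</h1><p>News, products and contact details.</p></body></html>"),
    "/robots.txt": (200, "User-agent: *\nDisallow: /private/\n"),
    "/server-status": (403, "<html><body><h1>Forbidden</h1></body></html>"),
}
# what a scanner would list as "found", because every one of these came back 200 or 403
SCANNER_HITS = ["/robots.txt", "/server-status", "/admin/", "/backup.zip", "/cgi-bin/test-cgi"]

if __name__ == "__main__":
    for path, verdict in triage(SCANNER_HITS, make_fake_fetch(PAGES, CATCH_ALL)).items():
        print(f"{path:<20} {verdict}")
```

If the "not found" page echoes the requested path, the bodies will differ slightly for every probe; strip the path from the body before comparing, or lower the threshold, rather than treating each echo as a confirmed file.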

Wednesday, July 9, 2008

Penetration testing tools - DirBuster

| Armando Romeo |
I decided to take a break from giving my two cents on the hot topics in the security industry and write some posts about the best tools for a web application penetration tester.

The selected tools are the ones I personally use every day and know best.
Comments are welcome on alternatives available in the open source area, since I'm not going to cover commercial tools.

The order of the tools will follow the natural order of use: information gathering tools, proxy tools (for manual exploration/exploitation), attacking tools.

Among the information gathering tools, DirBuster is one of the most effective (sometimes surprisingly so) at widening the attack surface.

A penetration tester must ensure, before any attack attempt, to have the widest possible "sight" of the application and to find all the hidden features the developer may have left somewhere under the web site root.
This is exactly the purpose of DirBuster.

The difference between a simple spider and DirBuster is that DirBuster sees what a spider can't!

DirBuster is an OWASP project aimed at discovering all those directories or files that a spider/crawler is not able to pick up. It works using wordlists of different sizes to check for the existence of such files, or as a fuzzer/brute forcer.

Web application developers tend to give common names to files or folders meant to be hidden, relying on the fact that these files or folders are not linked and as such hidden from crawlers.

Wrong, developers! Never play security by obscurity!

Folders like /admin, /administrator, /private and similar are included in the directory name lists provided with the tool.
In my personal experience, using just the small directory name list already discovers a lot of interesting stuff, while using the fuzzer you can exploit business logic flaws as well.

Another nice use of this tool is when you encounter a password protected folder. In one of my recent penetration testing efforts I had a password protected /admin directory. The DirBuster fuzzer found a bunch of files in that directory that were not protected (the logged-in status, hence the session variable, was not checked) and as such were freely available without brute-forcing the authentication.
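The /admin case above is a missing authorization check, not a DirBuster trick, so here is an added example (mine, not code from the post or from DirBuster) showing the pattern that produces it next to the fix. The file set, the dict-based session and the request dispatch are constructed stand-ins for a real framework: in the vulnerable version each script is expected to check the session itself and only the dashboard does, while in the hardened version the decision is taken once, on the normalized path, before any file under the protected prefix is served.

```python
"""Protecting an /admin area: a per-page check (the flaw described above) next to a
single gate on the path prefix. Added example with a constructed set of files; the
request handling is a stand-in for a real web framework."""
import posixpath

# Constructed site contents: the export script is never linked from the dashboard.
PUBLIC_FILES = {"/": "home page", "/login": "login form"}
ADMIN_FILES = {
    "/admin/index.php": "admin dashboard",
    "/admin/users.php": "user list",
    "/admin/export_backup.php": "full database dump",
}
LOGIN_REDIRECT = (302, "redirect to /login")


def logged_in(session):
    """The session is a plain dict here; a real app would use its framework's session."""
    return bool(session.get("admin"))


# --- vulnerable: each script is expected to check the session itself, and only one does
def serve_vulnerable(path, session):
    if path in PUBLIC_FILES:
        return 200, PUBLIC_FILES[path]
    if path == "/admin/index.php" and not logged_in(session):
        return LOGIN_REDIRECT
    if path in ADMIN_FILES:
        return 200, ADMIN_FILES[path]   # users.php and export_backup.php: no check at all
    return 404, "not found"


# --- hardened: authorization decided once, on the normalized path, before any dispatch
PROTECTED_PREFIXES = ("/admin",)


def normalize(path):
    """Collapse '.', '..' and repeated slashes so that /admin/../admin/x, //admin/x or
    /admin//x cannot slip past a prefix comparison. Assumes the server already
    percent-decoded the path and a case-sensitive filesystem (on a case-insensitive one,
    compare lower-cased paths)."""
    # posixpath.normpath keeps a leading "//", so strip all leading slashes and re-add one
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(path):
    """True for the prefix itself and anything below it; /administrator/ is not matched."""
    p = normalize(path)
    return any(p == prefix or p.startswith(prefix + "/") for prefix in PROTECTED_PREFIXES)


def serve_hardened(path, session):
    p = normalize(path)
    if is_protected(p) and not logged_in(session):
        return LOGIN_REDIRECT           # every file under /admin is covered, linked or not
    if p in PUBLIC_FILES:
        return 200, PUBLIC_FILES[p]
    if p in ADMIN_FILES:
        return 200, ADMIN_FILES[p]
    return 404, "not found"


if __name__ == "__main__":
    anonymous = {}
    for path in ["/admin/index.php", "/admin/export_backup.php", "/admin/../admin/export_backup.php"]:
        print(f"{path:<40} vulnerable={serve_vulnerable(path, anonymous)[0]} "
              f"hardened={serve_hardened(path, anonymous)[0]}")
```

The same gate belongs in the web server configuration as well (a directory-level auth requirement on /admin), so that a static file dropped into the folder is covered even when it never passes through application code.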

The fuzzer sometimes hangs; the project is still in beta. I hope they can improve it because it is essential and very easy to use.
As an alternative path fuzzer/brute forcer I use WebScarab or webshag.

DirBuster add-ons are:

- capability of using custom headers (you can use your own cookie)
- capability of using a proxy
- adding new HTML elements to extract links from

This is one of the first tools I fire up when starting a new job. It's extremely useful, lightweight and surprising!

Next time: Nikto/Wikto
