authormo khan <mo@mokhan.ca>2016-02-12 09:47:35 -0700
committermo khan <mo@mokhan.ca>2016-02-12 09:47:35 -0700
commitfdf678a67148857b75b884b9bf7b1773bc23c9d5 (patch)
tree9ad08e707d29736c46e442379a6b3b089d7002c9 /report
parent9fc7e6c1cc5754bec8a508102f07a7d569820374 (diff)
work on mapping and discovery sections.
Diffstat (limited to 'report')
-rw-r--r--report/discovery-webapp.csv1
-rw-r--r--report/discovery.csv28
-rw-r--r--report/template.tex154
3 files changed, 178 insertions, 5 deletions
diff --git a/report/discovery-webapp.csv b/report/discovery-webapp.csv
new file mode 100644
index 0000000..091ad40
--- /dev/null
+++ b/report/discovery-webapp.csv
@@ -0,0 +1 @@
+hostname,web app,vulnerability,exploitable
diff --git a/report/discovery.csv b/report/discovery.csv
new file mode 100644
index 0000000..77c9638
--- /dev/null
+++ b/report/discovery.csv
@@ -0,0 +1,28 @@
+hostname,ip,vulnerability,exploitable
+bwa,10.2.1.8,/phpmyadmin/: phpMyAdmin directory found,
+bwa,10.2.1.8,/wordpress/: A Wordpress installation was found.,
+bwa,10.2.1.8,OSVDB-3233: /icons/README: Apache default file found.,
+bwa,10.2.1.8,OSVDB-3268: /images/: Directory indexing found.,
+bwa,10.2.1.8,OSVDB-3268: /images/?pattern=/etc/\*\&sort=name: Directory indexing found.,
+bwa,10.2.1.8,OSVDB-40478: TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.,
+metasploitable,10.2.1.1,/phpMyAdmin/: phpMyAdmin directory found,
+metasploitable,10.2.1.1,OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.,
+metasploitable,10.2.1.1,OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases and should be protected or limited to authorized hosts.,
+metasploitable,10.2.1.1,OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases and should be protected or limited to authorized hosts.,
+metasploitable,10.2.1.1,OSVDB-3092: /test/: This might be interesting...,
+metasploitable,10.2.1.1,OSVDB-3233: /icons/README: Apache default file found.,
+metasploitable,10.2.1.1,OSVDB-3233: /phpinfo.php: Contains PHP configuration information,
+metasploitable,10.2.1.1,OSVDB-3268: /doc/: Directory indexing found.,
+metasploitable,10.2.1.1,OSVDB-3268: /icons/: Directory indexing found.,
+metasploitable,10.2.1.1,OSVDB-3268: /test/: Directory indexing found.,
+metasploitable,10.2.1.1,OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.,
+metasploitable,10.2.1.1,OSVDB-877: HTTP TRACE method is active suggesting the host is vulnerable to XST,
+tomcat-apache,10.2.1.6,Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.,
+tomcat-apache,10.2.1.6,OSVDB-3233: /icons/README: Apache default file found.,
+tomcat-apache,10.2.1.6,OSVDB-3268: /icons/: Directory indexing found.,
+ultimatelamp,10.2.1.3,OSVDB-3268: /images/: Directory indexing found.,
+ultimatelamp,10.2.1.3,OSVDB-3268: /images/?pattern=/etc/\*\&sort=name: Directory indexing found.,
+ultimatelamp,10.2.1.3,OSVDB-3233: /icons/README: Apache default file found.,
+ultimatelamp,10.2.1.3,OSVDB-40478: TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.,
+ultimatelamp,10.2.1.3,/wordpress/: A Wordpress installation was found.,
+ultimatelamp,10.2.1.3,/phpmyadmin/: phpMyAdmin directory found,
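Review bot: The `exploitable` column is empty in every row of discovery.csv, so the table that `\csvautotabular{discovery.csv}` renders in the Discovery section will carry a blank fourth column and the reader cannot tell which findings were actually confirmed against a host. Filling each cell with an explicit value (for example `yes`, `no` or `not tested`) would make the table answer the question its header poses; the OSVDB-40478 TikiWiki rows, whose own description says the flaw allows remote code execution, are the ones where this matters most for prioritising remediation. The `\*\&` in the two `/images/?pattern=` rows looks like it was pre-escaped for TeX because the cells are typeset verbatim by csvsimple; if so, a short comment in template.tex near the `\csvautotabular` call noting that CSV cells must be TeX-safe would save the next person who appends a row containing `&`, `_` or `%` from a compile error.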
diff --git a/report/template.tex b/report/template.tex
index da296ff..a65dc1c 100644
--- a/report/template.tex
+++ b/report/template.tex
@@ -172,11 +172,22 @@ Below is a list of open ports and services running. This list was put together u
\csvautotabular{ports.csv}
-\newpage
+My main focus was to identify ports used for hosting web applications and databases.
+The significant open ports to note are 80, 443, 8080, 3306, 5432.
-\noindent The following command :
-\begin{lstlisting}[language=bash]
-$ nmap -sV localhost
+Ports 80, 443 are typically used by web servers for serving HTTP traffic.
+8080 is usually used by backend application servers and typically bind to the 127.0.0.1
+interface. In the table above we can see that on the bwa host Apache Tomcat is binding
+to interface 0.0.0.0 making it directly accessible from outside the host.
+
+3306 is the default port used by mysql database.
+5432 is the default port used by the postgresql database.
+Gaining direct access to the database would give us access to the backend data
+that the web applications serve data from.
+
+\noindent The following command was used against each host:
+\begin{lstlisting}[language=bash, firstline=1, lastline=3]
+$ nmap -sV <hostname>
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-08 12:02 MST
Nmap scan report for localhost (127.0.0.1)
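Review bot: The listing now shows the command as `$ nmap -sV <hostname>` and the surrounding sentence says it was run against each host, but the captured output kept as context on the next lines still reads `Nmap scan report for localhost (127.0.0.1)`, so the example no longer illustrates the command it introduces. Either paste the output from one of the scanned hosts (e.g. the bwa run referred to in the paragraph above) or keep the command as `$ nmap -sV localhost` and state that the output is from the local run. The `firstline=1, lastline=3` keys appear to be honoured inside `lstlisting` as well as `\lstinputlisting`, so only the first three lines of the listing will be typeset; if the intent was to show the full port table, drop them. Grammar nit in the same hunk: "backend application servers and typically bind to" should read "binds".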
@@ -192,14 +203,147 @@ Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds
\end{lstlisting}
+\subsubsection{metasploitable.sait230.ca}
+
+I chose to spider the metasploitable website to analyze the full site locally
+to try to identify and information leakage in the website.
+
+\begin{lstlisting}[language=bash, firstline=1, lastline=1]
+$ wget -r metasploitable.sait230.ca
+\end
+
+The above command will recursively download the full metasploitable website. I ran grep
+on the downloaded source to try to find some keywords like password.
+
+\begin{lstlisting}[language=bash, firstline=1, lastline=1]
+$ grep -rn password metasploitable.sait230.ca/
+\end
+
+Here's one snippet that i discovered:
+
+\begin{lstlisting}[language=bash]
+metasploitable.sait230.ca/mutillidae/index.php?do=toggle-security&page=user-info.php:2: <!-- I think the database password is set to blank or perhaps samurai.
+\end{lstlisting}
+
+The above text shows then a client side html comment was left in the code that hints at a possible password for the database.
+
+Another example:
+
+\begin{lstlisting}[language=Bash]
+metasploitable.sait230.ca/mutillidae/index.php?page=site-footer-xss-discussion.php:5: It is ok to put the password in HTML comments because no user will ever see
+\end{lstlisting}
+
+The above statement is incorrect. Serverside comments will be rendered on the server
+and will be ommitted by most templating engines when producing html. However, it will
+not strip out html comments. Html comments can be easily viewed by all browsers. Passwords
+and information that gives away details about the backend system should never be
+writtin in a code comment.
+
+Next, I opened up the file metasploitable.sait230.ca/mutillidae/index.php and
+found the following code comment at the top of the HTML document.
+
+\begin{lstlisting}[language=HTML]
+<!-- I think the database password is set to blank or perhaps samurai.
+It depends on whether you installed this web app from irongeeks site or
+are using it inside Kevin Johnsons Samurai web testing framework.
+It is ok to put the password in HTML comments because no user will ever see
+this comment. I remember that security instructor saying we should use the
+framework comment symbols (ASP.NET, JAVA, PHP, Etc.)
+rather than HTML comments, but we all know those security instructors are
+just making all this up. -->
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
+"http://www.w3.org/TR/19 99/REC-html401-19991224/loose.dtd">
+\end{lstlisting}
+
+Next, I ran a nessus scan against this host:
+
+\subsubsection{bwa.sait230.ca}
+
\subsection{Exploits Available}
\newpage
\section{Discovery}
+
+System vulnerabilities discovered
+
+\csvautotabular{discovery.csv}
+
+Web Application vulnerabilities discovered
+
+\csvautotabular{discovery-webapp.csv}
+
+\subsection{Vulnerabilities for bwa.sait230.ca}
+
+nikto scan:
+
+\begin{lstlisting}[language=Bash]
++ OSVDB-3268: /images/: Directory indexing found.
++ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
++ OSVDB-3233: /icons/README: Apache default file found.
++ OSVDB-40478: /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=http://cirt.net/rfiinc.txt?: TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.
++ /wordpress/: A Wordpress installation was found.
++ /phpmyadmin/: phpMyAdmin directory found
++ 6474 items checked: 2 error(s) and 23 item(s) reported on remote host
++ End Time: 2016-02-12 11:16:58 (GMT-5) (58 seconds)
+---------------------------------------------------------------------------
++ 1 host(s) tested
+\end{lstlisting}[language=Bash]
+
\subsection{Vulnerabilities for metasploitable.sait230.ca}
+
+nikto scan:
+
+\begin{lstlisting}[language=Bash]
++ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
++ OSVDB-3233: /phpinfo.php: Contains PHP configuration information
++ OSVDB-3268: /doc/: Directory indexing found.
++ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
++ OSVDB-12184: /index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
++ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
++ OSVDB-3092: /phpMyAdmin/: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
++ OSVDB-3268: /test/: Directory indexing found.
++ OSVDB-3092: /test/: This might be interesting...
++ OSVDB-3268: /icons/: Directory indexing found.
++ OSVDB-3233: /icons/README: Apache default file found.
++ /phpMyAdmin/: phpMyAdmin directory found
++ 6474 items checked: 1 error(s) and 15 item(s) reported on remote host
++ End Time: 2016-02-12 11:16:54 (GMT-5) (54 seconds)
+---------------------------------------------------------------------------
++ 1 host(s) tested
+\end{lstlisting}
+
\subsection{Vulnerabilities for tomcat-apache.sait230.ca}
-\subsection{Vulnerabilities for bwa.sait230.ca}
+nikto scan:
+
+\begin{lstlisting}[language=Bash]
++ Server: Apache/2.2.16 (Debian)
++ Root page / redirects to: http://tomcat-apache.sait230.ca/cp
++ No CGI Directories found (use '-C all' to force check all possible dirs)
++ Apache/2.2.16 appears to be outdated (current is at least Apache/2.2.19). Apache 1.3.42 (final release) and 2.0.64 are also current.
++ OSVDB-3268: /icons/: Directory indexing found.
++ OSVDB-3233: /icons/README: Apache default file found.
++ 6474 items checked: 0 error(s) and 3 item(s) reported on remote host
++ End Time: 2016-02-12 11:16:21 (GMT-5) (21 seconds)
+---------------------------------------------------------------------------
++ 1 host(s) tested
+\end{lstlisting}
+
\subsection{Vulnerabilities for ultimatelamp.sait230.ca}
+nikto scan:
+
+\begin{lstlisting}[language=Bash]
++ OSVDB-3268: /images/: Directory indexing found.
++ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
++ OSVDB-3233: /icons/README: Apache default file found.
++ OSVDB-40478: /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.phpinfo()&t=png&title=http://cirt.net/rfiinc.txt?: TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.
++ /wordpress/: A Wordpress installation was found.
++ /phpmyadmin/: phpMyAdmin directory found
++ 6474 items checked: 3 error(s) and 23 item(s) reported on remote host
++ End Time: 2016-02-12 11:17:30 (GMT-5) (90 seconds)
+---------------------------------------------------------------------------
++ 1 host(s) tested
+\end{lstlisting}
+
\subsection{Tools}
* nikto