Information Networking Security and Assurance Lab National Chung Cheng University 1 A Vulnerability Assessment NIKTO.


1 Information Networking Security and Assurance Lab National Chung Cheng University 1 A Vulnerability Assessment NIKTO

2 Description
Nikto is a web server scanner that performs comprehensive tests against web servers for multiple items:
- 2600 potentially dangerous files/CGIs
- Versions on over 625 servers
- Version-specific problems on over 230 servers
Nikto supports LibWhisker's anti-IDS methods (IDS evasion).

3 Description
Nikto performs security or information checks:
- Misconfigurations
- Default files and scripts
- Insecure files and scripts
- Outdated software

4 Purpose
- To understand what a vulnerability scanner is and why we need it
- To become familiar with the operation of the Nikto vulnerability scanner

5 Principle and Pre-study
A look at whisker's anti-IDS tactics
- an HTTP request defined by RFC 1945
Types of IDS
- Smart
- Raw

6 IDS evasion
Evasion type | Evasion method
1 Method matching | GET /cgi-bin/some.cgi -> HEAD /cgi-bin/some.cgi
2 URL encoding | cgi-bin -> %63%67%69%2d%62%69%6e
3 Double slashes | /cgi-bin/some.cgi -> //cgi-bin//some.cgi
4 Reverse traversal | /cgi-bin/some.cgi -> GET /cgi-bin/blahblah/../some.cgi HTTP/1.0
5 Self-reference directories | cgi-bin/phf -> /./cgi-bin/./phf
6 Premature request ending | GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0\r\n\r\n
7 Parameter hiding | GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0
8 HTTP mis-formatting | Method URI HTTP/Version CRLF CRLF -> Method URI HTTP/ Version CRLF CRLF
9 Long URLs | GET /rfprfp rfprfp/../cgi-bin/some.cgi HTTP/1.0
10 DOS/Win directory syntax | "/cgi-bin/some.cgi" -> "/cgi-bin\some.cgi"
11 NULL method processing | GET%00 /cgi-bin/some.cgi HTTP/1.0
12 Case sensitivity | /cgi-bin/some.cgi -> /CGI-BIN/SOME.CGI
13 Session splicing | "GET / HTTP/1.0" -> "GE", "T ", "/", " H", "T", "TP", "/1", ".0"
14 In summary | Combine multiple tactics together
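A defender's view of the tactics listed above, as an added example that is not part of the original slides: a signature check that canonicalizes the request path before comparing, run against constructed request lines for tactics 1 to 12. The function names, the sample lines and the case-insensitive-target assumption belong to this example only; session splicing (tactic 13) needs TCP stream reassembly and is not covered.

```python
from urllib.parse import unquote

SIGNATURE = "/cgi-bin/some.cgi"  # the path used in the slide's examples

def naive_match(line: str) -> bool:
    """Raw substring signature, the kind of matching the tactics defeat."""
    return ("GET " + SIGNATURE) in line

def canonical_path(line: str) -> str:
    """Resolve the request path roughly the way a web server would."""
    parts = line.split()              # any whitespace run, so tabs parse too
    if len(parts) < 2:
        return ""
    raw = parts[1].split("?", 1)[0]   # only a literal '?' starts the query
    path = unquote(raw, encoding="latin-1")   # %63 -> c, %3f -> ?, %0d -> CR
    path = path.replace("\\", "/").lower()    # assumes a case-insensitive target
    stack = []
    for seg in path.split("/"):
        if seg in ("", "."):          # doubled slashes and self-references
            continue
        if seg == "..":               # reverse traversal drops one segment
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack)

def normalized_match(line: str) -> bool:
    """Method-independent match on the canonical path."""
    return canonical_path(line) == SIGNATURE

# Constructed request lines, one per tactic 1-12, all aimed at SIGNATURE.
SAMPLES = [
    "HEAD /cgi-bin/some.cgi HTTP/1.0",
    "GET /%63%67%69%2d%62%69%6e/some.cgi HTTP/1.0",
    "GET //cgi-bin//some.cgi HTTP/1.0",
    "GET /cgi-bin/blahblah/../some.cgi HTTP/1.0",
    "GET /./cgi-bin/./some.cgi HTTP/1.0",
    "GET /%20HTTP/1.0%0d%0aHeader:%20/../../cgi-bin/some.cgi HTTP/1.0",
    "GET /index.htm%3fparam=/../cgi-bin/some.cgi HTTP/1.0",
    "GET\t/cgi-bin/some.cgi\tHTTP/1.0",
    "GET /" + "rfp" * 200 + "/../cgi-bin/some.cgi HTTP/1.0",
    "GET /cgi-bin\\some.cgi HTTP/1.0",
    "GET%00 /cgi-bin/some.cgi HTTP/1.0",
    "GET /CGI-BIN/SOME.CGI HTTP/1.0",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(naive_match(s), normalized_match(s), repr(s[:60]))
```

Every sample slips past the raw substring check and is caught once the path is canonicalized, which is the difference between the "Raw" and "Smart" IDS types named in the pre-study slide.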

7 Required Facilities
Permission
- Do not proceed without receiving the necessary permissions
Hardware
- PC or workstation with UNIX-based OS
Software
- Perl 5.004
- Nikto 1.32
- Net::SSLeay
- LibWhisker
- OpenSSL

8 Step (I): install Nikto
Install Nikto from the ports tree.
After installing Nikto:
- patch /usr/local/bin/nikto.pl to point to config.txt
- patch /usr/local/etc/nikto/config.txt to point to the plugin directory

9 IDS evasion option; mutate checks option; IDS evasion method

10
- Basic scan information
- Report the result
- Web server banner and basic function
- Report some vulnerability and suggest the solution

11 Step (II): execute nikto
- Basic scan information
- Report the result
- Web server banner and basic function
- Report some vulnerability and suggest the solution

12 Step (III): IDS evasion
Detection with IDS evasion methods 1 and 2 on target 140.123.113.86

13 Summary
CGI exploits are everywhere. It is most important that you scan your own site so that you can see what attackers might see.
Nikto is an open source web server scanner, written in Perl, which supports SSL. It checks for remote web server vulnerabilities and misconfigurations.

14 Reference
- Nikto: http://www.cirt.net/code/nikto.html
- Comprehensive Perl Archive Network: http://www.cpan.org
- LibWhisker: http://www.wiretrip.net/rfp/lw.asp
- A look at whisker's anti-IDS tactics: http://www.wiretrip.net/rfp/txt/whiskerids.html

15 Outline
- A Real World Attack: wu-ftp
- Vulnerability Scanners
- All-Purpose Tools
- Application Inspection
- TRIPWIRE & MD5

