Testing your site's security

Attacking machine:

  • Hostname: hacker
  • FQDN: hacker.opensharing.priv
  • Aliases for Apache:
    • openvas.opensharing.priv
    • arachni.opensharing.priv
  • IP: 192.168.0.15
  • OS: Debian 10 Buster 64-bit

Target machine:

  • Hostname: mysite
  • FQDN: mysite.opensharing.priv
  • IP: 192.168.0.10
  • OS: Debian 10 Buster 64-bit

/etc/hosts file on the attacking machine:

127.0.0.1       localhost.localdomain                   localhost
192.168.0.15    hacker.opensharing.priv                 hacker
192.168.0.15    openvas.opensharing.priv                openvas
192.168.0.15    arachni.opensharing.priv                arachni
192.168.0.10    mysite.opensharing.priv                 mysite

OPENVAS

OpenVAS (Greenbone Security Manager)

  • http://www.openvas.org/
  • https://www.greenbone.net/en/community-edition/
  • https://www.greenbone.net/en/install_use_gce/

Installation

sudo apt-get install -y openvas
sudo openvas-setup

Note the password provided at the end of the installation (admin account), for example as below:

User created with password 'b190e718-ee07-4932-a16a-049a8fd1534d'.

Check the listening ports:

ss -4lntu

By default the GSM application listens on port 9392; you can connect to it locally with a browser:

First login

https://localhost:9392

Accept the certificate security exception and log in with the credentials provided (admin/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).

Change the provided (randomly generated) password.

Remote access

For remote access (restricted to localhost by default), edit the service files (see below).

First, do a dry run (the files are not modified, the result is only printed):

sudo sed -e 's/127.0.0.1/0.0.0.0/g' /lib/systemd/system/{greenbone-security-assistant.service,openvas-manager.service}

To apply the changes (same sed command with the -i option at the end, which performs the substitution in place):

sudo sed -e 's/127.0.0.1/0.0.0.0/g' /lib/systemd/system/{greenbone-security-assistant.service,openvas-manager.service} -i

Set the web server name for remote access (here openvas.opensharing.priv):

sudo nano /lib/systemd/system/greenbone-security-assistant.service

Edit the following line:

ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=openvas.opensharing.priv --timeout=1440

Reload the systemd configuration and restart the services:

sudo systemctl daemon-reload
sudo openvas-stop
sudo openvas-start

You can now connect from a remote host:

https://openvas.opensharing.priv:9392

Scanning the target machine

Assets > Hosts > New Host
Name : 192.168.0.10
Create Target from Host
Name : MySite
SSH > Create a credential
      Name : MySite SSH Connection
      Type : Username + Password
      Username : sysadmin
      Password : sysadmin
Scans > Tasks > New Task
Name : MySite Scan
Scan Targets : MySite
Scan Config : Full and very deep ultimate
MySite Scan > Start

Set the page refresh interval, e.g.:

Refresh every 30 Sec.

ARACHNI

Arachni

  • https://www.arachni-scanner.com/
  • https://www.arachni-scanner.com/download/

Installation

mkdir ~/arachni
wget -qO - https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz | tar zxv -C ~/arachni/ --strip-components 1
echo "export OPENSSL_CONF=/etc/ssl/" >> ~/arachni/system/environment

Starting the service

~/arachni/bin/arachni_web

Usage

To launch the Web interface:
    bin/arachni_web

Default account details:

    Administrator:
        E-mail address: admin@admin.admin
        Password:       administrator

    User:
        E-mail address: user@user.user
        Password:       regular_user

For a quick scan: via the command-line interface:
    bin/arachni http://test.com

To see the available CLI options:
    bin/arachni -h

First login

http://localhost:9292

Remote access

sudo apt-get install -y apache2 apache2-doc
sudo nano /etc/apache2/sites-available/arachni.conf
<VirtualHost *:8080>

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyPass / http://localhost:9292/
   ProxyPassReverse / http://localhost:9292/

   ErrorLog /var/log/apache2/arachni.error.log
   CustomLog /var/log/apache2/arachni.access.log combined

</VirtualHost>
sudo a2dissite 000-default
sudo a2ensite arachni
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo nano /etc/apache2/ports.conf
#Listen 80
Listen 8080
sudo systemctl restart apache2

You can now connect from a remote host:

http://arachni.opensharing.priv:8080/

NIKTO

Nikto

  • https://cirt.net/Nikto2
  • https://github.com/sullo/nikto

Installation without Docker

mkdir ~/nikto/
wget -qO - https://github.com/sullo/nikto/archive/2.1.6.tar.gz | tar zxv -C ~/nikto/ --strip-components 1

Running the scan against the target machine:

perl ~/nikto/program/nikto.pl -h http://mysite.opensharing.priv
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.168.0.10
+ Target Hostname:    mysite.opensharing.priv
+ Target Port:        80
+ Start Time:         2019-09-02 11:23:03 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://mysite.opensharing.priv/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /readme, fields: 0x238f 0x58f6d60099040;591872ea8b28a 
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: WordPress' wp-app.log may leak application/system details.
+ /wordpress/: A WordPress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ 7505 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2019-09-02 11:28:36 (GMT2) (333 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
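Added example, not part of the page or of Nikto itself: a small Python parser over the text report above (the sample is constructed from a few of its lines) that separates the findings from the metadata and maps the missing-header, ETag, directory-indexing and cookie findings to the Apache 2.4 directives that address them; the directive mapping is an assumption of this example, chosen from standard mod_headers, core and mod_autoindex options.

```python
import re

# Nikto 2.1.6 text report for mysite.opensharing.priv, constructed here from a
# few representative lines of the run shown on this page (not the full output).
NIKTO_REPORT = """\
- Nikto v2.1.6
+ Target IP:          192.168.0.10
+ Target Hostname:    mysite.opensharing.priv
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Server leaks inodes via ETags, header found with file /readme, fields: 0x238f 0x58f6d60099040;591872ea8b28a
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ 7505 requests: 0 error(s) and 19 item(s) reported on remote host
"""

# Pattern over a finding line -> Apache 2.4 directive that addresses it. These are
# standard mod_headers / core / mod_autoindex directives chosen here, not Nikto output.
REMEDIATIONS = [
    (r"X-Frame-Options header is not present", 'Header always set X-Frame-Options "SAMEORIGIN"'),
    (r"X-Content-Type-Options header is not set", 'Header always set X-Content-Type-Options "nosniff"'),
    (r"X-XSS-Protection header is not defined", 'Header always set X-XSS-Protection "1; mode=block"'),
    (r"leaks inodes via ETags", "FileETag MTime Size"),
    (r"Directory indexing found", "Options -Indexes"),
    # Blanket edit: adds HttpOnly to every Set-Cookie Apache emits; review cookies that must stay script-readable.
    (r"without the httponly flag", 'Header edit Set-Cookie ^(.*)$ "$1; HttpOnly"'),
]

# Metadata lines Nikto also prefixes with '+ ' but which are not findings.
META = re.compile(r"^\+ (Target |Start Time|End Time|Server:|\d+ requests|\d+ host)")

def parse_findings(report):
    """Return the finding lines of a Nikto text report, '+ ' prefix stripped."""
    return [line[2:] for line in report.splitlines()
            if line.startswith("+ ") and not META.match(line)]

def remediation_plan(report):
    """Map each finding that has a known Apache fix to the directive to add."""
    plan = {}
    for finding in parse_findings(report):
        for pattern, directive in REMEDIATIONS:
            if re.search(pattern, finding):
                plan[finding] = directive
    return plan
```

Findings without a mapping (here the Apache default file under /icons/) are left out of the plan and still need a manual look.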

Installation with Docker and Git

Installing Docker:

sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common gnupg2
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
echo "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee -a /etc/apt/sources.list.d/docker.list
sudo apt-get update
sudo apt-get install -y docker-ce
sudo systemctl enable docker
sudo usermod sysadmin -aG docker
reboot

Installing Nikto by cloning the GitHub repository:

sudo apt-get install -y git
git clone https://github.com/sullo/nikto.git
cd nikto/

Building an image:

docker build -t sullo/nikto .

Show the help:

docker run --rm sullo/nikto

Basic usage:

docker run --rm sullo/nikto -h http://mysite.opensharing.priv

Save the scan result to an output file:

docker run --rm -v $(pwd):/tmp sullo/nikto -h http://mysite.opensharing.priv -o /tmp/out.json

WPSCAN

WPScan (WordPress Vulnerability Scanner):

  • https://github.com/wpscanteam/wpscan

Installing Ruby

sudo apt-get install -y ruby-full libz-dev
echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Installing WPScan

gem install wpscan

Usage

Enumerate users, installed themes and installed plugins:

wpscan --url http://mysite.opensharing.priv -e u,t,p -o result.txt

Enumerate users, vulnerable themes and vulnerable plugins:

wpscan --url http://mysite.opensharing.priv -e u,vt,vp -o result.txt

Brute force using the enumerated usernames:

wpscan --url http://mysite.opensharing.priv -P passwordslist.txt -U mysiteadmin -o result.txt
wpscan --url http://mysite.opensharing.priv -P passwordslist.txt -U usernameslist.txt -o result.txt

Note: the brute-force scan is extremely memory-hungry and can take a very long time.

Update the database:

wpscan --update

Show the available options:

wpscan --help

APACHE2BUDDY

Apache2buddy: testing a website's Apache configuration

  • https://github.com/richardforth/apache2buddy/

curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl

Or alternatively, if the OS is not supported:

curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl - --skip-os-version-check

#################################################################
apache2buddy.pl report for mysite.opensharing.priv (85.203.13.29)
#################################################################
[ OK ] This script is being run as root.
[ OK ] The utility 'pmap' exists and is available for use: /usr/bin/pmap
[ OK ] The utility 'netstat' exists and is available for use: /usr/bin/netstat
[ OK ] 'php' exists and is available for use: /usr/bin/php
[ OK ] The utility 'apachectl' exists and is available for use: /usr/sbin/apachectl
[ OK ] The 'python' binary exists and is available for use: /usr/bin/python
[ OK ] The port (port 80) is a valid port.
[ ] We are attempting to discover the operating system type and version number …
[ ] Distro: debian
[ ] Version: 10.1
[ ] Codename:
[ >> ] OS Version Checks were skipped by user directive, you may get errors.
[ ] Hostname: mysite.opensharing.priv
[ ] Primary IP: 85.203.13.29
[ ] We are checking the service running on port 80
[ ] The process listening on port 80 is /usr/sbin/apache2
[ ] The process running on port 80 is Apache/2.4.38 (Debian).
[ ] The full path to the Apache config file is: /etc/apache2/apache2.conf
[ ] Apache is using prefork model.
[ ] pidfile setting is /var/run/apache2$SUFFIX/apache2.pid.
[ ] Actual pidfile is /var/run/apache2/apache2.pid.
[ ] Parent PID: 730.
[ OK ] Memory usage of parent PID is less than 50MB: 9448 Kilobytes.
[ ] Apache has been running 0d 0h 13m 26s.
[ !! ] *** LOW UPTIME ***.
[ @@ ] The following recommendations may be misleading - apache has been restarted within the last 24 hours.
[ ] Your server has 1995 MB of PHYSICAL memory.
[ >> ] ServerLimit directive not found, assuming default values.
[ ] Your ServerLimit setting is 256.
[ ] Your MaxRequestWorkers setting is 150.
[ OK ] Current Apache Process Count is 6, including the parent PID.
[ ] Number of vhosts detected: 0.
[ OK ] Current Apache vHost Count is less than maxrequestworkers.
[ @@ ] vHost Count works only when we have NameVirtualHosting enabled, check config manually, they may only have the default vhost.
[ >> ] MaxRequestsPerChild directive not found.
[ ] This server is NOT running Plesk.
[ ] This server is NOT running cPanel.
[ ] This server is NOT running Virtualmin.
Use of uninitialized value $real_config in concatenation (.) or string at - line 1212 (#1)

(W uninitialized) An undefined value was used as if it were already defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.

To help you figure out what was undefined, perl will try to tell you the name of the variable (if any) that was undefined. In some cases it cannot do this, so it also tells you what operation you used the undefined value in. Note, however, that perl optimizes your program and the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program.

Use of uninitialized value $apache_proc_php in concatenation (.) or string at - line 2366 (#1)
[ ] Your PHP Memory Limit (Per-Process) is .
Use of uninitialized value $apache_proc_php in string eq at - line 2367 (#1)
[ ] MySQL Detected => Using 89.91 MB of memory.

[ OK ] No large log files were found in /var/log/apache2.
[ OK ] MaxClients has not been hit recently.
[ >> ] Apache only logs maxclients/maxrequestworkers hits once in a lifetime, if no restart has happened this event may have been rotated away.
[ >> ] As a backup check, please compare number of running apache processes (minus 1 for parent) against maxclients/maxrequestworkers.
[ >> ] For more information see
https://github.com/apache/httpd/blob/0b61edca6cdda2737aa1d84a4526c5f9d2e23a8c/server/mpm/prefork/prefork.c#L809
[ OK ] No PHP Fatal Errors were found.
[ OK ] No package updates found.
[ ] apache2 is currently using 125.35 MB of memory.
[ ] The smallest apache process is using 9.27 MB of memory
[ ] The average apache process is using 9.27 MB of memory
[ ] The largest apache process is using 9.27 MB of memory
[ OK ] Going by the average Apache process, Apache can potentially use 1390.51 MB RAM:
Without considering services: 69.70 % of total installed RAM
Considering extra services: 72.99 % of remaining RAM
[ OK ] Going by the largest Apache process, Apache can potentially use 1390.51 MB RAM:
Without considering services: 69.70 % of total installed RAM
Considering extra services: 72.99 % of remaining RAM


--------------------------------------------------------------------------------
### GENERAL FINDINGS & RECOMMENDATIONS ###
--------------------------------------------------------------------------------
Apache2buddy.pl report for server: mysite.opensharing.priv (85.203.13.29):

Settings considered for this report:
[ !! ] *** LOW UPTIME ***.
[ @@ ] The following recommendations may be misleading - apache has been restarted within the last 24 hours.

Your server's physical RAM: 1995 MB
Remaining Memory after other services considered: 1905 MB
Apache's MaxRequestWorkers directive: 150 <--------- Current Setting
Apache MPM Model: prefork
Largest Apache process (by memory): 9 MB
[ !! ] Your MaxRequestWorkers setting is too low.
Your recommended MaxRequestWorkers setting is between 184 and 205. <------- Acceptable Range (10% of MAX)
Max potential memory usage: 1390 MB
Percentage of TOTAL RAM allocated to Apache: 69.70 %
Percentage of REMAINING RAM allocated to Apache: 72.99 %
--------------------------------------------------------------------------------
A log file entry has been made in: /var/log/apache2buddy.log for future reference.

Last 5 entries:

2019/10/26 18:39:56 Uptime: "0d 0h 26m 10s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/26 23:55:48 Uptime: "0d 05h 42m 03s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/26 23:56:45 Uptime: "0d 05h 43m 00s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/27 11:27:53 Uptime: "0d 0h 13m 18s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "205" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.99%" (69.70% TOTAL RAM)
2019/10/27 11:27:59 Uptime: "0d 0h 13m 26s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "205" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.99%" (69.70% TOTAL RAM)
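The figures in the report above, carried through as an added Python example (not apache2buddy's own code): the arithmetic reproduces the remaining RAM, the 1390 MB worst case, the two percentages and the 184 to 205 recommended range; the extra check with ServerLimit's default of 256, which the report mentions, is an assumption of this example.

```python
from math import floor

# Figures from the apache2buddy report above (constructed input, copied from the
# page): physical RAM, memory held by other services (MySQL), the largest Apache
# worker, and the current MaxRequestWorkers setting.
REPORT = {
    "total_ram_mb": 1995.0,
    "other_services_mb": 89.91,
    "largest_proc_mb": 9.27,
    "max_request_workers": 150,
}

def size_prefork(total_ram_mb, other_services_mb, largest_proc_mb,
                 max_request_workers, headroom=0.10):
    """Reproduce the prefork sizing arithmetic behind the report.

    Under prefork every worker is a full process, so the worst case is
    MaxRequestWorkers * largest worker. The ceiling is how many largest-size
    workers fit in the RAM left after other services; the acceptable range
    stays `headroom` (10 %) below that ceiling.
    """
    remaining = total_ram_mb - other_services_mb
    max_potential = max_request_workers * largest_proc_mb
    ceiling = floor(remaining / largest_proc_mb)
    low = floor(ceiling * (1 - headroom))
    if max_request_workers < low:
        verdict = "too low"
    elif max_request_workers > ceiling:
        verdict = "too high"
    else:
        verdict = "ok"
    return {
        "remaining_mb": floor(remaining),
        "max_potential_mb": round(max_potential, 2),
        "pct_total": round(100 * max_potential / total_ram_mb, 2),
        "pct_remaining": round(100 * max_potential / remaining, 2),
        "recommended": (low, ceiling),
        "verdict": verdict,
    }

def can_exhaust_ram(total_ram_mb, other_services_mb, largest_proc_mb, max_request_workers):
    """True when a fully loaded pool would exceed the RAM left for Apache,
    i.e. the setting could push the host into swap or the OOM killer."""
    return max_request_workers * largest_proc_mb > total_ram_mb - other_services_mb
```

The same function applied to the ServerLimit default of 256 shows why raising MaxRequestWorkers above the recommended ceiling on this host is unsafe.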

