
Attacking machine:
- Hostname: hacker
- FQDN: hacker.opensharing.priv
- Aliases for Apache:
  - openvas.opensharing.priv
  - arachni.opensharing.priv
- IP: 192.168.0.15
- OS: Debian 10 Buster 64-bit
Target machine:
- Hostname: mysite
- FQDN: mysite.opensharing.priv
- IP: 192.168.0.10
- OS: Debian 10 Buster 64-bit
/etc/hosts file on the attacking machine:
127.0.0.1 localhost.localdomain localhost
192.168.0.15 hacker.opensharing.priv hacker
192.168.0.15 openvas.opensharing.priv openvas
192.168.0.15 arachni.opensharing.priv arachni
192.168.0.10 mysite.opensharing.priv mysite
OPENVAS
OpenVAS (Greenbone Security Manager)
- http://www.openvas.org/
- https://www.greenbone.net/en/community-edition/
- https://www.greenbone.net/en/install_use_gce/
Installation
sudo apt-get install -y openvas
sudo openvas-setup
Note the password printed at the end of the installation (admin account), for example:
User created with password 'b190e718-ee07-4932-a16a-049a8fd1534d'.
Check the listening ports:
ss -4lntu
The web interface (Greenbone Security Assistant, gsad) normally listens on port 9392 and the manager (openvasmd) on port 9390; both are bound to 127.0.0.1 at this stage, so connect locally from a browser:
First login
https://localhost:9392
Accept the certificate security exception and log in with the credentials provided (admin/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx).
Change the supplied (randomly generated) password.
Remote access
For remote access (restricted to localhost by default), edit the service unit files (see below). Two things to keep in mind: the files under /lib/systemd/system belong to the packages and are overwritten on the next upgrade (a drop-in created with "sudo systemctl edit greenbone-security-assistant.service" survives upgrades), and binding to 0.0.0.0 exposes both the web UI (9392) and the manager's OMP port (9390) on every interface. Outside an isolated lab, bind to the LAN address 192.168.0.15 instead of 0.0.0.0, or firewall both ports down to the hosts that need them.
First do a dry run (the files are not modified; sed prints the result to stdout):
sudo sed -e 's/127.0.0.1/0.0.0.0/g' /lib/systemd/system/{greenbone-security-assistant.service,openvas-manager.service}
To apply the changes (same sed command with the -i option appended, so the substitution is written in place):
sudo sed -e 's/127.0.0.1/0.0.0.0/g' /lib/systemd/system/{greenbone-security-assistant.service,openvas-manager.service} -i
Set the web server name for remote access (here openvas.opensharing.priv). gsad validates the HTTP Host header to defeat DNS rebinding against the UI, so the name you browse to must be listed with --allow-header-host:
sudo nano /lib/systemd/system/greenbone-security-assistant.service
Edit the following line:
ExecStart=/usr/sbin/gsad --foreground --listen=0.0.0.0 --port=9392 --mlisten=0.0.0.0 --mport=9390 --allow-header-host=openvas.opensharing.priv --timeout=1440
Reload systemd and restart the services:
sudo systemctl daemon-reload
sudo openvas-stop
sudo openvas-start
You can now connect from a remote host:
https://openvas.opensharing.priv:9392
Scanning the target machine
Assets > Hosts > New Host
- Name: 192.168.0.10
Create Target from Host
- Name: MySite
- SSH > Create a credential
  - Name: MySite SSH
  - Connection Type: Username + Password
  - Username: sysadmin
  - Password: sysadmin
The SSH credential turns this into an authenticated scan (local package and configuration checks on the target in addition to the network checks). sysadmin/sysadmin is a lab value; on a real target use a dedicated, low-privilege account created for the scanner.
Scans > Tasks > New Task
- Name: MySite Scan
- Scan Targets: MySite
- Scan Config: Full and very deep ultimate
The "ultimate" configs enable the unsafe checks that can crash services, so only run them against systems you are allowed to disrupt.
MySite Scan > Start
Set the page refresh interval, e.g.:
Refresh every 30 Sec.



ARACHNI
Arachni
- https://www.arachni-scanner.com/
- https://www.arachni-scanner.com/download/
Installation
mkdir ~/arachni
wget -qO - https://github.com/Arachni/arachni/releases/download/v1.5.1/arachni-1.5.1-0.5.12-linux-x86_64.tar.gz | tar zxv -C ~/arachni/ --strip-components 1
echo "export OPENSSL_CONF=/etc/ssl/" >> ~/arachni/system/environment
The last line points the OpenSSL bundled with Arachni at the system OpenSSL configuration directory, which is needed on Debian 10.
Starting the service
~/arachni/bin/arachni_web
Usage
To launch the Web interface:
bin/arachni_web
Default account details:
Administrator:
E-mail address: admin@admin.admin
Password: administrator
User:
E-mail address: user@user.user
Password: regular_user
For a quick scan via the command-line interface:
bin/arachni http://test.com
To see the available CLI options:
bin/arachni -h
First login
http://localhost:9292
Remote access
sudo apt-get install -y apache2 apache2-doc
sudo nano /etc/apache2/sites-available/arachni.conf
<VirtualHost *:8080>
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:9292/
    ProxyPassReverse / http://localhost:9292/
    ErrorLog /var/log/apache2/arachni.error.log
    CustomLog /var/log/apache2/arachni.access.log combined
</VirtualHost>
sudo a2dissite 000-default
sudo a2ensite arachni
sudo a2enmod proxy
sudo a2enmod proxy_http
sudo nano /etc/apache2/ports.conf
#Listen 80
Listen 8080
sudo systemctl restart apache2
You can now connect from a remote host:
http://arachni.opensharing.priv:8080/
Keep ProxyRequests Off: it is what stops Apache from also acting as an open forward proxy. The proxied UI is plain HTTP and still carries Arachni's default accounts listed above, so change those passwords before opening port 8080 to anything beyond the lab, and restrict the port by firewall to your workstation (or put it behind a TLS virtual host). apache2-doc is optional here; it publishes the Apache manual at /manual/, which is exactly the kind of information disclosure Nikto flags on the target below.



NIKTO
Nikto
- https://cirt.net/Nikto2
- https://github.com/sullo/nikto
Installation without Docker
mkdir ~/nikto/
wget -qO - https://github.com/sullo/nikto/archive/2.1.6.tar.gz | tar zxv -C ~/nikto/ --strip-components 1
Run the scan against the target machine:
perl ~/nikto/program/nikto.pl -h http://mysite.opensharing.priv
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 192.168.0.10
+ Target Hostname: mysite.opensharing.priv
+ Target Port: 80
+ Start Time: 2019-09-02 11:23:03 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.38 (Debian)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://mysite.opensharing.priv/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'x-redirect-by' found, with contents: WordPress
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ Server leaks inodes via ETags, header found with file /readme, fields: 0x238f 0x58f6d60099040;591872ea8b28a
+ Uncommon header 'tcn' found, with contents: choice
+ OSVDB-3092: /readme: This might be interesting...
+ OSVDB-3092: /manual/: Web server manual found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /wp-links-opml.php: This WordPress script reveals the installed version.
+ OSVDB-3092: /license.txt: License file found may identify site software.
+ /wp-app.log: WordPress' wp-app.log may leak application/system details.
+ /wordpress/: A WordPress installation was found.
+ Cookie wordpress_test_cookie created without the httponly flag
+ 7505 requests: 0 error(s) and 19 item(s) reported on remote host
+ End Time: 2019-09-02 11:28:36 (GMT2) (333 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
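Most of the items above are response-header hygiene, which is cheap to re-check after hardening Apache without re-running a 7500-request scan. The script below is an added example (not part of Nikto or of the original page): it audits one response for the missing X-Frame-Options, X-Content-Type-Options and X-XSS-Protection headers, for a Set-Cookie without HttpOnly, for a Server banner that carries a version, and for an Apache-style ETag. The "suggested" header values, the sample headers (constructed to mirror the scan output, not a real capture) and the script name are the author's assumptions. It also encodes a caveat about the inode finding: Apache's ETag is a dash-joined list of hex fields chosen by FileETag, and only the pre-2.4 default "INode MTime Size" (three fields) includes the inode; Apache 2.4 defaults to "MTime Size", and the ETag in the scan has two fields plus a ";..." content-negotiation variant tag (the scan also shows "tcn: choice"), so that finding should be confirmed against the FileETag setting on mysite rather than taken at face value.

```python
"""header_audit.py (hypothetical name): re-check Nikto's header findings.
Added example, not Nikto's own code."""
import re
import sys
from http.client import HTTPConnection, HTTPSConnection
from urllib.parse import urlparse

# Headers Nikto flagged as absent, with a hardened value to suggest
# (assumed baseline; Apache sets them via mod_headers "Header always set").
EXPECTED_HEADERS = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}

# Apache-style ETag: optional weak marker, quoted dash-joined hex fields,
# optional ";variant" suffix added by mod_negotiation (MultiViews).
ETAG_RE = re.compile(r'^(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+)*)(?:;[0-9a-f]+)?"$', re.I)


def etag_field_count(etag):
    """Number of hex fields in an Apache-style ETag, 0 if it is not one.
    Three fields means FileETag INode MTime Size (inode leak); two is the
    Apache 2.4 default MTime Size."""
    m = ETAG_RE.match(etag.strip())
    return len(m.group(1).split("-")) if m else 0


def audit_headers(headers):
    """headers: iterable of (name, value) pairs, as HTTPResponse.getheaders()
    returns them. Returns a list of finding strings (empty means clean)."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        if name not in by_name:
            findings.append(f"missing header {name} (suggested value: {want})")
    for etag in by_name.get("etag", []):
        if etag_field_count(etag) >= 3:
            findings.append(f"ETag {etag} has 3 fields: inode leak (FileETag INode)")
    for cookie in by_name.get("set-cookie", []):
        parts = [p.strip() for p in cookie.split(";")]
        cname = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} set without the HttpOnly flag")
    for server in by_name.get("server", []):
        if re.search(r"/\d", server):          # e.g. "Apache/2.4.38 (Debian)"
            findings.append(f"Server header reveals a version: {server}")
    return findings


def audit_url(url, path="/"):
    """Fetch one response from url (e.g. http://mysite.opensharing.priv)
    and audit its headers. Network call; the offline sample does not use it."""
    u = urlparse(url)
    cls = HTTPSConnection if u.scheme == "https" else HTTPConnection
    conn = cls(u.hostname, u.port, timeout=10)
    try:
        conn.request("GET", path, headers={"User-Agent": "header-audit"})
        return audit_headers(conn.getresponse().getheaders())
    finally:
        conn.close()


# Constructed sample mirroring the scan output above (not a real capture).
SAMPLE_HEADERS = [
    ("Date", "Mon, 02 Sep 2019 09:23:03 GMT"),
    ("Server", "Apache/2.4.38 (Debian)"),
    ("Link", '<http://mysite.opensharing.priv/wp-json/>; rel="https://api.w.org/"'),
    ("X-Redirect-By", "WordPress"),
    ("Set-Cookie", "wordpress_test_cookie=WP+Cookie+check; path=/"),
    ("ETag", '"238f-58f6d60099040;591872ea8b28a"'),
    ("TCN", "choice"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for finding in (audit_url(target) if target else audit_headers(SAMPLE_HEADERS)):
        print("+", finding)
```

Run without arguments it reports five findings on the constructed sample (three missing headers, the test cookie without HttpOnly, the versioned Server banner) and none for the ETag; with a URL it audits the live response. On the Apache side the usual fixes are ServerTokens Prod and ServerSignature Off for the banner, "Header always set" lines in mod_headers for the three headers, an explicit FileETag MTime Size (or None) if the inode turns out to be included, Options -Indexes or disabling mod_autoindex for the /manual/images/ and /icons/ hits, and purging apache2-doc to remove /manual/. wordpress_test_cookie carries no session data, so that item is low risk; WordPress's own auth cookies are already HttpOnly.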
Installation with Docker and Git
Installing Docker:
sudo apt-get install -y apt-transport-https ca-certificates curl software-properties-common gnupg2
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
echo "deb [arch=amd64] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | sudo tee -a /etc/apt/sources.list.d/docker.list
sudo apt-get update
sudo apt-get install -y docker-ce
sudo systemctl enable docker
sudo usermod sysadmin -aG docker
reboot
Membership of the docker group is equivalent to root on the host (any member can start a container with / mounted inside it), so grant it only to the account that actually runs the scans.
Installing Nikto by cloning the GitHub repository:
sudo apt-get install -y git
git clone https://github.com/sullo/nikto.git
cd nikto/
Build an image:
docker build -t sullo/nikto .
Show the help:
docker run --rm sullo/nikto
Basic usage:
docker run --rm sullo/nikto -h http://mysite.opensharing.priv
Save the scan result to an output file (the container only sees the current directory, mounted on /tmp; Nikto picks the output format from the extension, here JSON):
docker run --rm -v $(pwd):/tmp sullo/nikto -h http://mysite.opensharing.priv -o /tmp/out.json
WPSCAN
WPScan (WordPress vulnerability scanner):
- https://github.com/wpscanteam/wpscan
Installing Ruby
sudo apt-get install -y ruby-full libz-dev
echo '# Install Ruby Gems to ~/gems' >> ~/.bashrc
echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
source ~/.bashrc
Installing WPScan
gem install wpscan
Usage
Enumerate users, installed themes and installed plugins:
wpscan --url http://mysite.opensharing.priv -e u,t,p -o result.txt
Enumerate users, vulnerable themes and vulnerable plugins:
wpscan --url http://mysite.opensharing.priv -e u,vt,vp -o result.txt
Recent WPScan 3.x releases only fetch the vulnerability data behind vt/vp when an API token from wpscan.com is supplied with --api-token; without it the enumeration still runs but no vulnerability entries are shown.
Brute-force the passwords of the enumerated users (-U accepts either a single username or a file of usernames, -P a password list):
wpscan --url http://mysite.opensharing.priv -P passwordslist.txt -U mysiteadmin -o result.txt
wpscan --url http://mysite.opensharing.priv -P passwordslist.txt -U usernameslist.txt -o result.txt
Note: the brute-force scan is extremely memory-hungry and can take a very long time. It also writes one failed login per attempt into the target's logs and will be stopped by any login rate-limiting plugin, which is worth knowing both as the tester and as the person watching the logs.
Update the database:
wpscan --update
Show the available options:
wpscan --help
APACHE2BUDDY
Apache2buddy: check the Apache configuration of a web site
- https://github.com/richardforth/apache2buddy/
It inspects the local Apache processes and configuration rather than scanning over the network, so it runs on the web server itself (here mysite):
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl
Or, alternatively, if the OS is not supported:
curl -sL https://raw.githubusercontent.com/richardforth/apache2buddy/master/apache2buddy.pl | sudo perl - --skip-os-version-check
Both one-liners execute whatever the remote master branch serves at that moment, as root. Outside a throwaway lab, download the script first, read it, and then run it with sudo perl apache2buddy.pl.
#################################################################
apache2buddy.pl report for mysite.opensharing.priv (85.203.13.29)
#################################################################
[ OK ] This script is being run as root.
[ OK ] The utility 'pmap' exists and is available for use: /usr/bin/pmap
[ OK ] The utility 'netstat' exists and is available for use: /usr/bin/netstat
[ OK ] 'php' exists and is available for use: /usr/bin/php
[ OK ] The utility 'apachectl' exists and is available for use: /usr/sbin/apachectl
[ OK ] The 'python' binary exists and is available for use: /usr/bin/python
[ OK ] The port (port 80) is a valid port.
[ -- ] We are attempting to discover the operating system type and version number ...
[ -- ] Distro: debian
[ -- ] Version: 10.1
[ -- ] Codename:
[ >> ] OS Version Checks were skipped by user directive, you may get errors.
[ -- ] Hostname: mysite.opensharing.priv
[ -- ] Primary IP: 85.203.13.29
[ -- ] We are checking the service running on port 80...
[ -- ] The process listening on port 80 is /usr/sbin/apache2
[ -- ] The process running on port 80 is Apache/2.4.38 (Debian).
[ -- ] The full path to the Apache config file is: /etc/apache2/apache2.conf
[ -- ] Apache is using prefork model.
[ -- ] pidfile setting is /var/run/apache2$SUFFIX/apache2.pid.
[ -- ] Actual pidfile is /var/run/apache2/apache2.pid.
[ -- ] Parent PID: 730.
[ OK ] Memory usage of parent PID is less than 50MB: 9448 Kilobytes.
[ -- ] Apache has been running 0d 0h 13m 26s.
[ !! ] *** LOW UPTIME ***.
[ @@ ] The following recommendations may be misleading - apache has been restarted within the last 24 hours.
[ -- ] Your server has 1995 MB of PHYSICAL memory.
[ >> ] ServerLimit directive not found, assuming default values.
[ -- ] Your ServerLimit setting is 256.
[ -- ] Your MaxRequestWorkers setting is 150.
[ OK ] Current Apache Process Count is 6, including the parent PID.
[ -- ] Number of vhosts detected: 0.
[ OK ] Current Apache vHost Count is less than maxrequestworkers.
[ @@ ] vHost Count works only when we have NameVirtualHosting enabled, check config manually, they may only have the default vhost.
[ >> ] MaxRequestsPerChild directive not found.
[ -- ] This server is NOT running Plesk.
[ -- ] This server is NOT running cPanel.
[ -- ] This server is NOT running Virtualmin.
Use of uninitialized value $real_config in concatenation (.) or string at - line 1212 (#1)
(W uninitialized) An undefined value was used as if it were already defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl will try to tell you the name of the variable (if any) that was undefined. In some cases it cannot do this, so it also tells you what operation you used the undefined value in. Note, however, that perl optimizes your program and the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program.
Use of uninitialized value $apache_proc_php in concatenation (.) or string at - line 2366 (#1)
[ -- ] Your PHP Memory Limit (Per-Process) is .
Use of uninitialized value $apache_proc_php in string eq at - line 2367 (#1)
[ -- ] MySQL Detected => Using 89.91 MB of memory.
[ OK ] No large log files were found in /var/log/apache2.
[ OK ] MaxClients has not been hit recently.
[ >> ] Apache only logs maxclients/maxrequestworkers hits once in a lifetime, if no restart has happened this event may have been rotated away.
[ >> ] As a backup check, please compare number of running apache processes (minus 1 for parent) against maxclients/maxrequestworkers.
[ >> ] For more information see
https://github.com/apache/httpd/blob/0b61edca6cdda2737aa1d84a4526c5f9d2e23a8c/server/mpm/prefork/prefork.c#L809
[ OK ] No PHP Fatal Errors were found.
[ OK ] No package updates found.
[ -- ] apache2 is currently using 125.35 MB of memory.
[ -- ] The smallest apache process is using 9.27 MB of memory
[ -- ] The average apache process is using 9.27 MB of memory
[ -- ] The largest apache process is using 9.27 MB of memory
[ OK ] Going by the average Apache process, Apache can potentially use 1390.51 MB RAM:
Without considering services: 69.70 % of total installed RAM
Considering extra services: 72.99 % of remaining RAM
[ OK ] Going by the largest Apache process, Apache can potentially use 1390.51 MB RAM:
Without considering services: 69.70 % of total installed RAM
Considering extra services: 72.99 % of remaining RAM
--------------------------------------------------------------------------------
### GENERAL FINDINGS & RECOMMENDATIONS ###
--------------------------------------------------------------------------------
Apache2buddy.pl report for server: mysite.opensharing.priv (85.203.13.29):
Settings considered for this report:
[ !! ] *** LOW UPTIME ***.
[ @@ ] The following recommendations may be misleading - apache has been restarted within the last 24 hours.
Your server's physical RAM: 1995 MB
Remaining Memory after other services considered: 1905 MB
Apache's MaxRequestWorkers directive: 150 <--------- Current Setting
Apache MPM Model: prefork
Largest Apache process (by memory): 9 MB
[ !! ] Your MaxRequestWorkers setting is too low.
Your recommended MaxRequestWorkers setting is between 184 and 205. <------- Acceptable Range (10% of MAX)
Max potential memory usage: 1390 MB
Percentage of TOTAL RAM allocated to Apache: 69.70 %
Percentage of REMAINING RAM allocated to Apache: 72.99 %
--------------------------------------------------------------------------------
A log file entry has been made in: /var/log/apache2buddy.log for future reference.
Last 5 entries:
2019/10/26 18:39:56 Uptime: "0d 0h 26m 10s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/26 23:55:48 Uptime: "0d 05h 42m 03s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/26 23:56:45 Uptime: "0d 05h 43m 00s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "206" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.80%" (69.70% TOTAL RAM)
2019/10/27 11:27:53 Uptime: "0d 0h 13m 18s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "205" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.99%" (69.70% TOTAL RAM)
2019/10/27 11:27:59 Uptime: "0d 0h 13m 26s" Model: "Prefork" Memory: "1995 MB" MaxRequestWorkers: "150" Recommended: "205" Smallest: "9.27 MB" Avg: "9.27 MB" Largest: "9.27 MB" Highest Pct Remaining RAM: "72.99%" (69.70% TOTAL RAM)
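The sizing arithmetic behind that report, as an added example (not apache2buddy's own code, and not from the original page): the formulas are reconstructed from the figures printed above and reproduce them for this host, so the same numbers can be re-derived for another machine or after changing MaxRequestWorkers without re-running the script. The sample values are the ones the report printed for mysite.opensharing.priv; the class and method names are the author's.

```python
"""prefork_sizing.py (hypothetical name): re-derive the apache2buddy figures.
Added example; the formulas are inferred from the report, not taken from
apache2buddy's source."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class PreforkSizing:
    total_ram_mb: float        # "Your server has 1995 MB of PHYSICAL memory."
    other_services_mb: float   # "MySQL Detected => Using 89.91 MB of memory."
    largest_proc_mb: float     # "The largest apache process is using 9.27 MB"
    max_request_workers: int   # current MaxRequestWorkers directive (150)

    @property
    def remaining_mb(self):
        """RAM left for Apache once the other services are accounted for."""
        return self.total_ram_mb - self.other_services_mb

    @property
    def potential_usage_mb(self):
        """Worst case: every worker slot filled, each as big as the largest."""
        return self.max_request_workers * self.largest_proc_mb

    def pct_of_total(self):
        return round(100 * self.potential_usage_mb / self.total_ram_mb, 2)

    def pct_of_remaining(self):
        return round(100 * self.potential_usage_mb / self.remaining_mb, 2)

    def recommended_range(self):
        """Upper bound: remaining RAM divided by the largest process. The
        acceptable range is the top 10% below it ("10% of MAX" in the report)."""
        upper = self.remaining_mb / self.largest_proc_mb
        return math.floor(0.9 * upper), math.floor(upper)

    def verdict(self):
        """'too low' wastes capacity; 'too high' lets a request flood push the
        host into swap or the OOM killer, a self-inflicted denial of service,
        which is the security reason to size this directive at all."""
        low, high = self.recommended_range()
        if self.max_request_workers > high:
            return "too high"
        if self.max_request_workers < low:
            return "too low"
        return "ok"


# Values from the report above.
MYSITE = PreforkSizing(total_ram_mb=1995, other_services_mb=89.91,
                       largest_proc_mb=9.27, max_request_workers=150)

if __name__ == "__main__":
    s = MYSITE
    print(f"remaining RAM: {s.remaining_mb:.0f} MB")
    print(f"max potential usage: {s.potential_usage_mb:.1f} MB "
          f"({s.pct_of_total()} % of total, {s.pct_of_remaining()} % of remaining)")
    print(f"recommended MaxRequestWorkers: {s.recommended_range()} -> {s.verdict()}")
```

With the report's inputs it yields 1905 MB remaining, 1390.5 MB potential usage (69.70 % of total, 72.99 % of remaining) and the 184 to 205 range, so 150 comes out "too low" as reported. The default ServerLimit of 256 that the report also noted would come out "too high" on this box: 256 x 9.27 MB is about 2373 MB, more than the 1905 MB left after MySQL, which is exactly the memory-exhaustion scenario a request flood would trigger if MaxRequestWorkers were raised to match it.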