Firewall IDS and ECommerce - Web Server Assessment with Nikto and N-Stealth (August2004)


8/7/2019 Firewall IDS and ECommerce - Web Server Assessment with Nikto and N-Stealth (August2004)

http://slidepdf.com/reader/full/firewall-ids-and-ecommerce-web-server-assessment-with-nikto-and-n-stealth 1/20

January 24, 2002 Copyright 2002 All Rights Reserved

Firewall, IDS and ECommerce

Web Server Assessment

With Nikto & N-Stealth

(1 August, 2004)

Linux/Windows Lab


Web Server Assessment Laboratory

Laboratory Overview
This laboratory will be composed of two parts. Part One will involve installing and using Nikto on a Linux system. Nikto can be downloaded from www.cirt.net.

Part Two will involve installing and using N-Stealth on a Windows system. N-Stealth can be downloaded from www.nstalker.com.

Laboratory Objective
The student will be able to:
(1) Understand the purpose of automated tools to assess Web Server vulnerabilities.
(2) Understand how to install and use Nikto, an automated Web Server assessment tool.
(3) Understand how to install and use N-Stealth, an automated Web server assessment tool.

Class Preparation
(1) The student should review the lecture associated with Web server vulnerabilities.
(2) The student should review this laboratory.

Estimated Completion Time
60 Minutes


1. Information for Laboratory
A. The students will utilize both Nikto and N-Stealth as automated web server vulnerability assessment tools. Prior to the start of the laboratory the instructor will discuss web server assessment and automated web server assessment tools. In addition, prior to the exercise the instructors should have downloaded Nikto onto a Linux box and N-Stealth onto Windows systems.

B. Web Server Vulnerabilities.
The first step in assessing the vulnerability of a web site, after performing web server reconnaissance, is to assess the vulnerability of the web server. This step is primarily concerned with exposing the vulnerabilities that exist in the server which handles the interface between the user and the process logic.

2. Part 1 – Web Assessment w/Nikto


Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 2600 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

Nikto is not designed as an overly stealthy tool. It will test a web server in the shortest timespan possible, and it's fairly obvious in log files. However, there is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are "info only" type checks that look for items that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.
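Since a checklist scan of thousands of files/CGIs is, as noted above, "fairly obvious in log files", here is an added example (not part of the lab or of Nikto) of what the server side can do with that: a Python detector over Apache combined-format access log lines that flags a client requesting many distinct non-existent paths within a short window, or one whose User-Agent names the scanner. The log lines, addresses and User-Agent strings are constructed for the example, and the thresholds are assumptions to tune per site.

```python
"""Flag automated web-server scanning in Apache combined-format access logs.
Defensive example; every log line, address and User-Agent here is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_scanners(lines, window_s=60, min_distinct_404=20):
    """Return {ip: reason} for clients that look like a web-server scanner: a
    User-Agent naming the tool, or a burst of 404s for many distinct paths within
    window_s seconds (a checklist of dangerous files/CGIs mostly hits missing URLs)."""
    missing = defaultdict(list)             # ip -> [(timestamp, path)] for 404 responses
    flagged = {}
    for rec in filter(None, map(parse_line, lines)):
        if "nikto" in rec["ua"].lower():
            flagged[rec["ip"]] = "scanner identified in User-Agent"
        if rec["status"] == "404":
            missing[rec["ip"]].append((rec["ts"], rec["path"]))
    for ip, events in missing.items():
        events.sort()
        start = 0
        for end in range(len(events)):      # sliding time window over this client's 404s
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= min_distinct_404:
                flagged.setdefault(ip, f"{len(distinct)} distinct 404 paths within {window_s}s")
                break
    return flagged

def constructed_log():
    """Constructed sample: a normal visitor, a client that names the tool, a probe burst."""
    base = datetime(2004, 8, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.0" {status} 312 "-" "{ua}"'

    def stamp(seconds):
        return (base + timedelta(seconds=seconds)).strftime(TS_FMT)
    lines = [fmt.format(ip="10.0.0.9", ts=stamp(0), path="/index.html", status=200, ua="Mozilla/4.0"),
             fmt.format(ip="10.0.0.7", ts=stamp(1), path="/", status=200, ua="Mozilla/4.75 (Nikto/1.32)")]
    lines += [fmt.format(ip="10.0.0.5", ts=stamp(i), path=f"/cgi-bin/probe{i}.cgi", status=404, ua="Mozilla/4.75")
              for i in range(25)]
    return lines
```

The User-Agent check only catches a scanner that has not changed its default string; the 404-burst rule is what survives the evasion options discussed later in this lab.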


You will now use Nikto to scan and analyze a web server identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server. In addition, the instructor will have previously downloaded Nikto on the Linux box.

A. Nikto Document exploration
(1) At the Linux Redhat 9.0 KDE desktop use Konqueror to open /root by clicking on the root desktop Icon.

(2) Now click on nikto-1.32 > nikto_usage.html. A screen similar to the following should be displayed. Explore this screen in coordination with your instructor. Look especially at the documentation on evasion techniques.

(3) Now close Konqueror and return to the Linux desktop.


B. The Basic Scan
(1) Click on the shell terminal. Now input the commands:

cd nikto-1.32
perl nikto.pl -h www.nvcc.edu

A screen similar to the one shown below should be present. Explore this screen in coordination with your instructor.


C. The Scan w/IDS
(1) Nikto is especially noisy and will most certainly be detected and logged by any reputable IDS. Nikto has incorporated certain IDS countermeasures that can be employed to attempt to evade logging or at least to bypass simple string matching.

(2) Open the shell terminal and input the following commands:

cd nikto-1.32
perl nikto.pl -h www.nvcc.edu -p 80 -e 167


-e: IDS evasion techniques. This enables the intrusion detection evasion in LibWhisker. Multiple options can be used by stringing the numbers together, i.e. to enable methods 1 and 5, use "-e 15". The valid options are (use the number preceding each description):
1 Random URI encoding (non-UTF8)
2 Add directory self-reference /./
3 Premature URL ending
4 Prepend long random string to request
5 Fake parameters to files
6 TAB as request spacer instead of spaces
7 Random case sensitivity
8 Use Windows directory separator \ instead of /
9 Session splicing
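Every method in that list only defeats an IDS that matches the raw request string. As an added example (not part of the lab or of Nikto), the following Python function shows the defender's counterpart: it canonicalizes a request line before signature matching, reversing methods 1, 2, 4, 5, 6, 7 and 8, so the same signature fires whether or not the request was obfuscated. The signature paths are constructed placeholders, and lowercasing assumes a case-insensitive server such as the IIS mirror used in this lab.

```python
"""Canonicalize an HTTP request line before signature matching so that
LibWhisker-style URI obfuscation does not defeat a string-matching IDS.
Defensive example; the signature paths below are constructed placeholders."""
from urllib.parse import unquote

# Constructed signatures: paths a web-server scanner's checklist might probe.
SIGNATURES = ("/cgi-bin/test-cgi", "/_vti_bin/shtml.dll", "/scripts/root.exe")

def normalize_target(request_line):
    """Return the canonical path for the request-target of one request line.

    Reverses evasion methods 1 (URI encoding, including double encoding),
    2 (/./ self-reference), 4 (random leading directory followed by /../),
    5 (fake parameters), 6 (TAB as spacer), 7 (random case) and
    8 (backslash as separator). Method 9 (session splicing) happens at the
    TCP layer, so the sensor must reassemble the stream before this runs.
    """
    parts = request_line.split()            # str.split() also splits on TAB (method 6)
    if not parts:
        return "/"
    target = parts[1] if len(parts) >= 2 else parts[0]
    target = target.split("?", 1)[0]        # drop fake query parameters (method 5)
    for _ in range(3):                      # decode %xx until stable (method 1)
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    target = target.replace("\\", "/")      # Windows separators, also %5C (method 8)
    target = target.lower()                 # random case; assumes case-insensitive server (method 7)
    resolved = []                           # collapse "." and ".." segments (methods 2 and 4)
    for segment in target.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(segment)
    return "/" + "/".join(resolved)

def match_signature(request_line):
    """Return the matching signature for a request line, or None."""
    path = normalize_target(request_line)
    for signature in SIGNATURES:
        if path.startswith(signature):
            return signature
    return None
```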


A screen similar to the following should be displayed. Explore this screen in coordination with your instructor.


D. Updating Nikto

(1) Open the shell terminal and input the following commands:

cd nikto-1.32
perl nikto.pl -update

(2) A screen similar to the following should appear. Examine this screen in coordination with your instructor.

(3) This concludes the Nikto exercise. Exit the shell terminal and power down the Linux box.

2. Part 2 – N-Stealth


Nikto is a two piece tool: engine and vulnerability database. The database is a series of "plugins" that contains exploit information. They hold information for over 100 unique web servers and more than 2,000 known vulnerabilities among the web servers and CGI applications.

The latest plugins should be retrieved prior to running Nikto.


You will now use N-Stealth to scan and analyze a web server identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server. In addition, the instructor will have previously installed N-Stealth on a Windows box.

A. Phase 1 - Installation
(1) Using Explorer go to the following directory: C:\Program Files\Security Toolbox\Assessment Tools. A screen similar to the following should appear.


N-Stealth is a vulnerability-assessment product that scans web servers to identify security problems and weaknesses that may allow an attacker to gain privileged access. The software comes with an extensive database of over 30,000 vulnerabilities and exploits. N-Stealth is more actively maintained than the network security scanners and consequently has a larger database of vulnerabilities. N-Stealth is a comprehensive web server security-auditing tool that scans for over 30,000 vulnerabilities. It is ideal for system administrators, security consultants and IT professionals. The software's wide array of scanning techniques and extensive security-hole database make it the best available program for locking down web servers.


(2) Double click Nstealth-Free-5-2b24.exe. Now select English. A screen similar to the following should appear.

(2) Click Next. A screen similar to the following should appear.


(3) Read the License agreement and select I Agree. The following screen should appear.

(4) Elect the defaults and click Next. The following screen should appear.


(5) Elect the default and click Install. The following screen should appear.

(6) Click Finish. N-Stealth has now been successfully installed.


B. Phase Two – Web Assessment w/ N-Stealth
You will now use N-Stealth to scan and analyze a web site identified by your instructor. The web site scanned in this exercise was previously mirrored and installed on a class lab server.

(1) Click Start > Programs > N-Stealth > Nstealth. A screen similar to the following should appear.


(2) Set English as your default language and click OK. The following screen should appear.

(3) Enter a URL specified by your instructor and click Start Scan and select No at the next pop-up screen. A screen similar to the following should appear. Explore this screen in coordination with your instructor.


(4) At the instructor's discretion either stop the scan or let it run to completion. If it runs to completion the scan may take several minutes since over 16,000 items will be checked. If the scan is stopped a screen similar to the following should be present.

Explore the screen in coordination with your instructor.

(5) Select Report Manager. A screen similar to the following should be present.


(6) Highlight the URL just scanned and select Generate. The following screen should appear.

(7) Click OK. The following screen should appear.


(8) Select the Report Directory tab, highlight the URL just scanned and click Open. The following report should appear. Examine this report in coordination with your instructor.

(9) This concludes the formal portion of the exercise. The student should now, on their own, explore the capabilities of N-Stealth.

(10) At the conclusion of the exercise, the student should delete the report, close all files and uninstall N-Stealth.


CONGRATULATIONS. You have just finished the Windows Web Server Vulnerability Assessment laboratory.


Instructors Appendix

1. Nikto.

The current version of Nikto, 1.32, can be downloaded from www.cirt.net onto a Linux box. Nikto is a perl script written by Chris Sullo and is styled after RFP's Whisker. Nikto uses RFP's Libwhisker library for HTTP/socket functionality. It has a reputation of being one of the best free Web server scanners.

It has two major functions that are noteworthy. First, since it is exceptionally noisy and will undoubtedly be logged, it can employ IDS evasion techniques. Nikto, when employing IDS evasion, uses nine different techniques to format the URL request to bypass simple string matching IDSs. Second, it has the capability of being automatically updated through the use of the -update command.

a. I downloaded and installed Nikto onto a Redhat 9.0 box.
b. Nikto can be installed into any directory; however, I chose to install it into /root.
c. The following commands were used to unzip/untar nikto-current.tar.gz in the /root directory:

gunzip nikto-current.tar.gz
tar -xvf nikto-current.tar
cd nikto-1.32

2. N-Stealth.
WebSleuth can be downloaded from www.nstalker.com.

a. Download N-Stealth onto a Windows box.


b. N-Stealth can be downloaded into any directory; however, I chose to download it into C:\Program Files\Security Toolbox\Assessment Tools.

3. Web Site.
A web site should only be analyzed if permission has been granted. For this exercise I mirrored the NVCC web site onto a classroom server composed of a Windows 2003 machine running IIS.