Web Scanning Walkthrough

Web scanning, or scanning in general, is one of the most important steps in penetration testing or any other security procedure. It lets us check which systems are running, which software is in use and in which versions, what ports are open, and much more information that will help later on.

You can access the Web Scanning room from here; deploy the machine before continuing.

Task 2 – …I’m supposed to scan with that?

First, we will learn about a scanning tool called Nikto, a command line tool that performs tests against web servers to find out which software is running, which version it is, and much more.

Before we start with the options, here is the help page for Nikto, to make solving the questions easier:

(Screenshot: Nikto help page)

So let's start with the second task's questions:

First and foremost, what switch do we use to set the target host?

In the help page you can see that Nikto has the option -host (short form -h) to specify the target host. Mind the case: lowercase -h sets the host, while uppercase -H prints the extended help, so the answer is easy to conclude.

-h

Websites don’t always properly redirect to their secure transport port and can sometimes have different issues depending on the manner in which they are scanned. How do we disable secure transport?

But what is secure transport? Secure transport is a layer that sits between a user and another system so that the data exchanged between them is protected.

This is achieved with SSL; you can see an example in the official Apple docs.

To disable the SSL-forcing option, we use the following flag:

-nossl

How about the opposite, how do we force secure transport?

This is the opposite of the previous one: the flag forces the SSL option.

-ssl

What if we want to set a specific port to scan?

As in many other programs, the port is set with the following flag; you can also use the longer form, -port.

-p

As the web is constantly evolving, so is Nikto. A database of vulnerabilities represents a core component to this web scanner, how do we verify that this database is working and free from error?

This is a very important step: we need to make sure that our database is working and error-free. Luckily, there is a simple argument that verifies the database for us.

-dbcheck

If instructed to, Nikto will attempt to guess and test both files within directories as well as usernames. Which switch and numerical value do we use to set Nikto to enumerate usernames in Apache? Keep in mind, this option is deprecated in favor of plugins, however, it’s still a great option to be aware of for situational usage.

The question is very simple, but to solve it you need the expanded help menu, which you get by running

nikto -H

If you read through the expanded help, about halfway down you should see the following: "3 Enumerate usernames via Apache (/~user type requests)", which is what we're looking for.

-mutate 3

Suppose we know the username and password for a web forum, how do we set Nikto to do a credentialed check? Suppose the username is admin and the password is PrettyAwesomePassword1234

This is fairly simple and self-explanatory.

-id admin:PrettyAwesomePassword1234

Let’s scan our target machine, what web server do we discover and what version is it?

Just like in the questions we solved above, let's run the following command

nikto -h machine_IP

Wait a little until the scan finishes; you should get the following results.

(Screenshot: Nikto scan output)

As you can see in the first line, "Server", our target machine is running an Apache server with version 2.4.7, which is our answer.

Apache/2.4.7

This box is vulnerable to very poor directory control due to its web server version, what directory is indexed that really shouldn’t be?

This question requires the previous scan to run a little longer, until you get the following output:

(Screenshot: Nikto directory indexing finding)

Here you can see that Nikto flagged the "config" directory as one that may be exposed.

config

Nikto scans can take a while to fully complete, which switch do we set in order to limit the scan to end at a certain time?

As you noticed, the scan took a long time. To limit the time, you can use the following option (you can find it in the expanded help page).

This question, in my opinion, is poorly formatted: you might think that "maxtime" or "timeout" is the answer, since one defines the maximum time to run and the other specifies the timeout for each request.

But the answer is "until", which lets Nikto run until a specific time value (it can also be given a duration), rather than a duration as the previous two options do.

-until

But wait, there's more! How do we list all of the plugins that are available?

This is a direct option that is found in the help page:

list-plugins

On the flip-side of the database, plugins represent another core component to Nikto. Which switch do we use to instruct Nikto to use plugin checks to find out of date software on the target host? Keep in mind that when testing this command we need to specify the host we intend to run this against. For submitting your answer, use only the base command with the out of date option.

To solve this question, we first list all the plugins just like in the previous question, then we grep for a search term to find the plugin.

We're searching for out of date software, so let's grep for "date":

nikto -list-plugins | grep date

and we get the following plugin:

outdated

Now to solve the question, we construct the command by specifying the plugin found above:

-Plugins outdated

Finally, what if we’d like to use our plugins to run a series of standard tests against the target host?

This requires reading a little through Nikto's list of plugins until you reach a plugin called "tests", which runs a list of standard tests against the web host.

tests

So just like in the previous question, we run the command with the tests plugin:

-Plugins tests

Task 3 – Zip ZAP!

Let’s start with the second part of this machine.

You can get more detailed information about the OWASP ZAP scanner from Wikipedia.

You probably won't have it on your own machine, so you need to install it. First, download the file from zapproxy.org.

Then choose your OS; the Linux Installer is the easiest option.

Then grant the installer execution permission:

chmod +x ZAP_x_x_x_unix.sh

Then run the installer in the terminal and follow the instructions:

./ZAP_x_x_x_unix.sh

Then you can search for OWASP ZAP and start it.

(Screenshot: OWASP ZAP start screen)

After it launches successfully, choose the Automated Scan option,

and you should get the following screen:

(Screenshot: OWASP ZAP Automated Scan screen)

Here stands our next question.

Launch ZAP, what option do we set in order to specify what we are attacking?

As you can see in the image, the option we need to set is "URL to attack".

URL to attack

Launch the attack against our target! Throughout the course of this attack you may notice this is very similar to Nikto. Similar to Nessus vs. OpenVAS, Nikto and ZAP both offer different perspectives on a host and, as such, it's useful to know how to leverage both scanning tools in order to maximize your own visibility in a situation wherein 'noise' doesn't particularly matter.

Now let’s set our target machine and start the scan.

The scan will take some time, but while it is running we can solve some of the questions.

ZAP will discover a file that typically contains pages which well-behaved web indexing engines will read in order to know which sections of a site to avoid. What is the name of this file? (Lucky for us, our scanner isn’t what we would call ‘well-behaved’!)

This is not something ZAP-specific; if you have general knowledge of how search engines work and how they crawl sites, you know about the "robots.txt" file.

You can learn more about the robots.txt file and how it works from Google.

robots.txt

One entry is included in the disallow section of this file, what is it?

Let's access the robots.txt file on the machine:

machine_ip/robots.txt

There you can see that the only Disallow entry is the home (root) directory:

/

ZAP will find a directory that contains images for our application, what is the path for that directory? (This is what follows the name/IP of the website)

Open the ZAP scan results and choose the "Directory Browsing" alert.

(Screenshot: OWASP ZAP Directory Browsing results)

There we can see that the selected directory is the one that contains images.

/dvwa/images

This website doesn’t force a secure connection by default and ZAP isn’t pleased with it. Which related cookie is ZAP upset about?

Let’s expand the Cookies alert that ZAP is warning us about.

(Screenshot: OWASP ZAP cookie warning)

We can see that the site doesn't set the HttpOnly flag on its cookies. This flag is important because it keeps client-side scripts from reading the cookie, so a cross-site scripting attack cannot steal the user's session cookie.

You can get more information from OWASP.

httponly
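As an added example (not part of the original walkthrough or of ZAP itself), the following Python audits Set-Cookie headers for the HttpOnly and Secure attributes, which is the kind of check behind ZAP's cookie alerts; the sample headers are constructed, not captured from the room's machine.

```python
"""Audit Set-Cookie headers for missing HttpOnly / Secure attributes.

Added example, not code from the walkthrough or from ZAP. The sample
headers below are constructed for illustration.
"""
from typing import Dict, List

# Constructed sample response headers (not from the room's target).
SAMPLE_HEADERS = [
    "Set-Cookie: PHPSESSID=abc123; path=/",
    "Set-Cookie: theme=dark; path=/dvwa",
    "Set-Cookie: prefs=compact; Path=/; Secure; HttpOnly; SameSite=Lax",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into the cookie name and its attributes.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased;
    flag attributes such as Secure and HttpOnly get an empty string value.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return {"name": name, "attrs": attrs}


def audit_cookies(headers: List[str]) -> List[str]:
    """Return one finding per missing protection, in the spirit of ZAP's cookie alerts."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        attrs = cookie["attrs"]
        if "httponly" not in attrs:
            findings.append(f"{cookie['name']}: missing HttpOnly (readable by script, exposed to XSS)")
        if "secure" not in attrs:
            findings.append(f"{cookie['name']}: missing Secure (may be sent over plain HTTP)")
    return findings


if __name__ == "__main__":
    for finding in audit_cookies(SAMPLE_HEADERS):
        print(finding)
```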

Featured in various rooms on TryHackMe, Cross-Site Scripting is a vicious attack that is becoming ever more common on the open web. What Alert does ZAP produce to let us know that this site is vulnerable to XSS? Note, there are often a couple warnings produced for this, look for one more so directly related to the web client.

The problem with this question is that the alert will not show, because it has been deprecated in ZAP.

But you can copy and paste the following solution; don't worry if you don't see it, as it won't show.

Web Browser XSS Protection Not Enabled

The ZAP proxy spider represents the component responsible for ‘crawling’ the site. What site is found to be out of scope?

Let’s select the spider tab and see which errors we get.

(Screenshot: OWASP ZAP Spider tab, out of scope)

From here we can see that the selected link is the one out of scope:

http://www.dvwa.co.uk

ZAP will use primarily two methods in order to scan a website, which of these two HTTP methods requests content?

For this, you can see which HTTP methods ZAP used by clicking on the "Sites" icon and checking all the requests.

(Screenshot: OWASP ZAP Sites tree)

You can see that ZAP is using only GET and POST. If you navigate through them you will notice that POST doesn't request any content, which means that GET is our answer.

GET

Which option attempts to submit content to the website?

As we said earlier, GET is used to get content, while POST is generally used to submit data and create content.

This isn't always the case, as the PUT method can also be used, but ZAP uses POST to submit content to the site, which is generally what forms use.

POST

And finally, we have finished the Web Scanning machine.