Red Primer: Web Scanning

Today, I am going to make this write-up of Web Scanning challenge on TryHackMe. This is a write-up on Web Scanning tools named as Nikto and OWASP ZAP.


[Task 1] Pull the lever, Kronk!

Web scanning represents one of the core constructs of modern pentesting. Quite simply, most of what we interact with on a daily basis is the internet, and therein there is a multitude of ever-widening number of vulnerabilities. Within this room, we will investigate two of the most common scanners: Nikto and Zap.

Deploy the machine.

[Task 2] ...I'm supposed to scan with that?

A short quiz over the various switches used with Nikto as well as a quick scan against our target. All you'll need for this is the help menu for Nikto. Include all parts of the switch unless otherwise specified, this includes -

#1. First and foremost, what switch do we use to set the target host?

-h


As per help, the answer should be -host but as per background hint answer will be of 2 letters so for this check out this Cheatsheet.

#2. Websites don't always properly redirect to their secure transport port and can sometimes have different issues depending on the manner in which they are scanned. How do we disable secure transport?
-nossl
Check help menu -

#3. How about the opposite, how do we force secure transport?
-ssl
Check help menu -

#4. What if we want to set a specific port to scan?
-p
Similarly first question, its answer will be -p or -port.


#5. As the web is constantly evolving, so is Nikto. A database of vulnerabilities represents a core component to this web scanner, how do we verify that this database is working and free from error?
-dbcheck
Check help menu -


#6. If instructed to, Nikto will attempt to guess and test both files within directories as well as usernames. Which switch and numerical value do we use to set Nikto to enumerate usernames in Apache? Keep in mind, this option is deprecated in favor of plugins, however, it's still a great option to be aware of for situational usage.
-mutate 3
Check help menu -
Here, we need to use mutate flag with option 3.

#7. Suppose we know the username and password for a web forum, how do we set Nikto to do a credentialed check? Suppose the username is admin and the password is PrettyAwesomePassword1234
-id admin:PrettyAwesomePassword1234
Her, we can use id flag with username and password for the credential check.

#8. Let's scan our target machine, what web server do we discover and what version is it?
Apache/2.4.7
We can run the scan using the following command -
nikto -h <machine ip>
After a few seconds, results will be like this - 


#9. This box is vulnerable to very poor directory control due to it's web server version, what directory is indexed that really shouldn't be?
config
After a few minutes of the scan, Nikto will return the hidden directory.

#10. Nikto scans can take a while to fully complete, which switch do we set in order to limit the scan to end at a certain time?
-until
Check help menu -

#11. But wait, there's more! How do we list all of the plugins are available?
-list-plugins

#12. On the flip-side of the database, plugins represent another core component to Nikto. Which switch do we use to instruct Nikto to use plugin checks to find out of date software on the target host? Keep in mind that when testing this command we need to specify the host we intend to run this against. For submitting your answer, use only the base command with the out of date option.
-Plugins outdated
For this, check the plugins list using the following command -
nikto -list-plugins

#13. Finally, what if we'd like to use our plugins to run a series of standard tests against the target host?
-Plugins tests
Similarly, as previously, we can find this.

[Task 3] Zip ZAP!

A brief quiz and tutorial over using the OWASP Zap Scanner

#1. Let's start simple and launch zap. This can be done in a number of ways (Commands: owasp-zap, zaproxy) or through launching it in the Kali gui.
No answer needed
Here, simply run the OWASP ZAP using any of the following commands -
owasp-zap
OR
zaproxy

#2. Launch ZAP, what option to we set in order to specify what we are attacking?
URL to attack

#3. Launch the attack against our target! Throughout the course of this attack you may notice this is very similar to Nikto. Similar to Nessus vs. OpenVAS, Nikto and ZAP and both offer different perspectives on a host and, as such, it's useful to know how to leverage both scanning tools in order to maximize your own visibility in a situation wherein 'noise' doesn't particularly matter.
No answer needed
Just start the attack after putting the IP you got in the "URL to attack" option.

#4. ZAP will discover a file that typically contains pages which well-behaved web indexing engines will read in order to know which sections of a site to avoid. What is the name of this file? (Lucky for us, our scanner isn't what we would call 'well-behaved'!)
robots.txt 
After starting the attack, you will notice this file.
 
#5. One entry is included in the disallow section of this file, what is it?
/
For this, check the response tab of the robots.txt file, you will find "/" is disallowed.

Here, you may find different IP from Nikto section, as I solved this challenge in two days, yet it was easy.

#6. ZAP will find a directory that contains images for our application, what is the path for that directory? (This is what will follows the name/ip of the website)
/dvwa/images/
For this, check the Spider tab in the bottom frame.


#7. This website doesn't force a secure connection by default and ZAP isn't pleased with it. Which related cookie is ZAP upset about?
HttpOnly
For this, check the Alerts tab in the bottom frame.

#8. Featured in various rooms on TryHackMe, Cross-Site Scripting is a vicious attack that is becoming ever more common on the open web. What Alert does ZAP produce to let us know that this site is vulnerable to XSS? Note, there are often a couple warnings produced for this, look for one more so directly related to the web client.
Web Browser XSS Protection Not Enabled
For this, check the Alerts tab in the bottom frame.

#9. The ZAP proxy spider represents the component responsible for 'crawling' the site. What site is found to be out of scope?
http://www.dvwa.co.uk
Similarly for this, check the Spider tab in the bottom frame.


#10. ZAP will use primarily two methods in order to scan a website, which of these two HTTP methods requests content?
GET
 
#11. Which option attempts to submit content to the website?
POST
There are two types of HTTP request method - POST and GET.  These are used to send any information to the webserver like username, password, page id, etc.

The example of GET and POST is -

  • GET - http://example.com/page.php?id=1
  • POST - http://example.com/page.php
Both GET and POST method is used to transfer data from client to server in HTTP protocol but the main difference between the POST and GET method is that GET carries request parameter appended in URL string while POST carries request parameter in message body which makes it more secure way of transferring data.


TryHackMe

I hope, this post helped you to learn the basics of Nikto and OWASP ZAP scanning tools.

Stay tuned for more such posts!!!


Comments

  1. jackielabarMarch 4, 2022 at 9:21 AM

    Harrah's Casino and Racetrack in Laughlin, Nevada
    Get directions, reviews and information 충청북도 출장샵 for Harrah's Casino and 안산 출장마사지 Racetrack in Laughlin, NV. 777 Harrahs Boulevard, 동두천 출장마사지 Laughlin, NV 89109. (775) 의왕 출장안마 427-7877. 경상남도 출장샵

    ReplyDelete

Post a Comment

Popular posts from this blog

VirSecCon CTF Steganography Writeups

Image
1) Stegosaurus (70) DESCRIPTION- Scientists are struggling with a new mystery: we thought the dinosaurs were gone, but this one has returned! Hmmm... can you solve this mystery? Download the file below: stegosaurus.png SOLUTION:: → Use commands -           ⇒ Use website https://georgeom.net/StegOnline/image to convert the color palette of this image           ⇒ Use the LSB Half option to change color palette                                              OR           ⇒ Install tool stegsolve.jar using commands                     wget http://www.caesum.com/handbook/Stegsolve.jar -O stegsolve.jar                     chmod +x stegsolve.jar                     mv stegsolve.jar /bin           ⇒ Execute it using command- stegsolve.jar , use File option, choose image, use arrows to see the text by changing colors → Flag - LLS{you_stegsolved_the_mystery} 2) Winter Wonderland (80) DESCRIPTION- It’s the holiday season! But hmm… they must be hi
Read more

Kali Linux in Docker Container in Windows 10

Image
Background Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Docker is a great alternative to virtualization when dealing with various tools or for creating isolated environments. Docker is lightweight. Offensive Security has created an official Kali Linux Docker image named kalilinux/kali-rolling , which we’ll be using below. Install Docker Go to the following link and install Docker  -  https://docs.docker.com/docker-for-windows/install/ Setting up a Kali Linux Docker Image Pull the Kali Linux image using following command -  docker pull kalilinux/kali-rolling Running Kali  Run Kali using following command -  docker run -t -i kalilinux/kali-rolling /bin/bash First Things First The first thing we need to do is to update Kali packages and install the tools we’ll be using. Run following commands in Kali shell -  apt update apt dist-upgrade apt autoremove apt clean We can now run any Linux command in this Docker image but now you hav
Read more