Wednesday, 2 September 2015

Auditing with Uniscan. Part 2

Hello everyone. In today's post we continue with the Uniscan tool, and I will show you a real example of an analysis performed with this interesting utility.

To recap what we saw last Tuesday: we looked at how easy it is to run an analysis with Uniscan and went through the 8 options it lets you configure:

  1. Check Directory
  2. Check Files
  3. Check /robots.txt
  4. Dynamic tests
  5. Static tests
  6. Stress tests
  7. Web Fingerprint
  8. Server Fingerprint


With the exception of the stress tests, I ran all of them against one of our websites and generated a report so you can see the results it is able to obtain:

####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2


New version 6.3 is avaliable
More details in http://uniscan.sourceforge.net/


| [*] Uniscan has updated to newest version
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.3


Scan date: 21-5-2015 2:7:55
===================================================================================================
| Domain: http://www.XXXXX.com/
| Server: Apache
| IP: 111.222.333.444
===================================================================================================
===================================================================================================
| Looking for Drupal plugins/modules
|
| GET,HEAD,POST,OPTIONS
===================================================================================================
===================================================================================================
| WEB SERVICES
|
===================================================================================================
| FAVICON.ICO
|
===================================================================================================
| ERROR INFORMATION
|
|  404 Not Found Not Found The requested URL /+^{BO'/-BPz"j;6Z<zFN was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
|  404 Not Found Not Found The requested URL /,HRzUBxc!hdxDzZ-\u was not found on this server. Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
===================================================================================================
| TYPE ERROR
|
===================================================================================================
| SERVER MOBILE
|
===================================================================================================
| LANGUAGE
|
===================================================================================================
| INTERESTING STRINGS IN HTML
|
| a class="twitter-timeline" href="https://twitter.com/XXXXX" data-widget-id="">Tweets por @XXXXX
| script>!function(d,s,id){var js,fjs=d.getElementsByTagName(s)[0],p=/^http:/.test(d.location)?'http':'https';if(!d.getElementById(id)){js=d.createElement(s);js.id=id;js.src=p+"://platform.twitter.com/widgets.js";fjs.parentNode.insertBefore(js,fjs);}}(document,"script","twitter-wjs");
| a href="https://twitter.com/XXXXX" target="_blank">
| a href="https://www.facebook.com/pages/XXXXXYYYYYY/" target="_blank">
| a href="http://XXXXX.com/XXXXXlogin.php">Inicio sesión K-IT
| a data-toggle="modal" href="http://XXXXX.com/XXXXXlogin.php">
| a href="mailto:info@XXXXX.com" target="_blank">
===================================================================================================
| WHOIS
|
|
|
| Whois Server Version 2.0
|
|
|
|
|
|
|
|
|
|
|
| No match for "WWW.XXXXX.COM".
|
| >>> Last update of whois database: Thu, 13 Aug 2015 18:06:49 GMT <<<
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Registrars.
|
|
|
| For more information on Whois status codes, please visit
|
| https://www.icann.org/resources/pages/epp-status-codes-2014-06-16-en.
|
===================================================================================================
| BANNER GRABBING:
===================================================================================================
===================================================================================================
| PING
|
| PING www.XXXXX.com (111.222.333.444) 56(84) bytes of data.
|
| --- www.XXXXX.com ping statistics ---
| 4 packets transmitted, 0 received, 100% packet loss, time 3022ms
|
===================================================================================================
| TRACEROUTE
|
| traceroute to www.XXXXX.com (111.222.333.444), 30 hops max, 60 byte packets
|  1  * * *
|  2  * * *
|  3  * * *
|  4  * * *
|  5  * * *
|  6  * * *
|  7  * * *
|  8  * * *
|  9  * * *
| 10  * * *
| 11  * * *
| 12  * * *
| 13  * * *
| 14  * * *
| 15  * * *
| 16  * * *
| 17  * * *
| 18  * * *
| 19  * * *
| 20  * * *
| 21  * * *
| 22  * * *
| 23  * * *
| 24  * * *
| 25  * * *
| 26  * * *
| 27  * * *
| 28  * * *
| 29  * * *
| 30  * * *
===================================================================================================
| NSLOOKUP
|
| Server:        8.8.8.8
| Address:    8.8.8.8#53
|
| Non-authoritative answer:
| *** Can't find www.XXXXX.com: No answer
| Authoritative answers can be found from:
| XXXXX.com
|     origin = ns3.XXXXX.com
|     mail addr = hostmaster.XXXXX.com
|     serial = 2014021122
|     refresh = 21600
|     retry = 3600
|     expire = 2419200
|     minimum = 60
| Name:    www.XXXXX.com
| Address: 111.222.333.444
===================================================================================================
| NMAP
|
|
| Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-21 02:09 UTC
| NSE: Loaded 110 scripts for scanning.
| NSE: Script Pre-scanning.
| Initiating Ping Scan at 02:09
| Scanning www.XXXXX.com (111.222.333.444) [4 ports]
| Completed Ping Scan at 02:09, 0.01s elapsed (1 total hosts)
| Initiating Parallel DNS resolution of 1 host. at 02:09
| Completed Parallel DNS resolution of 1 host. at 02:09, 0.06s elapsed
| Initiating SYN Stealth Scan at 02:09
| Scanning www.XXXXX.com (111.222.333.444) [1000 ports]
| Increasing send delay for 111.222.333.444 from 0 to 5 due to 11 out of 11 dropped probes since last increase.
| Increasing send delay for 111.222.333.444 from 5 to 10 due to 11 out of 11 dropped probes since last increase.
| SYN Stealth Scan Timing: About 15.60% done; ETC: 02:12 (0:02:48 remaining)
| Increasing send delay for 111.222.333.444 from 10 to 20 due to 11 out of 11 dropped probes since last increase.
| Increasing send delay for 111.222.333.444 from 20 to 40 due to 11 out of 11 dropped probes since last increase.
| SYN Stealth Scan Timing: About 29.40% done; ETC: 02:12 (0:02:26 remaining)
| Increasing send delay for 111.222.333.444 from 40 to 80 due to 11 out of 11 dropped probes since last increase.
| SYN Stealth Scan Timing: About 45.10% done; ETC: 02:12 (0:01:51 remaining)
| Increasing send delay for 111.222.333.444 from 80 to 160 due to 11 out of 27 dropped probes since last increase.
| SYN Stealth Scan Timing: About 57.00% done; ETC: 02:12 (0:01:31 remaining)
| Increasing send delay for 111.222.333.444 from 160 to 320 due to 11 out of 11 dropped probes since last increase.
| Increasing send delay for 111.222.333.444 from 320 to 640 due to 11 out of 11 dropped probes since last increase.
| SYN Stealth Scan Timing: About 67.45% done; ETC: 02:14 (0:01:43 remaining)
| Increasing send delay for 111.222.333.444 from 640 to 1000 due to 11 out of 14 dropped probes since last increase.
| SYN Stealth Scan Timing: About 73.50% done; ETC: 02:16 (0:01:55 remaining)
| SYN Stealth Scan Timing: About 78.85% done; ETC: 02:18 (0:01:57 remaining)
| SYN Stealth Scan Timing: About 84.15% done; ETC: 02:20 (0:01:44 remaining)
| SYN Stealth Scan Timing: About 88.90% done; ETC: 02:21 (0:01:22 remaining)
| SYN Stealth Scan Timing: About 92.70% done; ETC: 02:22 (0:00:58 remaining)
| SYN Stealth Scan Timing: About 95.45% done; ETC: 02:23 (0:00:38 remaining)
| Completed SYN Stealth Scan at 02:24, 904.29s elapsed (1000 total ports)
| Initiating Service scan at 02:24
| Initiating OS detection (try #1) against www.XXXXX.com (111.222.333.444)
| Initiating Traceroute at 02:24
| Completed Traceroute at 02:24, 0.01s elapsed
| NSE: Script scanning 111.222.333.444.
| Initiating NSE at 02:24
| Completed NSE at 02:24, 0.00s elapsed
| Nmap scan report for www.XXXXX.com (111.222.333.444)
| Host is up (0.00011s latency).
| rDNS record for 111.222.333.444: ZZZZZZZ.XXXXX.com
| All 1000 scanned ports on www.XXXXX.com (111.222.333.444) are filtered
| Too many fingerprints match this host to give specific OS details
| Network Distance: 1 hop
|
| TRACEROUTE (using port 80/tcp)
| HOP RTT     ADDRESS
| 1   0.07 ms slgi246.XXXXX.com (111.222.333.444)
|
| NSE: Script Post-scanning.
| Read data files from: /usr/bin/../share/nmap
| OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
| Nmap done: 1 IP address (1 host up) scanned in 907.03 seconds
|            Raw packets sent: 2211 (98.748KB) | Rcvd: 130 (5.236KB)
===================================================================================================
|
| Directory check:
| [+] CODE: 200 URL: http://www.XXXXX.com/blog/
| [+] CODE: 200 URL: http://www.XXXXX.com/en/
===================================================================================================
|                                                                                                  
| File check:
| [+] CODE: 200 URL: http://www.XXXXX.com/config.php
===================================================================================================
|
| Check robots.txt:
|
| Check sitemap.xml:
===================================================================================================
|
| Crawler Started:
| Plugin name: FCKeditor upload test v.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Upload Form Detect v.1.1 Loaded.
| Plugin name: Code Disclosure v.1.1 Loaded.
| Plugin name: E-mail Detection v.1.1 Loaded.
| Plugin name: External Host Detect v.1.2 Loaded.
| Plugin name: phpinfo() Disclosure v.1 Loaded.
| Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
| [+] Crawling finished, 1 URL's found!
|
| FCKeditor File Upload:
|
| Timthumb:
|
| File Upload Forms:
|
| Source Code Disclosure:
|
| E-mails:
|
| External hosts:
|
| PHPinfo() Disclosure:
|
| Web Backdoors:
|
| Ignored Files:
===================================================================================================
| Dynamic tests:
| Plugin name: Learning New Directories v.1.2 Loaded.
| Plugin name: FCKedior tests v.1.1 Loaded.
| Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
| Plugin name: Find Backup Files v.1.2 Loaded.
| Plugin name: Blind SQL-injection tests v.1.3 Loaded.
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: PHP CGI Argument Injection v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.2 Loaded.
| Plugin name: SQL-injection tests v.1.2 Loaded.
| Plugin name: Cross-Site Scripting tests v.1.2 Loaded.
| Plugin name: Web Shell Finder v.1.3 Loaded.
| [+] 0 New directories added
|                                                                                                  
|                                                                                                  
| FCKeditor tests:
|                                                                                                  
|                                                                                                  
| Timthumb < 1.33 vulnerability:
|                                                                                                  
|                                                                                                  
| Backup Files:
|                                                                                                  
|                                                                                                  
| Blind SQL Injection:
|                                                                                                  
|                                                                                                  
| Local File Include:
|                                                                                                  
|                                                                                                  
| PHP CGI Argument Injection:
|                                                                                                  
|                                                                                                  
| Remote Command Execution:
|                                                                                                  
|                                                                                                  
| Remote File Include:
|                                                                                                  
|                                                                                                  
| SQL Injection:
|                                                                                                  
|                                                                                                  
| Cross-Site Scripting (XSS):
|                                                                                                  
|                                                                                                  
| Web Shell Finder:
===================================================================================================
| Static tests:
| Plugin name: Local File Include tests v.1.1 Loaded.
| Plugin name: Remote Command Execution tests v.1.1 Loaded.
| Plugin name: Remote File Include tests v.1.1 Loaded.
|                                                                                                  
|                                                                                                  
| Local File Include:
|                                                                                                  
|                                                                                                  
| Remote Command Execution:
|                                                                                                  
|                                                                                                  
| Remote File Include:
===================================================================================================
Scan end date: 21-5-2015 3:23:24



HTML report saved in: report/www.XXXXX.com.html


As you can see, it identified no injection vulnerabilities because the site was well hardened, but it did obtain information about the server fingerprint, the technologies in use and some strings it considers interesting because they contain links and e-mail addresses.
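The report above is plain text, so the first thing I would do with it in a real engagement is turn it into structured findings. The following Python script is an added example written for this post (it is not part of Uniscan, nor code from the original article): it parses the section layout of the report shown above, pulls out the `[+] CODE: 200 URL:` hits, the e-mail addresses and third-party hosts from the "interesting strings", and flags files such as the `config.php` hit for manual verification. The embedded sample report is a constructed excerpt that reuses the post's redacted placeholders, and the function names and the list of files to verify are my own assumptions.

```python
import re
from collections import OrderedDict
from urllib.parse import urlparse

# Constructed excerpt of a Uniscan text report. It follows the layout of the
# report reproduced in the post (sections separated by lines of '=', body lines
# prefixed with '|') and reuses the post's redacted placeholders; it is not a
# real scan.
SAMPLE_REPORT = """\
==================================================
| Domain: http://www.XXXXX.com/
| Server: Apache
| IP: 111.222.333.444
==================================================
| INTERESTING STRINGS IN HTML
|
| a href="https://twitter.com/XXXXX" target="_blank">
| a href="mailto:info@XXXXX.com" target="_blank">
==================================================
|
| Directory check:
| [+] CODE: 200 URL: http://www.XXXXX.com/blog/
| [+] CODE: 200 URL: http://www.XXXXX.com/en/
==================================================
|
| File check:
| [+] CODE: 200 URL: http://www.XXXXX.com/config.php
==================================================
| Dynamic tests:
| Plugin name: SQL-injection tests v.1.2 Loaded.
|
| SQL Injection:
|
| Cross-Site Scripting (XSS):
==================================================
"""

SEPARATOR = re.compile(r"=+\s*")
HIT = re.compile(r"\[\+\] CODE: (\d{3}) URL: (\S+)")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
HREF = re.compile(r'href="([^"]+)"')
# Uniscan prints check names with a trailing colon ("File check:") and banner
# sections in upper case ("INTERESTING STRINGS IN HTML").
CAPS_HEADING = re.compile(r"[A-Z][A-Z .()]*")


def _is_heading(line):
    return line.endswith(":") or CAPS_HEADING.fullmatch(line) is not None


def parse_report(text):
    """Split a report into an ordered {heading: [body lines]} mapping.

    Lines that precede any heading (the Domain/Server/IP preamble) are kept
    under the key "Header". A heading with no body lines (e.g. "SQL Injection")
    means that check ran and produced no hits.
    """
    sections = OrderedDict()
    current = "Header"
    for raw in text.splitlines():
        if SEPARATOR.fullmatch(raw):
            current = "Header"
            continue
        line = raw.lstrip("| ").rstrip()
        if not line:
            continue
        if _is_heading(line):
            current = line.rstrip(":")
            sections.setdefault(current, [])
        else:
            sections.setdefault(current, []).append(line)
    return sections


def url_hits(sections, heading, code="200"):
    """URLs a check reported with the given status ("[+] CODE: 200 URL: ...")."""
    hits = []
    for line in sections.get(heading, []):
        m = HIT.search(line)
        if m and m.group(1) == code:
            hits.append(m.group(2))
    return hits


# Illustrative list (my assumption, not Uniscan's): file names whose presence
# on a production site warrants a manual look. A PHP file answering 200 has
# usually just executed and returned nothing, so this is a pointer to verify,
# not a confirmed finding.
FILES_TO_VERIFY = ("config.php", "phpinfo.php", ".env", ".git/config", ".bak", ".old")


def files_to_verify(sections):
    return [u for u in url_hits(sections, "File check")
            if urlparse(u).path.endswith(FILES_TO_VERIFY)]


def site_host(sections):
    for line in sections.get("Header", []):
        if line.startswith("Domain: "):
            return urlparse(line.split(": ", 1)[1]).hostname
    return None


def emails(sections):
    """Addresses exposed in the page markup (input for a phishing-exposure review)."""
    found = []
    for line in sections.get("INTERESTING STRINGS IN HTML", []):
        for addr in EMAIL.findall(line):
            if addr not in found:
                found.append(addr)
    return found


def external_hosts(sections):
    """Third-party hosts linked from the page, i.e. external script/link dependencies."""
    own = site_host(sections)
    hosts = []
    for line in sections.get("INTERESTING STRINGS IN HTML", []):
        for href in HREF.findall(line):
            host = urlparse(href).hostname
            if host and host != own and host not in hosts:
                hosts.append(host)
    return hosts


def triage(text):
    s = parse_report(text)
    return {
        "reachable_dirs": url_hits(s, "Directory check"),
        "files_to_verify": files_to_verify(s),
        "emails": emails(s),
        "external_hosts": external_hosts(s),
        # checks that ran but reported nothing
        "empty_checks": [h for h, lines in s.items() if not lines],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

The `empty_checks` list is as useful as the hits: it records which injection, file-include and shell checks actually ran and came back clean, which is what you cite when you say the site was well hardened. The `config.php` entry is deliberately reported as "to verify" rather than "exposed": the next step is confirming by hand that no backup copy or misconfigured handler serves its source.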

Tools of this kind are useful in the early phases of a penetration test, footprinting and fingerprinting, but we cannot base an audit entirely on automated tools, or the tests will be a failure. If experience teaches us anything, it is that there are ever more security measures, smarter firewalls and IPSs, SIEMs, WAFs, antivirus, etc., which makes these trial-and-error tools less and less effective, and so, more than ever, the knowledge, experience and skills of a good ethical hacker are all the more necessary.
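On the defending side, the same trial-and-error behaviour is what makes such scans visible in the logs: the ERROR INFORMATION section above shows Uniscan requesting random paths to provoke 404 pages, and the directory and file checks do the same with guessed names. The following Python snippet is an added example, not code from the post or from Uniscan, that runs a simple detection over constructed Apache access-log lines: a client that draws five or more 404 responses for distinct paths within one minute is reported, while a browser that merely misses a favicon is not. The log lines, IP addresses, thresholds and function names are my own assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log sample (not from the post): one client walks
# through non-existent paths the way a scanner's directory/file checks do,
# while another client browses normally and hits a single missing favicon.
SAMPLE_LOG = """\
203.0.113.5 - - [21/May/2015:02:07:55 +0000] "GET /qZ7xKp9 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2015:02:07:58 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:01 +0000] "GET /config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:05 +0000] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2015:02:08:09 +0000] "GET /blog/ HTTP/1.1" 200 7301 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:12 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:12 +0000] "GET /.env HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [21/May/2015:02:08:15 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:20 +0000] "GET /phpinfo.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [21/May/2015:02:08:30 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

# Fields of the combined log format we need: client address, timestamp,
# request line (method and path) and response status.
LOG_LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def detect_scanners(lines, window_seconds=60, threshold=5):
    """Return {client_ip: ISO time of first alert} for clients that draw
    `threshold` or more 404s on distinct paths within `window_seconds`.

    Legitimate clients hit the odd 404 (a missing favicon); a burst of 404s on
    many different paths from one address is the signature of path guessing.
    """
    recent = defaultdict(deque)   # ip -> (timestamp, path) pairs inside the window
    alerts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["status"] != "404":
            continue   # malformed line, or not an error response
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        window = recent[m["ip"]]
        window.append((ts, m["path"]))
        # Drop entries older than the sliding window.
        while (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        distinct_paths = {path for _, path in window}
        if m["ip"] not in alerts and len(distinct_paths) >= threshold:
            alerts[m["ip"]] = ts.isoformat()
    return alerts


def run_sample():
    return detect_scanners(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when in run_sample().items():
        print(f"scanner-like 404 burst from {ip}, threshold reached at {when}")
```

Counting distinct paths rather than raw 404s keeps a client that retries the same broken link from tripping the rule; the threshold and window are the knobs to tune against your own baseline of 404 noise before wiring the output into a SIEM rule or a rate-limiting action.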

Regards!

