Skip to main content

Tornado Webserver Recon Basics

 Tornado Web Server Recon Basics    Tornado is a python web server framework developed by FriendFeed . It can can scale to tens of thousands of open connections, making it ideal for long polling , WebSockets , and other applications that require a long-lived connection to each user. So this means it's an highly performant and companies like Facebook with scaling SaaS projects uses it for serving clients' needs. The labs I would be discussing in this post are provided by Attack Defense: Tornado Recon: Basics Tornado: Basic Authentication Tornado: Digest Authentication So let's begin Tornado Recon: Basics In this lab my ip is 192.96.75.3 Which web server software is running on the target server? Also find out the version. Use nmap. Execute the command by replacing <IP> with the one you have been assigned with nmap -sS -sV <IP> It is serving Tornado server on port 80 and version of the server is 5.1.1 What content is returned when a query is made to the base d...

Apache Server Recon Basics

 

 Apache Server Recon Basics

 

Recon Begins...

In my case the IP 192.9.249.3. You can find the IP by running ipconfig and replacing last part of IP with 3 in eth1 interface

What is the version of the running web server?

So this is very straightforward and easy. Using nmap you can find this.

nmap -sS -sV 192.9.249.3

The -sS flag tells nmap to scan the service on open port and -sV tells to find the version of it

The version of Apache here is 2.4.18

What page is hosted on the running web server?

Hmm, this is also easy. Let's try curl-ing the webpage

curl http://192.9.249.3:80 -s | grep title

By default curl will make request on port 80 and / path

So, it is serving the Default index.html Page

Perform bruteforce on web server directories and list the names of directories found. Use brute_dirs metasploit module.

The brute_dirs module can be found in auxiliary/scanner/http/brute_dirs. Configure it as per your rhost requirements.

After running it for ~3 mins, it managed to find only 2 directories dir and poc. So I am assuming there are only two directories in the server

Flags are kept in both the directories. Try to retrieve the flag from “dir” directory using curl.

Well it doesn't seem to be challenging though. Let's try out by cur-ling /dir/ path this time

curl http://192.9.249.3:80/dir/ -s

The directory is protected. You can't access it without username and password. There is no sql server to exploit, you need to bruteforce the username and password. Before all of this you need to get what type of authentication does this directory use

The “dir” directory is using some kind of protection. What protection is that?

Everytime there is unauthenticated access to protected resource, web servers sends some information about how client should send the credentials for verification in WWW-Authenticate header.

Simply add -I to the curl request. This will use HEAD http verb instead of GET which will return the only the response headers. 

 curl http://192.9.249.3:80/dir/ -Is

Directory /dir/ uses Basic authentication. Working of this authentication type is well documented in RFC 7617

Find the authentication type for /poc/ directory as well.

Based of previous task, I am assuming /poc/ is also protected. Let's find out which authentication it uses

 curl http://192.9.249.3:80/poc/ -Is

Directory /poc/ is protected via Digest authentication. Read more about it from Wikipedia

Brute-force the password for /dir/ and /poc/ directory with usernames alice and bob

In this you can use metasploit http_login module to bruteforce for the password using /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt file.

First, create a new file with user names

Now run metasploit and load auxiliary/scanner/http/http_login module

Password for /dir/ is bob:qwerty and /poc/ is alice:password1

Retrive the flags from the directories

To send username password with http request, you need to pass -u argument. 

curl http://192.9.249.3:80/dir/ -s -u bob:qwerty
curl http://192.9.249.3:80/poc/ -s -u alice:password1 --digest

By default curl uses Basic authentication. To enforce the Digest type, you must pass --digest flag

Done.

Labels:

Popular posts from this blog

Using cURL For Recon!

   Using cURL For Recon! (client URL) is a command-line tool and library which primarily supports HTTP along with many other protocols. This makes it a good candidate for scripts as well as automation. The tool takes in at least one argument, i.e., the resource to fetch. GET Request The default HTTP requests made by cURL are GET requests. Let's try requesting the page from the GET section. cURL - GET Request cURL - GET Request $ curl http://inlanefreight.com/ <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>401 Unauthorized</title> </head><body> <h1>Unauthorized</h1> <p>This server could not verify that you are authorized to access the document  requested.</p>   <hr> <address>Apache/2.4.41 (Ubuntu) Server at inlanefreight.com Port 80<...
Read more

MSSQL Recon Using Nmap Scripts

 MSSQL Recon Using Nmap Scripts You can find this lab here – https://attackdefense.com/challengedetails?cid=2313 First of all, on what port MS-SQL is running. This can be done by simple Nmap command with -sV and --top-ports 65535 . Scanning the entire port range is useful because for security reasons infra teams change the default ports nmap -sV --top-ports 65535 10.4.16.254 Well in this case it running on default port 1433. Q1. Gather information from the MS-SQL server with NTLM. There are two modules to get information about the ms-sql server: ms-sql-info and ms-sql-ntlm-info Since the question it is explicitly asked for NTLM, the second script will be used here. Feel free to read about them: I found one juicy piece of information about the server, the version number. Once running query you can use this to search for specific exploits (if available): Let's use normal script, just being curious what information this will give: nmap 10.4.16.254 -p1433 --script ms-sql-ntlm-info...
Read more