Skip to main content

Tornado Webserver Recon Basics

 Tornado Web Server Recon Basics    Tornado is a python web server framework developed by FriendFeed . It can can scale to tens of thousands of open connections, making it ideal for long polling , WebSockets , and other applications that require a long-lived connection to each user. So this means it's an highly performant and companies like Facebook with scaling SaaS projects uses it for serving clients' needs. The labs I would be discussing in this post are provided by Attack Defense: Tornado Recon: Basics Tornado: Basic Authentication Tornado: Digest Authentication So let's begin Tornado Recon: Basics In this lab my ip is 192.96.75.3 Which web server software is running on the target server? Also find out the version. Use nmap. Execute the command by replacing <IP> with the one you have been assigned with nmap -sS -sV <IP> It is serving Tornado server on port 80 and version of the server is 5.1.1 What content is returned when a query is made to the base dir

Nginx Recon Basics

 Nginx Recon Basics

 

You can find this Lab here 

 

Nginx is a web server like Apache, its a multipurpose opensource server mainly used for serving cached contents, load balancers or reverse proxy. Like Apache, it can also serve PHP or static contents.

So, why Nginx if you have apache? Well, Nginx performs better than Apache in some scenarios and many big companies are using it to serve their clients. Here are few of them https://www.nginx.com/resources/wiki/community/why_use_it/

You get the idea why Nginx is so important now, so let's dive into this

Let the Recon Begin

In my case the ip is 192.14.197.3. You can find the ip by running `ifconfig` and the change the last part from 2 to 3 eth1 interface

Not asked but, What is version of nginx version running?

Using nmap tool to find the version

nmap -sS -sV 192.14.197.3

It is running nginx v1.15.4

What are the authentication types being used for /Admin and /Administrator folder?

Using authentication recon tip from previous post, sending unauthenticated request deliberately to get the authentication type and scheme

curl 192.14.197.3/Admin -Is
curl 192.14.197.3/Administrator -Is

Find the password of user “admin” which is required to access the /Admin directory using metasploit.

In this you need to use the http_login module, that you used in previous part to find the password for the directory

The http auth credentials for /Admin is admin:57chevy

Find the password of user “alice” which is required to access the /Administrator directory.

Same thing as above with different user, auth_uri and password file

The http auth credentials for /Administrator is alice:sunshine1

Note: Regarding hydra brute forcing, I am leaving this to you. Here is an awesome resource for a headstart -> http://tylerrockwell.github.io/defeating-basic-auth-with-hydra/

Retrieve flags from /Admin and /Administrator directories

Alright, so you have the authentication type and credentials. Use it with the curl to get the details

Now you got the flags, submit it!

Labels:

Popular posts from this blog

Apache Server Recon Basics

   Apache Server Recon Basics   Recon Begins... In my case the IP 192.9.249.3 . You can find the IP by running ipconfig and replacing last part of IP with 3 in eth1 interface What is the version of the running web server? So this is very straightforward and easy. Using nmap you can find this. nmap -sS -sV 192.9.249.3 The -sS flag tells nmap to scan the service on open port and -sV tells to find the version of it The version of Apache here is 2.4.18 What page is hosted on the running web server? Hmm, this is also easy. Let's try curl-ing the webpage curl http://192.9.249.3:80 -s | grep title By default curl will make request on port 80 and / path So, it is serving the Default index.html Page Perform bruteforce on web server directories and list the names of directories found. Use brute_dirs metasploit module. The brute_dirs module can be found in auxiliary/scanner/http/brute_dirs . Configure it as per your rhost requirements. After running it for ~3 mins, it managed to fin
Read more

MSSQL Recon Using Nmap Scripts

 MSSQL Recon Using Nmap Scripts You can find this lab here – https://attackdefense.com/challengedetails?cid=2313 First of all, on what port MS-SQL is running. This can be done by simple Nmap command with -sV and --top-ports 65535 . Scanning the entire port range is useful because for security reasons infra teams change the default ports nmap -sV --top-ports 65535 10.4.16.254 Well in this case it running on default port 1433. Q1. Gather information from the MS-SQL server with NTLM. There are two modules to get information about the ms-sql server: ms-sql-info and ms-sql-ntlm-info Since the question it is explicitly asked for NTLM, the second script will be used here. Feel free to read about them: I found one juicy piece of information about the server, the version number. Once running query you can use this to search for specific exploits (if available): Let's use normal script, just being curious what information this will give: nmap 10.4.16.254 -p1433 --script ms-sql-ntlm-info
Read more