From Paul's Security Weekly
Jump to: navigation, search
ProXPN 186x46.jpg
The SANS Institute
Black Hills Information Security
Tenable Network Security
Pwnie Express

Episode Media


Tech Segment - Apache Hardening

Last week's segment focused on how to use the newly updated web server testing tool called nikto. This week we will look at some nikto results and cover how to secure, or harden, your Apache server such that it will be much harder for attackers to glean information and attack. I will go into some really cool Rewrite rules, then show you how to modify Nikto to bypass them. I believe it is important to know how to run the tools, how to defend against them, and what limiations you have in your defenses. So lets start by scanning our web server with Nikto:

- Nikto 2.01/2.01     -     cirt.net
+ Target IP:
+ Target Hostname: web.yourdomain.com
+ Target Port:     80
+ Start Time:      2008-01-04 12:52:03
+ Server: Apache/1.3.34 Ben-SSL/1.55 (Debian)
+ /robots.txt - contains 1 'disallow' entry which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE 
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ Apache/1.3.34 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ Ben-SSL/1.55 appears to be outdated (current is at least 1.57)
+ OSVDB-877: TRACK / : TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-877: TRACE / : TRACE option appears to allow XSS or credential theft. See http://www.cgisecurity.com/whitehat-mirror/WhitePaper_screen.pdf for details
+ OSVDB-3092: GET /downloads/ : This might be interesting...
+ OSVDB-3268: GET /icons/ : Directory indexing is enabled: /icons
+ 4345 items checked: 9 item(s) reported on remote host
+ End Time:        2008-01-04 13:00:51 (528 seconds)
+ 1 host(s) tested

As you can see, Houston we have a problem. Our web server is vulnerable to XST, or Cross-Site Request Tracking, which could potentially allow attackers to steal cookies or perform XSS attacks. Our web server also gives away important information to the attacker in the form of the Apache and Mod_SSL version. Lets start with some basic hardening and configure our directory settings to be very restrictive:

<Directory /var/www/>

# Prevents TRACE from allowing attackers to find a
# path through cache or proxy servers.
<LimitExcept GET POST>
deny from all

# FollowSymLinks allows a user to navigate outside the doc tree, 
# and Indexes will reveal the contents of any directory in your doc tree.
# Includes allows .shtml pages, which use server-side includes (potentially 
# allowing access to the host).  If you really need SSI, use IncludesNoExec instead.

Options -FollowSymLinks -Includes -Indexes  -MultiViews

# AllowOverride None will prevent developers from overriding these 
# specifications in other parts of the doc tree.
AllowOverride None

Order allow,deny
Allow from all


To minimize the information given out to attackers we can prevent the server from giving version information in headers and in error pages using the following configuration:

ServerSignature Off

ServerTokens Prod

Then put in a custom 404 and 500 message:

ErrorDocument 500 "The server encountered an error with your request
ErrorDocument 404 /error.html

The more generic, the better.

Implement the following Rewrite rule in each virtual host to prevent the bad HTTP methods, like TRACE and TRACK. Also, restrict the user agents to prevent scanning (Thanks to http://www.0x000000.com/index.php?i=473 for the excellent tips):

RewriteEngine on
RewriteLogLevel 3
RewriteLog /var/log/apache-ssl/rewrite.log
RewriteCond %{HTTP_USER_AGENT} ^(.*)(java|libwww-perl|libwwwperl|snoopy|curl|wget|python|nikto|scan)(.*) [NC,OR]
RewriteRule .* - [F]

The above rules do neat stuff like block the bad HTTP methods and User Agents. I like to enable logging on my rewrite rules for further analysis. Now when you scan with Nikto, you get:

- Nikto 2.01/2.01     -     cirt.net
+ Target IP:
+ Target Hostname: web.yourdomain.com
+ Target Port:     80
+ Start Time:      2008-01-04 15:07:27
+ Server: Apache
+ All CGI directories 'found', use '-C none' to test none
+ OSVDB-6659: GET /ZP50b6fssDgjmdHOFjfhLGNfUJFzj9q2MFx5EHk24DfYqfu0HOPXV51l5zcHNk4bmE7UVwjpAQ2OOhzeBLQ83OIaKFSEc4EUjcIwPPzZgLNIxqW9A1Cq94i2UEjf3O5knE6VzbGX4H4aUTNvppzNc3vaoltuDpfZavPSn9bUadIdJbFCux4jivoSoVxbhGmJOk59djTdwNIzIs8ifppk1YWOfKTX3ba<font%20size=50>DEFACED<!--//-- : MyWebServer 1.0.2 is vulnerable to HTML injection. Upgrade to a later version.
+ 17455 items checked: 1 item(s) reported on remote host
+ End Time:        2008-01-04 15:16:11 (524 seconds)
+ 1 host(s) tested

Which is a false positive for some odd reason that I have not figured out. Notice that the results are totaly bogus too, as we should have at least found the robots.txt file. This is because every single one of our requests has been blocked by the rewrite rule. You will see something like the following in your Apache access.log: - - [03/Jan/2008:15:14:09 -0500] "GET /demo/sql/index.jsp HTTP/1.0" 403 216 "-" "Mozilla/4.75 (Nikto/2.01 )" "-" - - [03/Jan/2008:15:14:09 -0500] "GET /cgi-perl/.htaccess HTTP/1.0" 403 216 "-" "Mozilla/4.75 (Nikto/2.01 )" "-" - - [03/Jan/2008:15:14:09 -0500] "GET /cgi-perl/.htaccess.old HTTP/1.0" 403 220 "-" "Mozilla/4.75 (Nikto/2.01 )" "-" - - [03/Jan/2008:15:14:09 -0500] "GET /cgi-perl/.htaccess.save HTTP/1.0" 403 221 "-" "Mozilla/4.75 (Nikto/2.01 )" "-" - - [03/Jan/2008:15:14:10 -0500] "GET /cgi-perl/.htaccess~ HTTP/1.0" 403 217 "-" "Mozilla/4.75 (Nikto/2.01 )" "-"

Note that we are sending 403 Forbidden messages back to the client in response to triggering the rewrite rule. If you turned on rewrite rule logging, you will see stuff like this in your rewrite.log: - - [03/Jan/2008:15:16:10 -0500] [web.yourdomain.com/sid#80ac3cc][rid#8104ed4/initial] (2) forcing '/sites/default/settings.php' to be forbidden - - [03/Jan/2008:15:16:10 -0500] [web.yourdomain.com/sid#80ac3cc][rid#8104ed4/initial] (2) init rewrite engine with requested uri /cgi-perl/c32web.exe/GetImage - - [03/Jan/2008:15:16:10 -0500] [web.yourdomain.com/sid#80ac3cc][rid#8104ed4/initial] (3) applying pattern '.*' to uri '/cgi-perl/c32web.exe/GetImage'

Well, if you a pen tester this really stinks. So just go into the nikto code and change your user agent. Its located in the nikto directory in plugins/nikto_core.plugin, here's the change that I made:

#$NIKTO{useragent}="Mozilla/4.75 ($NIKTO{name}/$NIKTO{version} $request{'User-Agent'})"; # This was the old line

$NIKTO{useragent}="Mozilla/4.75 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648) $request{'User-Agent'})";

Now you will appear as if you are using IE 7 when running Nikto, which has a much better chance of slipping through filters, and our scan now looks like this:

- Nikto 2.01/2.01     -     cirt.net
+ Target IP:
+ Target Hostname: web.yourdomain.com
+ Target Port:     80
+ Start Time:      2008-01-04 15:24:32
+ Server: Apache
+ /robots.txt - contains 1 'disallow' entry which should be manually viewed (added to mutation file lists) (GET).
+ OSVDB-3092: GET /downloads/ : This might be interesting...
+ 4345 items checked: 2 item(s) reported on remote host
+ End Time:        2008-01-04 15:33:20 (528 seconds)
+ 1 host(s) tested

W00t! We slipped past the filters and found a robots.txt file and an interesting folder called downloads. Here's my final tip, use robots.txt as a honeypot and forbid a directory in there that contains nothing. Then watch all attempts to access that directory and even go so far as to actively ban those IP addresses.


Stories Of Interest

Wireless router virus epidemic - [Larry,Paul] - We talked about this last week. Seems to be similar research. Thanks for the reminder mmiller! [Paul] - We did talk about this last week, however the paper comes from Indiana University, and is well, somewhat bogus. Basically they are saying that there are enough wireless routers in close enough proximity that if malware were to spread, it could. They fail to address some of the issues such as:

  • How do you get xplatform malware to run on different devices?
  • Honing in on one common, or most common, platform such as the WRT54G will not yield the worlds largest botnet or even be worthwhile. Think about it, you have many factors:
    • The router must have the processor architecture that supports your code
    • The password must be set to the default
    • It must be an open, broadcast SSID
    • It can run WEP, but you would have to crack the key and hope someone with WEP left the default password set
    • The management interface must be running and on the default port
    • It must be running firmware that supports your code (i.e. not vxworks)
    • Even if you replace the firmware, you need a method to do so and some way to test what type of hardware it is

UK Hacker Tool ban - [Larry] - why do these laws always go sideways? the UK is looking to ban the development of "hacker tools", however as we all know those same tools are used by black, white and grey has, as well as system admins and the like to help audit their own systems. The lawmakers claim that it is intended to eliminate the tools created with malicious intent, which is absurd! They also leave the law open to go after the distributors of tools - for say, nmap!

Botnets, coming to co console near you - [Larry,Paul] - Paul talked about game consoles becoming botnet zombies. Well, now the Wii has been hacked to run unsigned code without a modchip... [Paul] - W00t, now here is a much more solid model for botnet building. You have one platform, the Wii, and even if you expanded that to PS3 and Xbox, thats only three. I think that this is far more likely than a botnet that attacks Wifi routers, maybe you use Wifi routers to attack Wii's, which is more beneficial.

Even the Swedes lose USB sticks - [Larry] - This time with classified NATO information on forces in afghanistan.

Phishing On Facbook and Becoming an Insider - [Paul] - Remember we said that becoming an insider was a cool thing and was brought to our attention by Gnucitizen? Well, here is a great way to become an insider. This phishing attack would fool most, and what a nice way to gain access to someone's facebook identity. If you're sneaky enough, you could use someone else's identitiy to gain the trust of another and steal not only internal company secrets, but other company secrets as well. I think this goes along with the general trend that we've seen by attackers to take real world crime and use the same methods in the digital world.

PI licenses redux - [Larry] - South Carolina is toying with legislation that will require Forensic analysts as consultants to posses a PI license, as well as some certification.

Two students suspended after hacking teacher's computer [byte_bucket, Security Weekly - "Two students at Louisville’s top public high school are facing suspensions after at least one hacked into a teacher’s computer to boost grades and erase absences, while another posted coming quizzes and tests on a Web site. At least one of the pair of DuPont Manual high seniors, who were not named by Jefferson County Public Schools, installed software on their teacher’s computer that recorded each keystroke to help determine passwords, district officials said." So installing keystroke loggers to change your grades should not be called "hacking", I mean really. Its more like "espianage" than hacking. Now, if the kid "hackers" found an XSS vulnerability and used it to obtain the list of quizes that were coming up, they would get an "A" in my class, provided they followed some sort of responsible disclosure :)

Hidden Browser in Windows Calc.exe Help - [Paul] - I've gotten a lot of feedback on the secure kiosk topic we mentioned a few shows back, and I get it! Windows SteadyState is a free tool from Microsoft that lets you manage the config of Kiosk computers, so go use it. I thought that this was a neat hack to get around a "Secure" kiosk that does not all IE. It works too, I tested it on Windows XP SP 2 with IE 6. Interesting that flash won't run...But I wonder if this can be blocked with SteadyState, as I am certain that you can just block certain applications. Is steadystate the answer or are there group policy settings that work better or in conjunction with steadystate?

More VLC Exploits - [Larry] - this time they are not in the wild - they are only available to CORE Impact customers. Remote exploitation is fun!

Barcode Hacking - [Larry] - 24CCC presentation on abusing barcodes, from access control to inventory. Think about how many times barcodes are used for access control, and with open formats this can be all sorts of fun. Insert bob story here.

We Love Metadata - [Paul] - Great posting from GNucitizens on metadata. I like some of the tools and methods that he describes, the most basic being Bash! Check out his listing of scripts here. Also, he likes Maltego, which I ran out of time to setup, which is formerly Paterva. They have a GUI that runs on all platforms which looks really neat, but requires some registration and setup.

Dangers of getting famous - [Larry] - It is a bad thing when folks you have never met recognize you, especially when you are known for being a Penetration tester. you show up at a facility, are recognized, and a staff member says, oh crap, we're being pen-tested (even if you are just there for something routine). This is why doing on site social engineering/pen testing to your own company can be darned near impossible.

WVE Editors at SharkFest 08 - [Larry] - Josh Wright and Mike Kershaw both presenting at the Wireshark Conference on using Wireshark for analyze wireless networks. I hope their slides get posted, as I can always learn a few tricks from the masters.

Mifare Crypto1 RFID pwned - [Larry] Yet more good stuff out of 24CCC, as reported by our friend Eliot over at Hack-A-Day. Looks like the crypto securing the RFID tags used in most car keys has been broken. The random number generator appears to only have been 16 bits, and seeded with the length of time the card has been operational. I wish I, er, Bob, had this last summer, when Bob had a mifare car key from Nissan in his posession.

Other Stories Of Interest

Porn With Subtitles - [Paul] - Thought this was a neat usage of technology "Through subtitles, sign language, cartoonish thought bubbles, full audio and blatant use of technology, anyone can understand the complex plot and tangled relationships portrayed in the company's first DVD release, Naughty Deaf Roommates."

Build A Mac Pro For 1/3 Cost - [Paul] - Good link if you are planning to build a new PC.

Listener Submitted Stories