SlideShare a Scribd company logo

project_docs

Download as DOCX, PDF
A
Andrey Lavrinovic

The document describes an automated tool called ipsnapshoter that detects misconfigured HTTP services. It scans IP addresses and ports, uses Nmap to find available hosts, takes screenshots of server responses using EyeWitness, and publishes results in an HTML report. The tool is designed to help security testers identify vulnerabilities by visually exploring misconfigurations before malicious actors. It is written in Python and uses libraries like Nmap, EyeWitness, and a simple HTTP server to efficiently scan thousands of addresses and generate consolidated reports.

1 of 9
DETECTION OF MISCONFIGURED HTTP SERVICES Author: Andrej Lavrinovic Supervisor: Sean Boylan AUGUST 1, 2016 SYNCHRONOSS TECHNOLOGY Galway GIS
Tableof Contents Detection of misconfigured HTTP services...............................................................................3 Introduction.............................................................................................................................3 Technologies............................................................................................................................3 Structure .................................................................................................................................4 Performance............................................................................................................................5 Scheduling........................................................................................................................... 5 Input....................................................................................................................................5 Nmapping............................................................................................................................ 6 Scanning.............................................................................................................................. 7 Publishing............................................................................................................................ 8 Features..................................................................................................................................8 Conclusion...............................................................................................................................9
Detection of misconfigured HTTP services. Introduction Configuration of web servers and web application is playing key role in the security, as these servers are responsible for serving its content and invoking applications that generate content. Misconfiguration of HTTP services may be the cause of leakage of the sensitive information, that can be used in malicious purpose later. There wide range of IP addresses are owned or assigned to Synchronoss Technology, which are maintained by Network team. It’s important to keep all servers configured and to detect vulnerabilities before malicious people. One of the way is to request content from HTTP servers and check response for information availability. Consider the number of hosts and the huge range of ports that may be opened it is very hard to check them manually. So ipsnapshoter tool are created to automatically scan each IP address with number of available ports. As result the html page is generated with list of snapshots for all available accesses and with all related information. The final goal is to notify the responsible people by rising tickets if any vulnerability is detected. Technologies Utility have been written in Python v.2.7 as this programming language are very powerful and suitable to reach all assigned goals. At the same time Python is interactive, with various programming approaches (such as OOP, scripting or functional), high-level language which very easy to use. Several Python libraries have been used such as:  subprocess (to run sub-processes)  xml.etree (to work with xml structured file)  SimpleHTTPServer (to publish reports)  re (to use regular expression patterns)  argparse (to configure execution) and etc. for different purposes. External projects and utilities are also used to detect vulnerabilities:  Nmap is used to find all available ports and generate nmap xml output file.  EyeWitness project is used for snapshots and generating of report.html page.  Crontab is used to schedule the execution of script.
Structure Diagramabove is showing the structure of a script. The top box ‘makeout.py’ is a main file that perform execution. Using argparse library it can accept some configuration that will affect on following process. Process is controlled by ‘fout’ class. This class is used within makeout.py (composition). Depend of initial configuration one or another methods of fout class are called for execution. As script is using input and output resources the appropriate paths need to be configured. ‘Fp’ (file paths) class is responsible for this. Using os.path library ‘fp’ defines its root location and builds paths to the resources, which are used in ‘fout’ (agrigation). Resources represented by ‘fls’ (files) instances that accept two attributes: file name and mode (agrigation). ‘fls’ instances are used then to open file objects for its following utilisation. ‘fls’ components - file name and mode - are represented by fl class which in its turn includes ‘flmd’ class to specify mode. (composition) During script performance some intermediated files are generating using some data components. ‘ipp’ (ip ports) class is maintaining this process. Its used by ‘fout’ (composition)
Pretty much of work is given to ‘Ipconv’ by ‘fout’ (composition). Its responsible for matching, converting, file reading and writing and more. Some algorithms are used by ‘Ipconv’. Performance Scheduling Misconfiguration detector execution need to be performed from command line. Crontab utility is scheduling and automating performances process. Cron is a daemon that executes scheduled commands. It wakes up every minute, examining all stored crontabs. Crontab, in its turn, contain those commands and structured time point at which commands assigned to be executed. Cron scheduler is set to be performed weekly every Sunday at 12pm. Input As an input source, script is using txt file with a list of IP addresses. Different formats of IPs are accepted:  Original IPv4 address (such as 192.168.1.0)
 CIDR notation (such as 192.168.1.0/24)  Block of last 8 bits renge (such as 192.168.0-255)  Block of all bits range (such as 192.168.1.0 – 192.168.1.255) Ipconverter module of the script is responsible for understanding notation, translating all IP notations into original IPv4 and listing all IPs in initial format. If source file has heading it used by script later to specify report’s name. It is important to know that source file must contain very last line blanked. It is necessary for detecting last IP properly as it recognized by new line character ‘n’. As it was mentioned above, the output is a text file with all IP addressed listed in initial format, suitable to be handled further. Nmapping It is a big chance that list of IP addresses can contain thousands and thousands records. There are thousands of TCP ports that potentially may be opened. With simple maths we can calculate how many GET requests we need to make to check every possibility of vulnerability. Assume we have 1000 of IPs that need to be checked. Even if we’ll try to access top 1000 of most common TCP ports, we need to send 1000000 of GET request, and wait some while for each response. We can never end in this way especially that list may consist of much more than 1000 of IPs. Nmap tool is used by script to solve this problem. Its determine what hosts are available on the network by sending specially crafted packets to the target host and then analyses the responses. The number of features provide the flexibility in choosing of way to scan with specifying all necessary ports. As an output nmap returns xml file with structured information about availability of given hosts. This file is used to retrieve all hosts with open ports to further scanning. There nmapconverter module in the script is dealing with nmap tool. It is also responsible for:  Preparing input instance  Preparing all necessary state flags and other data that may be used by nmap  Creating sub-process that runs nmap  Scanning nmap output file  Filtering and retrieving all useful data from nmap output file  Converting retrieved data into list of all available IP address in initial format for further handling by next module. After nmapconverter module is performed we got filtered list of available hosts with available ports for access only. It is very effective way to increase performance and reduce scanning time.
Scanning Scan module performs the final stage in whole process. It is using another project called EyeWitness for capturing screenshots and generating reports. The tasks that are assigned to scan are:  To prepare input instance and prepare all necessary attributes for EyeWitness execution  To run and monitor process of scanning through all available hosts  To brake scanning process if it to large to reduce the risk of unexpected program crash  To manage output reports and to exclude the chance of conflict of the same report’s names Output is a final result of performance of ipsnapshoter utility, in the form of a report in html format. It contains the relative information about HTTP server with appropriate screenshot of a GET response.
Consider the output report tester may analyse each HTTP service that is public, and can decide if there leakage or server’s misconfiguration is found. Based on decision tester made, he/she can rise a tickets for particular issue Publishing To get suitable access to all reports the SimpleHTTPServer was established using appropriate python library. It creates a socket with specified port and give an access to the directory where reports are stored. Any browser can be used. Features Ipsnapshoter is created to be performed in certain ways. There are few flags are configured to chose how tool need to be used:  -p allows to specify ports to scan with. Ports need to be separated by comas with no white spaces. Port range are acceptable, for example: ./makeout.py –p 20,22,25,80-85 will run tool using default file with IPs with given ports 20, 22, 25, 80, 81, 82, 83, 84, and 85  -a required to give a file.txt with list of IPs with no nmap scanning. For example: ./makeout.put –a /root/file/ips.txt –p 20,22,25,80-85 will run tool using given file ‘ips.txt’ with list of IPs with given ports 20, 22, 25, 80, 81, 82, 83, 84, and 85  -c is using to make nmap scan for checking host availability. For example: ./makeout.py –c /root/file/ips.txt will scan all available hosts with opened ports only To reach the goals that emphasized in Introduction section is recommended to use -c flag. This configuration is using nmap scanner which scans for available hosts by exploring 2000 most commonly used TCP ports.
Conclusion Server Misconfiguration attacks exploit configuration weaknesses found in web and application servers. Many servers come with unnecessary default and sample files, including application files, scripts and web pages. They may also have unnecessary services enabled, such as content management, and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous user. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges. Servers may include well-known default account and passwords. Failure to fully lock down or harden the server may leave improperly set file and directory permissions. Verbose and informative error messages may result in data leakage, and the information revealed could be used to formulate the next level of attack. Incorrect configurations in the server software may permit directory indexing and path traversal attacks. The script is designed to help testers detect misconfigured HTTP servers by visually exploring received reports. Detector can handle thousands of IP addresses and response with well designed html pages that contain listed screenshots with relevant information about each available host. Its allow to security testers to find weaknesses before people with malicious intensions. Tool was developed for specific tasks that have been assigned by Global Information Security Team in Synchronoss Technology and have been designed in particular way. However considering of architecture of the script there is possibility to improve the functionality, to add new features, to make exploitation of a detector on another platforms (Windows, X OS etc.)

Recommended

Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 
Training Slides: 153 - Working with the CLI
Training Slides: 153 - Working with the CLITraining Slides: 153 - Working with the CLI
Training Slides: 153 - Working with the CLIContinuent
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautamn|u - The Open Security Community
 
Claire protorpc
Claire protorpcClaire protorpc
Claire protorpcFan Robbin
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 

Recommended

Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting enginen|u - The Open Security Community
 
Training Slides: 153 - Working with the CLI
Training Slides: 153 - Working with the CLITraining Slides: 153 - Working with the CLI
Training Slides: 153 - Working with the CLIContinuent
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitableMohammed Akbar Shariff
 
NMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit GautamNMAP by Shrikant Antre & Shobhit Gautam
NMAP by Shrikant Antre & Shobhit Gautamn|u - The Open Security Community
 
Claire protorpc
Claire protorpcClaire protorpc
Claire protorpcFan Robbin
 
Traffic monitoring
Traffic monitoringTraffic monitoring
Traffic monitoringRadu Galbenu
 
Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorYuuki Takano
 
Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsUltraUploader
 
NMap
NMapNMap
NMapPritesh Raka
 
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)Yuuki Takano
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptorsn|u - The Open Security Community
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
Zen map
Zen mapZen map
Zen mapharisnaved
 
Nmap
NmapNmap
NmapSreekanth Narendran
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scannern|u - The Open Security Community
 
Network scanning with nmap
Network scanning with nmapNetwork scanning with nmap
Network scanning with nmapAshish Jha
 
Nmap commands
Nmap commandsNmap commands
Nmap commandsKailash Kumar
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 
Wireshark ppt
Wireshark pptWireshark ppt
Wireshark pptbala150985
 
Monit
MonitMonit
MonitAbhishek Singh
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3Nutan Kumar Panda
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorialPiyush Mittal
 
Medico
MedicoMedico
MedicoSussyLerma
 
Bynature video
Bynature videoBynature video
Bynature videoBy Nature AS
 

More Related Content

What's hot

Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorYuuki Takano
 
Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsUltraUploader
 
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)Yuuki Takano
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 WorkshopYi Tseng
 
Network scanning with nmap
Network scanning with nmapNetwork scanning with nmap
Network scanning with nmapAshish Jha
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANsIshraq Al Fataftah
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...Felipe Prado
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Wireshar training
Wireshar trainingWireshar training
Wireshar trainingLuke Luo
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 

What's hot (20)

Tutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow AbstractorTutorial of SF-TAP Flow Abstractor
Tutorial of SF-TAP Flow Abstractor
 
Anti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functionsAnti disassembly using cryptographic hash functions
Anti disassembly using cryptographic hash functions
 
NMap
NMapNMap
NMap
 
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
SF-TAP: Scalable and Flexible Traffic Analysis Platform (USENIX LISA 2015)
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
2016 NCTU P4 Workshop
2016 NCTU P4 Workshop2016 NCTU P4 Workshop
2016 NCTU P4 Workshop
 
Zen map
Zen mapZen map
Zen map
 
Nmap
NmapNmap
Nmap
 
NMAP - The Network Scanner
NMAP - The Network ScannerNMAP - The Network Scanner
NMAP - The Network Scanner
 
Network scanning with nmap
Network scanning with nmapNetwork scanning with nmap
Network scanning with nmap
 
Nmap commands
Nmap commandsNmap commands
Nmap commands
 
Packet sniffing in switched LANs
Packet sniffing in switched LANsPacket sniffing in switched LANs
Packet sniffing in switched LANs
 
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
DEF CON 27 - MAKSIM SHUDRAK - zero bugs found hold my beer afl how to improve...
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Wireshar training
Wireshar trainingWireshar training
Wireshar training
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 
Wireshark ppt
Wireshark pptWireshark ppt
Wireshark ppt
 
Monit
MonitMonit
Monit
 
Backtrack Manual Part3
Backtrack Manual Part3Backtrack Manual Part3
Backtrack Manual Part3
 
Wireshark tutorial
Wireshark tutorialWireshark tutorial
Wireshark tutorial
 

Viewers also liked

MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规mysqlops
 
"Chula" by Manuel Blanco
"Chula" by Manuel Blanco"Chula" by Manuel Blanco
"Chula" by Manuel Blancoenglishprojects
 
Projeto de Resolução: Criação do Canal Parlamento-Açores
Projeto de Resolução: Criação do Canal Parlamento-AçoresProjeto de Resolução: Criação do Canal Parlamento-Açores
Projeto de Resolução: Criação do Canal Parlamento-AçoresPPMonarquico
 
Vente et achat immobilier, guide en 5 étapes clés
Vente et achat immobilier, guide en 5 étapes clésVente et achat immobilier, guide en 5 étapes clés
Vente et achat immobilier, guide en 5 étapes clésGroupe Althémis
 
Respeto y calidad de vida y cancino 2
Respeto y calidad de vida y cancino 2Respeto y calidad de vida y cancino 2
Respeto y calidad de vida y cancino 2jonhatancancino
 
Presentación sobre el curso de asignatura estatal
Presentación sobre el curso de asignatura estatalPresentación sobre el curso de asignatura estatal
Presentación sobre el curso de asignatura estatalKarina Serrano Jimenez
 
Slideshare Continued
Slideshare ContinuedSlideshare Continued
Slideshare ContinuedAl Hopkins
 
Frederik Van Nuffel 'Marine Science meets Maritime Industry'
Frederik Van Nuffel 'Marine Science meets Maritime Industry'Frederik Van Nuffel 'Marine Science meets Maritime Industry'
Frederik Van Nuffel 'Marine Science meets Maritime Industry'Flanders' Maritime Cluster
 
Rawnet Lightning Talk - Anyone Can Draw.
Rawnet Lightning Talk - Anyone Can Draw.Rawnet Lightning Talk - Anyone Can Draw.
Rawnet Lightning Talk - Anyone Can Draw.Rawnet
 
Smartphones vs. Tablets: An Analysis
Smartphones vs. Tablets: An AnalysisSmartphones vs. Tablets: An Analysis
Smartphones vs. Tablets: An AnalysisBilly Schwartz
 
4.6.1 los tipos de cambio
4.6.1 los tipos de cambio4.6.1 los tipos de cambio
4.6.1 los tipos de cambioCARLOS MASSUH
 

Viewers also liked (20)

Medico
MedicoMedico
Medico
 
Bynature video
Bynature videoBynature video
Bynature video
 
MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规MySQL数据库开发的三十六条军规
MySQL数据库开发的三十六条军规
 
2007
20072007
2007
 
"Chula" by Manuel Blanco
"Chula" by Manuel Blanco"Chula" by Manuel Blanco
"Chula" by Manuel Blanco
 
Dia del libro
Dia del libroDia del libro
Dia del libro
 
Phone page startup blog app
Phone page startup blog appPhone page startup blog app
Phone page startup blog app
 
Padre perdonalos
Padre perdonalosPadre perdonalos
Padre perdonalos
 
Projeto de Resolução: Criação do Canal Parlamento-Açores
Projeto de Resolução: Criação do Canal Parlamento-AçoresProjeto de Resolução: Criação do Canal Parlamento-Açores
Projeto de Resolução: Criação do Canal Parlamento-Açores
 
Phone page twit blog app
Phone page twit blog appPhone page twit blog app
Phone page twit blog app
 
Vente et achat immobilier, guide en 5 étapes clés
Vente et achat immobilier, guide en 5 étapes clésVente et achat immobilier, guide en 5 étapes clés
Vente et achat immobilier, guide en 5 étapes clés
 
Respeto y calidad de vida y cancino 2
Respeto y calidad de vida y cancino 2Respeto y calidad de vida y cancino 2
Respeto y calidad de vida y cancino 2
 
Presentación sobre el curso de asignatura estatal
Presentación sobre el curso de asignatura estatalPresentación sobre el curso de asignatura estatal
Presentación sobre el curso de asignatura estatal
 
Slideshare Continued
Slideshare ContinuedSlideshare Continued
Slideshare Continued
 
Frederik Van Nuffel 'Marine Science meets Maritime Industry'
Frederik Van Nuffel 'Marine Science meets Maritime Industry'Frederik Van Nuffel 'Marine Science meets Maritime Industry'
Frederik Van Nuffel 'Marine Science meets Maritime Industry'
 
Argentina seminar
Argentina seminarArgentina seminar
Argentina seminar
 
Rawnet Lightning Talk - Anyone Can Draw.
Rawnet Lightning Talk - Anyone Can Draw.Rawnet Lightning Talk - Anyone Can Draw.
Rawnet Lightning Talk - Anyone Can Draw.
 
Smartphones vs. Tablets: An Analysis
Smartphones vs. Tablets: An AnalysisSmartphones vs. Tablets: An Analysis
Smartphones vs. Tablets: An Analysis
 
MichiganPhDdiplomatranscripts
MichiganPhDdiplomatranscriptsMichiganPhDdiplomatranscripts
MichiganPhDdiplomatranscripts
 
4.6.1 los tipos de cambio
4.6.1 los tipos de cambio4.6.1 los tipos de cambio
4.6.1 los tipos de cambio
 

Similar to project_docs

Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationOlehLevytskyi1
 
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...Mullaiselvan Mohan
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpOlli-Pekka Niemi
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streamingphanleson
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart FrogSteve Loughran
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windowsdkaya
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorCharles Profitt
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesMichael Klishin
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpcJohnny Pork
 
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021StreamNative
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET Journal
 
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingPulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingTimothy Spann
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days
 
Containerizing HPC and AI applications using E4S and Performance Monitor tool
Containerizing HPC and AI applications using E4S and Performance Monitor toolContainerizing HPC and AI applications using E4S and Performance Monitor tool
Containerizing HPC and AI applications using E4S and Performance Monitor toolGanesan Narayanasamy
 

Similar to project_docs (20)

Backtrack Manual Part6
Backtrack Manual Part6Backtrack Manual Part6
Backtrack Manual Part6
 
Hunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentationHunting for APT in network logs workshop presentation
Hunting for APT in network logs workshop presentation
 
Multicore
MulticoreMulticore
Multicore
 
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
10 years in Network Protocol testing L2 L3 L4-L7 Tcl Python Manual and Automa...
 
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wpUs 13-opi-evading-deep-inspection-for-fun-and-shell-wp
Us 13-opi-evading-deep-inspection-for-fun-and-shell-wp
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
 
Introduction to ns3
Introduction to ns3Introduction to ns3
Introduction to ns3
 
Taming Deployment With Smart Frog
Taming Deployment With Smart FrogTaming Deployment With Smart Frog
Taming Deployment With Smart Frog
 
wireshark.pdf
wireshark.pdfwireshark.pdf
wireshark.pdf
 
Intrusion Discovery on Windows
Intrusion Discovery on WindowsIntrusion Discovery on Windows
Intrusion Discovery on Windows
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
Open Source Tools for the Systems Administrator
Open Source Tools for the Systems AdministratorOpen Source Tools for the Systems Administrator
Open Source Tools for the Systems Administrator
 
Troubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issuesTroubleshooting common oslo.messaging and RabbitMQ issues
Troubleshooting common oslo.messaging and RabbitMQ issues
 
Use perl creating web services with xml rpc
Use perl creating web services with xml rpcUse perl creating web services with xml rpc
Use perl creating web services with xml rpc
 
TekTape Manual
TekTape ManualTekTape Manual
TekTape Manual
 
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
Apache Pulsar with MQTT for Edge Computing - Pulsar Summit Asia 2021
 
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
IRJET- Assessment of Network Protocol Packet Analysis in IPV4 and IPV6 on Loc...
 
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computingPulsar summit asia 2021 apache pulsar with mqtt for edge computing
Pulsar summit asia 2021 apache pulsar with mqtt for edge computing
 
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security AssessmentPositive Hack Days. Pavlov. Network Infrastructure Security Assessment
Positive Hack Days. Pavlov. Network Infrastructure Security Assessment
 
Containerizing HPC and AI applications using E4S and Performance Monitor tool
Containerizing HPC and AI applications using E4S and Performance Monitor toolContainerizing HPC and AI applications using E4S and Performance Monitor tool
Containerizing HPC and AI applications using E4S and Performance Monitor tool
 

project_docs

  • 1. DETECTION OF MISCONFIGURED HTTP SERVICES Author: Andrej Lavrinovic Supervisor: Sean Boylan AUGUST 1, 2016 SYNCHRONOSS TECHNOLOGY Galway GIS
  • 2. Tableof Contents Detection of misconfigured HTTP services...............................................................................3 Introduction.............................................................................................................................3 Technologies............................................................................................................................3 Structure .................................................................................................................................4 Performance............................................................................................................................5 Scheduling........................................................................................................................... 5 Input....................................................................................................................................5 Nmapping............................................................................................................................ 6 Scanning.............................................................................................................................. 7 Publishing............................................................................................................................ 8 Features..................................................................................................................................8 Conclusion...............................................................................................................................9
  • 3. Detection of misconfigured HTTP services. Introduction Configuration of web servers and web application is playing key role in the security, as these servers are responsible for serving its content and invoking applications that generate content. Misconfiguration of HTTP services may be the cause of leakage of the sensitive information, that can be used in malicious purpose later. There wide range of IP addresses are owned or assigned to Synchronoss Technology, which are maintained by Network team. It’s important to keep all servers configured and to detect vulnerabilities before malicious people. One of the way is to request content from HTTP servers and check response for information availability. Consider the number of hosts and the huge range of ports that may be opened it is very hard to check them manually. So ipsnapshoter tool are created to automatically scan each IP address with number of available ports. As result the html page is generated with list of snapshots for all available accesses and with all related information. The final goal is to notify the responsible people by rising tickets if any vulnerability is detected. Technologies Utility have been written in Python v.2.7 as this programming language are very powerful and suitable to reach all assigned goals. At the same time Python is interactive, with various programming approaches (such as OOP, scripting or functional), high-level language which very easy to use. Several Python libraries have been used such as:  subprocess (to run sub-processes)  xml.etree (to work with xml structured file)  SimpleHTTPServer (to publish reports)  re (to use regular expression patterns)  argparse (to configure execution) and etc. for different purposes. External projects and utilities are also used to detect vulnerabilities:  Nmap is used to find all available ports and generate nmap xml output file.  EyeWitness project is used for snapshots and generating of report.html page.  Crontab is used to schedule the execution of script.
  • 4. Structure Diagramabove is showing the structure of a script. The top box ‘makeout.py’ is a main file that perform execution. Using argparse library it can accept some configuration that will affect on following process. Process is controlled by ‘fout’ class. This class is used within makeout.py (composition). Depend of initial configuration one or another methods of fout class are called for execution. As script is using input and output resources the appropriate paths need to be configured. ‘Fp’ (file paths) class is responsible for this. Using os.path library ‘fp’ defines its root location and builds paths to the resources, which are used in ‘fout’ (agrigation). Resources represented by ‘fls’ (files) instances that accept two attributes: file name and mode (agrigation). ‘fls’ instances are used then to open file objects for its following utilisation. ‘fls’ components - file name and mode - are represented by fl class which in its turn includes ‘flmd’ class to specify mode. (composition) During script performance some intermediated files are generating using some data components. ‘ipp’ (ip ports) class is maintaining this process. Its used by ‘fout’ (composition)
  • 5. Pretty much of work is given to ‘Ipconv’ by ‘fout’ (composition). Its responsible for matching, converting, file reading and writing and more. Some algorithms are used by ‘Ipconv’. Performance Scheduling Misconfiguration detector execution need to be performed from command line. Crontab utility is scheduling and automating performances process. Cron is a daemon that executes scheduled commands. It wakes up every minute, examining all stored crontabs. Crontab, in its turn, contain those commands and structured time point at which commands assigned to be executed. Cron scheduler is set to be performed weekly every Sunday at 12pm. Input As an input source, script is using txt file with a list of IP addresses. Different formats of IPs are accepted:  Original IPv4 address (such as 192.168.1.0)
  • 6.  CIDR notation (such as 192.168.1.0/24)  Block of last 8 bits renge (such as 192.168.0-255)  Block of all bits range (such as 192.168.1.0 – 192.168.1.255) Ipconverter module of the script is responsible for understanding notation, translating all IP notations into original IPv4 and listing all IPs in initial format. If source file has heading it used by script later to specify report’s name. It is important to know that source file must contain very last line blanked. It is necessary for detecting last IP properly as it recognized by new line character ‘n’. As it was mentioned above, the output is a text file with all IP addressed listed in initial format, suitable to be handled further. Nmapping It is a big chance that list of IP addresses can contain thousands and thousands records. There are thousands of TCP ports that potentially may be opened. With simple maths we can calculate how many GET requests we need to make to check every possibility of vulnerability. Assume we have 1000 of IPs that need to be checked. Even if we’ll try to access top 1000 of most common TCP ports, we need to send 1000000 of GET request, and wait some while for each response. We can never end in this way especially that list may consist of much more than 1000 of IPs. Nmap tool is used by script to solve this problem. Its determine what hosts are available on the network by sending specially crafted packets to the target host and then analyses the responses. The number of features provide the flexibility in choosing of way to scan with specifying all necessary ports. As an output nmap returns xml file with structured information about availability of given hosts. This file is used to retrieve all hosts with open ports to further scanning. There nmapconverter module in the script is dealing with nmap tool. It is also responsible for:  Preparing input instance  Preparing all necessary state flags and other data that may be used by nmap  Creating sub-process that runs nmap  Scanning nmap output file  Filtering and retrieving all useful data from nmap output file  Converting retrieved data into list of all available IP address in initial format for further handling by next module. After nmapconverter module is performed we got filtered list of available hosts with available ports for access only. It is very effective way to increase performance and reduce scanning time.
  • 7. Scanning Scan module performs the final stage in whole process. It is using another project called EyeWitness for capturing screenshots and generating reports. The tasks that are assigned to scan are:  To prepare input instance and prepare all necessary attributes for EyeWitness execution  To run and monitor process of scanning through all available hosts  To brake scanning process if it to large to reduce the risk of unexpected program crash  To manage output reports and to exclude the chance of conflict of the same report’s names Output is a final result of performance of ipsnapshoter utility, in the form of a report in html format. It contains the relative information about HTTP server with appropriate screenshot of a GET response.
  • 8. Consider the output report tester may analyse each HTTP service that is public, and can decide if there leakage or server’s misconfiguration is found. Based on decision tester made, he/she can rise a tickets for particular issue Publishing To get suitable access to all reports the SimpleHTTPServer was established using appropriate python library. It creates a socket with specified port and give an access to the directory where reports are stored. Any browser can be used. Features Ipsnapshoter is created to be performed in certain ways. There are few flags are configured to chose how tool need to be used:  -p allows to specify ports to scan with. Ports need to be separated by comas with no white spaces. Port range are acceptable, for example: ./makeout.py –p 20,22,25,80-85 will run tool using default file with IPs with given ports 20, 22, 25, 80, 81, 82, 83, 84, and 85  -a required to give a file.txt with list of IPs with no nmap scanning. For example: ./makeout.put –a /root/file/ips.txt –p 20,22,25,80-85 will run tool using given file ‘ips.txt’ with list of IPs with given ports 20, 22, 25, 80, 81, 82, 83, 84, and 85  -c is using to make nmap scan for checking host availability. For example: ./makeout.py –c /root/file/ips.txt will scan all available hosts with opened ports only To reach the goals that emphasized in Introduction section is recommended to use -c flag. This configuration is using nmap scanner which scans for available hosts by exploring 2000 most commonly used TCP ports.
  • 9. Conclusion Server Misconfiguration attacks exploit configuration weaknesses found in web and application servers. Many servers come with unnecessary default and sample files, including application files, scripts and web pages. They may also have unnecessary services enabled, such as content management, and remote administration functionality. Debugging functions may be enabled or administrative functions may be accessible to anonymous user. These features may provide a means for a hacker to bypass authentication methods and gain access to sensitive information, perhaps with elevated privileges. Servers may include well-known default account and passwords. Failure to fully lock down or harden the server may leave improperly set file and directory permissions. Verbose and informative error messages may result in data leakage, and the information revealed could be used to formulate the next level of attack. Incorrect configurations in the server software may permit directory indexing and path traversal attacks. The script is designed to help testers detect misconfigured HTTP servers by visually exploring received reports. Detector can handle thousands of IP addresses and response with well designed html pages that contain listed screenshots with relevant information about each available host. Its allow to security testers to find weaknesses before people with malicious intensions. Tool was developed for specific tasks that have been assigned by Global Information Security Team in Synchronoss Technology and have been designed in particular way. However considering of architecture of the script there is possibility to improve the functionality, to add new features, to make exploitation of a detector on another platforms (Windows, X OS etc.)