Security DevCenter
oreilly.comSafari Books Online.Conferences.


Anatomy of an Attack: The Five Ps
Pages: 1, 2, 3, 4

Web page scanners

Another network scanner of note is nikto, a web CGI probe that performs comprehensive tests against web servers for multiple vulnerabilities. This includes detecting over 2,200 potentially dangerous files or CGIs on over 140 servers and problems on over 210 servers. Written by Sullo, it superseded the Whisker application originally written by Rain Forest Puppy (or RFP), who decided to abandon development of Whisker in favor of nikto. This application uses the LibWhisker libraries from Rain Forest Puppy Labs (rfp.labs) or as a base for all network detection. Nikto is not an overly stealthy tool. It tests a web server in the shortest time span possible and its probes are readily apparent in the web server's logfiles.

Snort can easily detect a nikto probe. There are entire categories of signatures that define web attack and web CGI rules. Nikto appears plainly in Snort alerts. The name "nikto" may not be obvious, but a flurry of web CGI alerts should show up in the Snort logs when a scan is run against the web servers.

Here are just a few of the possible alerts that can be generated in response to a Whisker- or nikto-based scan. These are all classified as miscellaneous web rules. A URL points to more information on identifying Whisker-based scans. Detecting such a scan almost always indicates that the early stages of an attack are underway.

web-misc.rules:alert tcp $EXTERNAL_NET any -& gt; $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; 
classtype:attempted-recon; reference:url,
whiskerids.html; sid:1139;  rev:6;)
web-misc.rules:# alert tcp $EXTERNAL_NET any -& gt; $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC whisker HEAD with large datagram"; content:"HEAD"; offset: 0; 
depth: 4; nocase; dsize:& gt;512; flow:to_server,established,no_stream; 
classtype:attempted-recon; reference:url,
whiskerids.html; sid:1171; rev:7;)
web-misc.rules:alert tcp $EXTERNAL_NET any -& gt; $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC whisker space splice attack"; content:"|20|"; flow:to_server,
established; dsize:1; reference:arachnids,296; classtype:attempted-recon; 
reference:url,; sid:1104;  
web-misc.rules:alert tcp $EXTERNAL_NET any -& gt; $HTTP_SERVERS $HTTP_PORTS 
(msg:"WEB-MISC whisker tab splice attack"; dsize: & lt;5; flow:to_server,
established; content:"|09|"; reference:arachnids,415; classtype:attempted-recon; 
reference:url,; sid:1087; 

Installing and running nikto is simple. Download the source code and uncompress it in a secure directory. Within the new nikto/ directory, run the Perl script. Be sure to define the target host with a -h& lt;target& gt; option. Here is how a sample command appears.

# ./ -h

Refer to the help file for additional options you can tailor the scan for your environment to speed things up. Nikto can use an Nmap file as input and can generate output in several formats, including HTML.

Here are some sample results when nikto is run against an older Apache web server on a standard Linux machine. As you can see, there are several items that can and should be cleaned up.

# ./ -h
-*** SSL support not available (see docs for SSL install instructions) ***
- Nikto 1.30/1.06     -
+ Target IP:
+ Target Hostname:
+ Target Port:     80
+ Start Time:      Sat Oct 11 08:17:36 2003
- Scan is dependent on "Server" string which can be faked, use -g to override
+ Server: Apache/1.3.26 (Unix) PHP/4.2.2
+ HTTP method 'PUT' method may allow clients to save files on the web server.
+ HTTP method 'CONNECT' may allow server to proxy client requests.
+ HTTP method 'DELETE' may allow clients to remove files on the web server.
+ HTTP method 'PROPFIND' may indicate DAV/WebDAV is installed. This may allow DAV 
authorized users to consume system memory via large requests or fill disk quotas.
+ HTTP method 'PROPPATCH' may indicate DAV/WebDAV is installed. This may allow DAV 
authorized users to consume system memory via large requests or fill disk quotas.
+ HTTP method 'TRACE' may allow client XSS or credential theft. See http://www. for details.
+ Apache/1.3.26 appears to be outdated (current is at least Apache/2.0.46). 
Apache 1.3.27 is still widely used and considered secure.
+ PHP/4.2.2 appears to be outdated (current is at least PHP/4.3.0)
+ Apache/1.3.26 - Apache 1.3 below 1.3.27 are vulnerable to a local buffer 
overflow which allows attackers to kill any process on the system. CAN-2002-0839.
+ /~root - Enumeration of users is possible by requesting ~username (responds with 
Forbidden for real users, not found for non-existent users) (GET).
+ /icons/ - Directory indexing is enabled, it should only be enabled for specific 
directories (if required). If indexing is not used all, the /icons directory should 
be removed. (GET)
+ /index.html.en - Apache default foreign language file found. All default files 
should be removed from the web server as they may give an attacker additional 
system information. (GET)
+ /manual/images/ - Apache 2.0 directory indexing is enabled, it should only be
enabled for specific directories (if required). Apache's manual should be removed 
and directory indexing disabled. (GET)
+ / - TRACE option appears to allow XSS or credential theft. See http://www. for details (TRACE)
+ / - TRACK option ('TRACE' alias) appears to allow XSS or credential theft. See for details (TRACK)
+ /manual/ - Web server manual? tsk tsk. (GET)
+ /test/ - This might be interesting... (GET)
+ 1632 items checked - 9 items found on remote host
+ End Time:        Sat Oct 11 08:17:59 2003 (23 seconds)

Some of the more obvious results are that both Apache and PHP should be updated to the latest version. The scan displays the most grievous security concerns and provides some suggested measures. The first line of the scan also indicates that there is no built-in secure socket layer (SSL) support in this version of nikto. Do not enable features you do not understand or that may be unnecessary. If the server your are scanning only supports SSL connections (port 443), consider running the scans through an open-source tool called SSL Proxy. There is also an older, alternative Whisker release that does support SSL at

Other probe tools

Several useful tools exist that have more esoteric results, duplicate the functionality of the tools we discussed earlier, or are more difficult to use. You are invited to investigate these tools at your leisure.


This tool enables an attacker to map out the access control lists of your firewall by using a variety of TCP/IP investigation mechanisms.


Hping uses a variety of techniques to map networks, discover the configuration of firewalls, perform operating system fingerprinting, and make other configuration mapping. The next version of hping promises even more power.


Part of the UCD-SNMP set of tools, this permits an attacker to enumerate a great deal of configuration information about a system whose SNMP ports are exposed to the Internet. SNMP can be a huge security hole, so the SNMP ports should be blocked.


Once the systems and potentially vulnerable services have been discovered, the next step is an attack. The attack can take a variety of forms. The attack may cause a system to execute code of the attacker's choice. If the attacker has access as an unprivileged user, the attack may escalate the user account to an administrator-level access. The attack may simply crash a service or entire system (see Section 4.3 later in this chapter).

There are a myriad of penetration methods and the vast bulk of Snort signatures are built to detect them in progress. Automated attacks such as worms or scripts actually combine the Probe and Penetrate phases by simply launching attacks against a range of addresses (which fail against systems that are not vulnerable). If a rule exists that is designed to recognize one of these attacks, Snort will certainly detect these attempts.

Sometimes the attack is hidden in a Trojan horse& mdash;usually an attack program hidden in another. The attack sometimes contains a remote control utility that calls back to an attacker, giving the attacker a point of presence inside your network. An entire class of rules exist to watch for Trojan horse traffic.

Some of the most useful Snort signatures do not actually trigger on an attack attempt, but on the traffic generated by a successfully attacked host. For instance, an attack is launched against a Windows web server that attempts to trick it into returning a directory listing of the web root. One Snort rule watches for the string "The Volume in Drive C: has no label" coming from port 80 (or another configured web port). Very rarely will legitimate traffic trigger this rule. The nice thing about the signatures in the attack-responses.rules rule set is that it doesn't matter what attack generated the traffic that triggered the alert& mdash;they are almost always true indicators of a successful attack.

Perhaps the best way to get up to speed on the different attacks is to examine the Snort rules themselves. Keeping an eye on resources like and is a good idea, too. The list below gives some of the penetration methods (it's by no means comprehensive).

Pages: 1, 2, 3, 4

Next Pagearrow

Sponsored by: