Lab - Performing Web Vulnerability Scanning
Scenario
In this lab, you will run various web vulnerability scans using nikto, wapiti, nmap, SSL Labs, PenTest Tools, and Legion.
As a cybersecurity analyst, you are working to discover weaknesses and vulnerabilities that your organization, Structureality Inc., needs to mitigate on its various websites and web servers. You wish to use a wide range of vulnerability scanners to obtain the broadest perspective on exploitable issues.
Your cybersecurity analyst (CySA) workstation, running Kali Linux, is located in Structureality’s server subnet. From here, you will use a variety of tools to discover web vulnerabilities on various websites. These scans may provide information about exploitable vulnerabilities.
Understand your environment
You will be working from a virtual machine named KALI hosting Kali Linux connected to the vLAN_SERVERS subnet. You will be scanning the websites of www.515support.com and dvwa.structureality.com (both within the lab network) and the Internet site of badssl.com.
Perform web vulnerability scans using nikto and wapiti
Nikto is a CLI web vulnerability scanner that checks a web server for over 6700 potentially dangerous files and programs, outdated versions of over 1250 server products, and version-specific problems. It is noisy by design: it sends thousands of requests and makes no attempt to evade logging or intrusion detection.
Wapiti is a CLI black-box web vulnerability scanner: it crawls the target, then injects payloads into the forms and URL parameters it finds. It can detect a wide range of vulnerabilities, including SQLi, XSS, file inclusion, command execution, XXE injection, CRLF injection, and much more.
These are popular web vulnerability scanners that you should be familiar with.
-
Connect to the KALI VM.
-
Use nikto to perform a scan of dvwa.structureality.com, capture the output into nikto-scan.txt, then view the results.
- Enter nikto -h dvwa.structureality.com -output nikto-scan.txt
- If prompted to submit information to CIRT.net, enter n.
- Scroll through the results or enter less nikto-scan.txt.
- What are the web server type and the version number discovered by Nikto? (Look for the line beginning + Server:.)
- What issues were discovered on the targeted website?
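To answer the two questions above without reading the whole file by eye, it helps to turn nikto's text report into something structured. The following Python script is an added example for this lab, not part of nikto or of the lab materials: it parses a report in the text layout nikto writes with -output, pulls out the server banner and version, lists each finding with its OSVDB/CVE reference and path, and extracts the response headers nikto reported as missing. The report embedded in the script is constructed sample data with placeholder values (IP, banner, findings), not the result of scanning the lab host.

```python
import re

# Constructed sample of a nikto text report in the layout nikto writes with
# -output <file>.txt (the same lines it prints to the terminal). The IP, banner
# and findings are placeholders for illustration, not results from the lab host.
SAMPLE_NIKTO_REPORT = """\
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          192.0.2.20
+ Target Hostname:    dvwa.structureality.com
+ Target Port:        80
+ Start Time:         2023-08-31 10:15:02 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37).
+ OSVDB-3268: /config/: Directory indexing found.
+ /config/: Configuration information may be available remotely.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.php: Admin login page/section found.
+ 7915 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2023-08-31 10:16:30 (GMT0) (88 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
"""

META_KEYS = {"Target IP", "Target Hostname", "Target Port", "Start Time", "End Time"}
FINDING_RE = re.compile(
    r"^\+ (?:(?P<ref>(?:OSVDB|CVE)-[\w.-]+): )?(?:(?P<path>/\S*): )?(?P<text>.+)$")
SUMMARY_RE = re.compile(r"^\+ (\d+) requests: (\d+) error\(s\) and (\d+) item\(s\) reported")
HEADER_RE = re.compile(r"\b([A-Z][A-Za-z]*(?:-[A-Za-z]+)+) header is not")


def parse_nikto_report(text):
    """Split a nikto text report into scan metadata, the server banner,
    the list of findings and the closing request/item summary."""
    report = {"meta": {}, "server": None, "findings": [], "summary": None}
    for line in text.splitlines():
        if not line.startswith("+ "):
            continue                          # version banner and separator rules
        body = line[2:]
        key, sep, value = body.partition(":")
        if sep and key in META_KEYS:
            report["meta"][key] = value.strip()
            continue
        if sep and key == "Server":
            report["server"] = value.strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report["summary"] = {"requests": int(m[1]), "errors": int(m[2]), "items": int(m[3])}
            continue
        if body.endswith("host(s) tested"):
            continue
        m = FINDING_RE.match(line)
        if m:
            report["findings"].append({"ref": m["ref"], "path": m["path"], "text": m["text"]})
    return report


def server_product_version(banner):
    """Split a banner such as 'Apache/2.4.29 (Ubuntu)' into ('Apache', '2.4.29');
    a banner with no slash-separated version comes back as (banner, None)."""
    m = re.match(r"^([A-Za-z][\w-]*)/(\d[\w.]*)", banner or "")
    return (m[1], m[2]) if m else (banner, None)


def missing_security_headers(report):
    """Names of the response headers nikto reported as absent, in report order."""
    headers = []
    for finding in report["findings"]:
        m = HEADER_RE.search(finding["text"])
        if m:
            headers.append(m[1])
    return headers


def findings_with_refs(report):
    """Findings that carry an OSVDB or CVE identifier, keyed by that identifier."""
    return {f["ref"]: f for f in report["findings"] if f["ref"]}


if __name__ == "__main__":
    rep = parse_nikto_report(SAMPLE_NIKTO_REPORT)
    print("server:", server_product_version(rep["server"]))
    print("missing headers:", missing_security_headers(rep))
    for ref, f in findings_with_refs(rep).items():
        print(f"{ref}: {f['path']} {f['text']}")
```

To run it against the real scan, replace SAMPLE_NIKTO_REPORT with the contents of nikto-scan.txt (for example open("nikto-scan.txt").read()). Findings that carry an OSVDB or CVE reference are the ones to look up first; the missing-header list maps directly to web server configuration fixes.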
-
Perform a web scan of dvwa.structureality.com using Wapiti.
- Enter wapiti -u http://dvwa.structureality.com
- Wapiti first crawls the site and then runs its attack modules against everything it found, so the scan takes several minutes to complete.
-
Once the Wapiti scan is complete, the final section of the output has the heading Report and gives the path and filename of the HTML report Wapiti generated. The filename includes a date and a UTC time. Enter only the eight-digit date and four-digit time numbers from the filename in the following fields:
- Date from the wapiti report filename:
- UTC time from the wapiti report filename:
-
View the wapiti report in Firefox.
- Which issues were discovered by the Wapiti scan?
-
Leave Firefox open.
Perform a web vulnerability scan using nmap
There are over 600 NSE (nmap scripting engine) scripts available to use with nmap, at least 135 of which relate to HTTP. If you elect to run all of them against a target, the scan could take several hours to complete. In this exercise, you will explore just one NSE script, ssl-enum-ciphers, which enumerates the protocol versions and cipher suites a TLS service offers, and review its results.
-
Connect to the KALI VM
-
Run an nmap scan of www.515support.com with the ssl-enum-ciphers NSE script at increased verbosity (-vv) and save the result into 515-web-scan.txt. Once the scan completes, review the results.
- Enter nmap www.515support.com -vv --script=ssl-enum-ciphers -oN 515-web-scan.txt
- Without a -p option nmap probes its default top 1000 TCP ports and runs the script only on ports it identifies as SSL/TLS services; add -p 443 if you want to limit the scan to HTTPS.
- Review the results: enter less 515-web-scan.txt
- In the script output, each protocol version the server accepts (for example TLSv1.0 or TLSv1.2) appears as its own heading, followed by the cipher suites offered under it and a letter grade for each.
Your company has a strict web policy that only TLSv1.2 and TLSv1.3 versions are to be enabled on websites. Does the www.515support.com website comply with this policy and why?
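The policy question above can be answered mechanically from the -oN file. The Python script below is an added example written for this lab, not part of nmap or of the lab materials: it parses ssl-enum-ciphers output into a per-port map of protocol versions, cipher suites (with nmap's letter grades) and warnings, then reports every port that offers a protocol outside an allowed set or a suite graded worse than B. The embedded scan output is constructed sample data for a host that still offers TLSv1.0 with a 3DES suite; the IP, ports, suites and grades are placeholders, not real results for www.515support.com.

```python
import re

# Constructed sample of `nmap -vv --script=ssl-enum-ciphers -oN ...` output for a
# host that still offers TLSv1.0 beside TLSv1.2. The host name is the lab target,
# but the IP, ports, cipher suites and grades are placeholders, not real results.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Thu Aug 31 10:30:00 2023 as: nmap www.515support.com -vv --script=ssl-enum-ciphers -oN 515-web-scan.txt
Nmap scan report for www.515support.com (192.0.2.10)
Host is up, received syn-ack (0.0010s latency).

PORT    STATE SERVICE REASON
80/tcp  open  http    syn-ack ttl 64
443/tcp open  https   syn-ack ttl 64
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C

# Nmap done at Thu Aug 31 10:30:12 2023 -- 1 IP address (1 host up) scanned in 12.34 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(?:tcp|udp)\s+open\b")
PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3")
CIPHER_RE = re.compile(r"^(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])$")
ALLOWED_PROTOCOLS = frozenset({"TLSv1.2", "TLSv1.3"})  # the company policy from the lab


def parse_ssl_enum_ciphers(text):
    """Map each open port that produced ssl-enum-ciphers output to
    {"protocols": {version: {"ciphers": [(suite, key_exchange, grade)], "warnings": [...]}},
     "least_strength": grade}."""
    results, port, proto, section = {}, None, None, None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # new port: reset script state
            port, proto, section = int(m[1]), None, None
            continue
        if port is None or not line.startswith("|"):
            continue
        body = line[1:].lstrip("_")             # "|_" marks the script's last line
        indent = len(body) - len(body.lstrip(" "))
        item = body.strip()
        if item.endswith(":") and item[:-1] in PROTOCOLS:
            proto, section = item[:-1], None
            entry = results.setdefault(port, {"protocols": {}, "least_strength": None})
            entry["protocols"][proto] = {"ciphers": [], "warnings": []}
        elif item.startswith("least strength:"):
            entry = results.setdefault(port, {"protocols": {}, "least_strength": None})
            entry["least_strength"] = item.split(":", 1)[1].strip()
        elif proto and indent == 5 and item.endswith(":"):
            section = item[:-1]                 # ciphers / compressors / warnings
        elif proto and indent == 7 and section == "ciphers":
            cm = CIPHER_RE.match(item)
            if cm:
                results[port]["protocols"][proto]["ciphers"].append((cm[1], cm[2], cm[3]))
        elif proto and indent == 7 and section == "warnings":
            results[port]["protocols"][proto]["warnings"].append(item)
    return results


def policy_violations(results, allowed=ALLOWED_PROTOCOLS, min_grade="B"):
    """Per port: protocol versions outside the allowed set, cipher suites nmap graded
    worse than min_grade, and the script's own warnings. An empty dict means compliant."""
    violations = {}
    for port, info in sorted(results.items()):
        found = {"protocols": [], "weak_ciphers": [], "warnings": []}
        for proto, detail in info["protocols"].items():
            if proto not in allowed:
                found["protocols"].append(proto)
            found["weak_ciphers"] += [(proto, suite, grade)
                                      for suite, _, grade in detail["ciphers"] if grade > min_grade]
            found["warnings"] += detail["warnings"]
        if any(found.values()):
            violations[port] = found
    return violations


if __name__ == "__main__":
    scan = parse_ssl_enum_ciphers(SAMPLE_NMAP_OUTPUT)
    for port, v in policy_violations(scan).items():
        print(f"port {port}: non-compliant protocols {v['protocols']}, "
              f"weak suites {v['weak_ciphers']}, warnings {v['warnings']}")
```

Feed it the real file with open("515-web-scan.txt").read(); an empty result from policy_violations means every TLS port nmap found offers only TLSv1.2 and TLSv1.3 with no weak suites. The script only sees ports nmap identified as TLS services, so a TLS listener on a port outside the scanned range is not covered by this check.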
Find vulnerabilities in web services with SSL Labs
SSL Labs is a free online service from Qualys that tests the TLS configuration of a web server (and, separately, of a web browser) and grades what it finds. It is an excellent way to see certificate, protocol and cipher issues from both the client and the server perspective. Because the service connects to the target from the Internet, it can only test publicly reachable hosts; you will use it to evaluate badssl.com rather than the lab's internal sites.
-
On your local computer, open another tab in your current browser or open a new browser.
-
Using your local browser, visit www.ssllabs.com, use SSL Labs to perform an evaluation of badssl.com, then review the results.
- Click Test your server, enter badssl.com in the Hostname field, and submit.
- Notice the information about certificates, configuration of protocols, cipher suites, handshake simulations, protocol details, and more.
Info
The SSL Labs service can be used to evaluate the security configuration of both web servers and web browsers. To test a web browser, use the Test your browser option on the front page of www.ssllabs.com while using the browser you would like to evaluate.
-
The SSL Labs service ranks websites and assigns a grade or score. This grade is composed of results from four categories of tests. What are those test categories?
-
Look at a report for a website that has a great score, such as A or A+, and a website that has a poor score, such as T or F.
- Return to the home page of SSL Labs
- Select Test your server
- Below the Hostname: field where you enter your own target to evaluate, there are three boxes labeled Recently Seen, Recent Best, and Recent Worst.
- Look at an example from each.
-
Close the tab in your local browser focused on ssllabs.com.
Find vulnerabilities in web services with Pentest Tools
Pentest Tools maintains an excellent online web vulnerability scanner. You will use the free demo version (i.e., Light scan) against badssl.com.
-
Using your local browser, visit pentest-tools.com/website-vulnerability-scanning/website-scanner and perform a scan against badssl.com.
- Run a Light scan.
-
Read over the report generated by Pentest Tools.
-
Close the tab in your local browser focused on pentest-tools.com.
Find vulnerabilities in web services with Legion
The Legion tool can automatically perform reconnaissance and scanning of hosts and websites using nmap, Shodan, whatweb, nikto, Vulners, Hydra, SMBenum, dirbuster, sslyze, webslayer, and more (with almost 100 auto-scheduled scripts). Not all of its features are available in this lab environment, but you will be able to see some of its capabilities when scanning the lab website www.515support.com.
-
Connect to the KALI VM
-
Use Legion (root) to perform a scan against www.515support.com.
- Select the Kali Applications menu in the top left corner, then enter legion, then select Legion (root).
- On the Legion interface, select the Add host button (i.e., the green circled plus sign) in the top left area of the Legion interface.
- On the Add host(s) window, select the IP(s), Range(s), and Host(s) field, then enter www.515support.com.
- Select + Submit to initiate the Legion scan.
- At the bottom of the Legion interface, on the Processes tab, you will see an initial operation, likely an nmap scan, with an Est. Remaining time presented. This estimate covers only that first task, so it understates the whole run: completing all of the pre-programmed tasks takes several minutes.
- As the scan progresses, information will be presented in the main area of the Legion interface.
- Once you begin to see information presented or additional tabs added to the display, you can start to review the collected information.
- Select the Services tab. Look at the information collected so far about the services on the target.
- Select the Scripts tab. Look at the information collected so far from scripts run against the target. This tab is likely one of the last to be populated with information.
- Select the Information tab. Look at the facts determined so far about the target.
- Select the CVEs tab. Look at the potential vulnerabilities, referenced by CVE, detected on the target. This tab will also take considerable time to be populated.
- Select the Notes tab. This tab may remain empty/blank, or it may contain information that is not related to the other tabs.
- Select any other tabs that might be added to the interface. If available, select a screenshot tab. A screenshot tab would present a picture of the rendered website.
- Continue to allow the Legion scan to continue working while you repeatedly explore the tabs for new information as it is collected by the Legion scanning functions.
-
What services/applications and versions were discovered by the Legion scan against www.515support.com?