Explain Traffic Probe in Vulnerability Scanning.

103views

written 23 months ago by

Purvil • 540

• modified 23 months ago

Solution

Services aren’t always so extroverted that they immediately announce themselves. However, lots of them will if you just ask.

For example, a web service will not respond until it receives data from the client. The following command makes a valid HTTP request using the HEAD method:

                   $ echo -e "HEAD / HTTP/1.0\r\n\r\n" | nc -v localhost 80
                   Connection to localhost 80 port [tcp/http] succeeded!
                   HTTP/1.1 200 OK
                   Date: Mon, 12 Nov 2012 21:15:58 GMT
           Server: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/1.0.1c DAV/2 PHP/5.3.14
                   Last-Modified: Sat, 20 Nov 2004 20:16:24 GMT
                   ETag: "eb879f-2c-3e9564c23b600"
                   Accept-Ranges: bytes
                   Content-Length: 44
                   Connection: close
                   Content-Type: text/html; charset=utf-8



 - We glean several bits of useful information from the previous output.
   The web site indicates Apache/2.2.11 in its Server header. You could
   infer from this that the web site is prone to certain denial of
   service (DoS) attacks. It also reports a version of PHP that likely
   has vulns.


 - Traffic probes try to use valid requests. For one thing, valid
   protocol messages are less likely to crash or interrupt a service.** 


 - If a web server didn’t handle the HEAD method without crashing, then
   it’s a buggy service that needs to be fixed regardless of security
   problems. The other reason is that the failure mode for services
   might not reveal as much information.**


 - For example, here’s another probe for an HTTP service using an
   incorrect request format. Notice that the informative headers are
   missing.**


           $ echo "." | nc -v localhost 80
         Connection to localhost 80 port [tcp/http] succeeded!
         <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
         <html><head>
         <title>501 Method Not Implemented</title>
         </head><body>
         <h1>Method Not Implemented</h1>
         <p>. to /index.html not supported.<br /></p>
         </body></html>

There are counter-examples where invalid messages produce verbose errors from a service where valid messages produce uninformative ones.
This is one of the benefits of using a tool with a history of
development and research that has enumerated the best ways to
interrogate services.
Traffic probes are not perfect. Most services can be configured to remove version- related information or even spoof this information.
It’s trivial to make Apache report itself as running Internet Information Services (IIS) version 6. (It’s a lot harder to make Apache behave as if it’s running IIS/6.0.)

ADD COMMENT EDIT