Finding the Needle in the Haystack
It is important to know what applications and services are in your environment to properly evaluate risk. Recently, a question was posed about detecting phpMyAdmin, a popular application for managing MySQL databases. We've previously explored how this application could be used to take over a system, demonstrating the risk this application may pose. There are several actions to perform when searching for applications on your network (in this case we are searching for a web application). This blog post describes how Nessus can be used to perform the following actions:
- Detect if the application is running
- Test for known vulnerabilities
- Detect if the application is patched
- Evaluate the authentication mechanism
- Find any unknown flaws
- Check the security configuration of the host
1. Detect if the application is running
The plugin titled "phpMyAdmin Detection" (plugin ID 17219) checks for the presence of phpMyAdmin in several ways, including looking for the web directory name and searching text on the page for specific strings associated with the software. Be sure to enable "Thorough Tests", as this will search for a few variations of the directory name (e.g., "pma" and "phpmyadmin"). When Nessus finds this application running, you will see the following in the Nessus output:
2. Test for Known Vulnerabilities
To detect many known vulnerabilities in a particular application, first find all of the plugins that are associated with the application. The search for this application and associated vulnerabilities should be very targeted and fast. For example, if the application you are scanning for is phpMyAdmin, only enable the plugins that relate to phpMyAdmin. I first did this on the command line of my Linux system in the "/opt/nessus/lib/nessus/plugins/" directory:
find . -iname 'phpmyadmin*.nasl' -print0 | xargs -0 grep -i "script_id" | cut -d\( -f2 | cut -d\) -f1 | tr '\n' ','
Some of the NASL scripts were named as "phpmyadmin" and some were named as "phpMyAdmin", so I had to use "-iname" for case insensitive searching (NASL script filenames can vary depending on the author of the plugin). I then used "grep" to grab the "script_id" field from the NASL script, which is the same thing as the plugin ID. The "cut" and "tr" commands put the plugin IDs into a comma delimited list, which is the format expected by "nessuscmd".
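The same plugin-ID harvest as a reusable shell function, added here as an example and not taken from the original post: it matches NASL filenames case-insensitively, pulls only the numeric `script_id` value, de-duplicates the IDs, and joins them without the trailing comma the `tr` pipeline leaves behind. The plugin directory and the NASL stubs are constructed for the demo; on a real scanner point it at /opt/nessus/lib/nessus/plugins/.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the comma-delimited
# plugin ID list that "nessuscmd -i" expects from NASL scripts for one application.
set -eu

# nasl_plugin_ids DIR NAME -> de-duplicated, comma-separated script_id values from
# every NASL file in DIR whose name starts with NAME (case-insensitive).
nasl_plugin_ids() {
    dir=$1; name=$2
    find "$dir" -iname "${name}*.nasl" -print0 \
        | xargs -0 grep -ho 'script_id([0-9][0-9]*)' \
        | tr -dc '0-9\n' \
        | sort -n -u \
        | paste -s -d ',' -
}

# make_fixture DIR -> writes constructed NASL stubs with mixed-case names plus
# one unrelated script that must not be picked up (IDs taken from the post,
# except the last one, which is a made-up placeholder).
make_fixture() {
    dir=$1
    mkdir -p "$dir"
    printf 'script_id(17219);\nscript_name("phpMyAdmin Detection");\n' > "$dir/phpMyAdmin_detect.nasl"
    printf 'script_id(19519);\n' > "$dir/phpmyadmin_xss.nasl"
    printf '  script_id(40352);\n' > "$dir/phpmyadmin_no_auth.nasl"
    printf 'script_id(99990);\n' > "$dir/other_app.nasl"
}

# demo -> runs the harvest against the constructed fixture and prints the list.
demo() {
    tmp=${TMPDIR:-/tmp}/nasl_demo.$$
    make_fixture "$tmp"
    ids=$(nasl_plugin_ids "$tmp" phpmyadmin)
    rm -rf "$tmp"
    echo "$ids"
}

demo
```

The resulting string can be passed straight to `nessuscmd -i`, as in the command that follows.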
I constructed a nessuscmd command, specifying the plugins and options required for the scan to run properly:
/opt/nessus/bin/nessuscmd -o "Global variable settings[checkbox]:Enable CGI scanning=yes" \
-o "Global variable settings[checkbox]:Thorough tests (slow)=yes" \
-U -p 80,443 -V \
-i 15770,15948,17689,22512,11116,11761,17221,40352,36083,15478,20088,36170,17219,22124,36171,19519,19950,12041,17220 \
The above command will not only detect phpMyAdmin, but will also look for associated vulnerabilities covered by the plugins listed. The version of phpMyAdmin is password protected and up-to-date in the test network used for the scan, so the results just showed that it was running on the target host:
+ Results found on 192.168.1.245 :
- Port http (80/tcp) is open
The above operations can also be performed using the NessusClient. The NessusClient contains a search feature that allows you to find plugins that match given criteria. In this example we need to edit the policy, go to the "Plugin Selection" tab and click "Disable all". This will uncheck all of the plugins, allowing us to start fresh and only enable the plugins that will result from our search. Next, click on the "Find..." button:
From the pull-down menu select "name", indicating we want to search the plugins by name. Enter "phpmyadmin" in the "contains" field as shown above (note: searches in NessusClient are not case sensitive). Click on "OK" and you will then see a list of plugins that contain "phpmyadmin":
If there are known vulnerabilities, Nessus will find many of them using existing plugins. For example, this instance of phpMyAdmin contained an XSS vulnerability identified by plugin ID 19519:
CAUTION: Dependencies Matter
When running scans for specific plugins you may want to disable "Silent Dependencies", located on the "Plugin selections" tab in the NessusClient:
This option removes the output from plugins that were run due to a dependency. From the command line you can add the switch "-o silent_dependencies=no", which will disable this option when running "nessuscmd". You will see results from some of the other plugins, such as:
The above plugin, Web Server Directory Enumeration, provides information on the directories that are available in the web server root directory. When scanning a smaller number of hosts it is often useful to review the dependency plugin results as well, as they may yield additional information, and/or expose additional vulnerabilities.
3. Detect if the Application is Patched
You can use Nessus Local Checks with credentials to report the patch status of phpMyAdmin packages on the local systems for your platform and distribution. This solves the problem of backports, where the distribution leaves the version number in the banner and "backports" the patch into the existing version. There are several plugins for many different platforms that will look for phpMyAdmin packages that contain vulnerabilities.
4. Evaluate the Authentication Mechanism
A new plugin has been released to detect if phpMyAdmin is running without the protection of a login page (plugin ID 40352). Even if phpMyAdmin is fully patched, leaving it open to the world without a password can be the same as granting shell access because it provides the ability to run SQL queries against the database. So, even if the instance of phpMyAdmin has been fully patched, missing authentication could lead to an unauthorized remote attacker gaining access to the system.
5. Find Unknown Flaws
Nessus's improved web application testing scripts enable testing for potentially unknown flaws. The foundation of this testing is performed by the web mirror process, which finds several applications and parameters to test:
These results are passed to the newly improved web application testing modules. In the case of phpMyAdmin, Nessus was able to find both XSS and SQL injection:
The SQL injection "vulnerability" found by Nessus may just be a normal function of phpMyAdmin, as it provides the end user the ability to execute SQL statements from a web form. However, Nessus was also able to find an XSS vulnerability as a result of the generic CGI testing, different from the vulnerability found by plugin 19519.
6. Check the Security Configuration of the Host
Credentials can also be used with a custom audit file to look for phpMyAdmin directives in the Apache configuration files. This would indicate which servers are running the product, and how they are configured. An example of how to do this was shown in a previous post where we wrote a custom audit file to check for Apache servers using Base64 encoded passwords.
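A shell stand-in for that configuration check, added as an example and not a Nessus .audit file or code from the original post: it scans an Apache configuration for phpMyAdmin Alias and Directory directives, which shows which servers host the product, and reports whether each phpMyAdmin <Directory> block carries an AuthType directive (the missing-authentication risk from section 4). The configuration text is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Reports phpMyAdmin directives
# found in an Apache configuration file and whether the Directory block is
# protected by Apache authentication.
set -eu

# pma_apache_report FILE -> one line per directive of interest:
#   alias <url> <path>                for Alias lines pointing at phpMyAdmin
#   directory <path> protected|OPEN   for <Directory> blocks naming phpMyAdmin
pma_apache_report() {
    awk '
    function clean(s) { gsub(/["<>]/, "", s); return s }
    tolower($1) == "alias" && tolower($0) ~ /phpmyadmin/ { print "alias", $2, clean($3) }
    tolower($1) == "<directory" { path = clean($2); auth = 0; inblk = 1; next }
    inblk && tolower($1) == "authtype" { auth = 1 }
    tolower($1) == "</directory>" {
        if (inblk && tolower(path) ~ /phpmyadmin/)
            print "directory", path, (auth ? "protected" : "OPEN")
        inblk = 0
    }' "$1"
}

# make_conf FILE -> writes a constructed Apache config: one unprotected
# phpMyAdmin alias, one behind Basic auth, and one unrelated directory.
make_conf() {
    cat > "$1" <<'EOF'
Alias /phpmyadmin "/usr/share/phpmyadmin"
<Directory "/usr/share/phpmyadmin">
    DirectoryIndex index.php
</Directory>
Alias /pma-admin /srv/phpMyAdmin
<Directory /srv/phpMyAdmin>
    AuthType Basic
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
<Directory /var/www/html>
    Require all granted
</Directory>
EOF
}

# demo -> runs the report against the constructed config.
demo() {
    conf=${TMPDIR:-/tmp}/pma_demo.$$.conf
    make_conf "$conf"
    pma_apache_report "$conf"
    rm -f "$conf"
}

demo
```

Run `pma_apache_report` against each included Apache file on a host to get the same report for real configurations.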
Nessus contains several methods to detect applications in your environment and enumerate associated vulnerabilities. The vulnerabilities are either the traditional ones that are documented in vulnerability databases (VDBs) or the result of misconfigurations such as missing authentication. Nessus can also be used to audit local patches and configurations. This will detect backports and search through your configurations (Apache and MySQL in this case) to look for anomalies. To detect this software on an ongoing basis, you can use Tenable Security Center to schedule scans and email you the results. The Passive Vulnerability Scanner can also be used to detect applications and find vulnerabilities in them using just network traffic.
- Enhanced Web Application Attacks Added To Nessus
- Auditing Linux, Apache, & MySQL Against CIS Benchmarks
- Detecting Base64 Encoded Authentication Requests
- Auditing PHP Settings to OWASP Recommendations with Nessus
- Packets and Logs Found on the Shmoocon Network (A great example of how to use Tenable's Security Center and Passive Vulnerability Scanner to detect applications in the network)