There's a Nessus plugin that sends a specific query to the target web server and inspects the "Content-Location" header of the response. If the server is not patched, this header reveals the server's internal IP address. A normal request for a valid page on the web server can be constructed as follows, and the response will reveal the internal IP:
[arvind@pal-lin-arvind 192.168.2.249]$ telnet 192.168.2.249 80
Trying 192.168.2.249...
Connected to 192.168.2.249 (192.168.2.249).
Escape character is '^]'.
GET / HTTP/1.1
Host: 192.168.2.249
HTTP/1.1 200 OK
Content-Length: 1433
Content-Type: text/html
Content-Location: http://192.168.2.249/iisstart.htm
As you can clearly see, the Content-Location header reveals the internal IP address of the web server. Try this against any public web server; you won't always get this result (just in case you're thinking the internal IP was only revealed here because I tested it on our LAN). Nessus and Qualys both report this finding, but Qualys gives you an internal IP without telling you the exact page it found it on. Sure, sometime later it gives you the request it used, but that doesn't seem to work for some reason, and for 2 different clients we've met with failure and have scrapped the finding. So the only way to be 100% sure that an internal IP is not revealed is by making requests to EVERY SINGLE PAGE on the web server. You're busy, you say? That's where cool tools like wget come in. Along with the great "grep", in 2 seconds you have a complete list of all pages that return a Content-Location header. Here's the sequence of commands, which we plan to hack up into a script very soon (Jaideep's idea):
[arvind@pal-lin-arvind ~]$ wget -r --save-headers 192.168.2.249
[arvind@pal-lin-arvind ~]$ cd 192.168.2.249/
[arvind@pal-lin-arvind 192.168.2.249]$ grep -r Location *
index.html:Content-Location: http://192.168.2.249/iisstart.htm
[arvind@pal-lin-arvind 192.168.2.249]$
What we've done is download the entire website on 192.168.2.249, save its response headers and grep for Location. Every request that obtained a response with Content-Location in it will be caught. That way we can be sure that we've tried every possible page. This one's just based on initial findings though; R&D is still on and we'll update you if we stumble onto something.
And finally, at 11:00pm on a Friday night, Jaideep "The Perl dude" is done with the script. Here it is; just save it as a .pl and run it as follows:
perl wget.pl IP_ADDRESS
Here's the magic script:
-------------
use strict;
use warnings;
# Expect exactly one argument: the IP address (or hostname) of the web server to mirror.
if ($#ARGV != 0)
{
die "usage: perl internal_ip.pl IP_ADDRESS\n";
}
my $ip=$ARGV[0];
# Mirror the site recursively, keeping the HTTP response headers at the top of each saved file.
my $cmd='wget -r --save-headers '.$ip;
system ($cmd);
# wget saves the mirrored site under a directory named after the host.
chdir($ip) or die "cannot chdir to $ip: $!\n";
# Collect every Content-Location header found in the saved responses into res.txt.
system ('grep -r Content-Location * > res.txt');
-------------
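A slightly more careful version of the grep step, as an added example that is not part of the post or Jaideep's script: it reads only the header portion of the files that `wget -r --save-headers` writes, pulls both Content-Location and Location values (a redirect can leak the address the same way), and reports only those whose host is a literal private, loopback or link-local address, so a public hostname in the header is not a false positive. The file contents in SAMPLE are constructed to mirror the post's output.

```python
"""Scan files written by `wget -r --save-headers` for Location or Content-Location
headers whose host is an internal (RFC 1918, loopback or link-local) IP address.
Added example; not the post's Perl script."""
import ipaddress
import re
from urllib.parse import urlsplit

# wget --save-headers prepends the raw response headers to each saved file,
# separated from the body by one blank line.
LOCATION_RE = re.compile(r"^(?:Content-)?Location:\s*(\S+)\s*$", re.IGNORECASE | re.MULTILINE)

def header_block(saved_file: str) -> str:
    """Header part of a --save-headers file (text before the first blank line),
    so an IP that merely appears in the page body is ignored."""
    head, _, _ = saved_file.replace("\r\n", "\n").partition("\n\n")
    return head

def leaked_internal_ip(url: str):
    """Return the host of `url` if it is a literal internal IP, else None."""
    host = urlsplit(url).hostname
    try:
        addr = ipaddress.ip_address(host) if host else None
    except ValueError:  # a hostname rather than an IP literal: nothing leaked
        return None
    if addr and (addr.is_private or addr.is_loopback or addr.is_link_local):
        return str(addr)
    return None

def find_disclosures(saved_files: dict) -> list:
    """Map {path: file contents} -> [(path, header value, leaked IP)]."""
    hits = []
    for path, contents in saved_files.items():
        for url in LOCATION_RE.findall(header_block(contents)):
            ip = leaked_internal_ip(url)
            if ip:
                hits.append((path, url, ip))
    return hits

# Constructed sample mirroring the post's 192.168.2.249 output (not real data).
SAMPLE = {
    "index.html": ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                   "Content-Location: http://192.168.2.249/iisstart.htm\r\n\r\n<html>iisstart</html>"),
    # Public hostname in the header: not a leak.
    "about.html": "HTTP/1.1 200 OK\r\nContent-Location: http://www.example.com/about.htm\r\n\r\n<html>about</html>",
    # A redirect's Location header can leak the same way.
    "old.html": "HTTP/1.1 302 Object moved\r\nLocation: http://10.0.0.7/new.htm\r\n\r\n<html>moved</html>",
    # Header-looking text in the body only: ignored.
    "body.html": "HTTP/1.1 200 OK\r\n\r\nContent-Location: http://172.16.0.9/x.htm",
}
```

To run it over a real download directory, read each saved file's text into the dict that find_disclosures takes. It only inspects what wget actually fetched, so the HTTP version caveat raised in the comment below still applies.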
1 comment:
Here's an update on this one, folks. Wget apparently uses HTTP/1.1 to do the querying, and this internal IP thing is revealed only if you use HTTP/1.0, so until we can find an option to forcibly use HTTP/1.0 it's got to be manual. This seemed to work when we did the following, though:
telnet abc.com 80
GET / HTTP/1.0
(Press Enter two times)
The IP address is revealed if the web server is not patched.
Will pop across another update once I find a way to automate this further.