
10.9.8.56 - VM
10.9.8.74 - Windows 7

' OR '1'='1
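Why that payload works, as an added example that is not part of the course notes: a login check that builds its SQL by string concatenation, next to the parameterised version that the same payload does not bypass, both run against a constructed in-memory SQLite table. The table, the `admin` row and the function names are assumptions for the demo, not the lab's real application.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory SQLite with one constructed user row (stand-in for the lab's DB)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return con


def render_vulnerable_sql(username, password):
    """The query text a naive login form builds by concatenating its inputs."""
    return ("SELECT username FROM users WHERE username = '" + username
            + "' AND password = '" + password + "'")


def login_vulnerable(con, username, password):
    """Deliberately vulnerable: the inputs become part of the SQL grammar."""
    row = con.execute(render_vulnerable_sql(username, password)).fetchone()
    return row[0] if row else None


def login_safe(con, username, password):
    """Parameterised: the driver passes the values as data, so quotes have no effect."""
    row = con.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    con = make_db()
    print(render_vulnerable_sql(PAYLOAD, PAYLOAD))
    print("vulnerable:", login_vulnerable(con, PAYLOAD, PAYLOAD))  # admin
    print("safe:      ", login_safe(con, PAYLOAD, PAYLOAD))        # None
```

Note the precedence: AND binds tighter than OR, so the concatenated WHERE clause reads `username = '' OR ('1'='1' AND password = '') OR '1'='1'`, which is true for every row, and the query returns the first user. In the lab, put the payload in both the username and password fields and compare with what the parameterised form returns.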

10.9.8.174

demo.testfire.net

L1
- learn interception using Burp Suite
- information gathering using a vulnerability scanner
- packet analysis: a password sent in clear text is recovered by sniffing at the network layer -
wireshark

INFORMATION GATHERING

WHOIS LOOKUP - demo.testfire.net


REVERSE IP LOOKUP - use yougetsignal.com (one public IP hosting many systems)
Application platform - (html, php, asp);
the application session can be inspected and edited with a cookie manager add-on
banner grabbing - intercept the response headers with Burp Suite; check the OS and
programming language (Server, X-Powered-By headers)
- look up the disclosed versions in CVE
- using curl (curl --head http://moe.gov.my, or -I)
- curl -I -k -X OPTIONS https://moe.gov.my - the Allow header lists the methods
(OPTIONS, GET, HEAD, POST, ...)
- curl -I -k https://moe.gov.my - -k skips certificate verification (self-signed or
mismatched certificate)

* ETag - Apache builds the ETag from hex fields (inode/size/mtime depending on FileETag), so
it can leak inode numbers; nikto reports it
error handling - provoke errors to find stack traces, paths and version information
crawling - read robots.txt (the Disallow entries list the paths the owner wants hidden)
- nikto
ssl/tls ciphers - sslscan

(VULN 10.9.8.174)
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.9.8.174
+ Target Hostname: 10.9.8.174
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=MY/ST=Selangor/L=Petaling Jaya/O=CZ/OU=IT Sec/CN=CZ
Ciphers: ECDHE-RSA-AES256-GCM-SHA384
Issuer: /C=MY/ST=Selangor/L=Petaling Jaya/O=CZ/OU=IT Sec/CN=CZ
+ Start Time: 2019-11-17 23:55:30 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x231f
0x57e8a15ce9500
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user
agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to
render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.25
+ Entry '/wp/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/demo/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache
2.0.65 (final release) and 2.2.29 are also current.
+ Hostname '10.9.8.174' does not match certificate's names: CZ
+ The Content-Encoding header is set to "deflate" this may mean that the server is
vulnerable to the BREACH attack.
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ Cookie PHPSESSID created without the secure flag
+ Cookie PHPSESSID created without the httponly flag
+ OSVDB-3092: /demo/: This might be interesting...
+ Uncommon header 'x-ob_mode' found, with contents: 0
+ OSVDB-3268: /test/: Directory indexing found.
+ OSVDB-3092: /test/: This might be interesting...
+ OSVDB-3093: /db.php: This might be interesting... has been seen in web logs from
an unknown scanner.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /login.html: Admin login page/section found.
+ /login.php: Admin login page/section found.
+ OSVDB-3092: /cms/: This might be interesting...
+ /phpmyadmin/: phpMyAdmin directory found
+ 7689 requests: 0 error(s) and 27 item(s) reported on remote host
+ End Time: 2019-11-17 23:58:01 (GMT-5) (151 seconds)
- unencrypted communication
- HSTS not enabled
- ETag leaks file metadata
- unsafe HTTP methods
- improper error handling
- robots.txt exposes paths
- clickjacking (no X-Frame-Options)
- XSS on contact us
- cookie without HttpOnly flag
- cookie without Secure flag (https)
- directory listing / indexing
- default page (Apache /icons/README)
- admin exposure (/login.php, /phpmyadmin/)
- default user credentials
- brute-force attack
- weak password policy
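The header checks behind the curl notes above and the findings list just given, written out as an added example (mine, not the course's and not nikto's code): it runs the banner, ETag, cookie-flag, HSTS, X-Frame-Options, X-Content-Type-Options, Content-Encoding, Allow and robots.txt checks over constructed responses that mirror what nikto reported for 10.9.8.174. The sample headers, the cookie value and the function names are assumptions; on a live host, paste the output of `curl -sI -k https://host/` and `curl -sI -k -X OPTIONS https://host/` into the two strings.

```python
import re

# Constructed HEAD response mirroring the headers nikto reported for 10.9.8.174.
SAMPLE_HEAD = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
X-Powered-By: PHP/5.5.9-1ubuntu4.25
ETag: "231f-57e8a15ce9500"
Set-Cookie: PHPSESSID=0123456789abcdef; path=/
Content-Encoding: deflate
Content-Type: text/html
"""

# Constructed reply to `curl -I -k -X OPTIONS https://10.9.8.174/`.
SAMPLE_OPTIONS = """HTTP/1.1 200 OK
Server: Apache/2.4.7 (Ubuntu)
Allow: OPTIONS,GET,HEAD,POST
Content-Length: 0
"""

# Constructed robots.txt with the two entries nikto listed.
SAMPLE_ROBOTS = """User-agent: *
Disallow: /wp/
Disallow: /demo/
"""

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "CONNECT", "PATCH"}
APACHE_ETAG = re.compile(r'(?:W/)?"([0-9a-f]+(?:-[0-9a-f]+){1,2})"', re.I)


def parse_headers(raw):
    """Split a raw response head into (status line, {lowercase name: [values]})."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_head(headers, https=True):
    """Return (code, detail) findings, one per condition nikto reports from headers."""
    findings = []
    for name in ("server", "x-powered-by"):          # banner grabbing
        for value in headers.get(name, []):
            findings.append(("banner", f"{name}: {value}"))
    for etag in headers.get("etag", []):             # Apache hex-field ETag
        m = APACHE_ETAG.fullmatch(etag)
        if m:
            fields = " ".join("0x" + f for f in m.group(1).split("-"))
            findings.append(("etag", f"Apache-style ETag fields: {fields} "
                                     "(inode leak when FileETag includes INode)"))
    for cookie in headers.get("set-cookie", []):     # Secure / HttpOnly flags
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append(("cookie-secure", name))
        if "httponly" not in attrs:
            findings.append(("cookie-httponly", name))
    if https and "strict-transport-security" not in headers:
        findings.append(("hsts", "Strict-Transport-Security missing"))
    if "x-frame-options" not in headers and not any(
            "frame-ancestors" in v for v in headers.get("content-security-policy", [])):
        findings.append(("clickjacking", "no X-Frame-Options or CSP frame-ancestors"))
    if "x-content-type-options" not in headers:
        findings.append(("mime-sniff", "X-Content-Type-Options missing"))
    if https and any(v.lower() in ("gzip", "deflate", "br")
                     for v in headers.get("content-encoding", [])):
        findings.append(("breach", "compressed HTTPS body: BREACH candidate if a "
                                   "secret and reflected input share the response"))
    return findings


def check_methods(headers):
    """Methods listed in an OPTIONS reply's Allow header, and the risky subset."""
    allowed = set()
    for value in headers.get("allow", []):
        allowed.update(m.strip().upper() for m in value.split(",") if m.strip())
    return sorted(allowed), sorted(allowed & RISKY_METHODS)


def robots_paths(text):
    """Disallow entries are a ready-made list of paths to request by hand."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip() not in ("", "/"):
            paths.append(value.strip())
    return paths


if __name__ == "__main__":
    status, hdrs = parse_headers(SAMPLE_HEAD)
    print(status)
    for code, detail in check_head(hdrs):
        print(f"[{code}] {detail}")
    print("Allow / risky:", check_methods(parse_headers(SAMPLE_OPTIONS)[1]))
    print("robots.txt paths:", robots_paths(SAMPLE_ROBOTS))
```

The ETag check is nikto's heuristic: Apache composes the tag from hex fields, so any two- or three-field hex ETag is flagged. Apache 2.4's default FileETag is `MTime Size`, which omits the inode, so confirm the server's FileETag setting before writing it up as an inode leak; the tag still fingerprints the file either way. The Secure, HSTS and BREACH checks only apply when the response came over HTTPS, which is why `https` is a parameter.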

root@kali:~# nikto -h https://www.moe.gov.my


- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 107.154.81.207
+ Target Hostname: www.moe.gov.my
+ Target Port: 443
---------------------------------------------------------------------------
+ SSL Info: Subject: /C=US/ST=Delaware/L=Dover/O=Incapsula
Inc/CN=incapsula.com
Ciphers: TLS_AES_128_GCM_SHA256
Issuer: /C=BE/O=GlobalSign nv-sa/CN=GlobalSign CloudSSL CA -
SHA256 - G3
+ Start Time: 2019-11-17 23:45:34 (GMT-5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ Cookie visid_incap_1990809 created without the secure flag
+ Cookie visid_incap_1990809 created without the httponly flag
+ Cookie incap_ses_1128_1990809 created without the secure flag
+ Cookie incap_ses_1128_1990809 created without the httponly flag
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user
agent to protect against some forms of XSS
+ Uncommon header 'x-iinfo' found, with contents: 14-20246465-0 0NNN
RT(1574052608319 12) q(0 -1 -1 -1) r(0 -1) B15(4,200,0) U18
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to
render the content of the site in a different fashion to the MIME type
+ All CGI directories 'found', use '-C none' to test none
+ Hostname 'www.moe.gov.my' does not match certificate's names: incapsula.com
+ 26223 requests: 0 error(s) and 10 item(s) reported on remote host
+ End Time: 2019-11-18 00:01:40 (GMT-5) (966 seconds)
---------------------------------------------------------------------------
