Top 10 exploits used by hackers to easily take control of servers
https://www.securitynewspaper.com/2020/04/08/top-10-exploits-used-by-hackers-to-easily-take-control-of-servers/
Wed, 08 Apr 2020 18:39:59 +0000

Every week, multiple security vulnerabilities are reported across a range of technology products. According to cloud security course specialists, it is critical to detect and correct these flaws before threat actors manage to develop an exploit and complete an attack, although it is not possible to prevent 100% of attacks.

Exploitation is usually carried out with automated software that scans for and detects vulnerable devices and other vulnerable deployments on the network. To investigate this malicious behavior, multiple cybersecurity firms deploy sensors and honeypots that run various services to attract the attention of bots and hackers, generating millions of events daily.

Based on a thorough analysis, Radware’s cloud security course specialists have drawn up a list of the ten exploits most used by threat actors. These attacks are primarily used to exploit known vulnerabilities on popular servers.

/TP/public/index.php

This exploit is used to abuse CVE-2018-20062, a remote code execution vulnerability in NoneCMS ThinkPHP. ThinkPHP is a PHP-based web application development framework widely used in enterprise environments. This vulnerability was discovered in December 2018 and affects NoneCMS ThinkPHP 5.x with maintenance releases earlier than v5.0.23 and v5.1.31.

Other Uniform Resource Identifiers (URIs) related to the same vulnerability:

  • /TP/index.php
  • /thinkphp/html/public/index.php
  • /thinkphp/public/index.php
  • /TP/html/public/index.php
  • /html/public/index.php

This exploit was used in 25% of reported server attacks over the past year.

/wp-config.php

This is a very important configuration file for WordPress. A threat actor with access to ‘wp-config.php’ could trigger a sensitive file exposure vulnerability in the Content Management System (CMS). This vulnerability was exploited in 14% of server attacks, cloud security course specialists say.

/ctrlt/DeviceUpgrade_1

The Huawei HG532 router is widely used in homes and small businesses. A couple of years ago, the company issued a security alert about a remote code execution (RCE) vulnerability identified as CVE-2017-17215. By sending malicious requests to port 37215, a threat actor might execute arbitrary code without authenticating to the user interface.

This attack represents 11% of total attacks on servers reported last year.

/nice%20ports%2C/Tri%6Eity.txt%2ebak

Nmap is a widely used network scanner. In this specific request, the attacker uses escaped ASCII characters to trigger an HTTP 404 error message and analyze the web server's response. A successful scan could reveal important information about the web server code; 9% of server attacks are associated with this exploit.

/phpMyAdmin/scripts/setup.php

phpMyAdmin is a free and open source management tool for MySQL and MariaDB. The remote code execution vulnerability identified as CVE-2009-1151 would allow a remote hacker to inject arbitrary PHP code into a configuration file when it is saved, compromising the target system. This exploit was used in 9% of server attacks.

/wls-wsat/CoordinatorPortType11

The CVE-2017-10271 vulnerability could be exploited by unauthenticated remote hackers using a malicious HTTP request to take control of an Oracle WebLogic server deployment. 7% of server attacks are associated with this exploit.

/editBlackAndWhiteList

In April 2018, Shenzhen TVT released a critical warning and firmware update to fix a remote code execution vulnerability in NVMS-9000 Digital Video Recorder. An unauthenticated remote attacker could have used the encoded administrator credentials to run their code on the victim’s machine. The exploit was identified in 5% of server attacks, cloud security course experts mentioned.

/HNAP1

HNAP is a network device management protocol patented by Pure Networks and acquired by Cisco that enables advanced programmatic configuration and management by remote entities. The CVE-2014-8244 vulnerability allows attackers to abuse multiple HNAP devices, such as D-Link and Linksys routers.

/_async/AsyncResponseService

This exploit allowed hackers to abuse CVE-2019-2725, a remote code execution vulnerability that affects Oracle WebLogic components that do not adequately deserialize input data; 1% of server attacks are related to this flaw.

/GponForm/diag_Form?images/

Vulnerabilities CVE-2018-10561 and CVE-2018-1056 allowed multiple threat actors to execute arbitrary commands on the affected versions of Gpon routers. This attack is associated with 1% of reported incidents over the past year.

The International Institute of Cyber Security (IICS) recommends visiting the official platforms of technology companies for more details on these attacks and the vulnerabilities exploited by hackers.
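
As an added example (not from Radware or the original article), the following Python code flags access-log requests for the paths listed above, normalizing case, percent-encoding, query strings and trailing slashes before matching. The log lines and IP addresses are constructed samples in combined log format, and the function names are illustrative.

```python
import re
from urllib.parse import unquote, urlsplit

# Request targets and labels as given in the article above.
PROBES = {p: "CVE-2018-20062 (ThinkPHP)" for p in (
    "/TP/public/index.php /TP/index.php /thinkphp/html/public/index.php "
    "/thinkphp/public/index.php /TP/html/public/index.php /html/public/index.php").split()}
PROBES.update({
    "/wp-config.php": "WordPress wp-config.php exposure",
    "/ctrlt/DeviceUpgrade_1": "CVE-2017-17215 (Huawei HG532)",
    "/nice%20ports%2C/Tri%6Eity.txt%2ebak": "Nmap web server scan",
    "/phpMyAdmin/scripts/setup.php": "CVE-2009-1151 (phpMyAdmin)",
    "/wls-wsat/CoordinatorPortType11": "CVE-2017-10271 (Oracle WebLogic)",
    "/editBlackAndWhiteList": "Shenzhen TVT NVMS-9000 RCE",
    "/HNAP1": "CVE-2014-8244 (HNAP)",
    "/_async/AsyncResponseService": "CVE-2019-2725 (Oracle WebLogic)",
    "/GponForm/diag_Form?images/": "CVE-2018-10561 (Gpon routers)",
})

def normalize(target):
    """Drop the query string, decode percent-escapes, lowercase, trim '/'."""
    return unquote(urlsplit(target).path).lower().rstrip("/")

SIGNATURES = {normalize(p): label for p, label in PROBES.items()}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\S+ (\S+)[^"]*" (\d{3}) ')

def classify(lines):
    """Return (client, label, status) for every request to a listed path."""
    matches = (LOG_RE.match(line) for line in lines)
    return [(m.group(1), SIGNATURES[normalize(m.group(2))], int(m.group(3)))
            for m in matches if m and normalize(m.group(2)) in SIGNATURES]

def needs_triage(hits):
    """Probes answered with 2xx: the server returned content, not an error."""
    return [h for h in hits if 200 <= h[2] < 300]

# Constructed sample lines (documentation IP ranges), not real traffic.
TS = "[08/Apr/2020:10:00:00 +0000]"
SAMPLE_LOG = [
    f'203.0.113.7 - - {TS} "GET /tp/PUBLIC/index.php HTTP/1.1" 404 153',
    f'198.51.100.9 - - {TS} "GET /nice%20ports%2C/Tri%6Eity.txt%2ebak HTTP/1.0" 404 153',
    f'198.51.100.9 - - {TS} "GET /%77p-config.php HTTP/1.1" 200 3120',
    f'192.0.2.44 - - {TS} "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 153',
    f'192.0.2.44 - - {TS} "POST /HNAP1/ HTTP/1.1" 401 0',
    f'192.0.2.50 - - {TS} "GET /index.html HTTP/1.1" 200 512',
]

print(*classify(SAMPLE_LOG), sep="\n")
```

Matching is exact on the normalized path, so the same files requested under a different directory prefix are not flagged; `needs_triage` separates probes that received a 2xx response from those that were rejected.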

Find hidden directories on web server
https://www.securitynewspaper.com/2018/11/14/find-hidden-directories-on-web-server/
Wed, 14 Nov 2018 18:01:20 +0000

What is DIRBUSTER?

DirBuster / directory traversal attacks are attacks in which an attacker uses a dictionary or wordlist to find hidden or non-hidden directories and files on the target web application and server. According to an ethical hacker at the International Institute of Cyber Security, an attacker may find directories that are thought to be unavailable on the target server or web application.

DirBuster works against a URL and a port. The attacker provides it with port 80 and 443 and the wordlist. Once the attack is started, DirBuster sends HTTP GET requests to the website and listens for the site’s responses.

How to use DirBuster on Kali Linux?

  • In the above screenshot you have to enter the target IP address and the port. Port 80 will be used for sending and receiving client-based communication in DirBuster, over the HTTP protocol.
  • For the HTTP method, select Auto Switch (HEAD and GET).
  • Now select the number of threads, 10 or Go Faster. Threads can also be increased but will take time in finishing the DirBuster scan.
  • Select list based brute force or pure brute force. List based brute force uses a wordlist selected from the DirBuster directory, or the attacker can use a custom wordlist. In a brute force attack, one wordlist at a time is used, as provided by DirBuster. The default directory of wordlists provided by DirBuster is /usr/share/wordlists/dirbuster/
  • If you select the char set option, it will create a wordlist with all the characters specified by the user in the DirBuster tool.
  • In the starting options, if the attacker uses Standard start point, DirBuster will go through all the webpages of the target website/server. With URL Fuzz, DirBuster will try to find hidden HTML.
  • If the attacker knows some of the directories in the target’s URL/website, those directory names can be entered in the Dir to start with field. They will be given the highest priority. If no directory is entered, it will scan the wordlist sequentially.

CHECK THE WORDLIST:-

  • To check the wordlist that will be used in scanning, click on the List Info button to see the wordlist.

SCAN IN PROGRESS:-

  • Once you click the Start button, you will see something like the following in DirBuster:

[Screenshots: DirBuster scan in progress]

  • DirBuster takes time while scanning the whole URL. The above screenshot shows the scan information, with the folders and URLs that DirBuster has found.
  • Current/average speed shows the number of requests per second DirBuster is sending to the victim URL.
  • The attacker can also change the speed of DirBuster scanning by changing the number of threads in DirBuster.
  • Total Requests shows the number of HTTP/HTTPS requests sent to the victim URL.
  • Time to Finish shows the amount of time DirBuster has taken to finish the scan.
  • The Results – List View tab shows the list of files that DirBuster has grabbed from the victim URL.
  • The Results – Tree View tab shows the hidden or non-hidden directories found.
  • The Errors tab shows connection timeouts for particular pages, where the request sent was denied because there was no response from the victim URL/server.

SAVING THE REPORT:-

  • After the scan finishes, you can also save the report and choose the format in which to save it. Select the location where you want to save the report.

REPORT VIEWER:-

  • In the above screenshot, the report can be seen/downloaded in many formats.

Flaws in Siemens Building Automation Controllers open to hack. Fix them asap
https://www.securitynewspaper.com/2017/10/16/flaws-siemens-building-automation-controllers-open-hack-fix-asap/
Mon, 16 Oct 2017 02:53:14 +0000

Siemens has released a firmware update that addresses two vulnerabilities in its BACnet Field Panel building automation controllers.

This week Siemens released a firmware update for its BACnet Field Panel building automation products that fixes two vulnerabilities, one of which is classified as high severity.

The vulnerabilities affect APOGEE PXC and TALON TC BACnet automation controllers running a version of the firmware prior to 3.5. Both families of affected devices are widely used in commercial facilities to control heating, ventilation and air conditioning (HVAC) equipment.

BACnet Field Panel building automation controllers

The first flaw, tracked as CVE-2017-9946, is classified as high severity and received a CVSS score of 7.5.

According to the security advisory published by the US-CERT, an unauthenticated attacker with access to the integrated web server can trigger the flaws to download sensitive information.

“Successful exploitation of these vulnerabilities could allow unauthenticated attackers with access to the integrated webserver to download sensitive information,” states the US-CERT.

The BACnet Field Panel allows facility operators to easily configure, monitor and control the automation controllers. The attackers can bypass the authentication mechanism to download sensitive information from a device.

The company downplayed the flaw because the attacker requires network access to the web server.

A second security vulnerability, tracked as CVE-2017-9947, is a directory traversal issue that could be exploited by an attacker to obtain information on the structure of the file system on vulnerable devices. Exploiting this vulnerability also requires network access to the web server.

Below is the information provided by Siemens:

“Vulnerability 1 (CVE-2017-9946) – An attacker with network access to the integrated web server (80/tcp and 443/tcp) could bypass the authentication and download sensitive information from the device.
CVSS Base Score 7.5
CVSS Vector CVSS:3.0”

and

“Vulnerability 2 (CVE-2017-9947) – A directory traversal vulnerability could allow a remote attacker with network access to the integrated web server (80/tcp and 443/tcp) to obtain information on the structure of the file system of the affected devices.
CVSS Base Score 5.3
CVSS Vector CVSS:3.0”

Siemens addressed both vulnerabilities with the release of firmware version 3.5 for BACnet Field Panel Advanced modules.

Source: https://securityaffairs.co/wordpress/64330/hacking/siemens-building-automation-controllers-flaws.html
