Re: [whisker] How to Analyse Whisker Report

On Wed, 29 Jan 2003, Indian Tiger wrote:

> But I feel there should be some short and sweet document or way to do
> analyze whisker report.

There is:

        http://www.google.com/search?q=security+<FILE>

Where <FILE> is the file reported by whisker. Google returns a relevant document in the top 5 returns for each file you listed.

> Found URL: /_vti_inf.html

This is a FrontPage configuration file. It tells you FrontPage version and location information. Informational value only.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

> /_vti_bin/shtml.dll
> /_vti_bin/shtml.exe
> Found URL: /_vti_bin/_vti_aut/author.dll
> Found URL: /_vti_bin/_vti_aut/author.exe

Just FrontPage components. Depending on the version, there are various vulnerabilities.

> Found URL: /support/

This is just a potentially interesting directory. No immediate vulnerability (hence the "Informational" blurb).

> The following cookies were encountered while scanning:
> ASPSESSIONIDGQGQQVDC=KCFINCADOLIBGEMOBEDFKJAF; path=/
> ASPSESSIONIDGQGQQVDC=HCFINCADMFKBHMJKMOJMCFHL; path=/
> ASPSESSIONIDGQGQQVDC=JCFINCADBAKBDIMCBMFCMGAH; path=/
> How to perform replay on these cookies? and what more I can get by these
> cookies?

Nothing. Replay attacks won't provide anything, as there's no sensitive information associated with those cookies. It's purely informational.

If you were curious, you'd take the returned cookie values and data mine them for possible predictable sequences...but since this is IIS, let me save you some time and tell you that they are sufficiently random. ;)

> What does "Server failure" mean?

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

It means the server returned a 5xx response, indicting there was an error with the CGI component. No immediate vulnerability...just (ab)normal response.

• rfp