Channel: Security Boulevard

The Importance of Cookie Recon

During network or application assessments, nikto, dirb, and/or DirBuster are commonly used to scan web servers for known content: files and directories that disclose information or that can be manipulated to the tester's advantage. During a recent assessment, I encountered a small issue that piqued my interest.

I booted my BackTrack 5 VM. The problems began with an ordinary nikto scan that appeared to hang:

root@bt:/pentest/web/nikto# ./nikto.pl -h www.client.local -p 80
- Nikto v2.1.5
---------------------------------------------------------------------------
+ Target IP: 2.21.36.217
+ Target Hostname: www.moodys.com
+ Target Port: 80
+ Start Time: 2012-06-22 23:49:32 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved

Huh? Examining the traffic with tshark revealed that no HTTP responses were coming back at all (the TCP three-way handshake completed fine):

root@bt:~# tshark -f "port 80 and host www.moodys.com" -R http
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
 0.131856 172.16.229.130 -> 2.21.36.217 HTTP 193 HEAD / HTTP/1.1 
 0.604160 172.16.229.130 -> 2.21.36.217 HTTP 189 GET / HTTP/1.1 
 10.743753 172.16.229.130 -> 2.21.36.217 HTTP 189 GET / HTTP/1.1 
 20.888732 172.16.229.130 -> 2.21.36.217 HTTP 191 GET / HTTP/1.1 
 31.025047 172.16.229.130 -> 2.21.36.217 HTTP 191 GET / HTTP/1.1 
 41.165659 172.16.229.130 -> 2.21.36.217 HTTP 202 GET /zQKunQmk.sh HTTP/1.1

I double-checked the site with a browser: everything was in order. More details were needed from tshark:

root@bt:~# tshark -f "port 80 and host www.moodys.com" -R http.request -O http -V
Running as user "root" and group "root". This could be dangerous.
Capturing on eth1
Frame 4: 193 bytes on wire (1544 bits), 193 bytes captured (1544 bits)
Ethernet II, Src: Vmware_42:97:9e (00:0c:29:42:97:9e), Dst: Vmware_ea:8d:54 (00:50:56:ea:8d:54)
Internet Protocol Version 4, Src: 172.16.229.130 (172.16.229.130), Dst: 2.21.36.217 (2.21.36.217)
Transmission Control Protocol, Src Port: 40430 (40430), Dst Port: http (80), Seq: 1, Ack: 1, Len: 139
Hypertext Transfer Protocol
 HEAD / HTTP/1.1\r\n
 [Expert Info (Chat/Sequence): HEAD / HTTP/1.1\r\n]
 [Message: HEAD / HTTP/1.1\r\n]
 [Severity level: Chat]
 [Group: Sequence]
 Request Method: HEAD
 Request URI: /
 Request Version: HTTP/1.1
 Connection: Keep-Alive\r\n
 User-Agent: Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\r\n
 Host: www.moodys.com\r\n
 \r\n
 [Full request URI: http://www.moodys.com/]
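As an added example (this is not code from the original post), here is a small Python triage helper that does in code what the two captures above do by eye. From tshark one-line summaries it tallies requests against responses per server and names the servers that never answer; it then parses the scanner's raw request (the HEAD probe captured above) alongside a browser request and lists the header names the scanner omits, which is the natural next question once a server is known to be silent. The 192.0.2.10 exchange in the sample capture, the browser request and its placeholder Cookie value are constructed for illustration; the page is cut off before the author's conclusion, so the Cookie header reflects the post's title, not a value observed on the site.

```python
"""Triage for a web scan that stalls with "No banner retrieved".

Two checks: (1) from tshark one-line summaries, confirm that requests leave
the scanner but no HTTP responses come back from a given server; (2) parse
the scanner's raw request and a browser's request and list which headers
differ, the next question once the server is known to be silent.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of `tshark -R http` summary lines. The
# first six lines reproduce the capture from the write-up; the last two are
# constructed (192.0.2.10 is a documentation address) to show an answered
# request for contrast.
SAMPLE_SUMMARY = """\
 0.131856 172.16.229.130 -> 2.21.36.217 HTTP 193 HEAD / HTTP/1.1
 0.604160 172.16.229.130 -> 2.21.36.217 HTTP 189 GET / HTTP/1.1
10.743753 172.16.229.130 -> 2.21.36.217 HTTP 189 GET / HTTP/1.1
20.888732 172.16.229.130 -> 2.21.36.217 HTTP 191 GET / HTTP/1.1
31.025047 172.16.229.130 -> 2.21.36.217 HTTP 191 GET / HTTP/1.1
41.165659 172.16.229.130 -> 2.21.36.217 HTTP 202 GET /zQKunQmk.sh HTTP/1.1
50.000000 172.16.229.130 -> 192.0.2.10 HTTP 189 GET / HTTP/1.1
50.020000 192.0.2.10 -> 172.16.229.130 HTTP 412 HTTP/1.1 200 OK  (text/html)
"""

SUMMARY_RE = re.compile(
    r"^\s*(?P<time>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+HTTP\s+\d+\s+(?P<info>.+)$"
)


def tally(summary):
    """Count HTTP requests sent to, and responses received from, each server.

    The info column starts with 'HTTP/' for a response (status line) and
    with a method for a request, which is how the direction is decided.
    """
    counts = defaultdict(lambda: {"requests": 0, "responses": 0})
    for line in summary.splitlines():
        m = SUMMARY_RE.match(line)
        if not m:
            continue
        if m["info"].lstrip().startswith("HTTP/"):
            counts[m["src"]]["responses"] += 1   # response: server is the source
        else:
            counts[m["dst"]]["requests"] += 1    # request: server is the destination
    return dict(counts)


def silent_servers(summary):
    """Servers that received at least one request and answered none of them."""
    return sorted(ip for ip, c in tally(summary).items()
                  if c["requests"] and not c["responses"])


# The scanner's request exactly as captured in the write-up.
NIKTO_REQUEST = (
    "HEAD / HTTP/1.1\r\n"
    "Connection: Keep-Alive\r\n"
    "User-Agent: Mozilla/5.00 (Nikto/2.1.5) (Evasions:None) (Test:Port Check)\r\n"
    "Host: www.moodys.com\r\n"
    "\r\n"
)

# A constructed, typical browser request for the same URL. The Cookie value
# is a placeholder, not anything observed on the site.
BROWSER_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.moodys.com\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
    "Accept-Language: en-US,en;q=0.5\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Cookie: placeholder=1\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request line, {lowercased name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def header_diff(scanner_raw, browser_raw):
    """Header names the browser sends but the scanner omits, and the reverse."""
    _, scanner = parse_request(scanner_raw)
    _, browser = parse_request(browser_raw)
    return {
        "missing_from_scanner": sorted(set(browser) - set(scanner)),
        "scanner_only": sorted(set(scanner) - set(browser)),
    }


if __name__ == "__main__":
    for ip, c in tally(SAMPLE_SUMMARY).items():
        print(f"{ip}: {c['requests']} requests, {c['responses']} responses")
    print("silent:", silent_servers(SAMPLE_SUMMARY))
    print("header diff:", header_diff(NIKTO_REQUEST, BROWSER_REQUEST))
```

To use it against a real capture, feed `tally()` the output of `tshark -R http` (or `-Y http` on newer releases) and `header_diff()` the raw request text from `tshark -O http -V` next to a request copied from the browser's developer tools; the headers named under `missing_from_scanner` are the ones to add back one at a time until the server answers.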
