RE: Penetration test of 1 IP address

From: Edmond Chow [mailto:echow@xxxxxxxxxxxx]

> I have been asked to perform a security audit of 1 IP address
> for client.

Security audit or penetration test? They are different. An audit verifies
that a system (and its users) conforms to all rules and regulations it is
subject to, while a penetration test is just getting access to things you
should not get access to, typically outlined in the task description.

It's not a security audit -- they're white-box jobs, made from the
inside. So I assume penetration test.

> They have given me the 1 IP address and a clue (webblaze).

I assume that IP address is the only one you are allowed to touch.
That rules out general subnet scanning, and router or firewall attacks.
Tracerouting the address to get an idea of network structure ... lots
of company-owned routers in front, or none at all? ... is still
a good idea.

> If I enter the IP address and then /webblaze, I am taken to a
> login page (user name and password requested).

Do a full scan TCP and UDP. Any other ports open that you could use?
(If there is a firewall, it may bias the result.)

Since there is a web site, use nikto. Nessus may have something
useful among its web tests. If you have commercial tools, use them.
(Sometimes N-Stealth Free Edition comes up with something useful.)

Walk over the web site. Use xenu just to get an idea of what's
there, and where links go. wget will get you the contents of the site,
so you can look at scripts and other things to explore. (Be systematic.)
If there are scripts, save the page, tweak any parameters locally, and run
the page and script from your local disk (with suitable changes in links).
Some web designers don't realise you can do that.

If you have an authentication situation, you need to have some ideas
about possible user names. Google for company information,
Usenet news messages from the company, you may even have one or two
mails from them to check. Use to learn about network
information (if they have their own network) and people in charge of
it. Do they have another website ... Google that as well for names (if you don't
know how, try the book 'Google hacking'). And not the least, google for
the IP-address or its related domain name.

It can be surprisingly useful ... I remember one assignment where
my co-worker discovered the name of the IT manager on the company
web site, and then that that IT manager had an account in the company
firewall (for no clear reason). The main difficulty was knowing the structure
of their user IDs, but that was the same as the From: addresses in their e-mail.

Are there any links from that site to the one you're investigating ... if so check
them out. It may be that you can bypass authentication.

At this point, nikto should have told you what server is running. Try HTTPprint
to verify it, if it looks like they have obfuscated any banners. Check out
known vulnerabilities for that product in the SecurityFocus vulnerability database,
or look at for ideas. Look at the metasploit framework
if they have exploits for it. Google again.

By now you should also have Googled for 'webblaze'. Does that seem to be
the product you're looking at? Do they have any user guides or admin manuals
for download that may contain useful information for downloads ... like
default admin account & password? Do they have patches for download ... that
you can inspect for information in cleartext? (Some years ago backdoor accounts
to a line of network switches could be discovered by examining updates closer
than most people would do.) In some cases ... perhaps not this ... it's possible to
download demo versions to play with. Always useful to get more insight into
what's going on. Don't forget to check the vulnerability databases on the net for
'webblaze' or the company that makes it. Or Google usenet groups for users
of the product ... perhaps the manufacturer has a user forum from which you can
glean useful hints?

I assume you didn't find an easy way in.

Try overflows. What happens if you use 10000 'A's as user name
and password? Any interesting error messages? Look up 'SQL Injection'
on the net, and try that. Try other special characters.

Is the login good? That is, it doesn't give different messages for bad user
name and for bad password? If it does, you can fairly easily guess user names
just by looking at the error message.

If you don't know what typical username/passwords can be, find the 'default password'
list from, and see what looks reasonable to try. 'administrator' for username
is standard, but there are others.

Now start guessing.

Try using Brutus or THC Hydra or any other tool for guessing web
passwords that you feel comfortable about using, and let it run
unintelligently, while you do the intelligent attempts to get in.

You should by now know if the web site limits login attempts.
It can also be embarrassing to discover that you've been locked
out by an automatic defense system. Look for those product
manuals *before* you start the automatic brute force stuff.

> What tools would you recommend that I use for this assignment?

Showtime is not the time to learn about new and unfamiliar tools.
If you do not know how to use nmap, nikto, google, learn to.
Showtime is rarely the time to discover that certain exploits are fragile,
and that you only get one chance with them. It can be embarrassing to
ask the customer to fire up their web server again, because you blew
the chance to break in, and want to have another go. You'll learn that the
first time ...

And ... get a copy of either Hacking Exposed Web Applications or
Web Hacking, read, digest, think and experiment. (There's also a
HE J2EE and Java volume, though not as immediately useful.)

And ... if you are serious about web security testing, look around for a
web security testing course.

Anders Thulin anders.thulin@xxxxxxxxxxxxxxx 040-661 50 63
TietoEnator Telecom & Media AB, Box 85, SE-201 20 Malmö
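Added example, not part of the original message or its author's work: the reply makes two points a defender should take away, that a login form which says "unknown user" and "wrong password" separately lets anyone enumerate valid user names from the error text, and that a form which does not limit attempts or bound input length is what makes 10000 'A's and an unattended brute-force run worth trying. The toy handlers below show the leaky form beside a hardened one over a constructed in-memory user table. The names (`leaky_login`, `hardened_login`, `make_user`), the limits (`MAX_FIELD_LEN`, `MAX_FAILED_ATTEMPTS`) and the sample user and password are all assumptions made for this example.

```python
"""Leaky vs. hardened login handlers (added example, constructed data).

leaky_login:    different message for unknown user and wrong password,
                so the error text reveals which user names exist.
hardened_login: one generic message for every failure, bounded field
                length, constant-time hash comparison and lockout after
                repeated failures.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_FIELD_LEN = 128        # assumption: reject oversized fields rather than process them
MAX_FAILED_ATTEMPTS = 5    # assumption: lock the account after five consecutive failures
GENERIC_FAILURE = "Invalid user name or password"


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count is an assumption for the example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def make_user(password: str) -> User:
    """Create a user record with a fresh random salt (constructed test data)."""
    salt = os.urandom(16)
    return User(salt=salt, pw_hash=_hash_password(password, salt))


def leaky_login(users: dict, username: str, password: str) -> tuple:
    """The weak form: the message itself tells the caller whether the user exists."""
    user = users.get(username)
    if user is None:
        return False, "Unknown user name"
    if _hash_password(password, user.salt) != user.pw_hash:
        return False, "Wrong password"
    return True, "Login OK"


def hardened_login(users: dict, username: str, password: str) -> tuple:
    """The hardened form: same message for every failure, length limit, lockout."""
    # Oversized fields (the 10000-'A' case) are rejected before any lookup or hashing.
    if len(username) > MAX_FIELD_LEN or len(password) > MAX_FIELD_LEN:
        return False, GENERIC_FAILURE
    user = users.get(username)
    if user is None:
        # Do the same hash work for unknown users so response time does not
        # distinguish them from known ones (dummy salt, result discarded).
        _hash_password(password, b"\x00" * 16)
        return False, GENERIC_FAILURE
    if user.locked:
        return False, GENERIC_FAILURE
    if hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
        user.failed_attempts = 0
        return True, "Login OK"
    user.failed_attempts += 1
    if user.failed_attempts >= MAX_FAILED_ATTEMPTS:
        user.locked = True
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed user table for a stand-alone run.
    table = {"administrator": make_user("correct horse battery staple")}
    print(leaky_login(table, "nobody", "x"))              # (False, 'Unknown user name')
    print(leaky_login(table, "administrator", "x"))       # (False, 'Wrong password')
    print(hardened_login(table, "nobody", "x"))           # (False, 'Invalid user name or password')
    print(hardened_login(table, "administrator", "x"))    # same generic message
    print(hardened_login(table, "A" * 10000, "A" * 10000))  # rejected on length, same message
```

The lockout counter here is per account and in memory only; a real deployment would persist it, rate-limit per source as well, and log the failures so the automated guessing the reply describes shows up in monitoring rather than only in the attacker's results.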
