RE: Penetration test of 1 IP address

Here are a few notes or methods I follow for myself -
-----
Questions from the moderator:
If this task were assigned to me, how would I proceed?

It's not about using the right tools, it's about asking the right
questions.

You could use a whole slew of tools on some server, but if you're using
the wrong tools for the wrong problem you won't get anything back, and
you will in turn give your client the wrong impression of security when
you tell them you haven't found anything.

So I first try to ask the right questions technically, and try to see
what the client wants.

Usually with a webserver assessment I divide the assessment into a few
parts.

Webserver vulnerabilities
Webserver Misconfigurations
Application/Webapp problems


1) Validate the webserver version and protocol.

If doing this by hand I do the following things

- telnet webserver.com 80 GET /%00
- echo "GET /AA" | nc webserver.com 80
- browser , append %00 the end of index.html

- I then view the HTTP error codes to see what's up, or
if the server gave back some default server version.

To validate some of this and take it a bit deeper I use some of
the following tools -
Tools that can be used for this type of snooping include
httprint, nmap with -sV, amap.

2) Before I do anything very intrusive I personally go to the website
and look for common artifacts.
- view source - look for comments, names
- try /robots.txt, this is always useful and isn't too
intrusive, but may give you information on other
directories or give you a feel for the security posture of the site.
3) Moving a bit more into the intrusive stage.
- Brute forcing of common directories - wikto (from
sensepost.com) is a good tool for this. Nikto is also good if you're
using *nix, and if you're a die-hard check out the last version of
libwhisker and you can roll your own.
- After brute-forcing, go on to looking for default web vulns
with nikto.
4) Application.
- Start messing with the application. Try to identify what type
of application it is.
Is this .NET, Perl/CGI, or J2EE?
- Look for URI mappings that may indicate what
application server is being used.
If it's .cgi, look for common CGI problems:
- null bytes, directory traversals, illegal
chars & SQL injection
If it is .NET, assume it's using a Microsoft SQL Server and start
SQL injection tricks...
You may also want to always remember to look at the view-source
when testing the webapp. I have seen some pretty scary stuff in error
messages developers send to end users, and within the actual
applications.
Sometimes they put in hidden fields that pass .xml files from
the webserver for weird authentication (which you can just snag the
.xml files via your browser...)... Webapp developers do all sorts of
crazy stuff. The sky is the limit..

For J2EE, or crappy Java apps, view the comments and see if you
can download the .jar's so you can decompile them.

If you can download them to decompile them, run jad, and then run
the .class files through your OS X tool set to get a pretty visual
map of the program. Search for passwords and strings in the binary
that may give you other clues....

Keep remembering that you can do this, as long as you ask the
right questions and look for the right clues!

Good webapp tools include - @stake's WebProxy, SPIKE, & Paros
Proxy.
Also remember once you have found a vulnerability, don't become
frustrated when you can't exploit it right away.

Sometimes after finding SQL injection holes it takes days to be
creative to either exploit the hole or really understand where you
land in the SELECT and/or INSERT statement and how you can escalate your
privs.


If your goal is to give a report on the posture of the security of a
web application from a black box perspective, some of these tools and
methods work pretty well.

- I would add more, but for now I have other things pending....

-Daniel
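As an added example (not part of Daniel's post, Edmond's question, or any tool either of them names), here is the defender's side of steps 1, 2 and 4 above: a small Python checker that takes a captured HTTP response and a robots.txt body and flags the same artifacts the post says an assessor will read off the site (version-bearing Server/X-Powered-By headers, HTML comments, hidden form fields that point at server-side files, robots.txt Disallow entries), so the site owner can strip them before an assessment. Everything in it is assumed: the sample response, the sample robots.txt and the header/file-extension lists are constructed for the example, and it parses bytes handed to it rather than contacting any server.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a raw HTTP/1.1 response of the kind the post says to
# inspect. Headers and HTML body are made up for this example.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22\r\n"
    b"X-Powered-By: PHP/4.4.2\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><head><title>Login</title></head><body>\n"
    b"<!-- TODO: ask jsmith about the auth.xml format before release -->\n"
    b"<form method=\"post\" action=\"/login\">\n"
    b"<input type=\"hidden\" name=\"authfile\" value=\"/config/auth.xml\">\n"
    b"<input type=\"text\" name=\"user\">\n"
    b"<input type=\"password\" name=\"pass\">\n"
    b"</form></body></html>\n"
)

# Constructed sample robots.txt body (paths are made up).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /admin/\nDisallow: /backup/\nDisallow: /webblaze/\n"


def parse_http_response(raw: bytes) -> Tuple[str, Dict[str, str], str]:
    """Split a raw HTTP response into status line, lower-cased header dict and body text."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_line, headers, body.decode("utf-8", errors="replace")


# A dotted number such as 1.3.33 or 4.4.2 inside a banner header.
VERSION_RE = re.compile(r"\d+\.\d+")
# Headers that commonly carry product versions (assumed list for the example).
BANNER_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Flag banner headers that disclose a product version (what step 1 reads off)."""
    findings = []
    for name in BANNER_HEADERS:
        value = headers.get(name)
        if value and VERSION_RE.search(value):
            findings.append(f"header {name} discloses version: {value}")
    return findings


COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
HIDDEN_RE = re.compile(r"<input[^>]*type=[\"']hidden[\"'][^>]*>", re.I)
ATTR_RE = re.compile(r"(\w+)=[\"']([^\"']*)[\"']")
# Extensions that suggest a server-side file is being exposed to the browser
# (assumed list for the example).
SERVER_FILE_RE = re.compile(r"\.(xml|cfg|conf|ini|bak|sql|jar)$", re.I)


def check_body(body: str) -> List[str]:
    """Flag HTML comments and hidden fields that reference server-side files (step 2 and 4)."""
    findings = []
    for m in COMMENT_RE.finditer(body):
        text = " ".join(m.group(1).split())
        findings.append(f"html comment: {text}")
    for tag in HIDDEN_RE.findall(body):
        attrs = dict(ATTR_RE.findall(tag))
        value = attrs.get("value", "")
        if SERVER_FILE_RE.search(value):
            findings.append(f"hidden field {attrs.get('name')} references server-side file: {value}")
    return findings


def check_robots(robots_txt: str) -> List[str]:
    """List Disallow paths: each one tells any reader that the directory exists."""
    paths = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return [f"robots.txt reveals path: {p}" for p in paths]


def audit(raw_response: bytes, robots_txt: str) -> List[str]:
    """Run all three checks and return the combined findings."""
    _, headers, body = parse_http_response(raw_response)
    return check_headers(headers) + check_body(body) + check_robots(robots_txt)


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, SAMPLE_ROBOTS):
        print(finding)
```

The header findings are the ones to fix server-side (on Apache, `ServerTokens Prod` and `ServerSignature Off` trim the banner); the comment and hidden-field findings go back to the developers, and the robots.txt findings are a reminder that Disallow lines are a directory listing for anyone who reads the file, not an access control.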

To all:

I have been asked to perform a security audit of 1 IP address for a
client.
They have given me the 1 IP address and a clue (webblaze).

If I enter the IP address and then /webblaze, I am taken to a login
page (user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,


Edmond


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping
carts, forms, login pages, dynamic content etc. Firewalls, SSL and
locked-down servers are futile against web application hacking.
Check your website for vulnerabilities to SQL injection, Cross site
scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.2/253 - Release
Date: 2/7/2006

-----------------------------------------
Confidentiality Notice: This e-mail communication and any attachments
may contain confidential and privileged information for the use of the
designated recipients named above. If you are not the intended
recipient, you are hereby notified that you have received this
communication in error and that any review, disclosure, dissemination,
distribution or copying of it or its contents is prohibited. If you
have received this communication in error, please notify me immediately
by replying to this message and deleting it from your computer. Thank
you.
