Re: Pen testing web servers

So here's a story of a recent penetration test on a web server we did.
Technically, it was 3 web servers - but let's run with it.

So first, we did all the basic scanning against it. It's IIS 5, so you have
to look for old buffer overflows you know aren't there. Then Bas got wrapped
into webdav for some reason. He was playing with PROPFIND and got a
directory listing of one of the server's /'s. Then, on a lark, he wrote up a
tool that checked for PROPFIND listings on every other server and every
directory - which, much to my suprise, found another one.

So there we are, with some directory listings! Horray! But we wanted a

So I told him to check for PUT uploads, but at the same time, I told him
they were a myth, like dragons or santa claus or dolphins. I'd heard about
people seeing it, but I'd never in all my years of IIS 5 pen tests ever seen
it. So he modified his script and checked to see if he could upload hi.html.
And lo and behold on one lonely directory on one of the web servers, he

So that was pretty cool. Now we can do XSS easily! Horray!

But we wanted a shell. So he tried uploading hi.asp, an ASP Shell. But no
go. So then he tried uploading hi.html and then using WebDav to copy it to
hi.asp, which worked. Then we could request hi.asp and get a shell!

So then the next step for us is to upload a MOSDEF callback and get a CANVAS
node running. This failed. and froze the entire ASP process. So now no ASP
files would run. It was very upsetting, as you can imagine. Remember to
always use "start" to run programs that might freeze your ASP shell!

Our next step was to think for a while, and then we uploaded an ASP.Net file
that also got us a shell. Luckily for us this server also had ASP.Net
support. So once that was done, we did some recon by having MOSDEF call back
to us to a server outside our network on the real Internet (you need lots of
infrastructure like this for penetration testing). We found that no TCP
ports were allowed outbound from the target network by portscanning our
external box from the target machine. :< This made us unhappy, as MOSDEF
currently worked only over TCP.

We tried pinging ourselves from the target, and that worked. So there was a
way out! But .... we were not Admin or System yet, and the publicly
available tools for ICMP tunneling required winpcap, which we don't want to
install on a target even if we DO have admin. It's just more likely to crash
the host than work properly.

So we thought for a while, then Bas sat down and coded up an ICMP to TCP
proxy for Windows that did not require Admin privs using the Windows ICMP
API! Horray! Now we can get MOSDEF connectivity, kill our stuck process
after running local roots, and so forth. Sadly, this machine had all its RPC
interfaces already crashed which makes it hard to get local Admin using RPC
exploits. As we're working, we notice someone from another country log onto
the machine using the same webdav vulnerability (we assume). We clean up,
and inform the client and are done.

Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put
into CANVAS, and now everyone has it.

The end.


On Fri, Dec 19, 2008 at 6:10 PM, Kevin P Biggs <kbiggs81@xxxxxxxxx> wrote:

What does everyone consider the best pen tool for testing web servers?
I have tried Nessus.
What tool(s) do you recommend?

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now