Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: "Sels, Roger" <roger.sels () gov-fbi net>
Date: Thu, 9 Feb 2006 00:55:59 +0100 (CET)
-----Original Message-----
From: Edmond Chow [mailto:echow () videotron ca]
Sent: Tuesday, February 07, 2006 10:45 PM
To: 'Michael Gargiullo'; pen-test () securityfocus com
Cc: 'Edmond Chow'
Subject: RE: Penetration test of 1 IP address

To all:

I have been asked to perform a security audit of 1 IP address for client. They have given me the 1 IP address and a clue (webblaze). If I enter the IP address and then /webblaze, I am taken to a login page (user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,
Edmond
On Thu, February 9, 2006 3:59 am, Erin Carroll said:
List members,
<snip>
So how bout it gang? You've been given some basic information on a target IP. It's running HTTP. It also has a login/password prompt. Where do you go from here and what information do you look for next?

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"
Hello Edmond,

Due to the customer giving you that hint, I suspect noise is not an issue? However, should it be, there are some other approaches to consider before nmapping the box. Nothing fancy, and if it'd work, you'd have picked the low-hanging fruit. But better check for low-hanging fruit before getting more complex/"intelligent" (and noisy ;) ) but that's just my 0.02EURO.

Also, what is the scope of your test? Should you only test the web application and assume the server is hardened correctly, or is this a full test of this 1 IP address?

You could grab the banner of the HTTP server or run p0f (if you are using Linux or plain pf for *BSD) to get an idea of which webserver you are dealing with. It very well could be an older version of e.g. Apache for which you can find an exploit. If the server seems to be rather silent about its version, maybe more info can be found on error pages which you will be generating (by accessing non-existent URLs).

Basically, you can look around in the source of the login page to see if you can find anything useful in there (maybe a pointer to a directory which happens to be world readable and contains interesting/sensitive files).

Another test would be trying to login as e.g. admin with the company's name as a password. Try some variations on that and who knows. Maybe there will be a clue (commented or not) in the source HTML of that login page that will give away the password or hint you in the right direction.

Again, I realise these tips aren't rocket science, but it's a starting place. If anyone disagrees I'll hear so soon enough ;-)

Kind regards & good luck
Roger

P.S. Other things to look into: you mention a login prompt. Is that JavaScript, PHP, ... ? Depending on what you find there, you'll know if there is a DB in the back-end. (well, it's very likely...). Does it look vulnerable to SQL injection? What OS is this on? Find anything interesting there - e.g. it's an NT4 box with an outdated IIS.
--
Life is 10 percent what you make it and 90 percent how you take it. - Irving Berlin
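
The low-hanging fruit the message above lists (version banners, chatty error pages, clues left in HTML comments) can be checked on your own server before a tester finds it. The following is an added example, not part of the original post: it audits one raw HTTP response for those disclosures. The sample response, the header list and the keyword list are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample: a raw 404 response such as an unhardened server might send.
SAMPLE_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/1.3.27 (Unix) PHP/4.3.1\r\n"
    "X-Powered-By: PHP/4.3.1\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    "<!-- TODO: remove test account before go-live -->\n"
    "<!-- nav -->\n"
    "<address>Apache/1.3.27 Server at www.example.test Port 80</address>\n"
    "</body></html>"
)

# Assumed lists; extend them for your own stack.
DISCLOSING_HEADERS = {"server", "x-powered-by", "x-aspnet-version"}
VERSION_RE = re.compile(r"\b[A-Za-z][\w.-]*/\d+(?:\.\d+)+")   # product/1.2.3
SENSITIVE_RE = re.compile(r"passw|account|admin|todo|backup|debug", re.I)

class _Collector(HTMLParser):
    """Collects HTML comments and visible text from the response body."""
    def __init__(self):
        super().__init__()
        self.comments, self.text = [], []
    def handle_comment(self, data):
        self.comments.append(data.strip())
    def handle_data(self, data):
        self.text.append(data)

def audit_response(raw):
    """Return (kind, detail) findings for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    findings = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in DISCLOSING_HEADERS and VERSION_RE.search(value):
            findings.append(("header-version", f"{name.strip()}: {value.strip()}"))
    collector = _Collector()
    collector.feed(body)
    collector.close()
    for banner in VERSION_RE.findall(" ".join(collector.text)):
        findings.append(("body-version", banner))  # version leaked in page text
    for comment in collector.comments:
        if SENSITIVE_RE.search(comment):
            findings.append(("comment", comment))  # comment worth reviewing
    return findings
```

An empty result for both the login page and a deliberately requested non-existent URL means the response no longer advertises product versions or leaves flagged comments behind.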