Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: Edmond Chow <echow () videotron ca>
Date: Thu, 09 Feb 2006 22:33:52 -0500
Dear List:

Thanks to all of those who provided helpful comments. And to those who are doubting my honesty, please rest assured that I would NOT jeopardize my Ivy League education, my personal reputation or the reputation of the company I have spent many years to build to hack an unauthorized website.

I suggested to the moderator that it might be an interesting and educational exercise for me to provide the details of the assignment to the list (i.e., the IP address) and for all of us to collectively work through the assignment. I suspect that several individuals who are questioning my ethics could learn volumes from this exercise. The law firm in question is one of the world's most respected law firms and one of my top clients. Their systems administrator would be thrilled to be part of this exercise! I am with him tomorrow morning as we start to investigate web application vulnerability tools. Our first call is with Watchfire.

Thanks again to all those who genuinely wanted to help! And for those who want to offer their help to me offline, please do not hesitate to contact me, as I am always looking for ethical and qualified computer professionals to help with C-level consulting mandates.

Regards,
Edmond

-----Original Message-----
From: Clemens, Dan [mailto:Dan.Clemens () healthsouth com]
Sent: Thursday, February 09, 2006 11:59 AM
To: Ivan .; Erin Carroll
Cc: Edmond Chow; Michael Gargiullo; pen-test () securityfocus com
Subject: RE: Penetration test of 1 IP address

Here are a few notes or methods I follow for myself:

----- Questions from the moderator: If this task was assigned to me, how would I proceed?

It's not about using the right tools, it's about asking the right questions. You could use a whole slew of tools on some server, but if you're using the wrong tools for the wrong problem you won't get anything back, and you will in turn give your client the wrong impression of security when you tell them you haven't found anything.
So I first try to ask the right questions technically, and try to see what the client wants. Usually with a webserver assessment I divide the assessment into a few parts:

- Webserver vulnerabilities
- Webserver misconfigurations
- Application/webapp problems

1) Validate the webserver version and protocol. If doing this by hand I do the following things:
   - telnet webserver.com 80, then GET /%00
   - echo "GET /AA" | nc webserver.com 80
   - browser: append %00 to the end of index.html
   - I then view the HTTP error codes to see what's up, or if the server gave back some default server version.
   To validate some of this and take it a bit deeper I use some of the following tools. Tools that can be used for this type of snooping include httprint, nmap with -sV, and amap.

2) Before I do anything very intrusive I personally go to the website and look for common artifacts.
   - view source; look for comments, names
   - try /robots.txt; this is always useful and isn't too intrusive, but may give you information on other directories or give you a feel for the security posture of the site.

3) Moving a bit more into the intrusive stage.
   - Brute forcing of common directories: wikto (from sensepost.com) is a good tool for this. Nikto is also good if you're using *nix, and if you're a die-hard, check out the last version of libwhisker and you can roll your own.
   - After brute forcing, go on to looking for default web vulns with nikto.

4) Application.
   - Start messing with the application. Try to identify what type of application it is. Is this .net, perl/cgi, j2ee?
   - Look for URI mappings that may indicate what application server is being used. If it's .cgi, look for common cgi problems: null bytes, directory traversals, illegal chars & sql injection. If it is .net, assume it's using a Microsoft SQL server and start sql injection tricks...
   - You may also want to always remember to look at the view-source when testing the webapp.
I have seen some pretty scary stuff in error messages developers send to end users, and within the actual applications. Sometimes they put in hidden fields that pass .xml files from the webserver for weird authentication (which you can just snag the .xml files via your browser...). Webapp developers do all sorts of crazy stuff. The sky is the limit...

For j2ee, or crappy java apps, view the comments and see if you can download the .jar's so you can decompile them. If you can download them to decompile them, run jad, and then run the .class files through your osx tool set to get a pretty visual map of the program. Search for passwords and strings in the binary that may give you other clues....

Keep remembering that you can do this, as long as you ask the right questions and look for the right clues!

Good webapp tools include @stake's webproxy, spike, & paros proxy.

Also remember, once you have found a vulnerability, don't become frustrated when you can't exploit it right away. Sometimes after finding sql injection holes it takes days to be creative to either exploit the hole or really understand where you land in the SELECT and/or INSERT statement and how you can escalate your privs.

If your goal is to give a report on the posture of the security of a web application from a black box perspective, some of these tools and methods work pretty well. I would add more, but for now I have other things pending....

-Daniel
To all:

I have been asked to perform a security audit of 1 IP address for a client. They have given me the 1 IP address and a clue (webblaze). If I enter the IP address and then /webblaze, I am taken to a login page (user name and password requested). What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,
Edmond

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on
your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------------
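The first two steps Dan describes above (raw HTTP probes to read back status codes and any server banner, then a look at robots.txt) can be scripted so that the three hand probes and the reading of the replies are repeatable. The block below is an added example and is not code from any post in this thread; the hostnames and the sample replies it analyses offline are constructed for illustration, and send_probe() is the only part that touches the network, so use it only against a host you are authorised to test.

```python
"""Web server probing helpers: the three hand probes from the thread, a
parser for whatever comes back, and a robots.txt reader.  Added example,
not code from the original posts; all sample data below is constructed."""
import re
import socket
from typing import Dict, List

# Product/version strings as they appear in Server headers and in default
# error pages (for example Apache's ServerSignature line).
VERSION_RE = re.compile(
    r"(Apache/[\d.]+(?: \([^)]*\))?|Microsoft-IIS/[\d.]+|nginx/[\d.]+)")

PROBE_TEMPLATES = {
    # telnet webserver.com 80, then GET /%00
    "null_path": "GET /%00 HTTP/1.0\r\nHost: {h}\r\nConnection: close\r\n\r\n",
    # echo "GET /AA" | nc webserver.com 80  (no HTTP version: HTTP/0.9 style)
    "malformed": "GET /AA\r\n",
    # browser with %00 appended to index.html
    "null_suffix": "GET /index.html%00 HTTP/1.0\r\nHost: {h}\r\nConnection: close\r\n\r\n",
}


def build_probe(name: str, host: str) -> bytes:
    """Raw bytes for one of the three hand probes."""
    return PROBE_TEMPLATES[name].format(h=host).encode("ascii")


def parse_response(raw: bytes) -> Dict[str, object]:
    """Split a reply into version, status, lower-cased headers and body.
    An HTTP/0.9 style reply (no status line) yields version/status None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"HTTP/(\d\.\d) (\d{3})", lines[0])
    if not m:
        return {"version": None, "status": None, "headers": {},
                "body": raw.decode("latin-1", "replace")}
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        if key:
            headers[key.strip().lower()] = value.strip()
    return {"version": m.group(1), "status": int(m.group(2)),
            "headers": headers, "body": body.decode("latin-1", "replace")}


def fingerprint(responses: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """What the probes gave away: distinct Server headers, version strings
    leaked in bodies (default error pages), and the status code per probe.
    The per-probe differences are what tools like httprint key on."""
    banners, leaks, status = set(), set(), {}
    for name, resp in responses.items():
        status[name] = resp["status"]
        server = resp["headers"].get("server")
        if server:
            banners.add(server)
        leaks.update(VERSION_RE.findall(resp["body"]))
    return {"server_headers": sorted(banners), "version_leaks": sorted(leaks),
            "status_by_probe": status}


def parse_robots(text: str) -> List[str]:
    """Disallow paths from a robots.txt body, comments stripped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def send_probe(host: str, port: int, name: str, timeout: float = 5.0) -> Dict[str, object]:
    """Send one probe over plain TCP and parse the reply (authorised hosts only;
    for HTTPS wrap the socket with ssl.create_default_context())."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_probe(name, host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample replies (not captured from any real host): the Server
# header is trimmed to "Apache" but the default error page still leaks the
# full version, and the malformed probe gets an HTTP/0.9 style bare body.
SAMPLE_REPLIES = {
    "null_path": (b"HTTP/1.1 400 Bad Request\r\nServer: Apache\r\n"
                  b"Content-Type: text/html\r\n\r\n<html><body><h1>Bad Request</h1>"
                  b"<address>Apache/2.0.55 (Unix) Server at www.example.test Port 80"
                  b"</address></body></html>"),
    "malformed": b"<html><body><h1>Bad Request</h1></body></html>",
    "null_suffix": (b"HTTP/1.1 404 Not Found\r\nServer: Apache\r\n\r\n"
                    b"<address>Apache/2.0.55 (Unix) Server at www.example.test Port 80"
                    b"</address>"),
}
SAMPLE_ROBOTS = ("User-agent: *\nDisallow: /admin/   # staging console\n"
                 "Disallow: /cgi-bin/\nDisallow:\nDisallow: /backup\n")


def analyse_samples() -> Dict[str, object]:
    """Run the offline analysis over the constructed samples."""
    summary = fingerprint({k: parse_response(v) for k, v in SAMPLE_REPLIES.items()})
    summary["robots_disallow"] = parse_robots(SAMPLE_ROBOTS)
    return summary


if __name__ == "__main__":
    for key, value in analyse_samples().items():
        print(f"{key}: {value}")
```

Against the constructed samples the summary shows a Server header of just "Apache" while the error pages leak "Apache/2.0.55 (Unix)", which is the kind of mismatch worth noting in a report even before any scanner is run; swap SAMPLE_REPLIES for the output of send_probe() to do the same against a live target.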
Current thread:
- Re: Penetration test of 1 IP address, (continued)
- Re: Penetration test of 1 IP address intel96 (Feb 09)
- Re: Penetration test of 1 IP address Ivan Arce (Feb 15)
- Re: Penetration test of 1 IP address Sugiowono (Feb 09)
- RE: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- RE: Penetration test of 1 IP address Sels, Roger (Feb 09)
- RE: Penetration test of 1 IP address Anders Thulin (Feb 09)
- RE: Penetration test of 1 IP address Edmond Chow (Feb 09)
- RE: Penetration test of 1 IP address John Forristel (SunGard-Chico) (Feb 09)
- Re: Penetration test of 1 IP address Dave (Feb 09)
- RE: Penetration test of 1 IP address Clemens, Dan (Feb 09)
- RE: Penetration test of 1 IP address Edmond Chow (Feb 10)
- Re: Penetration test of 1 IP address thomas springer (Feb 10)
- RE: Penetration test of 1 IP address John Forristel (SunGard-Chico) (Feb 09)
- RE: Penetration test of 1 IP address Levenglick, Jeff (Feb 09)
- Fwd: Penetration test of 1 IP address Brian Loe (Feb 09)
- Re: Fwd: Penetration test of 1 IP address Justin Seitz (Feb 09)
- RE: Penetration test of 1 IP address Beau Mersereau (Feb 09)
- RE: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- Re: Fwd: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- Re: Fwd: Penetration test of 1 IP address pagvac (Feb 09)
- RE: Penetration test of 1 IP address Navroz Shariff (Feb 09)