OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
RE: Penetration test of 1 IP address

From: Sels, Roger (roger.selsgov-fbi.net)
Date: Wed Feb 08 2006 - 17:55:59 CST


>> -----Original Message-----
>> From: Edmond Chow [mailto:echowvideotron.ca]
>> Sent: Tuesday, February 07, 2006 10:45 PM
>> To: 'Michael Gargiullo'; pen-testsecurityfocus.com
>> Cc: 'Edmond Chow'
>> Subject: RE: Penetration test of 1 IP address
>>
>>
>>
>>
>> To all:
>>
>> I have been asked to perform a security audit of 1 IP address
>> for client.
>> They have given me the 1 IP address and a clue (webblaze).
>>
>> If I enter the IP address and then /webblaze, I am taken to a
>> login page (user name and password requested).
>>
>> What tools would you recommend that I use for this assignment?
>>
>> Thanks for your help.
>>
>> Regards,
>>
>>
>> Edmond

On Thu, February 9, 2006 3:59 am, Erin Carroll said:
> List members,
>

<snip>

> So how bout it gang? You've been given some basic information on a target
> IP. It's running HTTP. It also has a login/password prompt. Where do you
> go
> from here and what information do you look for next?
>
>
> --
> Erin Carroll
> Moderator
> SecurityFocus pen-test list
> "Do Not Taunt Happy-Fun Ball"
>

Hello Edmond,

Due to the customer giving you that hint, I suspect noise is not an issue?
However, should it be, there are some other approaches to consider before
nmapping the box. Nothing fancy, and if it'd work, you'd have picked the
low-hanging fruit. But better check for low-hanging fruit before getting
more complex/"intelligent" (and noisy ;) ) but that's just my 0.02EURO.

Also, what is the scope of your test? Should you only test the
webapplication and assume the server is hardened correctly, or is this a
full test of this 1 IP address?

You could grab the banner of the HTTP server or run p0f (if you are using
linux or plain pf for *BSD) to get an idea of which webserver you are
dealing with. It very well could be an older version of e.g. apache for
which you can find an exploit. If the server seems to be rather silent
about it's version, maybe more info can be found on errorpages which you
will be generating (by accessing non-existant URLs).

Basically, you can look around in the source of the loginpage to see if
you can find anything usefull in there (maybe a pointer to a directory
which happens to be world readable and contains interesting/sensitive
files).

Another test would be trying to login as ie admin with the company's name
as a password.
Try some variations on that and who knows. Maybe there will be a clue
(commented or not) in the source HTML of that loginpage that will give
away the password or hint you in the right direction.

Again, I realise these tips aren't rocket science, but it's a starting place.

If anyone disagrees I'll hear so soon enough ;-)

Kind regards & good luck

Roger

P.S. Other things to look into: you mention a login prompt. Is that
javascript, PHP, ... ? Depending on what you find there, you'll know if
there is a DB in the back-end. (well, it's very likely...). Does it look
vulnerable to SQL injection? What OS is this on? Find anything interesting
there - e.g. it's an NT4 box with an outdated IIS.

--
Life is 10 percent what you make it and 90 percent how you take it. -
Irving Berlin

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------