From: Erik Harrison (eharrison@gmail.com)
Date: Thu Apr 10 2008 - 14:39:47 EDT
well, the most obvious question that comes to mind here.. why don't
you ask them for a login? not an admin user, just a regular customer
account that you can use.
since they're already aware of the pentest, you dont have to worry
about blowing your cover. ask them, if they don't give it to you make
note of that in your report and make it clear that the vulnerability
of the application can't be measured accurately . its easy to secure a
login form, its far more difficult to secure an app's internals.
chances are if you get a login you'll find a myriad of items to report
on.
just because by default an attacker can't login to the form, doesnt
mean they don't have prior knowledge of your customers, or already
compromised one of them in order to access your client's app. if you
get a login, does there appear to be a naming convention to it? do you
know any of their customers? can you guess what theirs might be? hell,
at that point brute force the form, see if they even notice. if they
dont, there's something else for your report. if they do, what was it?
how do you evade it? does it uncover any of their underlying operating
procedures?
if you're being paid for it then there's a timeline you have to adhere
to and deliver by. you can spend forever trying to get into a system
which appears secure and given enough time you will. however, if its
tight on time, and there are no apparent vulnerabilities to target, be
blunt and noisy about your attacks. you don't have to be graceful all
the time.
On Wed, Apr 9, 2008 at 6:18 PM, Atif Azim <azim.atif@gmail.com> wrote:
> Well, the results are definitely verified through nmap as well.OS is
> win 2k3 running IIS 6.0 and only 80 being open.Yes indeed the client
> has assigned us the job to perform the pen test and knows about it.
> I do have the CPTS training dvd and am going through that, but it will
> take time to digest that horde of information.Also downloading web
> goat to get my hands wet with web app testing.
> The client's website offers a place for legitimate users (I cannot
> become that legitimate user) to login and do their respective tasks.So
> what is available to me as a pen tester is only the user ID and
> password field to play with :)
>
>
>
>
>
>
> On Thu, Apr 10, 2008 at 3:00 AM, jond <x@jond.com> wrote:
> > I agree with everyone above training is more important that the tool
> > used. Core is an incredible tool, but it CAN'T be used alone.
> > My FIRST question would be what is the web app, and what version.
> > My SECOND question would be, is port 80 really the only thing open.
> >
> > Did they know about the pentest in advance?
> >
> >
> > Jon
> >
> >
> >
> >
> > On Wed, Apr 9, 2008 at 5:11 PM, Jason <securitux@gmail.com> wrote:
> > > Oh boy... let me intercept this before some others do, lol.
> > >
> > > You cannot rely on Core or any one tool for a pen test AT ALL. It's a
> > > great tool but there is SO much more to pen testing than relying on
> > > one single tool, in fact that is the cardinal sin. You need to follow
> > > a methodology and use an array of tools and manual techniques to make
> > > sure the test is thorough. When I do a web app pen test, the tools
> > > never find some of the nastiness that I do manually. Never. Web apps
> > > are a curious breed because they are usually custom coded in some way
> > > so every single one is different, making standard tools less useful.
> > >
> > > I am not surprised by your Core Impact results, it is a great tool but
> > > they are new to the web app game, and it hasn't been thoroughly
> > > developed yet. No fault of theirs, it just hasn't matured the way
> > > others have. For web apps I prefer a web app vulnerability scanner
> > > like Cenzic Hailstorm for the automated dumb stuff like XFS / XSS and
> > > basic authentication bypass. You definitely need to do manual checks,
> > > regardless of what the tools find. Try some injections and
> > > authentication bypass techniques, and, well, everything else too.
> > > Might want to do a search for the OWASP guide, they have great info on
> > > web app testing.
> > >
> > > Besides all this, have you used anything like nmap to find open ports
> > > and verify your results? Perhaps Core missed something. Is a stealth
> > > approach required to emulate a malicious hacker and therefore your
> > > checks need to be quiet and evade detection?
> > >
> > > I highly recommend if you are new to this to take a course or at least
> > > get some good books. A person really can't jump into pen testing like
> > > they can jump into product deployment / administration.
> > >
> > > Might want to search this list as well, you will find some helpful
> > > information I am sure.
> > >
> > > Good luck.
> > >
> > > -J
> > >
> > >
> > >
> > > On Wed, Apr 9, 2008 at 3:48 PM, Atif Azim <azim.atif@gmail.com> wrote:
> > > > Hello,
> > > > I am new to pen testing and am currently involved in doing an external
> > > > pen test for one of our clients.We are doing it through Core
> > > > Impact.Reconnaisance showed only port 80 as open and the web server
> > > > running IIS 6.0.Core Impact did not find any vulnerabilities in the
> > > > server and hence was unable to penetrate.The web application was also
> > > > tested for SQL Injection and PHP remote file inclusion and did not
> > > > find any vulnerabilities there either.
> > > >
> > > > My question is what else can we do besides relying on Core Impact for
> > > > this pen test.And what impression can a client get if we say to them
> > > > that there are no vulnerabilites in your network or web app.Its
> > > > dificult to digest something like that for a security specialist that
> > > > everythings alright.
> > > >
> > > > Looking forward to some great views.Thanks.
> > > >
> > > > Regards,
> > > > Atif Azim
> > > >
> > > > ------------------------------------------------------------------------
> > > > This list is sponsored by: Cenzic
> > > >
> > > > Need to secure your web apps NOW?
> > > > Cenzic finds more, "real" vulnerabilities fast.
> > > > Click to try it, buy it or download a solution FREE today!
> > > >
> > > > http://www.cenzic.com/downloads
> > > > ------------------------------------------------------------------------
> > > >
> > > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Cenzic
> > >
> > > Need to secure your web apps NOW?
> > > Cenzic finds more, "real" vulnerabilities fast.
> > > Click to try it, buy it or download a solution FREE today!
> > >
> > > http://www.cenzic.com/downloads
> > > ------------------------------------------------------------------------
> > >
> > >
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Need to secure your web apps NOW?
> > Cenzic finds more, "real" vulnerabilities fast.
> > Click to try it, buy it or download a solution FREE today!
> >
> > http://www.cenzic.com/downloads
> > ------------------------------------------------------------------------
> >
> >
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:30 EDT