RE: Penetration test of 1 IP address

From: Edmond Chow (echow@videotron.ca)
Date: Thu Feb 09 2006 - 22:33:52 EST


Dear List:

Thanks to all of those who provided helpful comments. And to those who are
doubting my honesty, please rest assured that I would NOT jeopardize my Ivy
League education, my personal reputation or the reputation of the company I
have spent many years to build to hack an unauthorized website.

I suggested to the moderator that it might be an interesting and educational
exercise for me to provide the details of the assignment to the list (i.e.,
the IP address) and for all of us to collectively work through the
assignment. I suspect that several individuals who are questioning my
ethics could learn volumes from this exercise.

The law firm in question is one of the world's most respected law firms and
one of my top clients. Their systems administrator would be thrilled to be
part of this exercise! I am with him tomorrow morning as we start to
investigate web application vulnerability tools. Our first call is with
Watchfire.

Thanks again for all those who genuinely wanted to help! And for those that
want to offer their help to me offline, please do not hesitate to contact me
as I am always looking for ethical and qualified computer professionals to
help with C-level consulting mandates.

Regards,

Edmond

-----Original Message-----
From: Clemens, Dan [mailto:Dan.Clemens@healthsouth.com]
Sent: Thursday, February 09, 2006 11:59 AM
To: Ivan .; Erin Carroll
Cc: Edmond Chow; Michael Gargiullo; pen-test@securityfocus.com
Subject: RE: Penetration test of 1 IP address

Here are a few notes or methods I follow for myself -
-----
Questions from the moderator:
If this task was assigned to me how would I proceed?

It's not about using the right tools, it's about asking the right
questions.

You could use a whole slew of tools on some server, but if you're using
the wrong tools for the wrong problem you won't get anything back and
you will in turn give your client the wrong impression of security when
you tell them you haven't found anything.

So I first try to ask the right questions technically, and try to see
what the client wants.

Usually with a webserver assessment I divide the assessment into a few
parts.

Webserver vulnerabilities
Webserver Misconfigurations
Application/Webapp problems

1) Validate the webserver version and protocol.

        If doing this by hand I do the following things:

                - telnet webserver.com 80, then type: GET /%00
                - echo "GET /AA" | nc webserver.com 80
                - browser: append %00 to the end of index.html

                - I then view the HTTP error codes to see what's up, or
                  if the server gave back some default server version.

        To validate some of this and take it a bit deeper I use some of
        the following tools. Tools that can be used for this type of
        snooping include httprint, nmap with -sV, amap.
                
2) Before I do anything very intrusive I personally go to the website
and look for common artifacts.
        - view source - look for comments, names
        - try /robots.txt; this is always useful and isn't too
          intrusive, but it may give you information on other
          directories or give you a feel for the security posture of the site.
3) Moving a bit more into the intrusive stage.
        - Brute forcing of common directories - wikto (from
          sensepost.com) is a good tool for this. Nikto is also good if you're
          using *nix, and if you're a die hard check out the latest version of
          libwhisker and you can roll your own.
        - After brute forcing, go on to looking for default web vulns
          with nikto.
4) Application.
        - Start messing with the application. Try to identify what type
          of application it is. Is this .NET, Perl/CGI, J2EE?
                - Look for URI mappings that may indicate what
                  application server is being used.
        If it's .cgi, look for common CGI problems:
                - null bytes, directory traversals, illegal
                  chars & SQL injection
        If it is .NET, assume it's using a Microsoft SQL Server and start
        SQL injection tricks...
        You may also want to always remember to look at the view-source
        when testing the webapp. I have seen some pretty scary stuff in error
        messages developers send to end users, and within the actual
        applications.
        Sometimes they put in hidden fields that pass .xml files from
        the webserver for weird authentication (which you can just snag the
        .xml files via your browser...)... Webapp developers do all sorts of
        crazy stuff. The sky is the limit..

        For J2EE, or crappy Java apps, view the comments and see if you
        can download the .jar's so you can decompile them.

        If you can download them to decompile them, run jad, and then run
        the .class files through your osx tool set to get a pretty visual
        map of the program. Search for passwords and strings in the binary
        that may give you other clues....

        Keep remembering that you can do this, as long as you ask the
        right questions and look for the right clues!

        Good webapp tools include @stake's WebProxy, SPIKE, & Paros
        proxy.
        Also remember, once you have found a vulnerability, don't become
        frustrated when you can't exploit it right away.

        Sometimes after finding SQL injection holes it takes days to be
        creative to either exploit the hole or really understand where you
        land in the SELECT and/or INSERT statement and how you can escalate your
        privs.

If your goal is to give a report on the posture of the security of a
web application from a black box perspective, some of these tools and
methods work pretty well.
        
- I would add more, but for now I have other things pending....

-Daniel
        
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address for
> > client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a login
> > page (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> >
> > Thanks for your help.
> >
> > Regards,
> >
> >
> > Edmond
> >
> >
> > --------------------------------------------------------------
> > ----------------
> > Audit your website security with Acunetix Web Vulnerability Scanner:
> >
> > Hackers are concentrating their efforts on attacking applications on

> > your website. Up to 75% of cyber attacks are launched on shopping
> > carts, forms, login pages, dynamic content etc. Firewalls, SSL and
> > locked-down servers are futile against web application hacking.
> > Check your website for vulnerabilities to SQL injection, Cross site
> > scripting and other web attacks before hackers do!
> > Download Trial at:
> >
> > http://www.securityfocus.com/sponsor/pen-test_050831
> > --------------------------------------------------------------
> > -----------------
> >


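Step 1 of Dan's reply (telnet/nc the port, send a malformed request, read the status line and Server banner) as working code. This is an added example, not code from the original post or from any of the posters. It sends the same three probes he lists, each on its own connection, and pulls the status, reason and Server header out of whatever comes back, treating a headerless HTTP/0.9-style answer as its own data point. The host name, port, and the SAMPLE_RESPONSES used for the offline run are constructed for the demonstration; the banner string in them is made up.

```python
"""Hand banner grab of a web server, after step 1 of the reply above.

Added example, not the original poster's code. The three probes are the
ones named in the post: GET /%00, the bare "GET /AA" line that an HTTP/0.9
server answers without headers, and index.html with %00 appended.
Host, port and SAMPLE_RESPONSES are constructed for the offline run.
"""
import socket
import sys

# {host} is filled in by build_request(); the bare "GET /AA" line carries
# no Host header on purpose, it is exactly what `echo "GET /AA" | nc host 80` sends.
PROBES = {
    "null-byte":  b"GET /%00 HTTP/1.0\r\nHost: {host}\r\n\r\n",
    "bare-0.9":   b"GET /AA\n",
    "index-null": b"GET /index.html%00 HTTP/1.0\r\nHost: {host}\r\n\r\n",
}


def build_request(name, host):
    """Return the raw request bytes for one named probe."""
    return PROBES[name].replace(b"{host}", host.encode("idna"))


def parse_response(raw):
    """Split a raw HTTP reply into status, reason, headers, Server banner and body.

    A reply with no HTTP/ status line (an HTTP/0.9-style answer) yields
    status None and the whole payload as body.
    """
    result = {"status": None, "reason": "", "headers": {}, "server": None, "body": b""}
    head, _, body = raw.partition(b"\r\n\r\n")
    first_line = head.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    if not first_line.startswith("HTTP/"):
        result["body"] = raw
        return result
    parts = first_line.split(" ", 2)
    if len(parts) >= 2 and parts[1].isdigit():
        result["status"] = int(parts[1])
        result["reason"] = parts[2] if len(parts) == 3 else ""
    for line in head.split(b"\r\n")[1:]:
        name, colon, value = line.decode("latin-1", "replace").partition(":")
        if colon:
            result["headers"][name.strip().lower()] = value.strip()
    result["server"] = result["headers"].get("server")
    result["body"] = body
    return result


def fingerprint(parsed):
    """Summarise parsed replies: distinct Server banners and the status per probe.

    More than one distinct Server value across the probes usually means a
    proxy or WAF in front is answering some malformed requests itself.
    """
    banners = sorted({p["server"] for p in parsed.values() if p["server"]})
    statuses = {name: p["status"] for name, p in parsed.items()}
    return {"server_banners": banners, "statuses": statuses,
            "mixed_banners": len(banners) > 1}


def probe(host, port=80, timeout=5.0):
    """Send every probe on its own TCP connection and parse what comes back."""
    parsed = {}
    for name in PROBES:
        chunks = []
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_request(name, host))
            try:
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass  # keep whatever arrived before the server went quiet
        parsed[name] = parse_response(b"".join(chunks))
    return parsed


# Constructed replies standing in for a live server; the banner is made up.
SAMPLE_RESPONSES = {
    "null-byte":  b"HTTP/1.1 400 Bad Request\r\nServer: SampleHTTPd/1.2\r\n"
                  b"Content-Type: text/html\r\n\r\n<html>bad request</html>",
    "bare-0.9":   b"<html><body>Not Found</body></html>",
    "index-null": b"HTTP/1.1 404 Not Found\r\nServer: SampleHTTPd/1.2\r\n\r\n",
}


def main():
    if len(sys.argv) > 1:  # usage: python3 banner_probe.py host [port]
        parsed = probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 80)
    else:
        parsed = {k: parse_response(v) for k, v in SAMPLE_RESPONSES.items()}
    for name, p in parsed.items():
        print(f"{name:11s} status={p['status']} server={p['server']!r}")
    print(fingerprint(parsed))


if __name__ == "__main__":
    main()
```

Run with no arguments to see the parsing on the constructed replies, or with a host (and optional port) you are authorised to test to send the real probes. Each probe gets a fresh connection so a server that closes on the first malformed request cannot poison the next one, and the HTTP/1.0 requests make the server close the socket after its reply, which is what ends the recv loop.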


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:29 EDT