LPTv4 Module 18 External Penetration Testing_NoRestriction

ECSA/LPT

EC-Council Module XVIII

External Penetration Testing

Penetration Testing Roadmap

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Firewall Penetration Testing
• Router and Switches Penetration Testing
• Internal Network Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing
Cont'd

EC-Council Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited

Penetration Testing Roadmap (cont'd)

Cont'd
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• Virus and Trojan Detection
• War Dialing
• VPN Penetration Testing
• Log Management Penetration Testing
• File Integrity Checking
• Blue Tooth and Hand held Device Penetration Testing
• Telecommunication And Broadband Communication Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
End Here

External Intrusion Test and Analysis

An external intrusion test and analysis identifies security weaknesses and strengths of the client's systems and networks as they appear from outside the client's security perimeter, usually from the Internet.

The goal of an external intrusion test and analysis is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker.

How is it Done?

• Gather externally accessible configuration information
• Scan client external network gateways to identify services and topology
• Scan client Internet servers for ports and services vulnerable to attack
• Attempt intrusion of vulnerable internal systems

Client Benefits

External penetration testing allows the client to anticipate external attacks that might cause security breaches and to proactively reduce risks to its information, systems, and networks.

This proactive approach will improve the security of the client's networked resources.

External penetration testing can provide solutions for improving e-business and e-commerce operations with increased confidence in their ability to protect valuable data, resources, and reputation.

External Penetration Testing

Steps – Conduct External Penetration Testing

1. Inventory the company's external infrastructure
2. Create topological map of the network
3. Identify the IP address of the targets
4. Locate the traffic route that goes to the web servers
5. Locate TCP traffic path to the destination
6. Locate UDP traffic path to the destination
7. Identify the physical location of the target servers
8. Examine the use of IPv6 at the remote location
9. Look up domain registry for IP information
10. Find IP block information about the target
11. Locate the ISP servicing the client
12. List open ports
13. List closed ports
14. List suspicious ports that are half open/closed
15. Port scan every port (65,536) on the target's network
16. Use SYN scan on the target and see the response
17. Use connect scan on the target and see the response
18. Use XMAS scan on the target and see the response
19. Use FIN scan on the target and see the response
20. Use NULL scan on the target and see the response
21. Firewalk on the router's gateway and guess the access-list
22. Examine TCP sequence number prediction
23. Examine the use of standard and non-standard protocols
24. Examine IPID sequence number prediction
25. Examine the system uptime of the target
26. Examine the operating system used for different targets
27. Examine the patches applied to the operating system
28. Locate DNS record of the domain and attempt DNS hijacking
29. Download applications from the company's website and reverse engineer the binary code
30. List programming languages used and application software to create various programs from the target server
31. Look for error and custom web pages
32. Guess different sub domain names and analyze different responses
33. Examine the session variables
34. Examine cookies generated by the server
35. Examine the access controls used in the web applications
36. Brute force URL injections and session tokens
37. Check for directory consistency and page naming syntax of the web pages
38. Look for sensitive information in web page source code
39. Attempt URL encodings on the web pages
40. Try buffer overflow attempts at input fields
41. Try Cross Site Scripting (XSS) techniques
42. Record and replay the traffic to the target web server and note the response
43. Try various SQL injection techniques
44. Examine hidden fields
45. Examine e-commerce and payment gateways handled by the web server
46. Examine welcome messages, error messages, and debug messages
47. Probe the service by SMTP mail bouncing
48. Grab the banner of HTTP servers
49. Grab the banner of SMTP servers
50. Grab the banner of POP3 servers
51. Grab the banner of FTP servers
52. Identify the web extensions used at the server
53. Try to use an HTTPS tunnel to encapsulate traffic
54. OS fingerprint target servers
55. Check for ICMP responses (type 3, port unreachable)
56. Check for ICMP responses (type 8, echo request)
57. Check for ICMP responses (type 13, timestamp request)
58. Check for ICMP responses (type 15, information request)
59. Check for ICMP responses (type 17, subnet address mask request)
60. Check for ICMP responses from broadcast address
61. Port scan DNS servers (TCP/UDP 53)
62. Port scan TFTP servers (Port 69)
63. Test for NTP ports (Port 123)
64. Test for SNMP ports (Port 161)
65. Test for Telnet ports (Port 23)
66. Test for LDAP ports (Port 389)
67. Test for NetBIOS ports (Ports 135-139, 445)
68. Test for SQL server ports (Port 1433, 1434)
69. Test for Citrix ports (Port 1495)
70. Test for Oracle ports (Port 1521)
71. Test for NFS ports (Port 2049)
72. Test for Compaq, HP Inside Manager ports (Port 2301, 2381)
73. Test for Remote Desktop ports (Port 3389)
74. Test for Sybase ports (Port 5000)
75. Test for SIP ports (Port 5060)
76. Test for VNC ports (Port 5900/5800)
77. Test for X11 ports (Port 6000)
78. Test for Jet Direct ports (Port 9100)
79. Port scan FTP data (Port 20)
80. Port scan web servers (Port 80)
81. Port scan SSL servers (Port 443)
82. Port scan Kerberos-Active directory (Port TCP/UDP 88)
83. Port scan SSH servers (Port 22)

Step 1: Inventory Company's External Infrastructure

Locate all the external resources of the target's networks.

Look for the following:
• Server locations in cities
• Partners
• Links
• Vendors

Create an inventory list with a map.

Inventory Company's External Infrastructure (cont'd)

Step 2: Create Topological Map of the Network

Draw a topological diagram of the external IT infrastructure.

The drawing must contain the following:
• Servers
• Connection to ISP
• Infrastructure used
• How they are networked to other systems:
  • Customers
  • Partners

Create Topological Map of the Network (cont'd)

Step 3: Identify the IP Address

Identify the IP addresses of the target network:
• Mail servers
• Web servers
• DNS servers
• Proxy servers, etc.

Tools:
• NeoTrace
• IP Address 2 Country
• IP Prober

Step 4: Locate the Traffic Route that Goes to the Web Servers

The network's topological map (or matrix) can be manually verified by logging into each device on the network and using built-in operating system commands such as tracert (Windows) or traceroute (Unix).

These commands show the path taken by an ICMP request as it traverses the network (hopping from device to device) to its ultimate destination:

    C:\>tracert xweb.xsecurity.com

    Tracing route to xweb.xsecurity.com [10.2.34.5]
    over a maximum of 30 hops:

      1    69 ms    27 ms    14 ms  xboy.xsecurity.com [10.2.34.5]
      2    28 ms   <10 ms    14 ms  10.2.34.4
      3    41 ms    27 ms    14 ms  xweb.xsecurity.com [10.2.34.5]

    Trace complete.

Tracert

Step 5/6: Locate TCP/UDP Traffic Path to the Destination

TCP/UDP trace tools:
• IGI
• pathChirp
• Pathload
• Pathrate
• tulip
• Tcptrace
• Netperf
• Scriptroute

Step 7: Identify the Physical Location of the Target Servers

Use NeoTrace tools to identify the physical location of the target servers.

Step 8: Examine the Use of IPv6 at the Remote Location

Verify if the target servers are using the IPv6 protocol.

Tools:
• 46Bouncer

Step 9: Lookup Domain Registry for IP Information

• Locate DNS servers
• Attempt DNS zone transfers
• Look for primary and secondary servers

Tools:
• All-Nettools.Com: Network tools include Whois, Traceroute, ping.
• Completewhois: Whois engine providing information on domain ownership and IP address.
• DNS Report: Comprehensive report of NS records at nameservers, SOA record, MX, Mail, and www records.
• DNS Utilities Online: Detailed domain and network information including specific queries of domain records.
• DNSstuff: Whois and DNS lookup. Trace route, Ping. Spam database lookup.
• Global whois utility: Global domain ownership information.
• Whois search - America: Reverse DNS lookup for American Registry for Internet Numbers (ARIN).
• Whois search - Asia Pacific: Reverse DNS lookup for Asia Pacific Network Information Center (APNIC).
• Whois search - Europe: Reverse DNS lookup for Europe, Middle East and North Africa (RIPE).
• Whois search - Latin America: Latin American and Caribbean Internet Addresses Registry (LACNIC).
• WHOIS search for .il domain names: Israel Internet Society (.il) domain name registry.

Step 10: Find IP Block Information about the Target

Locate the IP block owned by the company.

Tools:
• SAM SPADE
• ARIN DATABASE

Step 11: Locate the ISP Servicing the Client

Look for the following:
• Name of the ISP
• Pricing plans
• Services provided
• Which other companies are assigned IP addresses from the same block
• Call the ISP and ask for the default equipment (hardware) delivered if you sign up for a plan similar to the one used by the target company

Step 12: List Open Ports

Look for the following open ports:

Port              Service
7                 Echo
13                DayTime
17                Quote of the Day (QOTD)
20 and 21         File Transfer Protocol (FTP)
22                Secure Socket Shell (SSH)
23                Telnet
25                SMTP
53                Domain Name System (DNS)
63                Whois
66                SQL*net (Oracle)
70                Gopher
79                Finger
80                HTTP
88                Kerberos
101               Host Name Server
109               Post Office Protocol 2 (POP2)
110               Post Office Protocol 3 (POP3)
113               IDENT
115               Simple File Transfer Protocol (SFTP)
137, 138, and 139 NetBIOS
143               Internet Message Access Protocol (IMAP)
161 and 162       Simple Network Management Protocol (SNMP)
194               Internet Relay Chat (IRC)
443               Hypertext Transfer Protocol over Secure Socket Layer (HTTPS)

Tools:
• Super Scanner
• NetScan Tools Pro
• Nmap

Open Ports on Web Server (figure): Port 21, Port 23, Port 53, Port 80, Port 443

Step 13: List Closed Ports

Once a port is closed, any request made to a machine via the closed port will result in a "this port is closed" acknowledgment from the machine.

Port Scanning Tools

• Cerberus Internet Scanner (formerly NTInfoScan or NTIS): www.cerberus-infosec.co.uk
• CyberCop Scanner: www.nai.com
• Firewalk: www.packetfactory.net
• HackerShield: www.bindview.com
• Hostscan: www.savant-software.com
• Internet Scanner: www.iss.net
• IpEye/WUPS: www.ntsecurity.nu
• Nessus: www.nessus.org
• Netcat: www.atstake.com
• Netcop: www.cotse.com
• NetScan Tools: www.nwpsw.com
• Nmap: www.insecure.org
• NmapNT: www.eeye.com
• SAINT/SATAN: www.wwdsi.com
• SARA: www.www-arc.com
• Scanport: www.dataset.fr
• Strobe: www.freebsd.org
• Super Scan/Fscan: www.foundstone.com
• Twwwscan: www.search.iland.co.kr
• Whisker: www.wiretrip.net
• Winscan: www.prosolve.com

Step 14: List Suspicious Ports that are Half Open/Closed

Look out for stealth ports: a stealth port will not generate any kind of acknowledgement from the target machine.

This lack of acknowledgement will typically cause the requesting machine to have to wait until its own internal time-out mechanism gives up waiting for a reply.

The advantage of a stealth port over a closed port is that the intruder's probing efforts are going to be slowed.

Step 15: Port Scan Every Port (65,536) on the Target's Network

Scan for all ports, including Trojan ports.

This scan is tedious and can take a long time.

Carry out the complete scan in stages, scanning 50 ports per hour.

Step 16: Use SYN Scan on the Target and See the Response

The SYN scan, also called the "half open" scan, is the ability to determine a port's state without making a full connection to the host.

Many systems do not log the attempt, and discard it as a communications error.

You must first learn the three-way handshake to understand the SYN scan.

Step 17: Use Connect Scan on the Target and See the Response

Use Nmap options to conduct a "connect" scan and examine the response returned by the server.

Step 18: Use XMAS Scan on the Target and See the Response

    Computer A                                          Computer B

    Xmas scan directed at open port:
    192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
    192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23

    Xmas scan directed at closed port:
    192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
    192.5.5.92:4031 <-------------RST/ACK-------------192.5.5.110:23

Note:
• XMAS scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• Xmas scan will not work against any current version of Microsoft Windows.
• Xmas scans directed at any Microsoft system will show all ports on the host as being closed.

Step 19: Use FIN Scan on the Target and See the Response

    Computer A                                          Computer B

    FIN scan directed at open port:
    192.5.5.92:4031 -----------FIN------------------->192.5.5.110:23
    192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23

    FIN scan directed at closed port:
    192.5.5.92:4031 -----------FIN------------------->192.5.5.110:23
    192.5.5.92:4031 <-------------RST/ACK-------------192.5.5.110:23

Note:
• FIN scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• FIN scan will not work against any current version of Microsoft Windows.
• FIN scans directed at any Microsoft system will show all ports on the host as being closed.

Step 20: Use NULL Scan on the Target and See the Response

    Computer A                                          Computer B

    NULL scan directed at open port:
    192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23
    192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23

    NULL scan directed at closed port:
    192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23
    192.5.5.92:4031 <-------------RST/ACK-------------192.5.5.110:23

Note:
• NULL scan only works if the OS's TCP/IP implementation is developed according to RFC 793.
• NULL scan will not work against any current version of Microsoft Windows.
• NULL scans directed at any Microsoft system will show all ports on the host as being closed.
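Added example, not part of the module: the XMAS, FIN and NULL probes from Steps 18-20 reduced to their flag signatures, the RFC 793 and Windows replies from the diagrams, and a detector that picks such probes out of a sensor log. The log format, the sample lines and the min_ports threshold are constructed assumptions.

```python
"""Recognise NULL, FIN and XMAS probes (Steps 18-20) in a packet log and model
how a target stack answers them.  Added example; the log format is assumed."""
from collections import defaultdict

# Flag letters as hping/tcpdump print them: F=FIN S=SYN R=RST P=PSH A=ACK U=URG
PROBE_SIGNATURES = {
    frozenset(): "NULL",       # no flags set at all
    frozenset("F"): "FIN",     # FIN alone, without ACK
    frozenset("FPU"): "XMAS",  # FIN + URG + PSH
}


def classify_probe(flags):
    """'NULL', 'FIN' or 'XMAS' for a stealth probe; None for any other flag
    combination (SYN, ACK, FIN/ACK ... are ordinary traffic)."""
    return PROBE_SIGNATURES.get(frozenset(flags.upper()))


def rfc793_response(port_open):
    """Reply of an RFC 793 stack to any of the three probes: silence on an
    open port, RST/ACK on a closed one.  The scanner reads silence as open."""
    return None if port_open else "RA"


def windows_response(port_open):
    """Windows answers RST/ACK whether or not the port is open, so a scanner
    sees every port as closed (the Microsoft caveat on the slides)."""
    return "RA"


# Constructed sensor log: "src:sport > dst:dport FLAGS", '-' meaning no flags.
# 192.5.5.92 sweeps five ports with stealth probes; 192.5.5.200 is a normal
# connection whose FIN/ACK must not be mistaken for a FIN probe.
SAMPLE_LOG = """\
192.5.5.92:4031 > 192.5.5.110:23 FPU
192.5.5.92:4031 > 192.5.5.110:25 FPU
192.5.5.92:4031 > 192.5.5.110:110 FPU
192.5.5.92:4032 > 192.5.5.110:80 F
192.5.5.92:4033 > 192.5.5.110:22 -
192.5.5.200:51000 > 192.5.5.110:80 S
192.5.5.200:51000 > 192.5.5.110:80 A
192.5.5.200:51000 > 192.5.5.110:80 FA
"""


def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port, flags) for each non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, _arrow, dst, flags = line.split()
        src_ip = src.rsplit(":", 1)[0]
        dst_ip, dst_port = dst.rsplit(":", 1)
        yield src_ip, dst_ip, int(dst_port), ("" if flags == "-" else flags)


def detect_probes(text):
    """Every stealth probe in the log as (src, dst, port, kind)."""
    found = []
    for src, dst, port, flags in parse_log(text):
        kind = classify_probe(flags)
        if kind:
            found.append((src, dst, port, kind))
    return found


def scanning_sources(text, min_ports=3):
    """Sources that sent stealth probes to at least min_ports distinct ports
    of one destination: a sweep, rather than a single malformed segment."""
    ports = defaultdict(set)
    for src, dst, port, _kind in detect_probes(text):
        ports[(src, dst)].add(port)
    return sorted(src for (src, _dst), p in ports.items() if len(p) >= min_ports)


if __name__ == "__main__":
    for probe in detect_probes(SAMPLE_LOG):
        print("probe:", probe)
    print("scanning sources:", scanning_sources(SAMPLE_LOG))
    print("RFC 793 reply, open port:", rfc793_response(True))
    print("RFC 793 reply, closed port:", rfc793_response(False))
    print("Windows reply, open port:", windows_response(True))
```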

Use Fragmentation Scanning and Examine the Response

Instead of just sending the probe packet, you break it into a couple of small IP fragments.

You are splitting up the TCP header over several packets to make it harder for packet filters and so forth to detect what you are doing.

The -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets.

Step 21: Firewalk on the Router's Gateway and Guess the Access-List

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway.

If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway host does not allow the traffic, it is likely to drop the packets on the floor and we will see no response.

Step 22: Examine TCP Sequence Number Prediction

Use tools like nmap and predict the sequence numbers generated by the targeted server.

This information can be used for session hijacking techniques.

    C:\> nmapnt -O -p 130-140 10.0.0.1

    Starting nmapNT V. 2.53 by [email protected]
    eEye Digital Security ( http://www.eEye.com )
    based on nmap by [email protected] ( www.insecure.org/nmap/ )

    Interesting ports on baseman.xsecurity.com (10.0.0.1):
    (The 9 ports scanned but not shown below are in state: closed)
    Port       State       Service
    135/tcp    open        unknown
    139/tcp    open        unknown

    TCP Sequence Prediction: Class=random positive increments
                             Difficulty=14168 (Worthy challenge)

    Remote operating system guess: Windows 2000 RC1 through final release

    Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds

Step 23: Examine the Use of Standard and Non-Standard Protocols

The use of new protocols has an important impact on intrusion detection tools.

The IDSes must support each protocol to identify signs of misuse or anomalous behavior.

The appearance of new protocols affects the NIDS (Network-based IDS) tools.

Almost no NIDS products can decode IPv6.

Attacks can enable IPv6 tunneling within IPv4, blinding detection technologies.

Step 24: Examine IPID Sequence Number Prediction

Sequential IPID numbers expose the number of packets sent by a host over a given period.

This can be used to estimate web site traffic, determine when people log on, etc.

Large sites use load balancing equipment so that a single address maps to a small farm of servers.

By noting the IPID values you can determine how many machines are behind the load balancer and which one you are connected with.

Hping2 IPID Example

For example, the "id" fields in the hping2 execution reveal that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115).

    # hping2 -c 10 -i 1 -p 80 -S beta.search.microsoft.com.
    HPING beta.search.microsoft.com. (eth0 207.46.197.115): S set, 40 headers + 0 data bytes
    46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
    46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
    46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
    46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
    46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
    46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
    46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
    46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
    46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
    46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms

    --- beta.search.microsoft.com. hping statistic ---
    10 packets tramitted, 10 packets received, 0% packet loss
    round-trip min/avg/max = 21.1/21.3/21.7 ms
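Added example, not EC-Council's code: the id fields of the hping2 listing above parsed and chained into per-host IPID sequences, which recovers the two-machine count the slide describes. The greedy chaining rule and the 1000 gap threshold are my assumptions, and the second sample, with randomised IPIDs, is constructed to show when no count can be inferred.

```python
"""Count hosts behind one address from the IPID field of hping2 replies (Step 24).
Added example, not EC-Council's code.  The chaining rule and gap threshold are
assumptions; the first listing is the one reproduced on the slide."""
import re
from dataclasses import dataclass

# Reply lines from the module's hping2 listing for beta.search.microsoft.com.
HPING_OUTPUT = """\
HPING beta.search.microsoft.com. (eth0 207.46.197.115): S set, 40 headers + 0 data bytes
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms
"""

# Constructed replies from a host with randomised IPIDs (values made up).
RANDOM_IPID_OUTPUT = """\
46 bytes from 192.0.2.10: flags=SA seq=0 ttl=60 id=4111 win=8192 rtt=9.0 ms
46 bytes from 192.0.2.10: flags=SA seq=1 ttl=60 id=60923 win=8192 rtt=9.1 ms
46 bytes from 192.0.2.10: flags=SA seq=2 ttl=60 id=2 win=8192 rtt=9.0 ms
46 bytes from 192.0.2.10: flags=SA seq=3 ttl=60 id=33001 win=8192 rtt=9.2 ms
46 bytes from 192.0.2.10: flags=SA seq=4 ttl=60 id=17890 win=8192 rtt=9.1 ms
"""

REPLY_RE = re.compile(r"flags=(?P<flags>[A-Z]+) seq=(?P<seq>\d+) ttl=\d+ id=(?P<id>\d+)")


@dataclass
class Chain:
    """Replies attributed to one host: its IPID values and the flags it sent."""
    ids: list
    flags: set


def parse_replies(text):
    """(seq, flags, ipid) for every reply line, in the order hping2 printed them."""
    return [(int(m["seq"]), m["flags"], int(m["id"])) for m in REPLY_RE.finditer(text)]


def cluster_ipids(replies, max_gap=1000):
    """Greedy chaining: a reply joins the first chain whose last IPID it exceeds
    by at most max_gap (IPID is a 16-bit counter, so a sequential host's replies
    climb in small steps; the modulo absorbs a counter wrap).  Otherwise it
    starts a new chain.  Each chain stands for one host with its own counter."""
    chains = []
    for _seq, flags, ipid in replies:
        for chain in chains:
            delta = (ipid - chain.ids[-1]) % 65536
            if 0 < delta <= max_gap:
                chain.ids.append(ipid)
                chain.flags.add(flags)
                break
        else:
            chains.append(Chain([ipid], {flags}))
    return chains


def count_hosts(text, max_gap=1000):
    """Inferred host count, or None when the IPIDs do not look sequential:
    randomised IPIDs fragment into singleton chains and support no count."""
    replies = parse_replies(text)
    chains = cluster_ipids(replies, max_gap)
    singletons = sum(1 for c in chains if len(c.ids) == 1)
    if not replies or singletons > len(replies) // 2:
        return None
    return len(chains)


if __name__ == "__main__":
    for chain in cluster_ipids(parse_replies(HPING_OUTPUT)):
        print(f"host: {len(chain.ids)} replies, flags {sorted(chain.flags)}, ids {chain.ids}")
    print("hosts behind 207.46.197.115:", count_hosts(HPING_OUTPUT))      # 2
    print("hosts behind 192.0.2.10:", count_hosts(RANDOM_IPID_OUTPUT))    # None
```

The same function run against your own public addresses tells you whether they leak a sequential IPID; a None result is what a randomised or per-destination IPID should produce.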

Step 25: Examine the System Uptime of Target Server

Look for the following information:
• When was the last time the server rebooted?
• When was the last time the server crashed?
• When was the last time the server was under a DDoS attack?
• What is the uptime of the server?

Tools:
• Netcraft
• Uptime

Step 26: Examine Operating System Used for Different Targets

Use banner grabbing techniques to identify the remote OS.

Look out for honey pots, packet crafters, and banner fakers.

Tools:
• Nmap
• Telnet
• Nc
• Netcraft
• OS fingerprinting tool

Step 27: Examine the Applied Patch to the Operating System

List the dates for patches applied to the server.

Look for version number, OS level, and the date.

Tools:
• Netcraft

Step 28: Locate DNS Record of the Domain and Attempt DNS Hijacking

Locate the domain vendor responsible for the DNS of the target server.

Guess passwords and attempt to logon.

Step 29: Download Applications From the Company's Website and Reverse Engineer the Binary Code

Download program executables from the remote website:
• Java programs
• Exe programs
• Flash programs

Reverse engineer the binary code.

Look for:
• Programmer's name
• Comments
• Sensitive information
• Programming style

Tools:
• IDA Pro
• Java Engineer
• FlashSaver
• REC Decompiler

IDA Pro

Page 53: LPTv4 Module 18 External Penetration Testing_NoRestriction

Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server

Check for in-house developed applications.

Check for commercial applications.

Identify the programming languages used by the web application (file extensions, framework headers and cookies, and error pages all give it away):

• AppleScript
• AWK
• C
• C++
• C#
• COBOL
• Java
• J++
• J#
• JavaScript
• Perl
• PHP
• PowerBuilder
• Python
• Ruby
• Tcl
• VBScript
• Visual Basic

Step 31: Look for Error and Custom Web Pages

Try various URL strings and look for strange messages thrown by the server.

Example:

• http://www.xsecurity.com/slkdjfslkdfj
• http://www.xsecurity.com/sdkfjsdlf.asp
• http://www.xsecurity.com/global.asa
• http://www.xsecurity.com/sdlfkj.aspx
• http://www.xsecurity.com/sdfsdf/php?
• http://www.xsecurity.com/login?

Note which requests return the server's default error page and which return a custom one; the default page, and any stack trace or file path in it, identifies the server software and its configuration.

Step 32: Guess Different Sub Domain Names and Analyze Responses

Web servers sometimes operate under different sub-domain names.

They are not published and are used for internal purposes only.

Guess the sub-domain names.

Example: xsecurity.com:

• sales.xsecurity.com
• marketing.xsecurity.com
• internal.xsecurity.com
• intranet.xsecurity.com
• devl.xsecurity.com
• test.xsecurity.com
• backup.xsecurity.com
• partner.xsecurity.com
• beta.xsecurity.com
• secret.xsecurity.com
• preview.xsecurity.com
• temp.xsecurity.com
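The guessing in Step 32 is easy to automate, but two things trip up a naive loop: a wildcard record makes every label resolve, and a public zone that answers with RFC 1918 addresses is itself a finding. The example below is added here and is not part of the module; it uses the module's xsecurity.com labels, and the FAKE_ZONE table, the 203.0.113.x / 198.51.100.x addresses and the wild.example domain are constructed so the code runs offline (pass the default resolver to query real DNS).

```python
import ipaddress
import random
import socket
import string

# Candidate labels from the module's list plus a few common extras (constructed).
WORDLIST = ["sales", "marketing", "internal", "intranet", "devl", "dev", "test", "backup",
            "partner", "beta", "secret", "preview", "temp", "staging", "vpn", "mail"]

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


def dns_resolver(name):
    """Resolve a hostname to a sorted list of IPv4 strings; [] when it does not exist."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def random_label(length=12):
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def wildcard_addresses(domain, resolver=dns_resolver, tries=2):
    """Resolve nonsense labels; any answer means a wildcard record whose IPs must be ignored."""
    seen = set()
    for _ in range(tries):
        seen.update(resolver(f"{random_label()}.{domain}"))
    return seen


def enumerate_subdomains(domain, words=WORDLIST, resolver=dns_resolver):
    """Return ({hostname: [ips]}, wildcard_ips, {hostname: [rfc1918 ips]})."""
    wildcard = wildcard_addresses(domain, resolver)
    found, leaks = {}, {}
    for word in words:
        name = f"{word}.{domain}"
        ips = [ip for ip in resolver(name) if ip not in wildcard]
        if not ips:
            continue
        found[name] = ips
        # A public zone answering with private space leaks internal addressing.
        private = [ip for ip in ips if is_rfc1918(ip)]
        if private:
            leaks[name] = private
    return found, wildcard, leaks


# Constructed zone data standing in for live DNS so the example runs offline.
FAKE_ZONE = {
    "intranet.xsecurity.com": ["10.0.0.5"],
    "dev.xsecurity.com": ["203.0.113.7"],
    "mail.xsecurity.com": ["203.0.113.25"],
}


def fake_resolver(name):
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    if name.endswith(".wild.example"):      # zone with a *.wild.example wildcard record
        return ["198.51.100.1"]
    return []


if __name__ == "__main__":
    print(enumerate_subdomains("xsecurity.com", resolver=fake_resolver))
    print(enumerate_subdomains("wild.example", resolver=fake_resolver))
```

The wildcard check runs first because without it every word in the list "exists" and the output is worthless; the RFC 1918 check is kept separate from Python's is_private, which also flags the documentation ranges used here.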

Step 33: Examine the Session Variables

Session hijacking, grabbing someone's URL and stealing their session, is one of the biggest security concerns.

Try to alter session strings in the URL.

Example (the classic phf CGI requests, which show how an attacker-controlled URL parameter reaches the server):

• http://example.com/cgi-bin/phf?%0aid==haqr==_phone=
• http://example.com/cgi-bin/phf?%0als%20-la%20%7Esomeuser==haqr==_phone=
• http://example.com/cgi-bin/phf?%0acp%20/etc/passwd%20%7Esomeuser/passwd%0A==haqr==_phone=
• http://example.com/~someuser/passwd
• http://example.com/cgi-bin/phf?%0arm%20%7Esomeuser/passwd==haqr==_phone=

Step 34: Examine Cookies Generated by the Server

Cookies offer a way to check the identity of the user by storing an identifier (for example ColdFusion's CFID and CFTOKEN) in client-side cookies and using that information to uniquely identify the user.

Log on to the web application as a normal user.

Select YES if the site offers "Keep me logged on this computer".

A cookie will be downloaded to your computer.

Examine the cookie:

• Whether it is encrypted
• Expiry date
• Content stored
• Whether the Secure and HttpOnly flags are set

Step 35: Examine the Access Controls Used by the Web Application

Look for login pages and identify the authentication used by the web server:

• Form authentication
• Windows authentication
• Biometrics authentication
• Secret question authentication
• Session based authentication
• Digital certificates
• Microsoft single sign-on

Step 36: Brute Force URL Injections and Session Tokens

Some web applications embed user IDs and other sensitive information into a URL, typically as parameters in the query component of the URL (the fields that occur after the ? symbol in a URL).

Inject strings into the URL of a page and examine the response.

Inject into the following fields:

• Sessions
• Forms
• User ID
• Login
• Access
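Steps 33, 34 and 36 all come down to two questions about the session identifier: is it protected in transit and from script, and can an attacker guess it? The example below is added here and is not from the module. It audits Set-Cookie headers for the flags a tester checks and estimates whether the value has the 64 bits OWASP recommends for a session ID; the three headers are constructed (the CFID/CFTOKEN names come from the module, the values are made up), and is_sequential shows the check you run on tokens collected from several logins.

```python
import math
import re

# Constructed Set-Cookie headers, as a browser would receive them after "Keep me logged on".
SAMPLE_SET_COOKIE = [
    "CFID=1001; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "CFTOKEN=12345678; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
    "sid=3c9a1f7e5b2d4086a9e1c4f2b7d8e0a1; Path=/; Secure; HttpOnly; SameSite=Lax",
]

MIN_SESSION_BITS = 64   # OWASP session-management guidance: at least 64 bits of entropy


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def estimate_bits(value):
    """Upper bound on a token's entropy from its length and apparent alphabet."""
    if re.fullmatch(r"[0-9]+", value):
        alphabet = 10
    elif re.fullmatch(r"[0-9a-fA-F]+", value):
        alphabet = 16
    elif re.fullmatch(r"[0-9A-Za-z]+", value):
        alphabet = 62
    else:
        alphabet = 94
    return len(value) * math.log2(alphabet)


def audit_cookie(header):
    """Return (name, [issues]) for one Set-Cookie header."""
    name, value, attrs = parse_set_cookie(header)
    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure (sent over plain HTTP)")
    if "httponly" not in attrs:
        issues.append("missing HttpOnly (readable by script)")
    if "samesite" not in attrs:
        issues.append("missing SameSite")
    if "expires" in attrs or "max-age" in attrs:
        issues.append("persistent (survives browser close)")
    if estimate_bits(value) < MIN_SESSION_BITS:
        issues.append(f"weak value (~{estimate_bits(value):.0f} bits)")
    return name, issues


def is_sequential(tokens):
    """True when successive tokens are integers with a small, constant step (predictable IDs)."""
    try:
        nums = [int(t) for t in tokens]
    except ValueError:
        return False
    deltas = {b - a for a, b in zip(nums, nums[1:])}
    return len(nums) > 1 and len(deltas) == 1 and 0 < deltas.pop() <= 100


if __name__ == "__main__":
    for h in SAMPLE_SET_COOKIE:
        print(audit_cookie(h))
    print(is_sequential(["1001", "1002", "1003"]))
```

The entropy figure is an upper bound: a 32-character hex value can still be predictable if it is a hash of something guessable, which is why the sequence check over real collected tokens matters as much as the length.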

Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages

A well-designed web application will have the following:

• Logical directory structure.
• Files named based on naming conventions.
• Repository for images, PDFs, and other documents.
• Repository for sensitive information.
• Structured links and pages.
• Site outline.

Predictable naming lets you guess unlinked files (backup copies, old versions, admin pages) from the ones you can see.

Step 38: Look for Sensitive Information in Web Page Source Code

HTML source might reveal the following information:

• Web authors.
• Developer information.
• User comments.
• Login information.
• Temp variables.
• Revision numbers.
• Project deadline.
• Dates.

Step 39: Attempt URL Encodings on the Web Pages

Try to access the website using various URL encodings (percent-encoding, double encoding, overlong UTF-8).

The server might send a different response when accessed using URL encodings, and a filter that decodes only once can be bypassed by double encoding.
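To make Step 39 concrete, the added example below (not from the module) builds the encoding variants of one path that are worth sending, and shows on the defender's side why responses differ: a filter that decodes once misses a double-encoded traversal, while full canonicalisation catches it and strict UTF-8 decoding rejects the overlong %c0%af form. The path ../etc/passwd is the usual traversal probe; nothing here contacts a server.

```python
from urllib.parse import unquote_to_bytes


def percent_all(s):
    """Percent-encode every byte, e.g. '../' -> '%2e%2e%2f'."""
    return "".join(f"%{b:02x}" for b in s.encode("utf-8"))


def overlong_utf8(s):
    """Two-byte overlong UTF-8 for ASCII, e.g. '/' -> '%c0%af' (the classic IIS Unicode trick)."""
    return "".join(f"%{0xC0 | (c >> 6):02x}%{0x80 | (c & 0x3F):02x}" for c in s.encode("ascii"))


def encoding_variants(path):
    """The encodings of one path worth sending to a server to compare its responses."""
    full = percent_all(path)
    return {
        "plain": path,
        "percent": full,
        "percent-upper": full.upper(),
        "double": full.replace("%", "%25"),   # %2e -> %252e: beats a filter that decodes once
        "overlong": overlong_utf8(path),
    }


def decode_layers(raw, max_rounds=3):
    """Decode repeatedly until stable; strict UTF-8 raises on overlong sequences."""
    current, rounds = raw, 0
    while "%" in current and rounds < max_rounds:
        decoded = unquote_to_bytes(current).decode("utf-8")   # UnicodeDecodeError on %c0%af
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def has_traversal(path):
    return ".." in path.replace("\\", "/").split("/")


def naive_filter_blocks(raw):
    """A filter that decodes once and looks for '..': what many early filters did."""
    return has_traversal(unquote_to_bytes(raw).decode("utf-8", errors="replace"))


def classify(raw):
    """'traversal', 'clean' or 'rejected' after full canonicalisation."""
    try:
        path, _ = decode_layers(raw)
    except UnicodeDecodeError:
        return "rejected"
    return "traversal" if has_traversal(path) else "clean"


if __name__ == "__main__":
    for name, v in encoding_variants("../etc/passwd").items():
        print(f"{name:14s} {v:48s} naive blocks={naive_filter_blocks(v)!s:5s} canonical={classify(v)}")
```

When testing, send each variant and diff the status codes and bodies: a 404 for the plain form and a 200 or 500 for an encoded one means the layers in front of the application disagree about what the path is.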

Step 40: Try Buffer Overflow Attempts in Input Fields

Input large amounts of data into the form and examine the response.

Servers sometimes behave differently when large amounts of data are sent to the form.

Tools:

• NTOMax (www.foundstone.com)
• Hailstorm (www.cenzic.com)

Look for Invalid Ranges in Input Fields

A web developer may decide to use some of the built-in validation capabilities of a client-side language (such as HTML, JavaScript, or VBScript) to ensure that an input value is no longer (or shorter) than expected.

Client-side checks are trivially bypassed by editing the request, so the real question is whether the server re-validates.

Try a random selection of input values or a large range of numbers, using testing techniques such as equivalence partitioning and boundary value analysis.
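Step 40 and the invalid-range check above are the same test with different payload sizes: generate the values a client-side constraint forbids and see which ones the server still accepts. The added example below (not from the module) derives boundary-value and equivalence-class cases from a declared constraint and compares the server's verdict with what a correct check would say; the FIELDS specs and the two server behaviours are constructed stand-ins for the real form handler.

```python
# Declared constraints, as a browser-side validator (min/max, maxlength) would enforce them.
# Constructed example fields.
FIELDS = {
    "qty": {"type": "int", "min": 1, "max": 100},
    "zip": {"type": "str", "maxlength": 10},
}


def boundary_cases(spec):
    """Boundary-value and equivalence-class inputs for one field spec, as strings."""
    if spec["type"] == "int":
        lo, hi = spec["min"], spec["max"]
        cases = [lo - 1, lo, lo + 1, hi - 1, hi, hi + 1,          # boundaries
                 0, -1, 2 ** 31, 2 ** 63, 2 ** 64,                 # sign and integer-width limits
                 "1.5", "1e3", "0x10", " 5", "5 ", "", "abc"]      # other equivalence classes
        return [str(c) for c in cases]
    n = spec["maxlength"]
    return (["A" * k for k in (n - 1, n, n + 1, n * 10, 65536)]   # length boundaries and oversize
            + ["", "\u00e9" * n, "%00", "A" * 1_000_000])          # empty, multibyte, NUL, very large


def should_accept(spec, value):
    """Oracle: what a correct server-side check would do with this value."""
    if spec["type"] == "int":
        return value.isdigit() and spec["min"] <= int(value) <= spec["max"]
    return len(value) <= spec["maxlength"]


def find_gaps(spec, server_accepts):
    """Values the server accepts although the declared constraint says it must not."""
    return [v for v in boundary_cases(spec) if server_accepts(v) and not should_accept(spec, v)]


# Two constructed server behaviours for the "qty" field.
def trusting_server(value):
    """Relies on the browser's min/max attributes and only parses the integer."""
    try:
        int(value)
        return True
    except ValueError:
        return False


def validating_server(value):
    """Re-validates the declared range on the server."""
    return should_accept(FIELDS["qty"], value)


if __name__ == "__main__":
    print("gaps in trusting server:", find_gaps(FIELDS["qty"], trusting_server))
    print("gaps in validating server:", find_gaps(FIELDS["qty"], validating_server))
```

Against a live target, server_accepts is a function that submits the form and returns whether the response was a success page rather than a validation error; the oversized cases also cover the "large amounts of data" probe of Step 40, where a 500 or a changed response time is the thing to note.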

Attempt Escape Character Injection

Some operating systems will execute system-level commands if they are embedded in an application's data input stream.

This can occur when the system command is hidden in input data that is prefixed by special control (escape) characters, such as $$ or shell metacharacters like ; | and backticks.

The application may permit the command to escape up to the process that is currently running the application.

The receiving process then attempts to execute the system command using its own system privileges.

Testing tools:

• APS (www.stratum8.com)
• G-Server (www.gilian.com)
• iBroker SecureWeb (www.elitesecureweb.com)
• URLScan (www.microsoft.com)

Step 41: Try Cross Site Scripting (XSS) Techniques

Modify the script and send the page to the server.

Examine the various responses generated by the server.

Look for weakness in scripts:

• JavaScript
• VBScript

Check whether input is reflected into the page without encoding for the context it lands in (HTML body, attribute value, or script).
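Rather than firing a list of script payloads, the fastest way to find the weakness in Step 41 is to send a unique canary containing the characters that matter and see which of them come back unencoded. The added example below (not from the module) does that and then judges the result by context, since an unencoded quote is harmless in body text but breaks out of an attribute; the three render functions are constructed stand-ins for server responses, and the verdict labels are the author's own.

```python
import html
import re
import uuid

SPECIALS = "<>\"'&"


def reflection_probe(render):
    """Return the set of special characters `render` reflects unencoded, or None if not reflected.

    `render(value)` stands in for an HTTP request whose response body is returned."""
    marker = uuid.uuid4().hex[:8]
    canary = f"{marker}{SPECIALS}{marker}"
    body = render(canary)
    start = body.find(marker)
    end = body.find(marker, start + len(marker)) if start >= 0 else -1
    if end < 0:
        return None
    middle = body[start + len(marker):end]
    raw = {c for c in "<>\"'" if c in middle}
    # A bare '&' is ours; '&lt;' and friends are the encoder's entities.
    if re.search(r"&(?![a-zA-Z#][a-zA-Z0-9]*;)", middle):
        raw.add("&")
    return raw


# Constructed handlers standing in for three server responses.
def vulnerable_body(q):
    return f"<p>You searched for {q}</p>"


def encoded_body(q):
    return f"<p>You searched for {html.escape(q, quote=True)}</p>"


def attribute_context(q):
    # Encodes <, > and & but not quotes: fine in body text, wrong inside an attribute value.
    return f'<input name="q" value="{html.escape(q, quote=False)}">'


def verdict(raw, context):
    """Interpret the raw-character set for the HTML context the reflection lands in."""
    if raw is None:
        return "not reflected"
    if context == "attribute" and (raw & {'"', "'"}):
        return "attribute breakout possible"
    if context == "text" and ("<" in raw or ">" in raw):
        return "tag injection possible"
    return "encoded for context"


if __name__ == "__main__":
    for name, fn, ctx in (("vulnerable", vulnerable_body, "text"),
                          ("encoded", encoded_body, "text"),
                          ("attribute", attribute_context, "attribute")):
        raw = reflection_probe(fn)
        print(f"{name:10s} raw={sorted(raw) if raw else raw} -> {verdict(raw, ctx)}")
```

Only once the probe shows which characters survive is it worth crafting the actual script payload, because the payload has to fit the context the probe identified.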

Step 42: Record and Replay the Traffic to the Target Web Server and Note the Response

Record and play back browser sessions.

Recording browser sessions allows you to automate web site logins and any other web task that you perform with your computer.

A recording session will record everything you do, including keystrokes, scrolling, link clicks etc., and can then replay the entire session at any time with the click of a button.

Look for anomalies: a replayed request that still succeeds after logout, or with a reused token, indicates missing replay protection.

Tools:

• CruiseControl
• Webload (www.radview.com)
• e-Test Suite (www.empirix.com)

Step 43: Try Various SQL Injection Techniques

Attempt SQL injection techniques on the following:

• Form fields.
• Directly in URL.
• Login screens.
• Feedback forms.
• Guestbook.

Try the following:

• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
• ") or ("a"="a

Which payload works depends on how the value is quoted in the query and whether it sits inside parentheses; a syntax error for one variant is itself a sign that input reaches the query unescaped.
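The payload list in Step 43 is easier to use when you can see why each one succeeds, fails or errors against a given query. The added example below (not part of the module) runs the module's payloads through a constructed login query built by string concatenation and through the same query with bound parameters, in both the username and the password field, using SQLite's in-memory database; the users table and its rows are made up.

```python
import sqlite3

PAYLOADS = ["' or 1=1--", '" or 1=1--', "or 1=1--", "' or 'a'='a",
            '" or "a"="a', "') or ('a'='a", '") or ("a"="a']


def build_db():
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("admin", "S3cretAdm1n!", "admin"), ("alice", "hunter2", "user")])
    return conn


def login_vulnerable(conn, username, password):
    # String concatenation: the inputs become part of the SQL grammar.
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    # Parameter binding: the inputs stay data, whatever quotes they contain.
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def attempt(login, field, payload):
    """Send one payload through `field` ('username' or 'password'); return row count or 'error'."""
    conn = build_db()
    try:
        if field == "username":
            rows = login(conn, payload, "wrongpass")
        else:
            rows = login(conn, "admin", payload)
    except sqlite3.Error:
        return "error"          # a syntax error means the payload reached the SQL parser
    finally:
        conn.close()
    return len(rows)


def run_matrix(login):
    """Try every payload in both fields; returns {(field, payload): rows_or_error}."""
    return {(field, p): attempt(login, field, p)
            for field in ("username", "password") for p in PAYLOADS}


if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name)
        for key, result in run_matrix(fn).items():
            print("  ", key, "->", result)
```

Two results are worth studying: ' or 'a'='a returns nothing in the username field because AND binds tighter than OR, yet logs in as everyone from the password field; and ') or ('a'='a raises a syntax error here because it is written for a query that wraps its conditions in parentheses. The parameterised version returns zero rows and no errors for every case.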

Step 44: Examine Hidden Fields

Hidden fields in web pages could reveal the following information:

• Price.
• Username.
• Password.
• Session.
• URL characters.
• Special instructions.
• Encryption used.
• Web page behaviors.

Hidden does not mean read-only: anything in a hidden field can be edited in the request before it is sent back.
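Steps 38 and 44 (and the SSI check that follows) are all reads of the same HTML source,  so one pass with a parser covers them. The added example below (not from the module) pulls out comments, hidden inputs, SSI directives, the generator meta tag and script sources, and flags the ones a tester would look at first; SAMPLE_PAGE is constructed around the module's SSI snippet, and the keyword lists are the author's own choice.

```python
from html.parser import HTMLParser

SENSITIVE_WORDS = ("password", "passwd", "login", "user", "todo", "fixme", "debug", "internal")
RISKY_HIDDEN = ("price", "amount", "total", "user", "role", "admin", "session", "token", "debug")


class SourceAuditor(HTMLParser):
    """Collect comments, hidden inputs, SSI directives and generator/script hints from HTML."""

    def __init__(self):
        super().__init__()
        self.comments, self.ssi, self.hidden, self.generators, self.scripts = [], [], [], [], []

    def handle_comment(self, data):
        text = data.strip().strip("-").strip()        # tolerate the <!--- ... ---> spelling
        (self.ssi if text.startswith("#") else self.comments).append(text)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "input" and a.get("type", "").lower() == "hidden":
            self.hidden.append((a.get("name", ""), a.get("value", "")))
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def audit_source(page):
    """Parse one page and return the findings grouped by type."""
    p = SourceAuditor()
    p.feed(page)
    p.close()
    return {
        "comments": p.comments,
        "sensitive_comments": [c for c in p.comments if any(w in c.lower() for w in SENSITIVE_WORDS)],
        "hidden": p.hidden,
        "risky_hidden": [(n, v) for n, v in p.hidden if any(w in n.lower() for w in RISKY_HIDDEN)],
        "ssi": p.ssi,
        "generators": p.generators,
        "scripts": p.scripts,
    }


# Constructed page combining the module's SSI example with typical leaks.
SAMPLE_PAGE = """<html>
<head><title>Show SSI at work</title>
<meta name="generator" content="FrontPage 4.0">
<!-- TODO: remove test login dev/Summer2009 before go-live (J. Smith, rev 1.17) -->
</head>
<body>
<p>Lots of really interesting stuff to read</p>
<form action="/checkout" method="post">
<input type="hidden" name="price" value="19.99">
<input type="hidden" name="role" value="customer">
<input type="text" name="qty">
</form>
<script src="/js/app.min.js?v=2.3.1"></script>
<!--#include file="copywrite.inc" -->
</body>
</html>"""

if __name__ == "__main__":
    for key, val in audit_source(SAMPLE_PAGE).items():
        print(f"{key}: {val}")
```

A hidden price or role field in the output is the cue for the tampering check described above; an SSI directive in a page you can influence is the cue for the exec test on the next slides.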

Examine Server Side Includes (SSI)

Server Side Includes (SSI) are placeholders (or markers) in an HTML document that the web server will dynamically replace with data just before sending the requested document to a browser:

<HTML>
<HEAD><TITLE>Show SSI at work</TITLE></HEAD>
<BODY>
<P>Lots of really interesting stuff to read</P>
<!--#include file="copywrite.inc" -->
</BODY>
</HTML>

Examine Server Side Includes (SSI) (cont'd)

The danger with an include command comes when an intruder is able to manipulate a web page into including a file that would otherwise not be available.

For example, if an intruder is able to gain write access to a directory on a Unix web server (possibly a .temp directory that didn't have any sensitive information stored in it and was therefore not locked down), the intruder could upload a .shtml web page containing the following include statement:

<!--#exec cmd="/bin/cat /etc/passwd" -->

The same risk applies when user input is written unescaped into a page the server parses for SSI. On Apache, Options IncludesNOEXEC disables the exec directive while keeping include.

Step 45: Examine E-commerce and Payment Gateways Handled by the Web Server

Look out for the following information:

• In-house built e-commerce gateway
• Outsourced e-commerce gateway
• Program logic
• How payments are handled
• Check for confirmation emails
• Minimum order amount
• Account and merchant ID

Step 46: Examine Welcome Messages, Error Messages, and Debug Messages

Document the following information:

• Web application welcome message
• Web application error messages
• Web application intrusion warning messages
• Web application debugging messages
• Web application site maintenance messages

Step 47: Probe the Service by SMTP Mail Bouncing

Send mail to an address that does not exist at the target; the resulting bounce (non-delivery report) indicates that the user does not exist on that server.

Bounced mail carries information about the SMTP server such as the server name, software version, the relay path in the Received: headers, and various services running on the server.

Step 48: Grab the Banner of HTTP Servers

httprint is a web server fingerprinting tool which captures the banner of HTTP servers.

It identifies HTTP servers even when the banner string has been changed or removed, by comparing the server's protocol behaviour against known signatures.

Step 49: Grab the Banner of SMTP Servers

GNIT NT vulnerability scanner captures the banner message from an SMTP server.

Install the following:

• perl Makefile.PL
• make
• make test
• make install

Required libraries:

• Class::Accessor::Fast

Step 50: Grab the Banner of POP3 Servers

GNIT NT vulnerability scanner captures the banner of POP3 servers.

Step 51: Grab the Banner of FTP Servers

Use netcat to banner grab an FTP server; the server sends its 220 greeting as soon as the connection opens, for example: nc target 21
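Steps 26 and 48 to 51 are one technique applied to four protocols: connect, send a probe if the protocol expects the client to speak first, and read the greeting. The added example below (not part of the module and not GNIT or httprint) does that in plain sockets and classifies what comes back; the four banners are constructed, and a one-shot local server replays them so the code runs offline. Point grab_banner at a real host and port to use it for real.

```python
import socket
import threading

# Constructed sample greetings (not captured from any real host); the local
# test server below replays them so the example runs offline.
SAMPLE_BANNERS = {
    "ftp": b"220 ProFTPD 1.3.5 Server (Example FTP) [203.0.113.10]\r\n",
    "smtp": b"220 mail.example.com ESMTP Postfix (Debian/GNU)\r\n",
    "pop3": b"+OK Dovecot ready.\r\n",
    "http": b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41 (Ubuntu)\r\nContent-Length: 0\r\n\r\n",
}

# FTP, SMTP and POP3 speak first; HTTP says nothing until it gets a request.
HTTP_PROBE = b"HEAD / HTTP/1.0\r\nHost: target\r\n\r\n"


def grab_banner(host, port, probe=None, timeout=3.0):
    """Open a TCP connection, optionally send a probe, return the first bytes received."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        if probe:
            s.sendall(probe)
        try:
            return s.recv(1024)
        except socket.timeout:
            return b""


def classify_banner(raw):
    """Guess (protocol, software string) from a greeting; ('unknown', first line) otherwise."""
    text = raw.decode("latin-1", errors="replace")
    lines = text.split("\r\n")
    first = lines[0].strip()
    if first.startswith("HTTP/"):
        for line in lines[1:]:
            if line.lower().startswith("server:"):
                return "http", line.split(":", 1)[1].strip()
        return "http", ""      # header suppressed: fall back to httprint-style behaviour tests
    if first.startswith("+OK"):
        return "pop3", first[3:].strip()
    if first.startswith("220 "):
        body = first[4:]
        # RFC 5321 greetings advertise ESMTP/SMTP; FTP greetings (RFC 959) do not.
        return ("smtp" if "SMTP" in body.upper() else "ftp"), body
    return "unknown", first


def serve_once(banner, wait_for_request=False):
    """One-shot local server that sends `banner` (after a request, if asked). Returns its port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        with conn:
            if wait_for_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Grab and classify each sample banner from a local server; returns {name: (proto, software)}."""
    results = {}
    for name, banner in SAMPLE_BANNERS.items():
        is_http = name == "http"
        port = serve_once(banner, wait_for_request=is_http)
        raw = grab_banner("127.0.0.1", port, probe=HTTP_PROBE if is_http else None)
        results[name] = classify_banner(raw)
    return results


if __name__ == "__main__":
    for name, (proto, software) in demo().items():
        print(f"{name:5s} -> {proto:7s} {software}")
```

Treat the software string as a claim, not a fact: it is exactly what Step 26 warns a banner faker will change, so the version you record should be confirmed by behaviour (httprint for HTTP, nmap -sV elsewhere) before it drives the vulnerability analysis.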

Step 52: Identify the Web Extensions Used at the Server

GNIT NT vulnerability scanner determines the web extensions at the server.

The scanner displays the web server type and version.

It scans for 84 known vulnerable URL structures (easily modified).

Step 53: Try to Use an HTTPS Tunnel to Encapsulate Traffic

Install the GNU freeware tunneling software 'HTTPTunnel'.

Encapsulate all P2P traffic as HTTP and forward it to the corporate network's default gateway over port 80.

Traffic takes the reverse path and appears as a legitimate web request; this tests whether egress filtering inspects port 80 traffic or merely allows it.

Step 54: OS Fingerprint Target Servers

Some tools identify the OS using only ICMP packets; nmap -O combines TCP, UDP and ICMP probes and needs at least one open and one closed TCP port for a reliable match.

Tools for OS fingerprinting:

• NetScanTools Pro
• nmap

Step 55: Check for ICMP Responses (Type 3, Port Unreachable)

SYN scan is the default and most popular scan option for good reasons.

It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.

The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received; code 3 is port unreachable and is the normal reply for a closed UDP port, so for UDP scans it means closed rather than filtered.

Step 56: Check for ICMP Responses (Type 8, Echo Request)

The Echo request is an ICMP message that sends a packet of data to the host and expects that data to be sent in return in an Echo reply (type 0).

The host must respond to all Echo requests with an Echo reply containing the exact data received in the request message; many perimeter firewalls drop it, so an unanswered echo request does not prove the host is down.

Step 57: Check for ICMP Responses (Type 13, Timestamp Request)

A timestamp request asks the host for its current time; a timestamp reply (type 14) proves the host is up even where echo requests are filtered, and reveals its clock.

Use the following nmap commands:

• nmap -sn -PP x.x.x.x (host discovery with ICMP timestamp probes)
• nmap -sS -p X x.x.x.x
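Steps 55 to 60 are about reading replies correctly: which ICMP types prove a host is up, and how a SYN or UDP probe's reply maps to nmap's open, closed and filtered states. The added example below (not from the module) encodes those rules, including nmap's retransmission before calling a silent port filtered and the UDP special case where port unreachable means closed; the SAMPLE replies are constructed, decoded the way a capture tool would present them.

```python
# ICMP type numbers from RFC 792 that the probes in Steps 55 to 60 rely on.
ICMP_ECHO_REPLY, ICMP_DEST_UNREACH, ICMP_ECHO_REQUEST = 0, 3, 8
ICMP_TIMESTAMP_REQUEST, ICMP_TIMESTAMP_REPLY = 13, 14
ICMP_INFO_REQUEST, ICMP_INFO_REPLY = 15, 16
ICMP_MASK_REQUEST, ICMP_MASK_REPLY = 17, 18

# Destination-unreachable codes nmap treats as "filtered" for a TCP SYN probe.
FILTERED_UNREACH_CODES = {1, 2, 3, 9, 10, 13}
HOST_UP_REPLIES = {ICMP_ECHO_REPLY, ICMP_TIMESTAMP_REPLY, ICMP_INFO_REPLY, ICMP_MASK_REPLY}


def syn_probe_state(reply):
    """nmap's port state for one SYN probe reply.

    reply: None (silence), {"proto": "tcp", "flags": "SA"} or
           {"proto": "icmp", "type": 3, "code": 3}."""
    if reply is None:
        return "filtered"
    if reply["proto"] == "tcp":
        flags = set(reply.get("flags", ""))
        if {"S", "A"} <= flags:
            return "open"
        if "R" in flags:
            return "closed"
        return "filtered"
    if (reply["proto"] == "icmp" and reply["type"] == ICMP_DEST_UNREACH
            and reply["code"] in FILTERED_UNREACH_CODES):
        return "filtered"
    return "unknown"


def udp_probe_state(reply):
    """For a UDP probe, port unreachable means closed; silence is open|filtered."""
    if reply is None:
        return "open|filtered"
    if reply["proto"] == "udp":
        return "open"
    if reply["proto"] == "icmp" and reply["type"] == ICMP_DEST_UNREACH:
        return "closed" if reply["code"] == 3 else "filtered"
    return "unknown"


def probe_with_retries(send_probe, retries=2):
    """Resend a silent probe a few times before calling the port filtered, as nmap does."""
    for _ in range(retries + 1):
        reply = send_probe()
        if reply is not None:
            return syn_probe_state(reply)
    return "filtered"


def host_is_up(icmp_replies):
    """True if any reply type proves the host is alive (echo, timestamp, info or mask reply)."""
    return any(r["proto"] == "icmp" and r["type"] in HOST_UP_REPLIES for r in icmp_replies)


# Constructed replies as a capture tool would decode them, keyed by probed port.
SAMPLE = {
    "22": {"proto": "tcp", "flags": "SA"},
    "23": {"proto": "tcp", "flags": "RA"},
    "135": {"proto": "icmp", "type": 3, "code": 13},   # admin prohibited: a firewall spoke
    "8080": None,
}

if __name__ == "__main__":
    for port, reply in SAMPLE.items():
        print(port, syn_probe_state(reply))
    print("host up:", host_is_up([{"proto": "icmp", "type": ICMP_TIMESTAMP_REPLY, "code": 0}]))
```

The code 13 reply for port 135 is the interesting one in practice: the port itself may be open, but a device in the path is enforcing policy, and that device, not the host, is what the rest of the assessment has to work around.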

Step 58: Check for ICMP Responses (Type 15, Information Request)

Enables a host to learn the network part of an IP address on its subnet by sending a message with the source address in the IP header filled and all zeros in the destination address field; the reply is type 16. The message is obsolete and rarely answered, so a response is itself noteworthy.

Step 59: Check for ICMP Responses (Type 17, Subnet Address Mask Request)

Requests the correct subnet mask to be used; a reply (type 18) discloses the target's subnet size. nmap sends this probe with -PM.

Step 60: Check for ICMP Responses from Broadcast Address

Specifies the broadcast address in use on the client's subnet.

Check for a broadcast IP address by setting the host and subnet (if used) fields to all 1s, and check whether that address answers; a network that replies to directed broadcasts can be abused as an amplifier.

Step 61: Port Scan DNS Servers (TCP/UDP 53)

Use Nmap to scan for DNS servers on TCP/UDP port 53.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run: nmap -sU -sS -p 53 x.x.x.x

UDP scan works by sending an empty (no data) UDP header to every targeted port, so a port that silently discards it shows as open|filtered; use -sV or a real DNS query to confirm.

Step 62: Port Scan TFTP Servers (Port 69)

By default, the TFTP server listens on UDP port 69.

PortQry is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues.

This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer.

Type a command similar to the following:

portqry -n myserver.example.com -p udp -e 69

The output reports the port as LISTENING, NOT LISTENING, or (for UDP, where silence is ambiguous) LISTENING or FILTERED.

Step 63: Test for NTP Ports (Port 123)

Use nmap to scan for NTP ports.

By default, NTP listens on UDP port 123.

Use the following command to find the NTP service on the network:

nmap -sU -p 123 x.x.x.x

Step 64: Test for SNMP Ports (Port 161)

By default, SNMP agents listen on UDP port 161 and trap receivers on UDP port 162.

Use nmap to locate the SNMP service on the network.

Use the following commands to find the SNMP service on the network:

• nmap -sU -p 161 x.x.x.x
• nmap -sU -p 162 x.x.x.x

Step 65: Test for Telnet Ports (Port 23)

Use nmap to scan for Telnet ports.

By default, Telnet listens on TCP port 23; any Telnet service reachable from the Internet is a finding in itself, since credentials cross the wire in clear text.

Step 66: Test for LDAP Ports (Port 389)

PortQry version 1.22 is a TCP/IP connectivity testing utility that is included with the Microsoft Windows Server 2003 support tools.

PortQry can send an LDAP query using both TCP and UDP and interpret an LDAP server's response to that query correctly.

PortQry parses, formats, and then returns the response from the LDAP server to the user.

For example, type the following command:

portqry -n myserver -p udp -e 389

LDAP Query Response (screenshot)

Step 67: Test for NetBIOS Ports (Ports 135-139, 445)

The default ports are 135 (MS-RPC endpoint mapper), 137 (NetBIOS name service, UDP), 138 (NetBIOS datagram, UDP), 139 (NetBIOS session, TCP) and 445 (SMB directly over TCP).

Use nmap to scan for open NetBIOS ports.

You can also use NAT (NetBIOS Auditing Tool) for checking open NetBIOS ports.

Step 68: Test for SQL Server Ports (Port 1433, 1434)

By default, SQL Server listens on TCP port 1433, and the SQL Server Browser service on UDP port 1434 (which can be queried to enumerate named instances and their ports).

Use a network scanner to identify open SQL Server ports.

Step 69: Test for Citrix Ports (Port 1494)

By default, Citrix ICA listens on TCP port 1494; session reliability (CGP) uses 2598.

Scan for the service using a network port scanner.

Step 70: Test for Oracle Ports (Port 1521)

1521 is the typical port number used by Oracle's TNS listener for networking services.

Use a port scanner such as Nmap to scan services on port 1521.

Step 71: Test for NFS Ports (Port 2049)

Use the RPC scan of nmap to discover NFS ports.

By default, NFS listens on port 2049; the portmapper on port 111 lists the other RPC services (mountd, lockd) that NFS depends on.

Use the following command to detect the NFS port:

• nmap -v -sR -p 2049 x.x.x.x

In current nmap releases -sR is an alias for -sV, so nmap -sV -p 111,2049 x.x.x.x gives the same RPC information.

Step 72: Test for Compaq, HP Insight Manager Ports (Port 2301, 2381)

Port 2301 is used for the Compaq Insight Management Web Agents.

Port 2381 is also known as the Compaq-https port.

Step 73: Test for Remote Desktop Ports (Port 3389)

Port 3389 is typically blocked at the perimeter to enhance network security.

Remote Desktop connections use TCP port 3389.

Use a network port scanner to scan for port 3389.

Use the following nmap command to detect the remote desktop service:

• nmap -sT -p 3389 X.X.X.X

Step 74: Test for Sybase Ports (Port 5000)

By default, Sybase listens on port 5000.

Use a network scanner to detect the service.

For nmap use the following command:

• nmap -sT -p 5000 x.x.x.x

Step 75: Test for SIP Ports (Port 5060)

SIP can be regarded as the enabler protocol for telephony and voice over IP (VoIP) services.

By default, SIP listens on port 5060 (UDP and TCP); SIP over TLS uses 5061.

Run a port scan on the network to find whether any VoIP service is running.

Step 76: Test for VNC Ports (Port 5900/5800)

VNC works on port 5900 by default (5900 plus the display number).

The Java viewer works on port 5800.

Scan for these default ports using a network scanner.

Step 77: Test for X11 Ports (Port 6000)

By default, the X server listens on port 6000 for incoming connections (6000 plus the display number).

Scan for port 6000 using nmap.

Step 78: Test for JetDirect Ports (Port 9100)

Test for JetDirect ports (port 9100) by using the Nmap tool.

HP printers use this port for the JetDirect protocol; the port accepts raw print jobs (and PJL commands) with no authentication.

Step 79: Port Scan FTP Data (Port 20)

In PORT (active) mode, the FTP server always sends data from TCP port 20, connecting back to the client.

Because the server originates those connections, port 20 rarely shows as listening; scan the control port 21 as well.

Use nmap to scan the network for open FTP ports.

Step 80: Port Scan Web Servers (Port 80)

Determines which hosts have TCP port 80 open for transporting HTTP data from a web server.

Step 81: Port Scan SSL Servers (Port 443)

Scan with the nmap scanner:

• The -sV scan option is able to identify SSL services

nmap -F -sV x.x.x.x

Step 82: Port Scan Kerberos-Active Directory (Port TCP/UDP 88)

Kerberos-Active Directory uses port 88 as its default port.

Port scan the network for services listening on port 88; an Internet-reachable KDC usually means a domain controller is exposed.

Step 83: Port Scan SSH Servers (Port 22)

By default, SSH servers listen on port 22.

Use nmap to identify the service:

• nmap -sS -p 22 x.x.x.x
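Steps 61 to 83 each scan one default port; in practice they are one sweep over a port-to-service map, and the value of a hand-written scanner is knowing what each socket outcome means. The added example below (not from the module, and not a replacement for nmap) does a parallel TCP connect scan over the module's default ports and separates the UDP-only services a connect scan cannot see; the demo scans two local listeners plus one freshly freed port so it runs offline, and the service names are the author's labels.

```python
import concurrent.futures
import socket

# TCP defaults named in Steps 61 to 83 (Citrix ICA's registered port is 1494).
TCP_DEFAULTS = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns", 80: "http",
    88: "kerberos", 110: "pop3", 135: "msrpc", 139: "netbios-ssn", 389: "ldap", 443: "https",
    445: "microsoft-ds", 1433: "ms-sql-s", 1494: "citrix-ica", 1521: "oracle-tns",
    2049: "nfs", 2301: "compaq-http", 2381: "compaq-https", 3389: "ms-rdp", 5000: "sybase",
    5060: "sip", 5800: "vnc-http", 5900: "vnc", 6000: "x11", 9100: "jetdirect",
}
# UDP services from the same steps; a connect scan cannot see them (use nmap -sU or portqry).
UDP_DEFAULTS = {53: "dns", 69: "tftp", 123: "ntp", 137: "netbios-ns", 161: "snmp",
                162: "snmp-trap", 1434: "ms-sql-m", 5060: "sip"}


def probe_tcp(host, port, timeout=1.0):
    """Full connect() probe: noisier than a SYN scan (it completes the handshake and gets logged)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "filtered"          # no SYN/ACK and no RST: something dropped the packet
    except ConnectionRefusedError:
        return "closed"            # an RST came back
    except OSError:
        return "filtered"          # e.g. an ICMP unreachable surfaced as a socket error


def connect_scan(host, ports=tuple(TCP_DEFAULTS), timeout=1.0, workers=32):
    """Return {port: state} for the given TCP ports, probing in parallel."""
    with concurrent.futures.ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(lambda p: (p, probe_tcp(host, p, timeout)), ports))


def open_services(result, names=TCP_DEFAULTS):
    """Map the open ports of a scan result to service labels."""
    return {p: names.get(p, "unknown") for p, s in result.items() if s == "open"}


def local_listener():
    """Listening socket on an ephemeral port. The kernel completes handshakes from the
    backlog even though nothing calls accept(), which is all a connect scan needs."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def demo():
    """Scan two local listeners plus one freshly freed port; returns (result, ports scanned)."""
    a, b = local_listener(), local_listener()
    spare = local_listener()
    spare_port = spare.getsockname()[1]
    spare.close()                  # nothing listens here now, so we expect 'closed'
    ports = [a.getsockname()[1], b.getsockname()[1], spare_port]
    result = connect_scan("127.0.0.1", ports)
    a.close()
    b.close()
    return result, ports


if __name__ == "__main__":
    result, ports = demo()
    for p in ports:
        print(p, result[p])
```

A connect scan is the right choice only when raw sockets are unavailable: every open port gets a completed handshake in the target's logs, and the filtered verdict from a timeout cannot distinguish a dropped SYN from an ICMP unreachable the way the SYN-scan classification earlier in this module does.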

Summary

We have reviewed the various steps involved in external penetration testing.

We have scanned for the default ports of various services.