Web Application Penetration Testing (WAPT) Vol. 1 - Discovery

18/01/08

11:32:43 pm, by alt3rn4tiv3, 2129 words
Categories: Security

Apart from the highly inactive DOSAM series, which I hope to continue writing soon, I decided to write another series about web application penetration testing (WAPT). I’ve learnt quite a lot over the past few months and I’d like to share my knowledge and experiences.

So, let’s get to the core of today’s post. Penetration testing requires good knowledge of your target. The better you know your victim, the safer you are, and the higher the chance that your victim will fall. Discovering information about your target not only tells you about its internal network structure, it also gives you insight into which types of attack can be used and which of those are likely to be more successful and / or useful than others.

The first step in the discovery process is looking for information about your target’s host. Where is it hosted? Who runs it? Does it have a load balancer? What might its network structure look like? WHOIS is your friend here. The whois servers belonging to the Regional Internet Registries (RIRs) can be queried to determine the Internet Service Provider responsible for a particular IP address.

These servers are:

  • ARIN (North America) - whois.arin.net
  • RIPE NCC (Europe and parts of Asia) - whois.ripe.net
  • APNIC (Asia Pacific) - whois.apnic.net
  • LACNIC (Latin America and the Caribbean) - whois.lacnic.net
  • AFRINIC (Africa) - whois.afrinic.net
  • And finally, International NIC (InterNIC).

Checking DNS records is also a great way of finding out more. You can use the following tools -

  • dig
  • nslookup
  • host

Of course, if you’re too lazy to visit so many sites and use so many tools, there’s always SamSpade to do it for you. :)


The next part of the discovery phase is to look out for filters. Knowing your target’s network infrastructure, and in particular whether there is any filtering device between your traffic and the actual target, will go a long way. There’s a project out there by PureHacking called Active Filter Detection (AFD). It detects the presence of Intrusion Prevention Systems (IPS) and other technologies that would directly impact the quality of a security assessment. Of course, you could get nmap to do it for you as well. ;)

A load balancer is often in place to spread heavy traffic across several servers. It can be detected in a variety of ways. There is no generic detection method, but some load balancers keep session information in cookies and some use custom HTTP headers. With the F5 BIG-IP series of load balancers, you’ll get a cookie saying something like…

Cookie: BIGipServerHTTP-Servers=374349740.20480.0000

Converting 374349740 to binary, we get 10110010100000001111110101100. Breaking it up into…
10110010 = 178
10000000 = 128
11111101 = 253
00001100 = 12
So, we know that the IP of one of the machines that sits behind the load balancer is 178.128.253.12 - isn’t that easy? :)

Header-based identification is also possible. Typically, infrastructure-level devices modify HTTP headers to work their magic. Two common modifications are “nnCoection: close” and “Cneonction: close” instead of “Connection: close”.
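As an added example, not code from the original post, the following Python decodes the BIG-IP persistence cookie and flags the mangled Connection headers described above. Two details matter when doing this by hand: the decimal value must be zero-padded to 32 bits before it is split into octets, and BIG-IP stores both address and port little-endian, so the bytes are read in reverse; applied to the cookie quoted above this yields 172.31.80.22 on port 80 (20480 byte-swapped is 0x0050) rather than the grouping shown. The HTTP response it parses is constructed for the example.

```python
import re
import socket
import struct

# Constructed sample response, carrying the cookie value quoted in the post
# and one of the shuffled "Connection" headers.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: BIGipServerHTTP-Servers=374349740.20480.0000; path=/\r\n"
    "Cneonction: close\r\n"
    "Content-Type: text/html\r\n"
)

# BIGipServer<pool>=<ip>.<port>.<reserved>
BIGIP_COOKIE = re.compile(r"BIGipServer[^=;\s]*=(\d+)\.(\d+)\.(\d+)")
# Header names produced by devices that scramble "Connection" to defeat keep-alive
MANGLED_CONNECTION = {"nncoection", "cneonction"}


def decode_bigip_value(ip_int, port_int):
    """Decode the two numeric cookie fields; both are little-endian integers.
    Packing with '<L' pads to 32 bits and emits the bytes in network order,
    so 374349740 (0x16501FAC) becomes 172.31.80.22 and 20480 becomes port 80."""
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_int)))
    port = struct.unpack(">H", struct.pack("<H", int(port_int)))[0]
    return ip, port


def analyze_headers(raw):
    """Walk the response headers and report load-balancer evidence."""
    findings = {"backend": None, "mangled_headers": []}
    for line in raw.split("\r\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name = name.strip()
        if name.lower() in MANGLED_CONNECTION:
            findings["mangled_headers"].append(name)
        match = BIGIP_COOKIE.search(value)
        if name.lower() == "set-cookie" and match:
            ip, port = decode_bigip_value(match.group(1), match.group(2))
            findings["backend"] = f"{ip}:{port}"
    return findings


if __name__ == "__main__":
    print(analyze_headers(SAMPLE_RESPONSE))
```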

Also, if your target uses SSL / TLS, you should find out which versions and which ciphers it supports. A good tool to use is THC’s THCSSLCheck. Another one is Foundstone’s SSLDigger.


Of course, the next step is to find out what OS your target is running. Most of you should be familiar with this; there are so many ways to do it. You can use NetCraft and nmap amongst all the other tools. However, there are two interesting programs I would like to introduce to you. The first is passive OS fingerprinting (p0f), written by Michal Zalewski. It has a database of unique TCP/IP characteristics for both SYN handshake initiations and SYN/ACK response packets. Unlike active OS fingerprinting, which involves sending uniquely crafted abnormal packets to the remote host, p0f makes its decisions based on normal traffic, since different TCP stacks consistently produce distinguishable packets. p0f doesn’t need to send any data, thus the “passive” in its name. ;) This way, it doesn’t trigger any Intrusion Detection System (IDS). You can analyse the data with p0f stats or store the p0f data in a database.

Another interesting tool is DMitry (Deepmagic Information Gathering Tool). It taps into numerous sources of data and presents them all on a nicely formatted page, all in one program run. You gotta love this. :)


So now you know that your target runs Windows Server 2008, or perhaps an outdated version of Linux. The next step is to find out what web server it’s running. For those of you who only know about the LAMP / WAMP configurations, please remember that there are other types of web servers out there. There’s Microsoft IIS, Google GFE (yes, Google has its own web server too! It’s called Google Front End, or GFE for short), Oversee and lighttpd, amongst others. At this point, I’d like to make a note about Google. Just as California’s wildfires can be seen from space, Google seems to be becoming more and more significant by the day. Watch out for its probably-coming battle with Yahoo over the TrustRank algorithm soon. ;)

A useful tool in this case would be httprint. It can identify web servers whose identities have been obfuscated in some fashion and is excellent at identifying web servers that sit behind proxies. I’ll leave you to find out how to use it. :)


Right now, you’re probably getting tired of all the boring stuff. The real stuff comes now. :) There are a few questions you need to ask yourself to identify what applications are running on your target -

  • What ports are actively listening?
  • Are the services for each open port identifiable?
  • Are there error pages that can leak information about the services?
  • What file types does this target properly handle?
  • What resources are verified as “existing” on your target?

Port mapping is an important process here. Of course, nmap is our best candidate again. However, there’s another tool called unicornscan which is notable for its scanning of UDP-based targets.

To identify applications running on your target, use the extremely powerful application-mapping tool amap. Fed with nmap results from the -oM switch (which outputs XML), amap will attempt to identify applications even if they are running on non-standard ports. It sends out trigger packets and then compares the responses against a list of known and confirmed response signatures. Because this tool is a must-have in every pen-tester’s toolkit, it would be good for everyone to submit unidentified signatures to the project to aid its further development.

A similar project to amap is the Open Protocol Resource Project (OPRP). A Perl wrapper script that couples nmap with the OPRP data has also been written - nwrap. You’ll also need the OPRP DB dump.

Database identification is not easy. THC (again) has a tool to help identify the running database if it’s Oracle or DB2, though - THCDBFP.

Analysing error pages can help you identify services running on the web server as well. Look out for differences between the 404 and 500 error pages. Also look out for other types of errors such as “Proxy Error”. Try making different types of requests -

  • valid requests for invalid resources
  • invalid requests for valid resources
  • violate the protocol, e.g. GGGG / HTTP/1.0
  • tamper with parameters in query strings, and in HTML forms for POST requests too

A very important lesson I learnt from rustylime’s competition is that resource enumeration is essential. Not only do you need to find resources already shown, you also need to find those that are not listed for public eyes.

Of all programs that you can run, there are …

A Perl script written by Andres Andreu that I found does the “hidden” resource enumeration just fine. Below is the source.

Code:

#!/usr/bin/perl
#
# This simple script provides very basic HTTP file & dir enumeration functionality
# It requires a target host, a file with resource (file) names
# and a file with a list of extensions (PHP, ASP, JSP, HTML, etc).
#
# Author: Andres Andreu <andres [at] neurofuzz dot com>
# File:   list_web_resources.pl
# Ver:    1.0
#
 
use strict;
use Getopt::Std;
use LWP::UserAgent;
use HTTP::Request;
 
#Define initial hash
my (%opts);
getopts('f:e:h:p:d:', \%opts);
my (@extarray, @resarray, @patharray,
    @resresultsarray, @pathresultsarray);
 
#Define initial variables
my ($path, $resource, $extension, $pathfilename,
    $resfilename, $extfilename, $host, $depth, $ua);
 
# Create a user agent object
$ua = LWP::UserAgent->new;
$ua->agent("EnumScript");
 
# Usage Statement
sub usage() {
  print "\nUsage :\tperl $0 -h target -d num -f resource_list_file.txt -e extension_list_file.txt -p directory_list_file.txt\n\n";      
  exit;
}
 
sub dig {

  # Work on copies: the original chop'd $_[0], which is an alias of the
  # caller's variable (and, at the top level, of an @patharray element).
  my $tmppath = shift;
  my $cnt = shift;
  my $path1;

  # strip the parent's trailing slash so the two parts join cleanly
  $tmppath =~ s/\/$//;

  foreach my $entry (@patharray) {

    # normalise a copy; entries later in @patharray may not have been
    # touched by the main loop yet when this is called
    $path1 = $entry;
    $path1 =~ s/^\s+//;
    $path1 =~ s/\s+$//;

    if ($path1 eq "/" || $path1 eq "") {
      next;
    }

    # cat leading and trailing slash so query is vs directory
    $path1 = "/" . $path1 unless $path1 =~ m/^\//;
    $path1 = $path1 . "/" unless $path1 =~ m/\/$/;

    # Create an HTTP request
    my $req = HTTP::Request->new(GET => $host . $tmppath . $path1);

    $req->content_type('application/x-www-form-urlencoded');
    # Pass request to the user agent and get a response back
    my $res = $ua->request($req);

    # Check the outcome of the response; status_line starts with the code,
    # so anchor the match as the main loop does
    if (!($res->status_line =~ m/^404/) && !($res->status_line =~ m/^300/)) {
      my $tmp = $tmppath . $path1;
      # populate array with discovered data
      push(@pathresultsarray, $tmp);
      # make recursive call for any discovered directories
      if ($cnt > 0) {
        &dig($tmp, $cnt - 1);
      }
    }
  }

}
 
# open file with directory listing
if (!(defined($opts{p}))) {
  print "You must specify a resource list file.\n";
  usage();
} else {
  $pathfilename = $opts{p};
  open (PATHS, "< $pathfilename") or die "Can't open $pathfilename : $!";
  
  while (<PATHS>) {
    chomp;
    push(@patharray, $_) unless $_ eq '';
  }
}
 
# open file with resource listing
if (!(defined($opts{f}))) {
  print "You must specify a resource list file.\n";
  usage();
} else {
  $resfilename = $opts{f};
  open (RESOURCES, "< $resfilename") or die "Can't open $resfilename : $!";
  
  while (<RESOURCES>) {
    chomp;
    push(@resarray, $_) unless $_ eq '';
  }
}
 
# open file with extension listing
if (!(defined($opts{e}))) {
  print "You must specify an extension list file.\n";
  usage();
} else {
  $extfilename = $opts{e};
  open (EXTENSIONS, "< $extfilename") or die "Can't open $extfilename : $!";
  
  while (<EXTENSIONS>) {
    chomp;
    push(@extarray, $_) unless $_ eq '';
  }
}
 
# we need a target
if (!(defined($opts{h}))) {
  print "You must specify a host to scan.\n";
  usage();
} else {
  $host = $opts{h};
  # if the host string does not start with http ...
  if (!($host =~ m/^http:\/\//i)) {
    # strip starting and ending white spaces
    $host =~ s/^\s+//;
    $host =~ s/\s+$//;
    # cat protocol and host
    $host = "http://" . $host;
  }
}
 
# get or set depth level
if (!(defined($opts{d}))) {
  print "You did not specify a depth level, defaulting to 2.\n";
  $depth = 2;
} else {
  $depth = $opts{d};
}
 
# loop thru the list of directories and
# populate an array with the results
foreach $path (@patharray) {
  # strip starting and ending white spaces
  $path =~ s/^\s+//;
  $path =~ s/\s+$//;
  # if path starts with / but is not /
  if (!($path =~ m/^\//i) && !($path eq "/")) {
    # cat slash and path
    $path = "/".$path;
  }
  # if path ends with / but is not /
  if (!($path =~ m/\/$/i) && !($path eq "/")) {
    # cat path and slash
    $path = $path . "/";
  }
 
  # Create an HTTP request
  my $req = HTTP::Request->new(GET => $host . $path);
  $req->content_type('application/x-www-form-urlencoded');
  # Pass request to the user agent and get a response back
  my $res = $ua->request($req);
 
  # Check the outcome of the response
  if (!($res->status_line =~ m/^404/)) {
    push(@pathresultsarray, $path);
    &dig($path, $depth) unless $path eq "/";
  }
}
 
# loop thru the array of found directories and
# populate an array with the resource hit results
foreach $path (@pathresultsarray) {
  foreach $resource (@resarray) {  
    # loop thru the list of extensions
    foreach $extension (@extarray) {
      # Create a request
      my $req = HTTP::Request->new(GET => $host . $path . $resource . "." . $extension);
      $req->content_type('application/x-www-form-urlencoded');
 
      # Pass request to the user agent and get a response back
      my $res = $ua->request($req);
 
      # Check the outcome of the response
      if ($res->is_success) {
        push(@resresultsarray, "$path$resource.$extension");
      }
    }
  }
}
  
print "Directories discovered on the web server at $host \n";
foreach $path (@pathresultsarray) {
  print "$path\n";
}
print "\n";
 
print "Resources discovered on the web server at $host \n";
foreach $resource (@resresultsarray) {  
  print "$resource\n";
}
print "\n";
 
# clean up
close (PATHS);
close (RESOURCES);
close (EXTENSIONS);

Have fun with it!

Now, the final step of discovery is the one which I’m sure you guys always do - scanning the HTML code for leaks. There can be legacy code, random comments and hidden directories, amongst other clues, hidden in there. It’s a real gem. ;) Picture this -

<meta name="GENERATOR" content="Microsoft FrontPage (Visual InterDev Edition) 2.0">. Refer to DOSAM II for more information. ;)
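As an added example, not part of the post, here is a small Python scanner that pulls the kinds of leak described above out of served markup: generator meta tags, HTML comments, and every server-side path that is referenced by a tag or mentioned inside a comment. The page it scans is constructed for the example, built around the FrontPage GENERATOR tag quoted above.

```python
import re
from html.parser import HTMLParser

# Constructed sample page; the GENERATOR tag is the one quoted in the post.
SAMPLE_HTML = """<html><head>
<meta name="GENERATOR" content="Microsoft FrontPage (Visual InterDev Edition) 2.0">
<!-- TODO: remove /admin_old/ before launch -->
<script src="/js/legacy/app.js"></script>
</head><body>
<a href="/reports/2007/">Reports</a>
<!-- debug: db=srv-db01 user=webapp -->
<form action="/cgi-bin/login.pl" method="post"></form>
</body></html>"""

# absolute paths mentioned in free text such as comments, e.g. "/admin_old/"
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")


class LeakScanner(HTMLParser):
    """Collects technology hints from generator tags, developer comments,
    and the server paths the markup references."""

    def __init__(self):
        super().__init__()
        self.generators = []
        self.comments = []
        self.paths = set()

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases attribute names
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))
        for key in ("href", "src", "action"):
            if a.get(key, "").startswith("/"):
                self.paths.add(a[key])

    def handle_comment(self, data):
        self.comments.append(data.strip())
        self.paths.update(PATH_RE.findall(data))


def scan_html(html):
    """Run the scanner and return the leaks found, paths sorted for stable output."""
    scanner = LeakScanner()
    scanner.feed(html)
    scanner.close()
    return {"generators": scanner.generators,
            "comments": scanner.comments,
            "paths": sorted(scanner.paths)}
```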

And thus I conclude Volume 1 of WAPT. I hope you enjoyed reading my post as much as I had enjoyed typing it. ;) Have fun discovering!

Comments, Trackbacks, Pingbacks:

Comment from: Gizmore [Visitor]
Very nice post. I enjoyed reading it.
Many thanks for that and...
carry on your great work :)
01/26/08 @ 02:32
