Security Basics mailing list archives

Re: Pen-Testing New Server - Where to start?


From: "Serg B" <sergeslists () gmail com>
Date: Wed, 14 Nov 2007 13:03:58 +1100

Unless you want to start reading source code (recommended) and hunting
for some 0-days I suggest thinking a little higher than the underlying
server infrastructure.

For example, you can enumerate services (name, version number, etc)
and search for some exploits that could work on those ports. Also try
some default usernames and passwords, etc. Common configuration errors
are always fun. Brute forcing is not going to teach you much so in my
opinion you could skip that altogether.

In regards to "thinking higher" (most of the time this is how an
attacker gets access) you could smoke a joint (thinking higher, get
it, get it, ha-ha) and enumerate user-land applications (i.e. those
running on the HTTP port) and try to exploit them. Remember that
gaining access does not necessarily mean you are going to execute an
exploit and you're in. XSS and session hijacking could very well get
you an account, as well as phishing, etc. So look for all
vulnerabilities, not just those that you saw in Hackers (movie).

Great starting points in my opinion are:

Learn to program (strongly recommended if you don't know already).
   C (at a minimum)
   Java/C# (pick one, same shit)
   Python/Perl/PHP (pick one, depending on what you want to do).

Read www.owasp.org (reference section).


   Cheers,
      Serg

On Nov 14, 2007 7:56 AM, Security <security () gridrunners com> wrote:
Hi, I'm new to the InfoSec industry and would like to try my hand at
penetration-testing (and securing) a new server I've set up at home.

Seeing as I've set up the system, I know all the usernames/passwords
used on the box, as well as how everything is set up, but I'd like to
approach this as an outside user, pretending that I have none of this
information. I want to try to gather information, form an attack plan,
and attempt to crack the system from scratch, so that I can later on go
back and secure the system against those attacks.

Here's the information I can assume I'd know, from basic enumeration:

The server is running Ubuntu v6.06, with the following services:
ftp
http (apache)
smtp
pop3
irc (hybrid)
ssh

When setting up the system, I followed the following tutorial (almost to
a T... though I did a few things differently):

http://www.howtoforge.com/perfect_setup_ubuntu_6.06

Since the system is on my local network, I know there's only one IP I've
got to worry about, and this is the only target machine.

Any ideas where I should start? What information might help?

Thanks.

~Xor
