Dailydave mailing list archives
Re: Pen testing web servers
From: "Brett Moore" <brett.moore () insomniasec com>
Date: Sun, 21 Dec 2008 11:00:33 +1300
Nice one... On a side note.. PROPFIND will return dir listings for folders that have directory browsing enabled, but have a default page which is shown. Not sure if this was the case, but it is something that should always be checked for.
> Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put into CANVAS, and now everyone has it.
Another great addition.

Brett

-----Original Message-----
From: dailydave-bounces () lists immunitysec com [mailto:dailydave-bounces () lists immunitysec com] On Behalf Of Dave Aitel
Sent: Sunday, 21 December 2008 2:09 a.m.
To: Kevin P Biggs
Cc: pen-test () securityfocus com; dailydave
Subject: Re: [Dailydave] Pen testing web servers

So here's a story of a recent penetration test on a web server we did. Technically, it was 3 web servers - but let's run with it.

So first, we did all the basic scanning against it. It's IIS 5, so you have to look for old buffer overflows you know aren't there. Then Bas got wrapped into WebDAV for some reason. He was playing with PROPFIND and got a directory listing of one of the server's /'s. Then, on a lark, he wrote up a tool that checked for PROPFIND listings on every other server and every directory - which, much to my surprise, found another one.

So there we are, with some directory listings! Hooray! But we wanted a shell. So I told him to check for PUT uploads, but at the same time, I told him they were a myth, like dragons or Santa Claus or dolphins. I'd heard about people seeing it, but I'd never in all my years of IIS 5 pen tests ever seen it. So he modified his script and checked to see if he could upload hi.html. And lo and behold on one lonely directory on one of the web servers, he could! So that was pretty cool. Now we can do XSS easily! Hooray! But we wanted a shell.

So he tried uploading hi.asp, an ASP shell. But no go. So then he tried uploading hi.html and then using WebDAV to copy it to hi.asp, which worked. Then we could request hi.asp and get a shell! So then the next step for us is to upload a MOSDEF callback and get a CANVAS node running. This failed and froze the entire ASP process. So now no ASP files would run. It was very upsetting, as you can imagine. Remember to always use "start" to run programs that might freeze your ASP shell!
Our next step was to think for a while, and then we uploaded an ASP.Net file that also got us a shell. Luckily for us this server also had ASP.Net support. So once that was done, we did some recon by having MOSDEF call back to us to a server outside our network on the real Internet (you need lots of infrastructure like this for penetration testing). We found that no TCP ports were allowed outbound from the target network by portscanning our external box from the target machine. :< This made us unhappy, as MOSDEF currently worked only over TCP.

We tried pinging ourselves from the target, and that worked. So there was a way out! But .... we were not Admin or System yet, and the publicly available tools for ICMP tunneling required WinPcap, which we don't want to install on a target even if we DO have admin. It's just more likely to crash the host than work properly. So we thought for a while, then Bas sat down and coded up an ICMP to TCP proxy for Windows that did not require Admin privs using the Windows ICMP API! Hooray! Now we can get MOSDEF connectivity, kill our stuck process after running local roots, and so forth. Sadly, this machine had all its RPC interfaces already crashed, which makes it hard to get local Admin using RPC exploits.

As we're working, we notice someone from another country log onto the machine using the same WebDAV vulnerability (we assume). We clean up, and inform the client and are done. Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put into CANVAS, and now everyone has it.

The end.

-dave

On Fri, Dec 19, 2008 at 6:10 PM, Kevin P Biggs <kbiggs81 () gmail com> wrote:
What does everyone consider the best pen tool for testing web servers? I have tried Nessus. What tool(s) do you recommend?
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
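The chain Dave describes (PROPFIND listings, a PUT that succeeds, a COPY to a script extension, then a request for the new .asp) leaves a distinctive trail in the web server's own logs. The following is an added detection example, not code from the thread or from CANVAS; the W3C extended log sample, its field subset and the client addresses are constructed for illustration.

```python
"""Flag the WebDAV write/execute pattern from the story in IIS W3C extended logs."""
from collections import defaultdict

# Constructed sample log (not from the original post); only a subset of W3C fields.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-12-19 10:01:02 198.51.100.7 GET /default.htm 200
2008-12-19 10:01:05 198.51.100.7 PROPFIND / 207
2008-12-19 10:01:09 198.51.100.7 PROPFIND /images/ 207
2008-12-19 10:02:11 198.51.100.7 PUT /upload/hi.html 201
2008-12-19 10:02:15 198.51.100.7 PUT /upload/hi.asp 403
2008-12-19 10:02:20 198.51.100.7 COPY /upload/hi.html 201
2008-12-19 10:02:25 198.51.100.7 GET /upload/hi.asp 200
2008-12-19 10:03:00 203.0.113.9 PROPFIND /secret/ 401
"""

# WebDAV methods that change server content; a 2xx on any of them means write access.
WRITE_METHODS = {"PUT", "COPY", "MOVE", "DELETE", "MKCOL"}
SCRIPT_EXT = (".asp", ".aspx", ".asa")


def parse_w3c(text):
    """Yield one dict per record, using the #Fields: directive as the header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        yield dict(zip(fields, line.split()))


def find_findings(text):
    """Return (client, finding, uri) tuples, in log order."""
    findings = []
    wrote = defaultdict(set)  # client -> directories it successfully wrote into
    for rec in parse_w3c(text):
        ip, method, uri = rec["c-ip"], rec["cs-method"], rec["cs-uri-stem"]
        status = int(rec["sc-status"])
        directory = uri.rsplit("/", 1)[0] + "/"
        if method == "PROPFIND" and status == 207:       # 207 Multi-Status = listing served
            findings.append((ip, "propfind-listing", uri))
        elif method in WRITE_METHODS and 200 <= status < 300:
            wrote[ip].add(directory)                      # COPY/MOVE log the source, not Destination
            findings.append((ip, "dav-write", uri))
        elif method == "GET" and status == 200 and uri.lower().endswith(SCRIPT_EXT):
            if directory in wrote[ip]:                    # script fetched from a dir this client wrote to
                findings.append((ip, "script-after-write", uri))
    return findings


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOG):
        print(f)
```

Standard IIS logging does not record the Destination header of COPY/MOVE, so the rename to hi.asp is only inferred from the later successful GET of a script in a directory the same client wrote to.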