Security Basics mailing list archives

Re: Pen-Testing New Server - Where to start?


From: Security <security () gridrunners com>
Date: Tue, 13 Nov 2007 21:44:34 -0600

Good ideas! Here are some of my (out of order) thoughts:

0.) Jamming through the code sounds interesting, but at the present moment would seem to be counterproductive (see number 1 below). Maybe once I get better at C... (I'm a PHP developer ATM.)

1.) I used to write in C/C++ but it's been a long time. I should pick it up again, and start learning the more advanced workings of the language. I've got a book on C#, and am learning Python, so hopefully those will be useful. (I'm running Linux though, so I'll need Mono for C#.)

2.) I ran a nessus scan of the system and it returned information about pop3/imap vulns, apache webserver vulns, and DNS vulns. The only one I can consider exploitable ATM is the webserver, though I need to learn more about XSS and exploiting TRACE for info.

3.) Default usernames/passwords are a good idea, but since I own the box I can't justify pretending to guess passwords. (A good tip for pen-testing other systems, though.)

4.) As for user-land apps, I'm assuming you're talking about PHP scripts and the like... Of which I have none (yet). Maybe I should do some default-installs of various software (phpbb, etc) and play with breaking that. Again, XSS is something I need to jump into.

5.) Though "Hackers" was a fun flick, I doubt I'll be flying around databases with blinking garbage files filled with fractals any time soon. ;-)

Thanks for the tips! If you know of any other good websites to research from (other than Securityfocus and milw0rm) I'd like to know!

Again, thanks.

~Xor

Serg B wrote:
Unless you want to start reading source code (recommended) and hunting
for some 0-days I suggest thinking a little higher than the underlying
server infrastructure.

For example, you can enumerate services (name, version number, etc.)
and search for some exploits that could work on those ports. Also try
some default usernames and passwords, etc. Common configuration errors
are always fun. Brute-forcing is not going to teach you much so in my
opinion you could skip that altogether.

In regards to "thinking higher" (most of the time this is how an
attacker gets access) you could smoke a joint (thinking higher, get
it, get it, ha-ha) and enumerate user-land applications (i.e. those
running on the HTTP port) and try to exploit them. Remember that
gaining access does not necessarily mean you are going to execute an
exploit and you're in. XSS and session hijacking could very well get
you an account, as well as phishing, etc. So look for all
vulnerabilities, not just those that you saw in Hackers (movie).

Great starting points in my opinion are:

Learn to program (strongly recommended if you don't know already).
   C (at a minimum)
   Java/C# (pick one, same shit)
   Python/Perl/PHP (pick one, depending on what you want to do).

Read www.owasp.org (reference section).


   Cheers,
      Serg

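Two of the ideas in this exchange, enumerating a service's name and version from its banner, and checking whether the web server answers TRACE and reflects request headers (the "exploiting TRACE for info" point, i.e. cross-site tracing), as an added, self-contained example that is not part of the original thread and not code from either poster. It starts a throwaway local HTTP server whose Server banner (Apache/2.2.6) and enabled TRACE handler are assumptions constructed for the example, not a description of the poster's box; the client side then grabs the banner and sends a TRACE carrying a cookie to see whether it comes back in the body.

```python
"""Added example (not from the original thread): banner enumeration plus a
TRACE reflection check against a deliberately misconfigured local server.

The server below is a stand-in written for this example: it advertises an
assumed banner and leaves TRACE enabled so that the check has something
to find. A real target that returns 405/501 to TRACE, or whose echo omits
the Cookie header, is not leaking anything this way.
"""
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer


class TracingHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for a server with TRACE left on."""
    server_version = "Apache/2.2.6"   # assumed banner, chosen for the example
    sys_version = "(Unix)"

    def do_GET(self):
        body = b"hello\n"
        self.send_response(200)          # send_response also emits the Server header
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_TRACE(self):
        # TRACE echoes the request line and headers back as message/http;
        # that echo is what lets a script read a cookie it is not allowed to see.
        echoed = f"{self.command} {self.path} {self.request_version}\r\n"
        echoed += "".join(f"{k}: {v}\r\n" for k, v in self.headers.items())
        body = echoed.encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):        # keep the example quiet
        pass


def start_server():
    """Bind the stand-in on 127.0.0.1 with an OS-chosen port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), TracingHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


BANNER_RE = re.compile(r"^([A-Za-z][\w.-]*)/(\d[\w.-]*)")


def parse_banner(server_header):
    """Split a Server header such as 'Apache/2.2.6 (Unix)' into (product, version).
    Servers that hide the version ('Apache') yield (product, None)."""
    text = server_header.strip()
    m = BANNER_RE.match(text)
    if m:
        return m.group(1), m.group(2)
    product = text.split()[0] if text else ""
    return product, None


def enumerate_http(host, port):
    """Step 1: service enumeration, here just the HTTP Server banner via a GET."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", "/")
    resp = conn.getresponse()
    resp.read()
    banner = resp.getheader("Server", "")
    conn.close()
    return parse_banner(banner)


def trace_reflects_cookie(host, port, cookie="session=s3cr3t"):
    """Step 2: send TRACE with a cookie and report whether the body echoes it.
    False on any non-200 status (TRACE disabled) or when the echo lacks the cookie."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("TRACE", "/", headers={"Cookie": cookie})
    resp = conn.getresponse()
    body = resp.read().decode(errors="replace")
    conn.close()
    if resp.status != 200:
        return False
    return cookie in body


if __name__ == "__main__":
    srv, port = start_server()
    try:
        print("service:", enumerate_http("127.0.0.1", port))
        print("TRACE reflects cookie:", trace_reflects_cookie("127.0.0.1", port))
    finally:
        srv.shutdown()
```

The same two functions work against a real host by swapping in its address; the only difference from a scanner's output is that this reports the raw evidence (the parsed banner and whether the cookie actually came back) rather than a canned finding, which is the part worth understanding before trusting a Nessus line item.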
