Penetration Testing mailing list archives
Re: [PEN-TEST] How to deal with others' security ?
From: Max Vision <vision () WHITEHATS COM>
Date: Tue, 22 Aug 2000 19:36:25 -0700
On Tue, 22 Aug 2000, Nicolas Gregoire wrote:
> My question is simple :
> - you have to do a penetration test on a web server.
> - you discover that there are virtual hosts on the same box as the web site you have to check.
>
> First question : do you know how to learn which virtual hosts are hosted on this machine? How to obtain authorization to scan these virtual hosts?
You need to get authorization from the owner of the IP address, which is usually the same as the owner of the physical machine. If you are stuck trying to figure out who owns a target in your penetration test, then you have made a mistake and need to talk to the customer. Clarification of ownership should be spelled out in the scanning agreement.

IMHO, security of virtual servers is the responsibility of the ISP and should be managed by the ISP. There is probably some language to this effect in the terms of service agreement between the ISP and the virtual server customer (your customer). Since you have not legally entered into an agreement with the ISP, you could be liable for any activity. AFAIK, the virtual host customer can't legally authorize your scan. (Although I suppose there is nothing keeping them from paying for it.)

Now your other question - there are several ways to find virtual hosts on a webserver remotely. A few possible ways are:

o shell access - game over

o directory viewing bugs - many vulnerabilities that don't yield access do expose directory structure or allow directory browsing on the server. Admins often name virtual server dirs after the domain names. (Classic example of such a bug: /cgi-bin/test-cgi?* *)

o forward dns domain records - if you have a forward axfr of .com, etc. then you can grep for the ip address (this will be partial but good)

o ftp password file - usually virtual host providers allow management via ftp. I've seen misconfigured passwd stubs sitting around that have username:userid and path information - where the path is usually the web root directory (named after the website). (Connect to anonymous ftp and `get /etc/passwd -`. Example entry: vdudes:x:503:500::/web/virtualdudes.com:/etc/ftponly)

o connect to http://ip.address/ - some virtual hosting providers have default "directory" pages listing hosted domains (quick examples: http://209.60.53.26/ or http://205.243.147.102/)

o other services like ldap, etc.

I know these aren't great options, but the problem is that information about virtual hosts is only kept in two places by default - forward dns records, and on the webserver, which requires local access. Everything else is a longshot.

I used to keep forward axfr for the entire net, but it just got too big (!!) - combined with people wising up and restricting axfr (I have been giving this advice for a while). I suppose I could get another axfr and put up a web-searchable database, taking reverse-dns into the virtual server space.. but there will always be gaps, I don't have the time, and honestly, I couldn't take the heat right now for the flood of complaints I would surely receive.

I would love to hear other people's experiences or techniques for prying virtual host information remotely!

Max Vision
http://whitehats.com/
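The forward-dns grep above, turned into the scoping check Max says belongs in the agreement, as an added example that is not part of the original post: it groups every name in a zone listing by the address it finally resolves to (following CNAMEs), so co-tenants sharing an authorized IP are visible before anything is scanned, and separates addresses that fall outside the agreed CIDRs. The zone listing, hostnames, addresses and the `authorized_cidrs` argument are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
# Constructed sample zone listing (documentation-range addresses, not real hosts).
ZONE_RECORDS = """
www.example-client.test.   A      198.51.100.10
mail.example-client.test.  A      198.51.100.11
shop.other-tenant.test.    A      198.51.100.10
blog.other-tenant.test.    CNAME  shop.other-tenant.test.
www.third-party.test.      A      203.0.113.5
"""

def parse_zone(text):
    """Split a minimal 'name TYPE value' listing into A and CNAME maps."""
    a_records, cnames = {}, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        name, rtype, value = parts
        if rtype == "A":
            a_records[name] = value
        elif rtype == "CNAME":
            cnames[name] = value
    return a_records, cnames

def resolve(name, a_records, cnames, depth=0):
    """Follow CNAME chains to an A record; None if dangling or looping."""
    if depth > 8 or (name not in a_records and name not in cnames):
        return None
    if name in a_records:
        return a_records[name]
    return resolve(cnames[name], a_records, cnames, depth + 1)

def hosts_by_ip(zone_text):
    """Group every name in the zone by the address it finally resolves to."""
    a_records, cnames = parse_zone(zone_text)
    groups = defaultdict(set)
    for name in list(a_records) + list(cnames):
        ip = resolve(name, a_records, cnames)
        if ip:
            groups[ip].add(name)
    return dict(groups)

def scope_report(zone_text, authorized_cidrs):
    """Separate co-hosted names by whether their IP is inside the agreed scope."""
    nets = [ipaddress.ip_network(c) for c in authorized_cidrs]
    in_scope, out_of_scope = {}, {}
    for ip, names in hosts_by_ip(zone_text).items():
        bucket = in_scope if any(ipaddress.ip_address(ip) in n for n in nets) else out_of_scope
        bucket[ip] = sorted(names)
    return in_scope, out_of_scope
```

Any name listed under an in-scope address that belongs to a different domain than the customer's is exactly the co-tenant case to raise with the customer and the ISP before scanning.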