Penetration Testing mailing list archives

Re: [PEN-TEST] How to deal with others' security ?


From: Max Vision <vision () WHITEHATS COM>
Date: Tue, 22 Aug 2000 19:36:25 -0700

On Tue, 22 Aug 2000, Nicolas Gregoire wrote:
My question is simple:
- you have to do a penetration test on a web server.
- you discover that there are virtual hosts on the same box as the web
site you have to check.
first question:
do you know how to learn which virtual hosts are hosted on this machine?
how to obtain authorization to scan these virtual hosts?

You need to get authorization from the owner of the IP address, which is
usually the same as the owner of the physical machine.  If you are stuck
trying to figure out who owns a target in your penetration test, then you
have made a mistake and need to talk to the customer.  Clarification of
ownership should be spelled out in the scanning agreement.

IMHO, security of virtual servers is the responsibility of the ISP and
should be managed by the ISP.  There is probably some language to this
effect in the terms of service agreement between the ISP and the virtual
server customer (your customer).  Since you have not legally entered into
an agreement with the ISP, you could be liable for any activity.  AFAIK,
the virtual host customer can't legally authorize your scan.  (Although I
suppose there is nothing keeping them from paying for it)

Now your other question - there are several ways to find virtual hosts on
a webserver remotely.  A few possible ways are:
 o shell access - game over
 o directory viewing bugs - many vulnerabilities that don't yield access
   do expose directory structure or allow directory browsing on the
   server.  admins often name virtual server dirs after the domain names
   ( classic example of such a bug: /cgi-bin/test-cgi?* * )
 o forward dns domain records - if you have a forward axfr of .com, etc.
   then you can grep for the ip address (this will be partial but good)
 o ftp password file - usually virtual host providers allow management
   via ftp.  I've seen misconfigured passwd stubs sitting around that
   have username:userid and path information - where the path is usually
   the web root directory (named after the website)
   ( connect to anonymous ftp and `get /etc/passwd -`  Example entry:
     vdudes:x:503:500::/web/virtualdudes.com:/etc/ftponly )
 o connect to http://ip.address/ - some virtual hosting providers have
   default "directory" pages listing hosted domains
   ( quick examples: http://209.60.53.26/ or http://205.243.147.102/ )
 o other services like ldap, etc

I know these aren't great options, but the problem is that information
about virtual hosts is only kept in two places by default - forward dns
records, and on the webserver, which requires local access.  Everything
else is a longshot.  I used to keep forward axfr for the entire net, but
it just got too big (!!)  - combined with people wising up and restricting
axfr (I have been giving this advice for a while).

I suppose I could get another axfr and put up a web-searchable database,
taking reverse-dns into the virtual server space... but there will always
be gaps, I don't have the time, and honestly, I couldn't take the heat
right now for the flood of complaints I would surely receive.

I would love to hear other people's experiences or techniques for prying
virtual host information remotely!

Max Vision
http://whitehats.com/
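The two points Max makes that a hosting provider can act on are that a forward zone transfer is the one reliable place the virtual-host mapping lives, and that restricting AXFR closes it.  The script below is an added example for this thread, not code from the original post: it takes a zone dump in the one-record-per-line shape `dig axfr` prints and groups names by address, so an administrator can see exactly which virtual hosts an open transfer of their own zone would hand out, and it scans a BIND `named.conf` fragment for zones that neither set `allow-transfer` themselves nor inherit one from the `options` block (BIND permits transfers from anywhere when the directive is absent).  The zone records, the hostnames and the `named.conf` text are constructed samples using documentation addresses.

```python
"""Audit what an open DNS zone transfer would reveal about shared (virtual)
hosts, and check a BIND named.conf fragment for missing allow-transfer.

Added example for this mailing-list thread; not code from the original post.
All names, addresses (RFC 5737 documentation ranges) and config text below
are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample in the one-record-per-line form `dig axfr` prints.
SAMPLE_AXFR = """\
example.com.            3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.            3600 IN NS   ns1.example.com.
ns1.example.com.        3600 IN A    192.0.2.1
www.example.com.        3600 IN A    192.0.2.10
shop.example.com.       3600 IN A    192.0.2.10
blog.example.com.       3600 IN A    192.0.2.10
mail.example.com.       3600 IN A    192.0.2.20
store.example.com.      3600 IN CNAME shop.example.com.
"""

# Constructed named.conf fragment: one zone restricted, one left at the default.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
zone "example.net" {
    type master;
    file "example.net.zone";
    allow-transfer { 192.0.2.2; };
};
"""

# owner  TTL  IN  (A|CNAME)  rdata  -- other record types are skipped.
RECORD_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(A|CNAME)\s+(\S+)\s*$", re.M)


def hosts_by_address(zone_text):
    """Map each IPv4 address to the sorted names that resolve to it.
    A CNAME is followed one hop to an A record inside the same zone."""
    a_records, cnames = {}, {}
    for name, rtype, target in RECORD_RE.findall(zone_text):
        (a_records if rtype == "A" else cnames)[name] = target
    groups = defaultdict(set)
    for name, addr in a_records.items():
        groups[addr].add(name)
    for alias, target in cnames.items():
        if target in a_records:
            groups[a_records[target]].add(alias)
    return {addr: sorted(names) for addr, names in groups.items()}


def shared_addresses(zone_text, minimum=2):
    """Addresses carrying at least `minimum` names: the virtual-hosting
    candidates an open AXFR reveals to anyone who asks."""
    return {addr: names for addr, names in hosts_by_address(zone_text).items()
            if len(names) >= minimum}


def _top_level_blocks(conf_text):
    """Yield (header, body) for each top-level `header { body };` block,
    tracking brace depth so nested statements stay inside their block."""
    header, buf, depth = "", [], 0
    for ch in conf_text:
        if ch == "{":
            if depth == 0:
                # Drop the trailing ';' and whitespace left by the previous block.
                header = "".join(buf).strip().lstrip(";").strip()
                buf = []
            else:
                buf.append(ch)
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, "".join(buf)
                buf = []
            else:
                buf.append(ch)
        else:
            buf.append(ch)


def unrestricted_transfer_zones(conf_text):
    """Names of zones with no allow-transfer of their own and none inherited
    from `options`; with no directive anywhere BIND allows AXFR from any host."""
    global_restricted, unrestricted = False, []
    for header, body in _top_level_blocks(conf_text):
        restricted = "allow-transfer" in body
        if header == "options":
            global_restricted = restricted
        elif header.startswith("zone") and not restricted:
            unrestricted.append(header.split('"')[1])
    return [] if global_restricted else unrestricted


if __name__ == "__main__":
    for addr, names in shared_addresses(SAMPLE_AXFR).items():
        print(f"{addr} serves {len(names)} names: {', '.join(names)}")
    print("zones with unrestricted AXFR:", unrestricted_transfer_zones(SAMPLE_NAMED_CONF))
```

Run against a real dump, the first function answers Max's "grep for the ip address" question for a zone you administer, and the second is the quick check behind his advice to restrict axfr; a clean result is an empty list from `unrestricted_transfer_zones`.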
