Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Penetration test of 1 IP address

From: "Ivan ." <ivanhec () gmail com>
Date: Thu, 9 Feb 2006 14:31:58 +1100
Hi Edmond,

You could always start with a brute force attack on the login.

Try these tools
ObiWaN - http://www.phenoelit.de/fr/tools.html
Hydra - http://thc.org/download.php?t=r&f=hydra-5.2-src.tar.gz
Brutus - 
http://www2.packetstormsecurity.org/cgi-bin/search/search.cgi?searchvalue=brutus&type=archives&%5Bsearch%5D.x=0&%5Bsearch%5D.y=0

google
http://www.google.com.au/search?hl=en&q=brute+force+web+logins&btnG=Google+Search&meta=

cheers
Ivan

On 2/9/06, Erin Carroll <amoeba () amoebazone com> wrote:

List members,

I allowed this question through even though it is, at it's heart, a very
basic question that should have gone to security-basics or some other
relavent list. My goal in doing so was to hopefully garner responses which
would show Edmond and other less-experienced pen-testers the thought
processes behind how professionals break down engagements into various
segments and proceed with what is, to many of us, a simple and non-complex
task. If this task was assigned to you how would you proceed? Why would you
use the methods or tools chosen and how would your approach change based on
the data you were able to collect? Maybe my method of approaching this would
be radically different than yours. Maybe I might learn something I hadn't
thought to try from this discussion. Sometimes the most basic questions can
produce the most interesting discussions. So far, most of the reponses
received on Edmond's email have been... not very professional.

<rant> I spend a fair amount of time every day in weeding through enormous
buckets of spam and submissions looking for things that would interest list
subscribers and adhere to the focus on pen-testing. Not all of the
submissions are areas everyone has interest in or are things we've seen
previously (rainbow tables again Mom?) but I'm constantly surprised by the
level and breadth of knowledge shared here. I don't blindly approve
submissions willy-nilly. I will very occassionally allow more basic
questions through because sometimes the responses bring out some gem of
knowledge from our more experienced members. If you have an issue with
something posted to the list please provide me with some feedback (aka
complain to me, I wear asbestos underoos). Replying with the something
equivalent to "HAHA n00b! U Suxx0r!" is not something I condone or will
allow on the list. To paraphrase an email last year from Al Huger prior to
my taking over moderation duties: "If you can't say something nice, don't
bother saying anything." </rant>

So how bout it gang? You've been given some basic information on a target
IP. It's running HTTP. It also has a login/password prompt. Where do you go
from here and what information do you look for next?


--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"



-----Original Message-----
From: Edmond Chow [mailto:echow () videotron ca]
Sent: Tuesday, February 07, 2006 10:45 PM
To: 'Michael Gargiullo'; pen-test () securityfocus com
Cc: 'Edmond Chow'
Subject: RE: Penetration test of 1 IP address




To all:

I have been asked to perform a security audit of 1 IP address
for client.
They have given me the 1 IP address and a clue (webblaze).

If I enter the IP address and then /webblaze, I am taken to a
login page (user name and password requested).

What tools would you recommend that I use for this assignment?

Thanks for your help.

Regards,


Edmond


--------------------------------------------------------------
----------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking
applications on your website. Up to 75% of cyber attacks are
launched on shopping carts, forms, login pages, dynamic
content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website
for vulnerabilities to SQL injection, Cross site scripting
and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
--------------------------------------------------------------
-----------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.2/253 - Release
Date: 2/7/2006




--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.375 / Virus Database: 267.15.2/253 - Release Date: 2/7/2006



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------




------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: