Re: Penetration test of 1 IP address

[Christine Kronberg <Christine_Kronberg () genua de>]

On Wed, 8 Feb 2006, Dave wrote:
> > To all:
> >
> > I have been asked to perform a security audit of 1 IP address for client.
> > They have given me the 1 IP address and a clue (webblaze).
> >
> > If I enter the IP address and then /webblaze, I am taken to a login page
> > (user name and password requested).
> >
> > What tools would you recommend that I use for this assignment?
> nmap and nessus will tell you more about the IP and what other services are

  I'm not so much impressed by using nessus. In most cases I archieve
  more by using nmap, telnet and brain. Might be due to the fact the
  last couple of pen-tests were against computers pretty much protected.
  For the original poster as a starting I recommend using nmap to see
  whether other ports on that host are available.

> running that you might be able to exploit. If they just want you to test the 
> strength of the webpage login then possibly using Brutus will reveal weak 
> passwords etc... although this is generally a bad idea. Right off hand, I 
> cant look now, but webblaze may be a publicly available script...download it 
> and check the source for any possible coding errors that could be exploited.

  Before you can exploit a possible weakness you have to bypass the
  authentication. If this can be done depends on the type of
  authentication.

  Searching for weak password is certainly a way to go. But: If you
  don't have any username to start, you must use a list of common
  usernames and a list of weak passwords. Ok, no problem to get those
  lists. But you have to test each password foreach user. That consumes
  a good deal of time. If you are not allowed to harm the computer by
  filling up the logfiles whatever this does to the node, you are very
  limited. Example: I did that for a customer a while ago. First step
  was to get some probable usernames from google. Found about 100.
  Now, my private password list has about 12 Mio entries. Stripping
  them down to a maximum of 8 characters left about 4.5 Mio entries.
  Using hydra with abount 180 tries/min gives:
             100 x 4.5Mio /180  = 1736 days.
  No way to go. So you need to use a very small password lists (really
  easy passwords). But then it is highly unlikely that you find something.
  I ended up calculating my paramters for a runtime of 5 hours.

  I remember the thread about password cracking a while back pretty well.
  But I wonder: How many of you do this over the net? Not having any
  username to check on? It is one thing to have an encrypted password
  list, it is completely different to have nothing at all.

  Cheers,


                                                  Christine Kronberg.

--
GeNUA mbH


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------