Penetration Testing mailing list archives
RE: Penetration test of 1 IP address
From: "John Forristel (SunGard-Chico)" <John.Forristel () sungardbi-tech com>
Date: Thu, 9 Feb 2006 09:09:52 -0800
Dave, You are absolutely correct. My only thought here was they may be misdirecting him away from a potential way in, and I didn't want him to get bogged down on that one clue. If he can look around and gain higher privileged access, so much the better. The other thing that crossed my mind was that he is new at this, and probably doesn't know the more technical ways of getting in. From his message, it almost appeared that his manager wanted to see what he could find out about a server. Go ahead and suggest it as a further method of getting information from the machine. Once he goes through the box, he should learn that kind of penetration as well. John John Forristel Network Security Analyst SunGard Bi-Tech -----Original Message----- From: Dave [mailto:dlaud.flux () gmail com] Sent: Thursday, February 09, 2006 8:14 AM To: pen-test () securityfocus com Subject: Re: Penetration test of 1 IP address John Forristel (SunGard-Chico) wrote:
WebBlaze is a way for lawyers to share documents. As Dave mentioned, scan the machine with nmap, Nessus, and other tools. Be careful with Brutus, you can lock out accounts very quickly and your information is logged for all to see. WebBlaze is a webform, not a listening
protocol,
so it may be that the software is using a local database to store login information. Try gaining access without using WebBlaze.
May I ask why you recommended trying to gain access without using webblaze? As you said previously, weblaze could be using a database to hold valuable information etc... doesnt *possible* SQL injection come into mind? The pen tester could potentially get a wealth of information even if the box cant be cracked.
Then look on the website for the company you are trying to penetrate. Email addresses make for good login material. Check to see if there is a default password for WebBlaze and try that.
My $1.32 (2 cents + inflation) John Forristel Network Security Analyst SunGard Bi-Tech "You don't have to lie to me, we aren't married."
------------------------------------------------------------------------ ------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 ------------------------------------------------------------------------ ------- ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Re: Penetration test of 1 IP address, (continued)
- Re: Penetration test of 1 IP address Sugiowono (Feb 09)
- RE: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- RE: Penetration test of 1 IP address Sels, Roger (Feb 09)
- RE: Penetration test of 1 IP address Anders Thulin (Feb 09)
- RE: Penetration test of 1 IP address Edmond Chow (Feb 09)
- RE: Penetration test of 1 IP address John Forristel (SunGard-Chico) (Feb 09)
- Re: Penetration test of 1 IP address Dave (Feb 09)
- RE: Penetration test of 1 IP address Clemens, Dan (Feb 09)
- RE: Penetration test of 1 IP address Edmond Chow (Feb 10)
- Re: Penetration test of 1 IP address thomas springer (Feb 10)
- RE: Penetration test of 1 IP address John Forristel (SunGard-Chico) (Feb 09)
- RE: Penetration test of 1 IP address Levenglick, Jeff (Feb 09)
- Message not available
- Fwd: Penetration test of 1 IP address Brian Loe (Feb 09)
- Re: Fwd: Penetration test of 1 IP address Justin Seitz (Feb 09)
- Message not available
- RE: Penetration test of 1 IP address Beau Mersereau (Feb 09)
- RE: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- Re: Fwd: Penetration test of 1 IP address Bob Radvanovsky (Feb 09)
- Re: Fwd: Penetration test of 1 IP address pagvac (Feb 09)
- RE: Penetration test of 1 IP address Navroz Shariff (Feb 09)
- Re: Penetration test of 1 IP address Ratna Kumar (Feb 10)
- RE: Penetration test of 1 IP address Levenglick, Jeff (Feb 10)