Penetration Testing mailing list archives
Re: Penetration Testing a Firewalled Network
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Fri, 9 Jun 2006 16:39:52 +0200 (CEST)
Hey pen-testers,

On Tue, 6 Jun 2006, David M. Zendzian wrote:

> What is running on the web server? Maybe you can gain some info about the environment through there first.

As a side note, speaking about NAT'ed web servers, it's sometimes possible to infer their real (private) IP address, either testing the applications or the underlying web server software. YMMV.

For instance, here are a few quite popular techniques to exploit this kind of information leak on the Microsoft-IIS platform:

1) Regular GET technique.

    $ telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET / HTTP/1.0

    HTTP/1.1 200 OK
    Content-Length: 3033
    Content-Type: text/html
    Content-Location: http://10.10.0.209/index.htm
    Last-Modified: Thu, 23 Feb 2006 09:34:50 GMT
    Accept-Ranges: bytes
    ETag: "393fd8645c38c60:304"
    Server: Microsoft-IIS/6.0
    X-Powered-By: ASP.NET
    MicrosoftOfficeWebServer: 5.0_Pub
    Date: Fri, 09 Jun 2006 14:22:34 GMT
    Connection: close
    [...]

2) GET /images technique.

    $ telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    GET /images HTTP/1.0

    HTTP/1.1 302 Object Moved
    Location: http://10.10.1.100/images/
    Server: Microsoft-IIS/5.0
    Content-Type: text/html
    Content-Length: 178
    [...]

3) WebDAV PROPFIND technique.

    $ telnet x.x.x.x 80
    Trying x.x.x.x...
    Connected to x.x.x.x.
    Escape character is '^]'.
    PROPFIND / HTTP/1.1
    Host:
    Content-Length: 0

    HTTP/1.1 207 Multi-Status
    Server: Microsoft-IIS/5.0
    Date: Tue, 06 Jun 2006 12:57:37 GMT
    Content-Type: text/xml
    Transfer-Encoding: chunked

    319
    <?xml version="1.0"?><a:multistatus xmlns:b="urn:uuid:c2f42010-65b3-11d1-a39f-00aa00c13882/" xmlns:c="xml:" xmlns:a="DAV:"><a:response><a:href>http://10.10.1.100/</a:href><a:propstat><a:status>HTTP/1.1 200 OK</a:status>
    [...]

These are just a few hints: you can find more information leaks (especially related to WebDAV) googlin' around a bit.

Have a nice week-end,

--
Marco Ivaldi
Antifork Research, Inc.   http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
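Added example (not part of the post above or of any project it mentions): a small checker a server owner can run over their own captured responses to confirm that none of the three leak points Marco lists (Content-Location on GET /, Location on a redirect, the DAV href in a PROPFIND reply) echo a private address instead of the public hostname. The sample responses are constructed from the sessions quoted in the post; a real chunked body would need de-chunking before the scan.

```python
import ipaddress
import re

# Headers and body fields where the post shows IIS echoing its own address.
LEAKY_HEADERS = ("content-location", "location")
URL_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?=[:/]|$)")
HREF_RE = re.compile(r"<(?:\w+:)?href>\s*(https?://[^<\s]+)\s*</(?:\w+:)?href>", re.I)


def _private_ip(url):
    """Return the host IP of url if it is RFC 1918 / loopback / link-local, else None."""
    m = URL_RE.match(url.strip())
    if not m:
        return None          # hostname or non-IPv4 literal: nothing to flag
    try:
        addr = ipaddress.ip_address(m.group(1))
    except ValueError:
        return None          # malformed dotted quad (e.g. 10.10.999.1)
    return str(addr) if addr.is_private else None


def find_private_ip_leaks(raw_response):
    """Scan one raw HTTP response (status line, headers, body) and return a
    list of (source, ip) pairs for every private address found in a
    Location/Content-Location header or a WebDAV <href> element."""
    head, _, body = raw_response.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, sep, value = line.partition(":")      # split on the first colon only
        if sep and name.strip().lower() in LEAKY_HEADERS:
            ip = _private_ip(value)
            if ip:
                leaks.append((name.strip(), ip))
    for href in HREF_RE.findall(body):              # PROPFIND 207 Multi-Status bodies
        ip = _private_ip(href)
        if ip:
            leaks.append(("DAV:href", ip))
    return leaks


# Constructed responses modelled on the three telnet sessions in the post.
GET_ROOT = ("HTTP/1.1 200 OK\r\nContent-Length: 3033\r\nContent-Type: text/html\r\n"
            "Content-Location: http://10.10.0.209/index.htm\r\nServer: Microsoft-IIS/6.0\r\n\r\n<html>")
GET_IMAGES = ("HTTP/1.1 302 Object Moved\r\nLocation: http://10.10.1.100/images/\r\n"
              "Server: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n\r\n")
PROPFIND = ("HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/xml\r\n\r\n"
            '<?xml version="1.0"?><a:multistatus xmlns:a="DAV:"><a:response>'
            "<a:href>http://10.10.1.100/</a:href></a:response></a:multistatus>")
# A server configured with its public name leaks nothing (constructed, example.com).
CLEAN = "HTTP/1.1 302 Object Moved\r\nLocation: http://www.example.com/images/\r\n\r\n"
```

Feed it the bytes captured from a GET /, a GET /images and a PROPFIND / against your own public address; an empty list for all three means the NAT'ed server no longer gives away its internal IP.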