Penetration Testing mailing list archives

RE: Pen testing web servers


From: "Shenk, Jerry A" <jshenk () decommunications com>
Date: Mon, 22 Dec 2008 09:00:34 -0500

I think stories like this are helpful...helps remind everyone of the
need to methodically go through all the "simple stuff".  I remember an
old song, "Little Things Mean a Lot"...not sure how I know that song 'cuz
it's older than I am;)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Dave Aitel
Sent: Saturday, December 20, 2008 8:09 AM
To: Kevin P Biggs
Cc: pen-test () securityfocus com; dailydave
Subject: Re: Pen testing web servers

So here's a story of a recent penetration test on a web server we did.
Technically, it was 3 web servers - but let's run with it.

So first, we did all the basic scanning against it. It's IIS 5, so you have
to look for old buffer overflows you know aren't there. Then Bas got wrapped
into webdav for some reason. He was playing with PROPFIND and got a
directory listing of one of the server's /'s. Then, on a lark, he wrote up a
tool that checked for PROPFIND listings on every other server and every
directory - which, much to my surprise, found another one.

So there we are, with some directory listings! Hooray! But we wanted a shell.

So I told him to check for PUT uploads, but at the same time, I told him
they were a myth, like dragons or Santa Claus or dolphins. I'd heard about
people seeing it, but I'd never in all my years of IIS 5 pen tests ever seen
it. So he modified his script and checked to see if he could upload hi.html.
And lo and behold on one lonely directory on one of the web servers, he could!

So that was pretty cool. Now we can do XSS easily! Hooray!

But we wanted a shell. So he tried uploading hi.asp, an ASP shell. But no
go. So then he tried uploading hi.html and then using WebDAV to copy it to
hi.asp, which worked. Then we could request hi.asp and get a shell!

So then the next step for us is to upload a MOSDEF callback and get a CANVAS
node running. This failed and froze the entire ASP process. So now no ASP
files would run. It was very upsetting, as you can imagine. Remember to
always use "start" to run programs that might freeze your ASP shell!

Our next step was to think for a while, and then we uploaded an ASP.Net file
that also got us a shell. Luckily for us this server also had ASP.Net
support. So once that was done, we did some recon by having MOSDEF call back
to us to a server outside our network on the real Internet (you need lots of
infrastructure like this for penetration testing). We found that no TCP
ports were allowed outbound from the target network by portscanning our
external box from the target machine. :< This made us unhappy, as MOSDEF
currently worked only over TCP.

We tried pinging ourselves from the target, and that worked. So there was a
way out! But .... we were not Admin or System yet, and the publicly
available tools for ICMP tunneling required winpcap, which we don't want to
install on a target even if we DO have admin. It's just more likely to crash
the host than work properly.

So we thought for a while, then Bas sat down and coded up an ICMP to TCP
proxy for Windows that did not require Admin privs using the Windows ICMP
API! Hooray! Now we can get MOSDEF connectivity, kill our stuck process
after running local roots, and so forth. Sadly, this machine had all its RPC
interfaces already crashed which makes it hard to get local Admin using RPC
exploits. As we're working, we notice someone from another country log onto
the machine using the same webdav vulnerability (we assume). We clean up,
and inform the client and are done.

Afterwards we sent the ICMP Proxy to Justin to finalize, clean up, and put
into CANVAS, and now everyone has it.

The end.

-dave
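A log-side check for the WebDAV chain Dave describes (PROPFIND listing, PUT of a harmless file, COPY to a script extension, then a request for the script), written as an added example that is not part of the original thread or of any Immunity tool. The IIS W3C log lines and client addresses below are constructed; because the COPY Destination header is not recorded in W3C logs, a successful COPY/MOVE that follows a successful PUT from the same client is used as the signal for the rename step.

```python
"""Flag clients that walked the WebDAV listing -> PUT -> COPY -> script chain
in IIS W3C-extended logs. Example code, not from the thread; sample log is
constructed."""
from collections import defaultdict

SCRIPT_EXTS = (".asp", ".aspx")
STAGE_ORDER = ["listing", "upload", "rename-to-script", "script-exec"]

# Constructed sample log; the #Fields header names the columns, as in IIS.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem sc-status
2008-12-19 10:01:02 203.0.113.7 GET /index.html 200
2008-12-19 10:02:10 203.0.113.7 PROPFIND /upload/ 207
2008-12-19 10:02:40 203.0.113.7 PUT /upload/hi.html 201
2008-12-19 10:03:05 203.0.113.7 PUT /upload/hi.asp 403
2008-12-19 10:03:30 203.0.113.7 COPY /upload/hi.html 201
2008-12-19 10:03:45 203.0.113.7 GET /upload/hi.asp 200
2008-12-19 10:05:00 198.51.100.9 PROPFIND /upload/ 207
2008-12-19 10:05:20 198.51.100.9 GET /upload/ 200
"""

def parse_w3c(text):
    """Yield one dict per record; column names come from the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def webdav_chain_stages(text):
    """Return {client_ip: [stages reached]} for clients touching WebDAV."""
    stages = defaultdict(list)
    def add(ip, stage):
        if stage not in stages[ip]:
            stages[ip].append(stage)
    for r in parse_w3c(text):
        ip, method, uri = r["c-ip"], r["cs-method"], r["cs-uri-stem"]
        status = int(r["sc-status"])
        ok = 200 <= status < 300
        seen = stages.get(ip, [])
        if method == "PROPFIND" and status == 207:       # listing served
            add(ip, "listing")
        elif method == "PUT" and ok:                        # upload accepted
            add(ip, "upload")
        elif method in ("COPY", "MOVE") and ok and "upload" in seen:
            add(ip, "rename-to-script")  # Destination not logged; PUT then COPY
        elif method == "GET" and ok and uri.lower().endswith(SCRIPT_EXTS) \
                and "rename-to-script" in seen:
            add(ip, "script-exec")                          # script ran
    return dict(stages)

def alerts(text, min_stage="upload"):
    """Client IPs that got at least as far as min_stage in the chain."""
    need = STAGE_ORDER.index(min_stage)
    return sorted(ip for ip, s in webdav_chain_stages(text).items()
                  if s and max(STAGE_ORDER.index(x) for x in s) >= need)
```

Setting min_stage to "listing" also surfaces clients that only obtained directory listings, which is the earlier signal the story shows a second visitor could have left behind.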



On Fri, Dec 19, 2008 at 6:10 PM, Kevin P Biggs <kbiggs81 () gmail com> wrote:

What does everyone consider the best pen tool for testing web servers?
I have tried Nessus.
What tool(s) do you recommend?


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report

------------------------------------------------------------------------




**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the use of the individual or entity to which 
they are addressed and may contain information that is privileged, proprietary and confidential. If you are not the 
intended recipient, you may not use, copy or disclose to anyone the message or any information contained in the 
message. If you have received this communication in error, please notify the sender and delete this e-mail message. The 
contents do not represent the opinion of D&E except to the extent that it relates to their official business.


