zeldor.biz

Linux, programming and more

Copyright © 2025

Penetration Testing

September 7, 2011 by Igor Drobot

Penetration testing (pentest) is very important for development and production environments; unfortunately many people forget that and play with fire.

A pentest is a method of evaluating the security of a server, its services and the hardware devices around it.
The analysis is carried out from the position of a potential attacker; in this case the attacker is a white hat, and the test can involve active exploitation of security vulnerabilities.

The first step of penetration testing is to gather information about the target infrastructure:

– How many servers they have
– Who is hosting them (Provider)
– Routing information
– Technical Contact Name (Tech-C)
– Domain Name System
– Firewall (Software | Hardware)
– IPv4 addresses
– IPv6 addresses
– Open Ports
– Running Services

This post is based on a real penetration test of a hosting provider.

I got a list of all the servers that I was allowed to test:
78.47.220.105 hosting.rootpfad.org
78.47.220.106 mysql.rootpfad.org
78.47.220.107 mail.rootpfad.org
78.47.220.108 services.rootpfad.org
78.46.108.171 smugglers.rootpfad.org

After collecting this information you can start testing the hosts and services.

Useful tools for the test:
– dig (look up information in the DNS)
– mtr (network diagnostic tool combining traceroute and ping)
– ping (reachability test for an IP address or domain)
– nmap (port and security scanner)
– whois (query domain and IP owner information)
– amap (application protocol detection tool)
– fpdns (remotely determines DNS server software and version)
– nikto (web server vulnerability scanner)
– sslscan (determines which SSL/TLS ciphers are supported)
– traceroute (path and connectivity analyzer)

Let's start the test!
Checking open ports with nmap (-A turns on version and OS detection, -PN skips host discovery so hosts that drop ICMP are still scanned). The "Pingable" line records whether the host answered ping; it is not nmap output.
Nmap tests:

nmap 78.47.220.105 -A -PN
21/tcp  open  ftp      ProFTPD
80/tcp  open  http     Apache httpd
443/tcp open  ssl/http Apache httpd
Pingable

nmap 78.47.220.106 -A -PN
Everything closed
Pingable

nmap 78.47.220.108 -A -PN
80/tcp  open  http     Apache httpd 2.2.14 ((Ubuntu))
443/tcp open  ssl/http Apache httpd 2.2.14 ((Ubuntu))
Pingable

nmap 78.46.108.171 -A -PN
443/tcp open  ssl/https
Pingable

nmap 78.47.220.107 -A -PN
25/tcp  open   smtp       Postfix smtpd
143/tcp closed imap
465/tcp open   ssl/smtp   Postfix smtpd
587/tcp open   smtp       Postfix smtpd
993/tcp open   ssl/imap
995/tcp open   ssl/pop3s?
Pingable

– Connections to port 143 are refused with a RST (nmap: closed): nothing listens there, but the port is not filtered by a firewall either
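The comparison done by eye above, as an added example that is not part of the original post: a small Python script that parses nmap's grepable output (-oG) and compares it with the list of services the customer agreed to expose. It flags open ports that are not in the inventory, ports that answer with a RST instead of being filtered (the port 143 case), banners that disclose a version number, and agreed services that did not show up. The embedded scan output is constructed to mirror the results above, not a real capture, and the EXPECTED inventory is an assumption.

```python
"""Parse nmap grepable output (-oG) and compare it with the service inventory
agreed for the test. Added example, not from the post; SAMPLE_GREPABLE is
constructed to mirror the post's scan results and EXPECTED is an assumed
inventory."""
import re
from dataclasses import dataclass, field

# Constructed -oG output for the five hosts (not a real capture).
SAMPLE_GREPABLE = """\
# Nmap 5.21 scan initiated as: nmap -oG - -sV -PN 78.47.220.105-108 78.46.108.171
Host: 78.47.220.105 (hosting.rootpfad.org)\tStatus: Up
Host: 78.47.220.105 (hosting.rootpfad.org)\tPorts: 21/open/tcp//ftp//ProFTPD/, 80/open/tcp//http//Apache httpd/, 443/open/tcp//ssl|http//Apache httpd/\tIgnored State: filtered (997)
Host: 78.47.220.106 (mysql.rootpfad.org)\tStatus: Up
Host: 78.47.220.107 (mail.rootpfad.org)\tStatus: Up
Host: 78.47.220.107 (mail.rootpfad.org)\tPorts: 25/open/tcp//smtp//Postfix smtpd/, 143/closed/tcp//imap///, 465/open/tcp//ssl|smtp//Postfix smtpd/, 587/open/tcp//smtp//Postfix smtpd/, 993/open/tcp//ssl|imap///, 995/open/tcp//ssl|pop3s?///\tIgnored State: filtered (994)
Host: 78.47.220.108 (services.rootpfad.org)\tStatus: Up
Host: 78.47.220.108 (services.rootpfad.org)\tPorts: 80/open/tcp//http//Apache httpd 2.2.14 ((Ubuntu))/, 443/open/tcp//ssl|http//Apache httpd 2.2.14 ((Ubuntu))/\tIgnored State: filtered (998)
Host: 78.46.108.171 (smugglers.rootpfad.org)\tStatus: Up
Host: 78.46.108.171 (smugglers.rootpfad.org)\tPorts: 443/open/tcp//ssl|https///\tIgnored State: filtered (999)
# Nmap done -- 5 IP addresses (5 hosts up)
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
# port/state/proto/owner/service/rpc/version/  (nmap writes '|' for '/' in names)
PORT_RE = re.compile(r"^(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/(.*)/$")


@dataclass
class Port:
    number: int
    state: str
    proto: str
    service: str
    version: str


@dataclass
class Host:
    ip: str
    name: str
    ports: list = field(default_factory=list)


def _split_entries(text):
    """Split the Ports field on ', ', re-joining pieces that do not start with
    a port number (a version string may itself contain a comma)."""
    entries = []
    for chunk in text.split(", "):
        if entries and not re.match(r"\d+/", chunk):
            entries[-1] += ", " + chunk
        else:
            entries.append(chunk)
    return entries


def parse_grepable(text):
    """Return {ip: Host} from nmap -oG output; comment lines are skipped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host = hosts.setdefault(m.group(1), Host(m.group(1), m.group(2)))
        for fld in line.split("\t")[1:]:
            if not fld.startswith("Ports: "):
                continue
            for entry in _split_entries(fld[len("Ports: "):]):
                pm = PORT_RE.match(entry)
                if pm:
                    num, state, proto, _owner, service, _rpc, version = pm.groups()
                    host.ports.append(Port(int(num), state, proto, service.replace("|", "/"), version))
    return hosts


# Assumed inventory: the services the customer agreed to expose per host.
EXPECTED = {
    "78.47.220.105": {21, 80, 443},
    "78.47.220.106": set(),
    "78.47.220.107": {25, 465, 587, 993, 995},
    "78.47.220.108": {80, 443},
    "78.46.108.171": {443},
}


def audit(hosts, expected):
    """Compare scan results with the inventory; return (ip, port, finding) tuples."""
    findings = []
    for ip, host in sorted(hosts.items()):
        want = expected.get(ip, set())
        open_ports = set()
        for p in host.ports:
            if p.state == "open":
                open_ports.add(p.number)
                if p.number not in want:
                    findings.append((ip, p.number, f"unexpected open {p.service} {p.version}".strip()))
                if re.search(r"\d", p.version):  # a version number in the banner
                    findings.append((ip, p.number, f"version disclosed: {p.version}"))
            elif p.state == "closed":
                # RST came back: nothing listens, but no firewall filters the port either.
                findings.append((ip, p.number, "closed but not filtered"))
        for number in sorted(want - open_ports):
            findings.append((ip, number, "expected service not found"))
    return findings


if __name__ == "__main__":
    for ip, port, finding in audit(parse_grepable(SAMPLE_GREPABLE), EXPECTED):
        print(f"{ip}:{port}  {finding}")
```

For a real run, scan with `nmap -sV -PN -oG scan.gnmap <hosts>` and pass the file contents to parse_grepable(); on the sample above the script reports exactly the port 143 case and the two Apache 2.2.14 banners on 78.47.220.108.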

Unidentified services can be fingerprinted with amap (-b prints the banners received, -q suppresses closed ports, -v is verbose):

amap -bqv 78.47.220.107 143

To determine which SSL/TLS protocol versions and ciphers a service supports, use sslscan (here against the IMAPS port):

sslscan 78.47.220.107:993

Nikto tests:

nikto -h https://rootpfad.de/ (78.47.220.108)
Server: Apache/2.2.14 (Ubuntu)
Allowed HTTP Methods: GET, HEAD, POST, OPTIONS
/squirrelmail/src/read_body.php
/icons/ (Apache default folder)
/icons/README (Apache default file)

Apache HTTP TRACE test (the server answers 200 with Content-Type message/http and echoes the request back, so TRACE is enabled):

telnet 78.47.220.105 80
Trying 78.47.220.105...
Connected to 78.47.220.105.
Escape character is '^]'.
TRACE / HTTP/1.0
Host: foo
A: b
C: d

HTTP/1.1 200 OK
Date: Wed, 20 Jul 2011 21:22:56 GMT
Server: Apache
Connection: close
Content-Type: message/http

TRACE / HTTP/1.0
Host: foo
A: b
C: d

Another PHP check:
If expose_php is On, requesting this URL returns the PHP credits page (the same setting also adds an X-Powered-By header with the PHP version to every response):

http://rootpfad.de/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000
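The TRACE check and the expose_php check above, as an added example that is not part of the original post: a Python script that sends the same raw HTTP/1.0 requests over a plain socket, decides whether TRACE is enabled (status 200, Content-Type message/http and a random canary header reflected in the body), reads the Server and X-Powered-By headers and requests the PHP credits URL. It runs against two throwaway local servers that stand in for the tested hosts; their banners and behaviour (one leaky, one hardened) are assumed for the demo, not captured from the real servers.

```python
"""Active checks for two findings from the post: an Apache that honours TRACE
and PHP version disclosure via expose_php. Added example, not from the post.
The two local servers stand in for the tested hosts; their behaviour is
assumed, not captured."""
import secrets
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CREDITS_QUERY = "?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000"  # PHP credits easter egg


class LeakyHandler(BaseHTTPRequestHandler):
    """Stand-in for the misconfigured hosts: echoes TRACE, advertises PHP."""
    SERVER_BANNER = "Apache/2.2.14 (Ubuntu)"   # assumed, mirrors the nikto output
    X_POWERED_BY = "PHP/5.3.2-1ubuntu4.9"      # assumed, mirrors the conclusion
    TRACE_ENABLED = True

    def version_string(self):  # value of the Server: header
        return self.SERVER_BANNER

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _reply(self, code, ctype, body, extra=()):
        self.send_response(code)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Length", str(len(body)))
        for k, v in extra:
            self.send_header(k, v)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        credits = self.X_POWERED_BY and self.path.endswith(CREDITS_QUERY)
        body = b"<html>PHP Credits</html>" if credits else b"<html>index</html>"
        extra = [("X-Powered-By", self.X_POWERED_BY)] if self.X_POWERED_BY else []
        self._reply(200, "text/html", body, extra)

    def do_TRACE(self):
        if not self.TRACE_ENABLED:
            self.send_error(405, "Method Not Allowed")  # what TraceEnable Off yields
            return
        # Reflect the request exactly as received, like Apache with TraceEnable On.
        echo = self.raw_requestline + b"".join(
            f"{k}: {v}\r\n".encode() for k, v in self.headers.items())
        self._reply(200, "message/http", echo)


class HardenedHandler(LeakyHandler):
    """ServerTokens Prod, TraceEnable Off and expose_php = Off."""
    SERVER_BANNER = "Apache"
    X_POWERED_BY = ""
    TRACE_ENABLED = False


def raw_request(host, port, method, path, headers, timeout=5.0):
    """Send one HTTP/1.0 request like the telnet session; return (status, headers, body)."""
    lines = [f"{method} {path} HTTP/1.0", f"Host: {host}"] + [f"{k}: {v}" for k, v in headers.items()]
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode())
        chunks = []
        while True:  # HTTP/1.0: the server closes the connection after the response
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    head, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    status_line, *hdr_lines = head.decode("iso-8859-1").split("\r\n")
    hdrs = {}
    for hl in hdr_lines:
        k, _, v = hl.partition(":")
        hdrs[k.strip().lower()] = v.strip()
    return int(status_line.split()[1]), hdrs, body


def trace_enabled(host, port):
    """TRACE is live if the server answers 200 message/http and reflects our canary header."""
    canary = secrets.token_hex(8)
    status, hdrs, body = raw_request(host, port, "TRACE", "/", {"X-Canary": canary})
    return (status == 200 and hdrs.get("content-type", "").startswith("message/http")
            and canary.encode() in body)


def audit(host, port):
    """Collect the Server banner, both expose_php indicators and the TRACE result."""
    _, hdrs, _ = raw_request(host, port, "GET", "/", {})
    powered = hdrs.get("x-powered-by", "")
    status, _, body = raw_request(host, port, "GET", "/index.php" + CREDITS_QUERY, {})
    return {
        "server": hdrs.get("server", ""),
        "x_powered_by": powered,
        "php_header": powered.startswith("PHP/"),
        "credits_page": status == 200 and b"PHP Credits" in body,
        "trace": trace_enabled(host, port),
    }


def start_server(handler_cls):
    """Start a throwaway server on a free localhost port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    for label, cls in (("leaky", LeakyHandler), ("hardened", HardenedHandler)):
        srv, port = start_server(cls)
        print(label, audit("127.0.0.1", port))
        srv.shutdown()
```

Against a real host, call audit("78.47.220.105", 80) and so on; the canary header is what distinguishes a genuine TRACE echo from a server that merely answers 200 to anything. On the Apache side the fixes are TraceEnable Off (Apache then answers 405, as the hardened stand-in does), ServerTokens Prod with ServerSignature Off for the banner, and expose_php = Off in php.ini for the header and the credits page.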

DNS server test (fpdns tries to fingerprint the software running on the domain's authoritative name servers; here none of them matched a known fingerprint):

fpdns -t 1 -D rootpfad.org
fingerprint (rootpfad.org, 62.116.159.10): No match found
fingerprint (rootpfad.org, 217.160.113.50): No match found
fingerprint (rootpfad.org, 83.169.55.10): No match found
fingerprint (rootpfad.org, 89.146.248.20): No match found
fingerprint (rootpfad.org, 74.208.254.20): No match found

Pentest conclusion:
– Ports that are not needed should be firewalled: port 143 on host 78.47.220.107 is not listening, but it still answers with a RST (nmap: closed) instead of being filtered
– Hide the Apache version string "Apache/2.2.14 (Ubuntu)" (ServerTokens Prod, ServerSignature Off); the server should be quiet
– Hide the PHP version (PHP/5.3.2-1ubuntu4.9) by setting expose_php = Off
– I don't know any reason why these hosts should answer ping; drop or reject ICMP echo requests
– Outdated certificate on https://hosting.rootpfad.org/
– Missing web-master (ServerAdmin) contact address on hosts 78.47.220.105 and 78.47.220.108
– Disable the HTTP TRACE method on host 78.47.220.105 (TraceEnable Off)
– Remove the default Apache files and folders /icons/README and /icons/ on 78.47.220.108

Filed Under: Linux Tagged With: amap, hacking attempt, Nikto, nmap, Penetration, pentest, security test
