Security Basics mailing list archives

Re: Pen-Testing New Server - Where to start?
From: "Serg B" <sergeslists () gmail com>
Date: Wed, 14 Nov 2007 17:58:49 +1100

If you do PHP you may want to read the OWASP guide. Maybe learn it,
definitely understand it, perhaps have it under your pillow when you
brainstorm (developers don't sleep - they brainstorm with their eyes


I choose PHP over any language when it comes to web development. Bring
on the flames!

On Nov 14, 2007 2:44 PM, Security <security () gridrunners com> wrote:
Good ideas! Here are some of my (out of order) thoughts:

0.) Jamming through the code sounds interesting, but at the present
moment would seem to be counterproductive (see number 1 below). Maybe
once I get better at C... (I'm a PHP developer ATM.)

1.) I used to write in C/C++ but it's been a long time. I should pick it
up again, and start learning the more advanced workings of the language.
I've got a book on C#, and am learning python, so hopefully those will
be useful. (I'm running Linux tho, so I'll need mono for C#)

2.) I ran a nessus scan of the system and it returned information about
pop3/imap vulns, apache webserver vulns, and DNS vulns. The only one I
can consider exploitable ATM is the webserver, though I need to learn
more about XSS and exploiting TRACE for info.

3.) Default usernames/passwords are a good idea, but since I own the
box I can't justify pretending to guess passwords. (A good tip for
pen-testing other systems, though.)

4.) As for user-land apps, I'm assuming you're talking about PHP scripts
and the like... Of which I have none (yet). Maybe I should do some
default-installs of various software (phpbb, etc) and play with breaking
that. Again, XSS is something I need to jump into.

5.) Though "Hackers" was a fun flick, I doubt I'll be flying around
databases with blinking garbage files filled with fractals any time
soon. ;-)

Thanks for the tips! If you know of any other good websites to research
from (other than Securityfocus and milw0rm) I'd like to know!

Again, thanks.


Serg B wrote:
Unless you want to start reading source code (recommended) and hunting
for some 0-days I suggest thinking a little higher than the underlying
server infrastructure.

For example, you can enumerate services (name, version number, etc.)
and search for some exploits that could work on those ports. Also try
some default usernames and passwords, etc. Common configuration errors
are always fun. Brute forcing is not going to teach you much so in my
opinion you could skip that altogether.

In regards to "thinking higher" (most of the time this is how an
attacker gets access) you could smoke a joint (thinking higher, get
it, get it, ha-ha) and enumerate user-land applications (i.e. those
running on the HTTP port) and try to exploit them. Remember that
gaining access does not necessarily mean you are going to execute an
exploit and you're in. XSS and session hijacking could very well get
you an account, as well as phishing, etc. So look for all
vulnerabilities, not just those that you saw in Hackers (the movie).

Great starting points in my opinion are:

Learn to program (strongly recommended if you don't know already).
   C (at a minimum)
   Java/C# (pick one, same shit)
   Python/Perl/PHP (pick one, depending on what you want to do).

Read www.owasp.org (reference section).

