Re: Pen-Testing New Server - Where to start?
From: Security <security () gridrunners com>
Date: Tue, 13 Nov 2007 21:44:34 -0600
Good ideas! Here are some of my (out of order) thoughts:
0.) Jamming through the code sounds interesting, but at the present
moment would seem to be counterproductive (see number 1 below). Maybe
once I get better at C... (I'm a PHP developer ATM.)
1.) I used to write in C/C++ but it's been a long time. I should pick it
up again, and start learning the more advanced workings of the language.
I've got a book on C#, and am learning python, so hopefully those will
be useful. (I'm running Linux though, so I'll need mono for C#)
2.) I ran a nessus scan of the system and it returned information about
pop3/imap vulns, apache webserver vulns, and DNS vulns. The only one I
can consider exploitable ATM is the webserver, though I need to learn
more about XSS and exploiting TRACE for info.
3.) Default usernames/passwords are a good idea, but since I own the
box I can't justify pretending to guess passwords. (A good tip for
pen-testing other systems, though.)
4.) As for user-land apps, I'm assuming you're talking about PHP scripts
and the like... Of which I have none (yet). Maybe I should do some
default-installs of various software (phpbb, etc) and play with breaking
that. Again, XSS is something I need to jump into.
5.) Though "Hackers" was a fun flick, I doubt I'll be flying around
databases with blinking garbage files filled with fractals any time
Thanks for the tips! If you know of any other good websites to research
from (other than Securityfocus and milw0rm) I'd like to know!
Serg B wrote:
Unless you want to start reading source code (recommended) and hunting
for some 0-days I suggest thinking a little higher than the underlying
For example, you can enumerate services (name, version number, etc)
and search for some exploits that could work on those ports. Also try
some default usernames and passwords, etc. Common configuration errors
are always fun. Brute forcing is not going to teach you much so in my
opinion you could skip that all together.
In regards to "thinking higher" (most of the time this is how an
attacker gets access) you could smoke a joint (thinking higher, get
it, get it, ha-ha) and enumerate user-land applications (i.e. those
running on the HTTP port) and try to exploit them. Remember that
gaining access does not necessarily mean you are going to execute an
exploit and you're in. XSS and session hi-jacking could very well get
you an account, as well as phishing, etc. So look for all
vulnerabilities, not just those that you saw in Hackers (movie).
Great starting points in my opinion are:
Learn to program (strongly recommended if you don't know already).
C (at a minimum)
Java/C# (pick one, same shit)
Python/Perl/PHP (pick one, depending on what you want to do).
Read www.owasp.org (reference section).
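Added example (not written by either poster on this thread): the two things the thread keeps coming back to are what a server's banner gives away (service name and version enumeration) and whether HTTP TRACE is still enabled, which is what the "exploiting TRACE for info" remark refers to (cross-site tracing). The script below parses a raw HTTP response, reports both, and maps each finding to the Apache directive that closes it. The two responses at the bottom are constructed samples so it runs offline; check_live() does the same against a host you administer.

```python
"""Self-assessment checks for a web server you own: banner/version disclosure
and whether TRACE is enabled.  Sample responses are constructed, not captured."""

import re
import socket

PROBE_HEADER = b"X-Probe: trace-check-1234"  # marker we expect TRACE to echo back


def parse_response(raw: bytes):
    """Split a raw HTTP response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return status, headers, body


def server_version(headers):
    """Return (product, version) from the Server header; version is None if hidden."""
    server = headers.get("server")
    if not server:
        return None
    m = re.match(r"([A-Za-z][\w.-]*)/(\d[\w.]*)", server)
    return (m.group(1), m.group(2)) if m else (server, None)


def trace_enabled(status, headers, body):
    """TRACE is on if the server answered 200 with message/http or echoed our probe."""
    if status != 200:
        return False
    return "message/http" in headers.get("content-type", "") or PROBE_HEADER in body


def assess(raw: bytes):
    status, headers, body = parse_response(raw)
    return {
        "server": server_version(headers),
        "trace_enabled": trace_enabled(status, headers, body),
    }


def recommendations(findings):
    """Map findings to the Apache directives that remove them."""
    fixes = []
    if findings["trace_enabled"]:
        fixes.append("TraceEnable off")
    if findings["server"] and findings["server"][1] is not None:
        fixes.append("ServerTokens Prod")
    return fixes


def build_trace_request(host: str) -> bytes:
    return (b"TRACE / HTTP/1.1\r\nHost: " + host.encode() + b"\r\n"
            + PROBE_HEADER + b"\r\nConnection: close\r\n\r\n")


def check_live(host: str, port: int = 80, timeout: float = 5.0):
    """Send the TRACE probe to a server you administer and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_trace_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess(b"".join(chunks))


# Constructed sample responses (hostname example.test is a placeholder).
TRACE_ON = (b"HTTP/1.1 200 OK\r\n"
            b"Server: Apache/2.2.6 (Unix)\r\n"
            b"Content-Type: message/http\r\n\r\n"
            b"TRACE / HTTP/1.1\r\nHost: example.test\r\n" + PROBE_HEADER + b"\r\n")

TRACE_OFF = (b"HTTP/1.1 405 Method Not Allowed\r\n"
             b"Server: Apache\r\n"
             b"Allow: GET,HEAD,POST,OPTIONS\r\n"
             b"Content-Type: text/html\r\n\r\n"
             b"<html><body>Method Not Allowed</body></html>")

if __name__ == "__main__":
    for name, raw in (("trace-on", TRACE_ON), ("trace-off", TRACE_OFF)):
        findings = assess(raw)
        print(name, findings, recommendations(findings))
```

The first sample shows the situation Nessus flags: a full version string in the banner and a 200 echo of the request, so both directives come back. The second sample is what the same server looks like after TraceEnable off and ServerTokens Prod: a 405 for TRACE and a bare "Apache" banner, and the recommendation list is empty.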