CONFIGURATION MANAGEMENT TESTING

1. SSL/TLS Testing
SSL and TLS are two protocols that provide, with the support of cryptography, secure channels for the protection, confidentiality, and authentication of the information being transmitted. Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation.
Example tests:
=>SSL service recognition via nmap. Note that -F scans only the 100 most common ports, and that 443 is not among the open ports on akakom.ac.id (110.76.151.2), so the SSL tests that follow are run against www.akakom.ac.id instead:
root@bt:~# nmap -F -sV akakom.ac.id
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-04 21:58 WIT
Nmap scan report for akakom.ac.id (110.76.151.2)
Host is up (0.96s latency).
rDNS record for 110.76.151.2: ns.akakom.ac.id
Not shown: 79 closed ports
PORT     STATE    SERVICE         VERSION
9/tcp    filtered discard
21/tcp   open     ftp?
22/tcp   open     ssh             OpenSSH 5.5 (protocol 2.0)
25/tcp   filtered smtp
37/tcp   filtered time
53/tcp   open     domain
80/tcp   open     http?
110/tcp  open     pop3?
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap?
445/tcp  filtered microsoft-ds
465/tcp  filtered smtps
544/tcp  filtered kshell
587/tcp  open     submission?
993/tcp  open     imaps?
995/tcp  open     pop3s?
1433/tcp filtered ms-sql-s
5009/tcp filtered airport-admin
5666/tcp filtered nrpe
8081/tcp filtered blackice-icecap

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.70 seconds


=>Manually audit SSL/TLS protocol and cipher support with OpenSSL. The first command below connects to www.akakom.ac.id with TLSv1 and SSLv3 disabled, and the handshake fails; the second disables only TLSv1 and succeeds, which shows the server still negotiates SSLv3 (Protocol : SSLv3 in the session summary). The same session shows a self-signed certificate (subject and issuer identical) issued to localhost.localdomain that expired in September 2009, and a 1024-bit server key:
root@bt:~# openssl s_client -no_tls1 -no_ssl3 -connect www.akakom.ac.id:443
CONNECTED(00000003)
3046:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

root@bt:~# openssl s_client -no_tls1 -connect www.akakom.ac.id:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
Certificate chain
 0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
   i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1629 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E94511C7BB19BDB7E5309257B2C6BFFC53A61BC1B8DB37D3259940793EC04EFE
    Session-ID-ctx:
    Master-Key: 0A4AD681B128858C54E6477E4B403CDE781ACB2DD08B7DD17E636553A20FB90425AB4B47F6E43A7EC2EECA4C579F8167
    Key-Arg   : None
    Start Time: 1307200661
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
closed
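
Reading a session like the one above by hand is error-prone, so here is an added example (code written for this edit, not part of the original post) that parses `openssl s_client` output and reports the same findings a tester would note: deprecated protocol, weak cipher, short key, self-signed or expired certificate, failed verification. The sample session is the page's own output trimmed to the lines the parser uses; the hostname in the generated commands and the reference time for the expiry check are the only inputs, and the weak-cipher marker list and 2048-bit key threshold are this example's assumptions.

```python
"""Added example (not from the original post): grade an `openssl s_client`
session the way a tester reads it.  Feed it the output of
    openssl s_client -connect host:443 </dev/null
and it extracts the negotiated protocol and cipher, the server key size and the
certificate verification results, then turns them into findings."""
import re
from datetime import datetime, timezone

# Constructed sample: the significant lines of the s_client session against
# www.akakom.ac.id reproduced above (certificate body omitted).
SAMPLE_SESSION = """\
CONNECTED(00000003)
verify error:num=18:self signed certificate
verify return:1
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
    Verify return code: 10 (certificate has expired)
"""

# One s_client flag per protocol version; a handshake that succeeds with only
# that version enabled proves the server accepts it.
PROTOCOL_FLAGS = ("ssl3", "tls1", "tls1_1", "tls1_2", "tls1_3")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Assumed marker list: substrings of OpenSSL cipher names meaning no
# encryption, export grade, broken primitives or anonymous key exchange.
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "DES", "RC4", "RC2", "MD5", "ADH", "AECDH")


def s_client_commands(host, port=443):
    """Commands to run by hand, one per protocol version (the -ssl3 one needs
    an OpenSSL build that still includes SSLv3)."""
    return ["openssl s_client -%s -connect %s:%d </dev/null" % (flag, host, port)
            for flag in PROTOCOL_FLAGS]


def parse_s_client(text):
    """Pull the fields that matter out of s_client output."""
    def grab(pattern, cast=str):
        match = re.search(pattern, text, re.M)
        return cast(match.group(1)) if match else None

    info = {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        "key_bits": grab(r"^Server public key is (\d+) bit", int),
        "subject": grab(r"^subject=(.*)$"),
        "issuer": grab(r"^issuer=(.*)$"),
        "verify_code": grab(r"^\s*Verify return code:\s*(\d+)", int),
        "verify_msg": grab(r"^\s*Verify return code:\s*\d+\s*\((.*)\)"),
        "not_after": None,
    }
    raw = grab(r"^notAfter=(.*)$")
    if raw:
        # OpenSSL prints e.g. "Sep 18 11:51:59 2009 GMT" (day may be space padded).
        parsed = datetime.strptime(raw.strip(), "%b %d %H:%M:%S %Y GMT")
        info["not_after"] = parsed.replace(tzinfo=timezone.utc)
    return info


def audit(info, now=None, min_key_bits=2048):
    """Findings as (code, detail) pairs; 'now' defaults to the current time."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if info["protocol"] in DEPRECATED_PROTOCOLS:
        findings.append(("deprecated-protocol", "server negotiated %s" % info["protocol"]))
    cipher = (info["cipher"] or "").upper()
    hits = [marker for marker in WEAK_CIPHER_MARKERS if marker in cipher]
    if hits:
        findings.append(("weak-cipher", "%s (%s)" % (info["cipher"], ", ".join(hits))))
    if info["key_bits"] is not None and info["key_bits"] < min_key_bits:
        findings.append(("weak-key", "%d-bit server key" % info["key_bits"]))
    if info["subject"] and info["subject"] == info["issuer"]:
        findings.append(("self-signed", "issuer is the subject: %s" % info["subject"]))
    if info["not_after"] and info["not_after"] < now:
        findings.append(("expired", "notAfter %s" % info["not_after"].date()))
    if info["verify_code"]:   # None or 0 means the chain verified
        findings.append(("verify-failed", "code %d: %s" % (info["verify_code"], info["verify_msg"])))
    return findings


if __name__ == "__main__":
    for code, detail in audit(parse_s_client(SAMPLE_SESSION)):
        print("%-20s %s" % (code, detail))
```

Run against the session above it reports deprecated-protocol (SSLv3), weak-key (1024 bit), self-signed, expired and verify-failed; DHE-RSA-AES256-SHA trips none of the cipher markers, so that line would have to be judged on CBC/SHA-1 grounds by the reader. The per-protocol commands from s_client_commands() are the manual way to enumerate what the server accepts: each one that completes a handshake is a supported version.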

Nessus can also be used to identify weak ciphers; its SSL certificate information for port 443 confirms the self-signed certificate (issuer identical to subject, valid only until Sep 18 2009) and the 1024-bit RSA key:
Port 443
SSL certificate information
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Issuer Name:
Country: --
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Serial Number: 61 80

Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Sep 18 11:51:59 2008 GMT
Not Valid After: Sep 18 11:51:59 2009 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 A4 D4 6D 38 65 9A 9C 15 D2 86 BD F3 D3 91 EF DE 77 B0 80
3F 3F 7F E8 66 14 1F 56 64 91 5C E7 0E 81 A2 03 6A 0A F8 47
80 40 A3 83 53 D5 1D D4 71 68 ED C9 D4 76 2A 9B 2C 4E 32 FF
0E B8 C8 F9 B9 20 27 A4 66 BE 9F 29 2F 75 63 A8 57 A8 37 91
32 57 B4 6D 37 64 83 BC D8 1B 9E 1A DE 9D 54 FF ED 28 7A CA
24 DC 36 C2 CC 71 EA 60 4C 43 81 3A 23 C5 D9 4F 8F 56 87 03
11 EF C6 EE E2 1F F7 D8 3B
Exponent: 01 00 01
Signature: 00 1D C7 75 2F D2 B1 DB 99 B7 7D CD B8 B4 C2 23 7E 3B 48 79
A1 08 A3 53 2E 0A C3 03 5F AE 03 F5 17 5C 84 A8 F3 CE 9F 52
4F DF A2 8C A2 BB 04 03 EE E5 10 FD 66 7A 41 84 42 3C 32 11
63 B4 52 27 70 CA 13 27 88 B5 41 EB E1 02 84 39 61 6D 7A 1D
00 92 8E D6 77 FD 34 88 2A 73 2D 6E 75 BF 5B A2 EE E8 EB 43
D5 19 31 09 8C B6 D5 FA 48 69 60 5C F3 F7 77 1D 6C F1 C2 52
55 5F 73 40 A1 16 2B 11 FB
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 41 B0 7C 6A 17 F4 2F 56 BD 43 C2 53 A6 D5 73 92 20 CE 88 F5
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Basic Constraints (2.5.29.19)
Critical: 0
Data: 30 03 01 01 FF


2. DB Listener Testing
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a tester, serving as input to more impacting follow-on tests. Oracle's TNS listener is the usual target of this test: nmap's oracle-tns-version script or the tnscmd10g utility will ask it for its version and status, and a listener that answers such remote commands without restriction (no ADMIN_RESTRICTIONS_<listener name> = ON in listener.ora) is the finding to report.

3. Infrastructure Configuration Management Testing
The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of web applications, makes configuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small and (almost) unimportant problems may evolve into severe risks for another application on the same server. In order to address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues.
To collect information about the configuration of the application, I used Mantra to look at the server headers:
Date: Sat, 04 Jun 2011 17:54:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 04 Jun 2011 17:54:31 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
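
The two lines worth recording from those headers are Server: Apache/2.2.3 (CentOS) and X-Powered-By: PHP/5.3.5, because each gives an exact version to look up. As an added example (written for this edit, not the original post's code), the script below parses a header block like the one above, extracts every product/version pair from the headers that typically carry them, and lists the hardening headers that are absent; the header lists are this example's assumptions, the missing-header check is a present-day addition the 2011 post does not make, and the sample is the page's own response.

```python
"""Added example (not from the original post): reduce a raw HTTP header block
to the configuration facts a reviewer records, i.e. the software versions the
server volunteers and the hardening headers it omits."""
import http.client
import re

# Constructed sample: the response headers shown above for www.akakom.ac.id.
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Date: Sat, 04 Jun 2011 17:54:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 04 Jun 2011 17:54:31 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
"""

# Assumed lists: headers that commonly carry product/version strings, and
# hardening headers a current deployment is expected to send on HTML pages.
VERSION_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version",
                   "X-AspNetMvc-Version", "X-Generator", "Via")
HARDENING_HEADERS = ("Strict-Transport-Security", "X-Frame-Options",
                     "X-Content-Type-Options", "Content-Security-Policy")
PRODUCT_RE = re.compile(r"([A-Za-z][\w.-]*)/([\w.-]+)")   # e.g. Apache/2.2.3


def parse_headers(raw):
    """'Name: value' lines into a dict keyed by lower-cased name (header names
    are case-insensitive); a leading status line is skipped."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def disclosed_versions(headers):
    """(header, product, version) triples for every version string leaked."""
    found = []
    for name in VERSION_HEADERS:
        value = headers.get(name.lower())
        if value:
            found.extend((name, product, version)
                         for product, version in PRODUCT_RE.findall(value))
    return found


def missing_hardening(headers):
    return [name for name in HARDENING_HEADERS if name.lower() not in headers]


def fetch_headers(host, path="/", port=80, timeout=10):
    """Live version: a HEAD request, returning the same dict shape as parse_headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("HEAD", path, headers={"Host": host, "User-Agent": "config-review/1.0"})
    resp = conn.getresponse()
    headers = {name.lower(): value for name, value in resp.getheaders()}
    conn.close()
    return headers


if __name__ == "__main__":
    parsed = parse_headers(SAMPLE_HEADERS)
    for header, product, version in disclosed_versions(parsed):
        print("version disclosed in %s: %s %s" % (header, product, version))
    print("hardening headers missing:", ", ".join(missing_hardening(parsed)))
```

On the Apache/PHP stack shown here the fix is configuration, not code: ServerTokens Prod and ServerSignature Off in httpd.conf reduce the Server header to "Apache", and expose_php = Off in php.ini removes X-Powered-By.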



4. Application Configuration Management Testing
Web applications hide some information that is usually not considered during the development or configuration of the application itself. This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.
To collect information about files and directories, you can use Google hacking or simply fetch the site's robots.txt, which lists the web directories the owner does not want indexed. (This particular list matches the robots.txt that Joomla 1.5 ships with, so it also fingerprints the CMS and points at /administrator/ as its admin interface.)
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/


5. Testing for File Extensions Handling
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.
root@bt:/pentest/web/nikto# ./nikto.pl -h akakom.ac.id
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP:          110.76.151.2
+ Target Hostname:    akakom.ac.id
+ Target Port:        80
+ Start Time:         2011-06-06 13:23:31
---------------------------------------------------------------------------
+ Server: Apache
+ Root page / redirects to: http://www.akakom.ac.id/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-5737: WebLogic may reveal its internal IP or hostname in the Location header. The value is "http://www.akakom.ac.id/".
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS).  http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6448 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2011-06-06 13:23:54 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Note that every path nikto requested was answered by a host whose root page redirects to http://www.akakom.ac.id/, and the hits cover products (WebLogic, myphpnuke, Post Nuke, Web Wiz Forums .asp pages) that are unlikely to coexist on one Apache/PHP server. Nikto judges a path by the response it gets back, so a server that answers every request with the same page or with a redirect produces false positives like these; each item has to be confirmed by hand before it goes into a report.


6. Old, Backup and Unreferenced Files
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.
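
Sections 5 and 6 are two sides of one test: take a file you know exists, request the names a careless deployment leaves beside it, and look at what comes back. As an added example (written for this edit, not the original post's code), the script below generates the backup, editor and alternate-extension variants of one path and classifies each response, using a baseline request for a name that cannot exist so that "200 for everything" servers are not misread as hits; the suffix and extension tables are this example's assumptions.

```python
"""Added example (not from the original post): enumerate the old/backup/
alternate-extension names derived from one known file and judge what a
response to each of them means."""
import http.client
import posixpath
from urllib.parse import quote

# Assumed tables: suffixes left behind by editors, admins and archivers, and
# sibling extensions a misconfigured handler may serve as text or treat
# differently from the primary one.
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".tmp", "~", ".zip", ".tar.gz")
ALT_EXTENSIONS = {
    ".php": (".phps", ".php3", ".php4", ".php5", ".phtml", ".inc", ".txt"),
    ".jsp": (".jspx", ".jsw", ".jsv", ".txt"),
    ".asp": (".asa", ".inc", ".txt"),
    ".aspx": (".aspx.cs", ".aspx.vb", ".txt"),
}
# Strings that only appear when server-side code reaches the client.
SOURCE_MARKERS = ("<?php", "<?=", "<%", "mysql_connect(", "mysqli_connect(", "new PDO(")


def variants(path):
    """Candidate names for one path, e.g. /includes/config.php gives
    config.php.bak, config.bak, config.php~, config.phps, .config.php.swp, ..."""
    directory, name = posixpath.split(path)
    stem, ext = posixpath.splitext(name)
    out = []
    for suffix in BACKUP_SUFFIXES:
        out.append(posixpath.join(directory, name + suffix))       # config.php.bak
        if ext:
            out.append(posixpath.join(directory, stem + suffix))   # config.bak
    for alt in ALT_EXTENSIONS.get(ext.lower(), ()):
        out.append(posixpath.join(directory, stem + alt))          # config.phps
    out.append(posixpath.join(directory, "." + name + ".swp"))     # vim swap file
    out.append(posixpath.join(directory, "#" + name + "#"))        # emacs autosave
    return list(dict.fromkeys(out))                                # dedupe, keep order


def classify(status, content_type, body, baseline_body=None):
    """Judge one response.  baseline_body is what the server returns for a name
    that certainly does not exist, so a 'soft 404' (200 with the usual error
    page) is not mistaken for a hit."""
    if status == 404:
        return "absent"
    if status != 200:
        return "other(%d)" % status
    if baseline_body is not None and body == baseline_body:
        return "soft-404"
    if any(marker in body for marker in SOURCE_MARKERS):
        return "source-disclosure"      # server-side code reached the client
    if not content_type.lower().startswith("text/html"):
        return "download"               # archive or raw file handed out
    return "reachable"


def probe(host, path, port=80, timeout=10):
    """Live: fetch the baseline, then every variant; names are URL-encoded on
    the wire ('#' in the emacs pattern must not become a fragment)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)

    def get(candidate):
        conn.request("GET", quote(candidate), headers={"Host": host})
        resp = conn.getresponse()
        return (resp.status, resp.getheader("Content-Type", "") or "",
                resp.read().decode("utf-8", "replace"))

    _, _, baseline = get(path + ".does-not-exist-7f3a")   # constructed baseline name
    results = []
    for candidate in variants(path):
        status, ctype, body = get(candidate)
        results.append((candidate, status, classify(status, ctype, body, baseline)))
    conn.close()
    return results


if __name__ == "__main__":
    for candidate in variants("/includes/config.php"):
        print(candidate)
```

A "source-disclosure" result on a .phps, .inc or .bak name is the outcome section 6 warns about: database credentials in a config file are served as plain text because the handler that executes .php does not cover its neighbours.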

7. Infrastructure and Application Admin Interfaces
Many applications use a common path for administrative interfaces, which can then be used to guess or brute force administrative passwords. This test aims to find admin interfaces and to determine whether they can be exploited to reach admin functionality.
I couldn't find application admin interfaces, but I found the database login interface at www.akakom.ac.id/phpmyadmin, and I tried tampering with the login page.
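
The robots.txt from section 4 and the admin-interface hunt in this section feed each other: the disallowed directories are the site's own list of places to look, and a generic wordlist covers what robots.txt leaves out. As an added example that serves both sections (written for this edit, not the original post's code), the script below parses robots.txt into probe paths, appends a wordlist of common admin locations, puts administrative-looking paths first, and classifies each response so that a reachable login form, such as the phpMyAdmin page found above, stands out; the wordlist, the hint words and the form heuristic are this example's assumptions, and the sample robots.txt is the one reproduced in section 4.

```python
"""Added example (not from the original post): turn robots.txt into a probe
list for hidden directories and administrative interfaces, and classify what
each path returns."""
import http.client

# Constructed sample: the robots.txt contents shown in section 4.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
"""

# Assumed wordlist of generic admin locations, appended after the
# site-specific robots.txt entries, and the words that mark a path as
# administrative.
COMMON_ADMIN_PATHS = ("/admin/", "/administrator/", "/login/", "/phpmyadmin/",
                      "/pma/", "/manager/html", "/wp-admin/", "/cpanel/", "/webadmin/")
ADMIN_HINTS = ("admin", "manager", "phpmyadmin", "pma", "login", "cpanel")


def parse_robots(text):
    """Disallow entries from every User-agent group, in file order, deduplicated.
    Comments, Allow lines, a bare 'Disallow:' and 'Disallow: /' carry no path
    worth probing, and wildcard patterns are skipped."""
    paths = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() != "disallow" or value in ("", "/") or "*" in value or "$" in value:
            continue
        if not value.startswith("/"):
            value = "/" + value
        if value not in paths:
            paths.append(value)
    return paths


def looks_administrative(path):
    return any(hint in path.lower() for hint in ADMIN_HINTS)


def candidate_paths(robots_text, wordlist=COMMON_ADMIN_PATHS):
    """robots.txt paths first (they are site-specific), then the generic
    wordlist; administrative-looking paths are moved to the front."""
    merged = []
    for path in list(parse_robots(robots_text)) + list(wordlist):
        if path not in merged:
            merged.append(path)
    return sorted(merged, key=lambda p: not looks_administrative(p))   # stable sort


def classify(status, body):
    """What a probe response means for the tester."""
    if status in (401, 403):
        return "protected"      # exists, access controlled: note it, maybe brute-forceable
    if status in (301, 302, 303, 307, 308):
        return "redirect"       # follow it: often a login page or a trailing-slash fix
    if status == 200:
        lowered = body.lower()
        if "<form" in lowered and ('type="password"' in lowered or "type='password'" in lowered):
            return "login-form"  # an authentication interface reachable from the internet
        return "reachable"
    if status == 404:
        return "absent"
    return "other"


def probe(host, paths, port=80, timeout=10):
    """Live version: GET every candidate and record (path, status, classification)."""
    results = []
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    for path in paths:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "config-review/1.0"})
        resp = conn.getresponse()
        body = resp.read().decode("utf-8", "replace")
        results.append((path, resp.status, classify(resp.status, body)))
    conn.close()
    return results


if __name__ == "__main__":
    for path in candidate_paths(SAMPLE_ROBOTS):
        print(path)
```

For the robots.txt above the first candidate is /administrator/, and /phpmyadmin/ comes from the wordlist; a "login-form" result on either is exactly the exposed administrative interface this section is after, and the follow-on question is whether it is rate-limited, restricted by source address, or reachable over plain HTTP.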

8. Testing for HTTP Methods and XST
In this test we check that the web server is not configured to allow potentially dangerous HTTP commands (methods) and that Cross Site Tracing (XST) is not possible.
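
Concretely, the check is an OPTIONS request to read the advertised Allow list, then a TRACE request carrying a header value of our choosing: if the reply is 200, message/http and contains that value, the server echoes requests, which is what Cross Site Tracing needs. As an added example (written for this edit, not the original post's code), the script below implements both steps and the decision logic; the dangerous-method set and the canary value are this example's assumptions, and the sample TRACE body is constructed.

```python
"""Added example (not from the original post): check which HTTP methods a
server advertises and whether TRACE echoes the request, the precondition for
Cross Site Tracing (XST)."""
import http.client

# Assumed set: methods that change server state, tunnel, or echo requests.
DANGEROUS_METHODS = {"PUT", "DELETE", "CONNECT", "TRACE", "TRACK",
                     "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE"}
CANARY = "xst-canary-31337"   # value we send so an echo is unmistakable

# Constructed sample: what a TRACE-enabled server sends back (message/http body).
SAMPLE_TRACE_BODY = (
    "TRACE / HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "X-Canary: " + CANARY + "\r\n"
    "Cookie: session=constructed-value\r\n"
    "\r\n"
)


def parse_allow(allow_header):
    """The Allow header of an OPTIONS reply as a set of upper-case methods."""
    return {m.strip().upper() for m in (allow_header or "").split(",") if m.strip()}


def risky_methods(allow_header):
    return sorted(parse_allow(allow_header) & DANGEROUS_METHODS)


def trace_is_reflected(status, content_type, body, canary=CANARY):
    """XST needs TRACE to answer 200 with message/http and echo our headers; if
    the canary comes back, a browser-issued TRACE would echo cookies and auth
    headers to script just the same."""
    return (status == 200
            and (content_type or "").lower().startswith("message/http")
            and canary in body)


def probe(host, port=80, path="/", timeout=10):
    """Live: OPTIONS for the advertised list, then TRACE with the canary header.
    Allow is advisory (servers omit methods from it), so TRACE is always tried."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", path, headers={"Host": host})
    resp = conn.getresponse()
    resp.read()
    allow = resp.getheader("Allow", "")

    conn.request("TRACE", path, headers={"Host": host, "X-Canary": CANARY})
    resp = conn.getresponse()
    body = resp.read().decode("latin-1")
    xst = trace_is_reflected(resp.status, resp.getheader("Content-Type", ""), body)
    conn.close()
    return {"advertised": sorted(parse_allow(allow)),
            "risky_advertised": risky_methods(allow),
            "xst": xst}


if __name__ == "__main__":
    print("risky:", risky_methods("GET, HEAD, POST, OPTIONS, TRACE"))
    print("xst:", trace_is_reflected(200, "message/http", SAMPLE_TRACE_BODY))
```

On Apache, TraceEnable Off disables TRACE, and other methods are restricted per location with a <LimitExcept GET POST HEAD> block; re-run the probe afterwards, since the Allow header alone is not proof that a method is gone.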
