CONFIGURATION MANAGEMENT TESTING
1. SSL/TLS Testing
SSL and TLS are two protocols that provide, with the support of cryptography, secure channels for the protection, confidentiality, and authentication of the information being transmitted. Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation.
exemple test :
=>SSL service recognition via nmap
root@bt:~# nmap -F -sV akakom.ac.id
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-04 21:58 WIT
Nmap scan report for akakom.ac.id (110.76.151.2)
Host is up (0.96s latency).
rDNS record for 110.76.151.2: ns.akakom.ac.id
Not shown: 79 closed ports
PORT STATE SERVICE VERSION
9/tcp filtered discard
21/tcp open ftp?
22/tcp open ssh OpenSSH 5.5 (protocol 2.0)
25/tcp filtered smtp
37/tcp filtered time
53/tcp open domain
80/tcp open http?
110/tcp open pop3?
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap?
445/tcp filtered microsoft-ds
465/tcp filtered smtps
544/tcp filtered kshell
587/tcp open submission?
993/tcp open imaps?
995/tcp open pop3s?
1433/tcp filtered ms-sql-s
5009/tcp filtered airport-admin
5666/tcp filtered nrpe
8081/tcp filtered blackice-icecap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.70 seconds
=>Manually audit weak SSL cipher levels with OpenSSL. The following will attempt to connect to akakom.ac.id
root@bt:~# openssl s_client -no_tls1 -no_ssl3 -connect www.akakom.ac.id:443
CONNECTED(00000003)
3046:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
root@bt:~# openssl s_client -no_tls1 -connect www.akakom.ac.id:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDjCCA3egAwIBAgICYYAwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK
ExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxV
bml0MR4wHAYDVQQDExVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B
CQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9tYWluMB4XDTA4MDkxODExNTE1OVoX
DTA5MDkxODExNTE1OVowgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk1G04ZZqc
FdKGvfPTke/ed7CAPz9/6GYUH1ZkkVznDoGiA2oK+EeAQKODU9Ud1HFo7cnUdiqb
LE4y/w64yPm5ICekZr6fKS91Y6hXqDeRMle0bTdkg7zYG54a3p1U/+0oesok3DbC
zHHqYExDgTojxdlPj1aHAxHvxu7iH/fYOwIDAQABo4IBHTCCARkwHQYDVR0OBBYE
FEGwfGoX9C9WvUPCU6bVc5Igzoj1MIHpBgNVHSMEgeEwgd6AFEGwfGoX9C9WvUPC
U6bVc5Igzoj1oYHBpIG+MIG7MQswCQYDVQQGEwItLTESMBAGA1UECBMJU29tZVN0
YXRlMREwDwYDVQQHEwhTb21lQ2l0eTEZMBcGA1UEChMQU29tZU9yZ2FuaXphdGlv
bjEfMB0GA1UECxMWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UEAxMVbG9j
YWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9z
dC5sb2NhbGRvbWFpboICYYAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
gQAdx3Uv0rHbmbd9zbi0wiN+O0h5oQijUy4KwwNfrgP1F1yEqPPOn1JP36KMorsE
A+7lEP1mekGEQjwyEWO0UidwyhMniLVB6+EChDlhbXodAJKO1nf9NIgqcy1udb9b
ou7o60PVGTEJjLbV+khpYFzz93cdbPHCUlVfc0ChFisR+w==
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1629 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: E94511C7BB19BDB7E5309257B2C6BFFC53A61BC1B8DB37D3259940793EC04EFE
Session-ID-ctx:
Master-Key: 0A4AD681B128858C54E6477E4B403CDE781ACB2DD08B7DD17E636553A20FB90425AB4B47F6E43A7EC2EECA4C579F8167
Key-Arg : None
Start Time: 1307200661
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
closed
Use nessus scanning for Identifying weak ciphers.
Port 443
SSL certificate information
Country: –
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Issuer Name:
Country: –
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Serial Number: 61 80
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Sep 18 11:51:59 2008 GMT
Not Valid After: Sep 18 11:51:59 2009 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 A4 D4 6D 38 65 9A 9C 15 D2 86 BD F3 D3 91 EF DE 77 B0 80
3F 3F 7F E8 66 14 1F 56 64 91 5C E7 0E 81 A2 03 6A 0A F8 47
80 40 A3 83 53 D5 1D D4 71 68 ED C9 D4 76 2A 9B 2C 4E 32 FF
0E B8 C8 F9 B9 20 27 A4 66 BE 9F 29 2F 75 63 A8 57 A8 37 91
32 57 B4 6D 37 64 83 BC D8 1B 9E 1A DE 9D 54 FF ED 28 7A CA
24 DC 36 C2 CC 71 EA 60 4C 43 81 3A 23 C5 D9 4F 8F 56 87 03
11 EF C6 EE E2 1F F7 D8 3B
Exponent: 01 00 01
Signature: 00 1D C7 75 2F D2 B1 DB 99 B7 7D CD B8 B4 C2 23 7E 3B 48 79
A1 08 A3 53 2E 0A C3 03 5F AE 03 F5 17 5C 84 A8 F3 CE 9F 52
4F DF A2 8C A2 BB 04 03 EE E5 10 FD 66 7A 41 84 42 3C 32 11
63 B4 52 27 70 CA 13 27 88 B5 41 EB E1 02 84 39 61 6D 7A 1D
00 92 8E D6 77 FD 34 88 2A 73 2D 6E 75 BF 5B A2 EE E8 EB 43
D5 19 31 09 8C B6 D5 FA 48 69 60 5C F3 F7 77 1D 6C F1 C2 52
55 5F 73 40 A1 16 2B 11 FB
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 41 B0 7C 6A 17 F4 2F 56 BD 43 C2 53 A6 D5 73 92 20 CE 88 F5
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Basic Constraints (2.5.29.19)
Critical: 0
Data: 30 03 01 01 FF
2. DB Listener Testing
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a
tester serving as input to more impacting follow-on tests.
3. Infrastructure Configuration Management Testing
The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of web applications, makes configuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small
and (almost) unimportant problems may evolve into severe risks for another application on the same server. In order to address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues.
For collect information about configuration of the application.
I’m use mantra for looking server header :
Date: Sat, 04 Jun 2011 17:54:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
P3P: CP=”NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM”
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 04 Jun 2011 17:54:31 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
4. Application Configuration Management Testing
Web applications hide some information that is usually not considered during the development or configuration of the application itself. This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.
For collect information files and directories
you can use google hack about the robots.txt file for know the web directories.
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
5. Testing for File Extensions Handling
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.
root@bt:/pentest/web/nikto# ./nikto.pl -h akakom.ac.id
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 110.76.151.2
+ Target Hostname: akakom.ac.id
+ Target Port: 80
+ Start Time: 2011-06-06 13:23:31
---------------------------------------------------------------------------
+ Server: Apache
+ Root page / redirects to: http://www.akakom.ac.id/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-5737: WebLogic may reveal its internal IP or hostname in the Location header. The value is "http://www.akakom.ac.id/".
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6448 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2011-06-06 13:23:54 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
6. Old, Backup and Unreferenced Files
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.
7. Infrastructure and Application Admin Interfaces
Many applications use a common path for administrative interfaces which can be used to guess or brute force administrative passwords. This test tends to find admin interfaces and understand if it is possible to exploit it to access to admin functionality.
i’m can’t find application admin interfaces, but i’m find the login for database login interface from www.akakom.ac.id/phpmyadmin. And i’m try to tampering login page.
8. Testing for HTTP Methods and XST
In this test we check that the web server is not configured to allow potentially dangerous HTTP commands (methods) and that Cross Site Tracing (XST) is not possible.
SSL and TLS are two protocols that provide, with the support of cryptography, secure channels for the protection, confidentiality, and authentication of the information being transmitted. Considering the criticality of these security implementations, it is important to verify the usage of a strong cipher algorithm and its proper implementation.
exemple test :
=>SSL service recognition via nmap
root@bt:~# nmap -F -sV akakom.ac.id
Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-04 21:58 WIT
Nmap scan report for akakom.ac.id (110.76.151.2)
Host is up (0.96s latency).
rDNS record for 110.76.151.2: ns.akakom.ac.id
Not shown: 79 closed ports
PORT STATE SERVICE VERSION
9/tcp filtered discard
21/tcp open ftp?
22/tcp open ssh OpenSSH 5.5 (protocol 2.0)
25/tcp filtered smtp
37/tcp filtered time
53/tcp open domain
80/tcp open http?
110/tcp open pop3?
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
143/tcp open imap?
445/tcp filtered microsoft-ds
465/tcp filtered smtps
544/tcp filtered kshell
587/tcp open submission?
993/tcp open imaps?
995/tcp open pop3s?
1433/tcp filtered ms-sql-s
5009/tcp filtered airport-admin
5666/tcp filtered nrpe
8081/tcp filtered blackice-icecap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.70 seconds
=>Manually audit weak SSL cipher levels with OpenSSL. The following will attempt to connect to akakom.ac.id
root@bt:~# openssl s_client -no_tls1 -no_ssl3 -connect www.akakom.ac.id:443
CONNECTED(00000003)
3046:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
root@bt:~# openssl s_client -no_tls1 -connect www.akakom.ac.id:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEDjCCA3egAwIBAgICYYAwDQYJKoZIhvcNAQEFBQAwgbsxCzAJBgNVBAYTAi0t
MRIwEAYDVQQIEwlTb21lU3RhdGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQK
ExBTb21lT3JnYW5pemF0aW9uMR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxV
bml0MR4wHAYDVQQDExVsb2NhbGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0B
CQEWGnJvb3RAbG9jYWxob3N0LmxvY2FsZG9tYWluMB4XDTA4MDkxODExNTE1OVoX
DTA5MDkxODExNTE1OVowgbsxCzAJBgNVBAYTAi0tMRIwEAYDVQQIEwlTb21lU3Rh
dGUxETAPBgNVBAcTCFNvbWVDaXR5MRkwFwYDVQQKExBTb21lT3JnYW5pemF0aW9u
MR8wHQYDVQQLExZTb21lT3JnYW5pemF0aW9uYWxVbml0MR4wHAYDVQQDExVsb2Nh
bGhvc3QubG9jYWxkb21haW4xKTAnBgkqhkiG9w0BCQEWGnJvb3RAbG9jYWxob3N0
LmxvY2FsZG9tYWluMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCk1G04ZZqc
FdKGvfPTke/ed7CAPz9/6GYUH1ZkkVznDoGiA2oK+EeAQKODU9Ud1HFo7cnUdiqb
LE4y/w64yPm5ICekZr6fKS91Y6hXqDeRMle0bTdkg7zYG54a3p1U/+0oesok3DbC
zHHqYExDgTojxdlPj1aHAxHvxu7iH/fYOwIDAQABo4IBHTCCARkwHQYDVR0OBBYE
FEGwfGoX9C9WvUPCU6bVc5Igzoj1MIHpBgNVHSMEgeEwgd6AFEGwfGoX9C9WvUPC
U6bVc5Igzoj1oYHBpIG+MIG7MQswCQYDVQQGEwItLTESMBAGA1UECBMJU29tZVN0
YXRlMREwDwYDVQQHEwhTb21lQ2l0eTEZMBcGA1UEChMQU29tZU9yZ2FuaXphdGlv
bjEfMB0GA1UECxMWU29tZU9yZ2FuaXphdGlvbmFsVW5pdDEeMBwGA1UEAxMVbG9j
YWxob3N0LmxvY2FsZG9tYWluMSkwJwYJKoZIhvcNAQkBFhpyb290QGxvY2FsaG9z
dC5sb2NhbGRvbWFpboICYYAwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOB
gQAdx3Uv0rHbmbd9zbi0wiN+O0h5oQijUy4KwwNfrgP1F1yEqPPOn1JP36KMorsE
A+7lEP1mekGEQjwyEWO0UidwyhMniLVB6+EChDlhbXodAJKO1nf9NIgqcy1udb9b
ou7o60PVGTEJjLbV+khpYFzz93cdbPHCUlVfc0ChFisR+w==
-----END CERTIFICATE-----
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1629 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: E94511C7BB19BDB7E5309257B2C6BFFC53A61BC1B8DB37D3259940793EC04EFE
Session-ID-ctx:
Master-Key: 0A4AD681B128858C54E6477E4B403CDE781ACB2DD08B7DD17E636553A20FB90425AB4B47F6E43A7EC2EECA4C579F8167
Key-Arg : None
Start Time: 1307200661
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
closed
Use nessus scanning for Identifying weak ciphers.
Port 443
SSL certificate information
Country: –
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Issuer Name:
Country: –
State/Province: SomeState
Locality: SomeCity
Organization: SomeOrganization
Organization Unit: SomeOrganizationalUnit
Common Name: localhost.localdomain
Email Address: root@localhost.localdomain
Serial Number: 61 80
Version: 3
Signature Algorithm: SHA-1 With RSA Encryption
Not Valid Before: Sep 18 11:51:59 2008 GMT
Not Valid After: Sep 18 11:51:59 2009 GMT
Public Key Info:
Algorithm: RSA Encryption
Public Key: 00 A4 D4 6D 38 65 9A 9C 15 D2 86 BD F3 D3 91 EF DE 77 B0 80
3F 3F 7F E8 66 14 1F 56 64 91 5C E7 0E 81 A2 03 6A 0A F8 47
80 40 A3 83 53 D5 1D D4 71 68 ED C9 D4 76 2A 9B 2C 4E 32 FF
0E B8 C8 F9 B9 20 27 A4 66 BE 9F 29 2F 75 63 A8 57 A8 37 91
32 57 B4 6D 37 64 83 BC D8 1B 9E 1A DE 9D 54 FF ED 28 7A CA
24 DC 36 C2 CC 71 EA 60 4C 43 81 3A 23 C5 D9 4F 8F 56 87 03
11 EF C6 EE E2 1F F7 D8 3B
Exponent: 01 00 01
Signature: 00 1D C7 75 2F D2 B1 DB 99 B7 7D CD B8 B4 C2 23 7E 3B 48 79
A1 08 A3 53 2E 0A C3 03 5F AE 03 F5 17 5C 84 A8 F3 CE 9F 52
4F DF A2 8C A2 BB 04 03 EE E5 10 FD 66 7A 41 84 42 3C 32 11
63 B4 52 27 70 CA 13 27 88 B5 41 EB E1 02 84 39 61 6D 7A 1D
00 92 8E D6 77 FD 34 88 2A 73 2D 6E 75 BF 5B A2 EE E8 EB 43
D5 19 31 09 8C B6 D5 FA 48 69 60 5C F3 F7 77 1D 6C F1 C2 52
55 5F 73 40 A1 16 2B 11 FB
Extension: Subject Key Identifier (2.5.29.14)
Critical: 0
Subject Key Identifier: 41 B0 7C 6A 17 F4 2F 56 BD 43 C2 53 A6 D5 73 92 20 CE 88 F5
Extension: Authority Key Identifier (2.5.29.35)
Critical: 0
Extension: Basic Constraints (2.5.29.19)
Critical: 0
Data: 30 03 01 01 FF
2. DB Listener Testing
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a
tester serving as input to more impacting follow-on tests.
3. Infrastructure Configuration Management Testing
The intrinsic complexity of interconnected and heterogeneous web server infrastructure, which can count hundreds of web applications, makes configuration management and review a fundamental step in testing and deploying every single application. In fact it takes only a single vulnerability to undermine the security of the entire infrastructure, and even small
and (almost) unimportant problems may evolve into severe risks for another application on the same server. In order to address these problems, it is of utmost importance to perform an in-depth review of configuration and known security issues.
For collect information about configuration of the application.
I’m use mantra for looking server header :
Date: Sat, 04 Jun 2011 17:54:30 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
P3P: CP=”NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM”
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sat, 04 Jun 2011 17:54:31 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
4. Application Configuration Management Testing
Web applications hide some information that is usually not considered during the development or configuration of the application itself. This data can be discovered in the source code, in the log files or in the default error codes of the web servers. A correct approach to this topic is fundamental during a security assessment.
For collect information files and directories
you can use google hack about the robots.txt file for know the web directories.
User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/
5. Testing for File Extensions Handling
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.
root@bt:/pentest/web/nikto# ./nikto.pl -h akakom.ac.id
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 110.76.151.2
+ Target Hostname: akakom.ac.id
+ Target Port: 80
+ Start Time: 2011-06-06 13:23:31
---------------------------------------------------------------------------
+ Server: Apache
+ Root page / redirects to: http://www.akakom.ac.id/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ OSVDB-5737: WebLogic may reveal its internal IP or hostname in the Location header. The value is "http://www.akakom.ac.id/".
+ OSVDB-27071: /phpimageview.php?pic=javascript:alert(8754): PHP Image View 1.0 is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=search&query=[script]alert('Vulnerable);[/script]?query=: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-3931: /myphpnuke/links.php?op=MostPopular&ratenum=[script]alert(document.cookie);[/script]&ratetype=percent: myphpnuke is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?op=modload&name=FAQ&file=index&myfaq=yes&id_cat=1&categories=%3Cimg%20src=javascript:alert(9456);%3E&parent_id=0: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ /modules.php?letter=%22%3E%3Cimg%20src=javascript:alert(document.cookie);%3E&op=modload&name=Members_List&file=index: Post Nuke 0.7.2.3-Phoenix is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-4598: /members.asp?SF=%22;}alert('Vulnerable');function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ OSVDB-2946: /forum_members.asp?find=%22;}alert(9823);function%20x(){v%20=%22: Web Wiz Forums ver. 7.01 and below is vulnerable to Cross Site Scripting (XSS). http://www.cert.org/advisories/CA-2000-02.html.
+ 6448 items checked: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2011-06-06 13:23:54 (23 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
6. Old, Backup and Unreferenced Files
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.
7. Infrastructure and Application Admin Interfaces
Many applications use a common path for administrative interfaces which can be used to guess or brute force administrative passwords. This test tends to find admin interfaces and understand if it is possible to exploit it to access to admin functionality.
i’m can’t find application admin interfaces, but i’m find the login for database login interface from www.akakom.ac.id/phpmyadmin. And i’m try to tampering login page.
8. Testing for HTTP Methods and XST
In this test we check that the web server is not configured to allow potentially dangerous HTTP commands (methods) and that Cross Site Tracing (XST) is not possible.
Comments
Post a Comment