HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 53 guests and 2 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Network Pen Testingarrow The Value of an External Network Penetration Test
EH-Net
May 24, 2013, 06:31:08 AM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: The Value of an External Network Penetration Test  (Read 3218 times)
0 Members and 1 Guest are viewing this topic.
T_Bone
Full Member
***
Offline Offline

Posts: 199


View Profile
« on: November 24, 2010, 11:22:08 AM »
The Value of an External Network Penetration Test

So, in my short lived career of a penetration tester, I have performed around 4 external security assessments.  Each assessment consisted of a scope of less than 20 public IP addresses, to which brute force and denial of services attacks were not permitted.  On each occassion 1 or more of the following services are identified in during a full TCP and UDP Port scan.

21,22
23
25
53
80
443
1723
8080

Taking away ports 80, 443 and 8080 where dependant on whether there is a website available publically and not secured so that only particular IP addresses can connect to it I often find that the assessment is not very fruitful.

So what testing do I perform? Well on an FTP service I will check to see if anonymous access is permitted, weak credentials are in use (without running hydra to bruteforce as apparently this is not permitted??), grab banner and check for vulnerabilities in software, on most ocassions I pretty much can only report on the fact that FTP is clear text! Am I missing something or is this how all external network penetration tests are?
Logged
MaXe
Hero Member
*****
Offline Offline

Posts: 669


I've just upgraded myself to a cyborg muahahaa!!1


View Profile WWW
« Reply #1 on: November 24, 2010, 12:23:10 PM »
Depending on which web application they are using on port 80, 443 and perhaps 8080, (and even alternative ports), try to replicate their setup as much as possible especially including addons. Then begin auditing / pentesting those addons locally and try to locate / find vulnerabilities in those, then if you're permitted, check if they work on the target site.

Furthermore, you can also try to replicate the software they use and fuzz that and hope you may find a 0day within that, simply by fuzzing the hell out of those services in a smart way of course.

Also, check how many vulnerabilities has been previously been found within the products / software and web applications they use, what kind of vulnerabilities are the most common to be found within these, and so forth. Your chances of finding a similar vulnerability is high in case the same type of vulnerability "respawns" within certain versions when new features are implemented.

For instance, Persistent and Non-Persistent Cross-Site Scripting vulnerabilities are quite common to be found within vBulletin, compared to SQL Injection, Local and Remote File Inclusion and especially Remote Code Execution. So if you had to pentest vBulletin, then your best bet would be Cross-Site Scripting.

There's a blog here, about a 0day found within vBulletin recently:
http://www.exploit-db.com/vbulletin-a-journey-into-0day-exploitation/

It was found by mistake, while I was doing some voluntary administrative work for another site, and after confirming the vulnerability I used a few days to research and develop a working exploit.

If the target is using custom coded software on their server it is harder to develop an exploit for of course, but if they're using a Web Application, then the possibility of a vulnerability existing is increasing on a major scale. Especially due to insufficient time for the developers to either code secure applications or learn how to do that, and of course, implementation issues  Smiley
Logged
I'm an InterN0T'er
H1t M0nk3y
Hero Member
*****
Offline Offline

Posts: 865



View Profile
« Reply #2 on: November 24, 2010, 01:02:59 PM »
Were these "Black Box" tests? Did you have access to their facilities? Because if you do have access, you may be able to run brute force attacks on their QA servers during a weekend (or something similar). In addition, being able to do a configuration review on the server always reveals little useful things.

Also, why do they need Telnet open on an external server? Maybe there is a special business need for that, but more likely than not, people could easily use SSH. And like you pointed yourself, why use FTP?

You can also test the NIDS, trying a slow and more stealthy scan. Check firewall rules, propose little improvements here and there!

Another good trick is to ask them up front what they are the most afraid of and spend more time on these things (or at least, made them obvious in the report).

I believe that, as pentesters, if we show our clients that we have looked at "everything" and we are proposing many subtle changes to their environment, then they will know we are professionals and we did look closely at their environment. Even if we didn't find a single big vulnerability, we can still provide good value...

And MaXe is right, only once I didn't find a vulnerability in a custom web application. So check them closely!!
Logged
OSCP, GPEN, GWAPT, GSEC, CEH, CISSP
chrisj
Hero Member
*****
Offline Offline

Posts: 1163


View Profile WWW
« Reply #3 on: November 24, 2010, 01:14:36 PM »
We sadly use FTP for some things here. Even though there is an SFTP box (same box actually) set up.

Our biggest issue is our customers not being able to get THEIR IT people to install the tool (we recommend filezilla) they need AND open the ports for ssh. In fact the majority of the customers access our FTP servers via web browsers.

that reminds me. I should test something I've been wondering about.
Logged
OSWP, Sec+
T_Bone
Full Member
***
Offline Offline

Posts: 199


View Profile
« Reply #4 on: November 24, 2010, 04:17:49 PM »
Hi Guys

Thanks for the responses but think maybe I should have explained myself a little better.  So staying away from ports 80, 443, 8080 and any other websites running on non standard ports (as I tend to always have some success attacking a web app/webserver).  I wanted to know whether I was missing something when attacking those other services in which i found commonly available during my external network tests i.e 21,22,23,25,53,1723 other than what I mentioned.  Obviously I would check the other services in a slightly different manner to ftp i.e 25 for mail relay, enumerating users using HELO, EXPN, VRFY etc etc but just wanted to know whether external tests always tend to be fairly boring..

@H1t M0nk3y  - They were blackbox tests and didnt have access to their facilities.
Logged
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.103 seconds with 22 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Advertisement

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.