Audit "Black box"

In this article, I will offer you the “black box” audit technique that you can master without having special knowledge and apply it regarding your resources.

Naturally, the article can be translated into the technique of hacking resources. But to know how to protect - you need to know how to hack. Responsibility for the acquired knowledge you assume;)

And if you, as a developer, know at least some of the principles and techniques that hackers use - I think you will be a little calmer for them (resources) and the result of your activity will get a higher level
')
The article displays a baseline audit, keeping a low threshold for reading and understanding.

Resource summary

Before this block, you should refer to my previous article , since in it I have displayed very convenient and effective free tools that will help us.

Naturally, it all starts with a general analysis of the target resource. This will help us Nmap. One moment, it should be run from some external machine, and not locally. Most often, the firewall is configured to give access to everything from the local network, but correctly filters packets from outside. And we need an objective assessment.

nmap -A -T4 host

And we get something like

Starting Nmap 5.51 ( nmap.org ) at 2011-08-01 11:38 NOVST
Nmap scan report for host (12.34.56.78)
Host is up (0.020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http nginx 0.7.65
81/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
111/tcp open rpcbind 2 (rpc #100000)
443/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: 404 Not Found
8000/tcp open http Icecast streaming media server
|_http-title: Icecast Streaming Media Server
Service Info: OSs: Linux, Unix

While we are going to analyze the results of Nmap, you can run Nessus in parallel with the “Web app tests” policy. He will give us a similar summary, and at the same time he will check the sploity services on his base (IMHO, one of his priority “chips”, do not forget to update the base!). Why should we double check the same thing? As practice shows, sometimes Nmap can open services that no one of this kind of utilities can reveal.

And so, we immediately see the unconfigured firewall (81 is an obvious web-backend that is not closed). Installing software through a package manager ((Ubuntu) after service names. By the way, now we know that there is Ubuntu).
We also determined what was behind the web backend. But usually its version is revealed using https, and here it wasn’t necessary.

Regarding the line Not shown: 994 closed ports - by default, Nmap checks 1000 common ports on which services usually operate, for faster delivery of results. Found a port - minus 1 out of a thousand.

Forgive me, the guys from Positive Technologies , but here I’d also advised in parallel to launch XSpider, for example, version 7.7, which is generally available in cracked version (I apologize for that).

We will have its main goal - it is a check for common passwords (especially in the case of ftp). No, of course, there are still a lot of utilities for this, but we have an initial level of auditing, which implies the absence of dictionaries, skills and knowledge of such techniques. Yes, and maybe what XSpider itself will tell us is interesting (I would like to point out its very rare errors in the analysis)

The resource was “budded” both here and there. You can proceed to a more detailed "development" of the services available to us. If Nessus is still checking, then proceed to manual search for sploits. More or less relevant databases are:

• explot-db
• packet storm
• explot search
• securitylab

other. Usually, other sites are searching for exploits on neighboring sites, and almost before recursion, as in “Jumble”, who wrote off who:]

And here I will mark an important point. If it is written that an esploit is suitable for this version of the software that you are running, it is not a fact that it (the exploit) will work! It is possible that you have the version of the software that has already been patched.

Immediately we will connect the knowledge we have already received (from the previous article) on the use of Autopwn in Metasploit. It is especially useful if the version and / or name of the services could not be established.

I will not give the search results for exploits for our case, I simply describe the general analysis technique. And here Nessus should have finished, we will add its results (taking into account the subtlety of the approach to exploits) and at this the current stage in our version of the audit is over.

And so, what do we already have? General information about the system, running services, anonymous access / common passwords, exposure to exploits (which is in the public, do not forget about the underground;])
It is possible that at some of these stages the resource will already be compromised .

Web with its subtleties

More often, however, hacking occurs from this side. It is quite difficult to give any instructions here, since the situations here are very different. So just a general approach.
We start Acunetix, we connect Nikto, we wait for sad results. Close the hole that they found.

Audit scripts on the server

We check what is used on our server.
In the case of custom scripts - analyze the information that gave the scanners and try, try with pens! It all depends on your level.
The basic principle: the substitution of incoming data (such as $ _GET, $ _POST, $ _COOKIE ...) that they (according to the developer's idea) did not expect.
It all depends on your level, which you can improve on personal experience or by reading articles that are full of the Internet. A plus will be a developed deductive thinking.

What about third-party scripts?
We should determine their versions in order to find sploits for them (in the same bases that I cited above).

1. Usually the scripts output their version in footer. This is our moment, as auditors. It is necessary to remove the output version of the script, so that once you are not in the results of GHDB (Google Dorks, example )
2. More ways? For some reason, 99% of developers upload the folder / docs or similar to the server (human factor, ignorance, misunderstanding). Do you have phpbb? Or WordPress? And we will now have a little experience :)
   phpBB / docs / CHANGELOG.html
   wordpress / readme.html
   Voila, in 95% of cases we can find out the current version of the script.
3. Knowledge of the structure of the script and the difference in versions. Everything depends on your experience and knowledge, with the help of which you can analyze the script and understand which version is most likely used.

Check for floe. Here the situation is different than with the service software. Not so often that the exploit does not fit this version of the script, it is very rare that anyone patches the current one without being updated to the next.
But here is another point, sometimes registration is disabled, sometimes necessary bb codes are prohibited, everything is due to this particular situation, so you need to check everything manually. But as possible vulnerability it already takes place.

Not found sploitov, is the latest version of the script, you can calm down? NOT
Why do we manually test custom developer scripts, but do not do the same with popular scripts that have the latest version? It is necessary to get rid of stereotypes, and in particular - that they have already found everything for you, and you cannot be smarter or “luckier” than others.

What am I for? Not long ago, in my laboratory, I started analyzing PHPBB of the most recent version of it at the moment (3.0.9). Now I will give you one trick that will not give you privileges (unless in rare cases, the prefix of the tables), this is only an indicative moment

Profile -> Personal Settings -> General Settings
Date format field. We enter

  "" "" " 

we get
SQL ERROR [ mysqli ]
Data too long for column 'user_dateformat' at row 1 [1406]

The error is clear, the length of the incoming data is checked before applying htmlentities (), and the query is already going to the database with it, we get the corresponding result.

I told you this only in order to exclude from you the notion of the authority of scripts, resources, developers, etc.

Auditing is an important and not one-time thing. You need to at least be always aware of the release of exploits to public, so that later you don’t have to search for the last backup.

Conclusion

I considered here the scheme of the auditor’s work, combining it with the situation when you are checking yourself, this is where the “cross” situation and mixed pronouns go. I really hope that whoever decides to use this knowledge and finds something on a third-party resource, chooses the WhiteHat side and informs the administrator of the resource about everything. Since the responsibility is now all on you.

I also started writing about the “white box”, but decided to remove it, and so the article came out pretty big.
If anyone has anything to supplement the “black box” audit, please write in the comments, and not express your dissatisfaction because of a couple of missed moments minus the article. And remember, these are just the basics of auditing, with hooks for subtle points. More professional audit involves the use of special local proxy servers that will replace the data we need and other tools. Well, some specific techniques and checks for vulnerabilities or denial of service.

Series:

• Overview of free tools for auditing web-resources and not only
• Audit "Black box"
• Likbez on vulnerabilities in web applications, as well as the most frequent mistakes of developers
• Overview of free tools for pentest web-resources and not only v2