website security assessment
to properly assess the security of a website it is necessary to gather as much
information as possible about the system and its environment. firstly we'll set
footprinting
footprinting is the process of discovering information about the organisation
and the network where the web server is located. footprinting uses publicly
accessible information and utilities that would not alert a vigilant network
administrator. a suitable analogy would be a burglar viewing a house from the
road.
from the url supplied we started with the domain name: acme-widgets.co.uk. by
pinging the name www.acme-widgets.co.uk we get the ip address 10.0.0.21.
dns queries
queries is to discover the machine names, and their associated ip addresses,
used by the target organisation.
dns queries can reveal information about the organisation such as internal
system names, ip addresses and types; contact details; and network topology.
publicly available dns should only list the minimum details of systems that are
publicly accessible.
a query for acme-widgets.co.uk using dns reveals the following:
service                 name                       ip address
domain name servers     ns1.isp.net                172.16.32.35
                        ns2.isp.net                172.16.32.37
mail exchange servers   mail.acme-components.com   14.168.200.25
other servers           www.acme-widgets.co.uk     10.0.0.21
                        dev.acme-widgets.co.uk     192.168.200.5
the above information provides details of the isp and the email server that has
a domain name different from acme-widgets.co.uk and may be on a separate
network. also listed are the web server and another server named dev on a
separate network.
the mail server name and ip address indicate that acme widgets ltd is part of a
group of companies and that another company within the group handles email. this
would represent another potential avenue of attack against acme.
subsequent work has shown that the server dev.acme-widgets.co.uk no longer
exists. however, the listed ip address is an internal address that should not be
accessible from the internet. records for internal servers should only be listed
on internal dns servers.
whois query
whois is a database system listing information about the registrant of a domain
name. information submitted should include only the minimum detail necessary.
the registrant information for acme-widgets.co.uk is:
acme widgets ltd
123 web way
aldermaston
rg12 3ab
berkshire
great britain (uk)
registered on 20th june 2000
registered by isp.net
this gives us the company name and address. it also confirms the isp acme uses.
ripe query
ripe is the organisation that maintains the database of ip address allocations
for europe. a query will show the address space allocated to an organisation.
the information provided should be the minimum necessary. it is good practice to
use job titles, such as hostmaster instead of the names of individuals.
the person the addresses were allocated to was:
dave mann
acme widgets ltd
99 acacia avenue
reading
rg3 4yz
berkshire
+44 118 111 9898
the above information gives us the range of ip addresses that acme will use for
systems accessible over the internet, acme's previous address and a name.
usenet search
usenet is a vast collection of newsgroups, each devoted to a particular subject.
text, similar to an email, is posted to one or more groups; replies are posted
under the same heading, forming a thread.
a search of usenet can reveal contact details
questions regarding problems with applications, operating systems, etc.
posts to usenet should be done from a non-organisation related account and
should not reveal internal details.
a search of usenet for acme-widgets.co.uk found references to a request for
help in installing a software package to a windows nt server named acme1.
web meta search
the majority of web pages published on the internet are included in one or more
of the large search engines, such as yahoo, lycos and google. a meta search will
query the major search engines and extract information pertaining to the search
criteria entered.
most of the information has been gathered by spiders (also known as crawlers
search engine database for indexing, and then follows all the links from that
page, reading each subsequent page as it goes.
an organisation's personnel should never include their corporate smtp email
address within a web page or web submission.
a meta search for acme widgets failed to find any information beyond that stated
above.
ip scanning
having identified information about the acme network during the footprinting
stage, it is now necessary to delve a little deeper by probing the network
itself. using our burglar analogy of earlier, we are now going to ring the
doorbell to see if anyone is in.
ping
with the ip address range identified by the ripe query above, it is now possible
to ascertain which ip addresses are allocated to systems accessible over the
internet.
ping is a utility to check network connectivity. it sends a request to an ip
address requiring a response. a ping scan was run against the ip address range.
the addresses that responded are shown in the following table:
address      name
10.0.0.2     unknown
10.0.0.21    www.acme-widgets.co.uk
it is useful to note that no response to a ping scan does not mean nothing is
there. ping scans can be blocked by a firewall or other gateway device.
traceroute
having identified the web server, the traceroute utility is used to determine the
path to the system. this utility traverses the internet to the target,
requesting each hop to report back to the source its ip address, name and the
trace complete.
the information returned shows the isp is isp.net and there is a system,
10.0.0.2, within the ip address range returned by the ripe query one hop before
the web server. as this system did not respond with a name it may be a firewall
or other gateway device.
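as an added example (not part of the original assessment), the script below parses constructed traceroute output matching the path described above and draws the same two conclusions mechanically: the transit provider is the domain of the last named hop before the organisation's range, and an unnamed hop inside that range just ahead of the target is the likely firewall or gateway. the ripe allocation 10.0.0.0/24 is an assumption, as the page does not state the prefix.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional

class Hop(NamedTuple):
    ttl: int
    name: Optional[str]  # None when the hop returned no reverse name
    addr: str
# Matches "4  10.0.0.2 (10.0.0.2)  14.7 ms"; traceroute repeats the address when no name exists.
HOP_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\d+(?:\.\d+){3})\)")

# Constructed traceroute output (not captured from a real host) reproducing the path
# the text describes: ISP hops, an unnamed 10.0.0.2, then the web server.
TRACE = """\
traceroute to www.acme-widgets.co.uk (10.0.0.21), 30 hops max, 60 byte packets
 1  gw.example.net (192.0.2.1)  1.2 ms  1.1 ms  1.3 ms
 2  core1.isp.net (203.0.113.9)  8.4 ms  8.2 ms  8.9 ms
 3  bdr2.isp.net (203.0.113.22)  9.1 ms  9.0 ms  9.4 ms
 4  10.0.0.2 (10.0.0.2)  14.7 ms  14.9 ms  14.6 ms
 5  www.acme-widgets.co.uk (10.0.0.21)  15.3 ms  15.1 ms  15.4 ms
"""
# Assumed RIPE allocation for the organisation; the page does not state the prefix.
ALLOCATED = ipaddress.ip_network("10.0.0.0/24")

def parse_traceroute(text: str) -> List[Hop]:
    """Turn traceroute output into Hop records (timed-out '* * *' hops are skipped)."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            ttl, name, addr = int(m.group(1)), m.group(2), m.group(3)
            hops.append(Hop(ttl, None if name == addr else name, addr))
    return hops

def in_allocation(hop: Hop) -> bool:
    return ipaddress.ip_address(hop.addr) in ALLOCATED

def transit_provider(hops: List[Hop]) -> Optional[str]:
    """Domain of the last named hop before the path enters the organisation's range."""
    provider = None
    for hop in hops:
        if in_allocation(hop):
            break
        if hop.name and "." in hop.name:
            provider = hop.name.split(".", 1)[1]
    return provider

def gateway_candidates(hops: List[Hop]) -> List[str]:
    """Unnamed hops inside the allocation ahead of the target: likely firewall or gateway."""
    return [h.addr for h in hops[:-1] if in_allocation(h) and h.name is None]
```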
port scan
internet communication is conducted by using ip addresses that uniquely identify
a system, and ports, used for applications to communicate.
a port scan identifies open ports on a system. the open ports will allow an
attacker to determine the applications running and even what operating system is
installed, thus tuning their attack for maximum effect.
were:
port      state   service
80/tcp    open    http
443/tcp   open    https
port 80 is for http traffic to a web server, port 443 is for secure http
traffic. as it is extremely unlikely these are the only ports open on a system,
it would be correct to conclude
web server is behind a firewall.
conclusion
publicly available information can be a rich source of data for an attacker.
information on acme is sparse, but there is a member of acme's personnel listed,
a ddi phone number, an internal server name and ip address, a firewall ip
address and the nt name of a server; this is information that could assist an
attacker.
website hacking
this exercise uses a number of methods that would be employed in a real attack.
firstly we'll take a look at acme's website. by connecting to the ip address
instead of the name and seeing what is returned we can see whether this is a
virtual web server. if it was a different page or no page at all would be