
ECSA/LPT
Module XVIII
EC-Council
External Penetration Testing
Penetration Testing Roadmap

The roadmap is drawn as a flowchart; reading it in flow order:

Start Here
• Information Gathering
• Vulnerability Analysis
• External Penetration Testing
• Internal Network Penetration Testing
• Router and Switches Penetration Testing
• Firewall Penetration Testing
• IDS Penetration Testing
• Wireless Network Penetration Testing
• Denial of Service Penetration Testing
• Password Cracking Penetration Testing
• Social Engineering Penetration Testing
• Stolen Laptop, PDAs and Cell Phones Penetration Testing
• Application Penetration Testing
(cont'd)

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Penetration Testing Roadmap (cont'd)
• Physical Security Penetration Testing
• Database Penetration Testing
• VoIP Penetration Testing
• War Dialing
• VPN Penetration Testing
• Virus and Trojan Detection
• Log File Management Penetration Testing
• Integrity Checking Penetration Testing
• Blue Tooth and Hand held Device Penetration Testing
• Email Security Penetration Testing
• Security Patches Penetration Testing
• Data Leakage Penetration Testing
• Telecommunication and Broadband Communication Penetration Testing
End Here
External Intrusion Test and Analysis

An external intrusion test and analysis identifies the security weaknesses and strengths of the client's systems and networks as they appear from outside the client's security perimeter, usually from the Internet.

The goal of an external intrusion test and analysis is to demonstrate the existence of known vulnerabilities that could be exploited by an external attacker.
How is it Done?

• Gather externally accessible configuration information
• Scan the client's external network gateways to identify services and topology
• Scan the client's Internet servers for ports and services vulnerable to attack
• Attempt intrusion of vulnerable internal systems
Client Benefits

External penetration testing allows the client to anticipate external attacks that might cause security breaches and to proactively reduce risks to its information, systems, and networks.

This proactive approach improves the security of the client's networked resources.

External penetration testing can provide solutions for improving e-business and e-commerce operations, with increased confidence in their ability to protect valuable data, resources, and reputation.
External Penetration Testing

Steps – Conduct External Penetration Testing

1 • Inventory the company's external infrastructure
2 • Create a topological map of the network
3 • Identify the IP addresses of the targets
4 • Locate the traffic route that goes to the web servers
5 • Locate the TCP traffic path to the destination
6 • Locate the UDP traffic path to the destination
7 • Identify the physical location of the target servers
8 • Examine the use of IPv6 at the remote location
9 • Look up the domain registry for IP information
Steps – Conduct External Penetration Testing (cont'd)

10 • Find IP block information about the target
11 • Locate the ISP servicing the client
12 • List open ports
13 • List closed ports
14 • List suspicious ports that are half open/closed
15 • Port scan every port (65,536) on the target's network
16 • Use a SYN scan on the target and see the response
17 • Use a connect scan on the target and see the response
18 • Use an XMAS scan on the target and see the response
Steps – Conduct External Penetration Testing (cont'd)

19 • Use a FIN scan on the target and see the response
20 • Use a NULL scan on the target and see the response
21 • Firewalk the router's gateway and infer the access list
22 • Examine TCP sequence number prediction
23 • Examine the use of standard and non-standard protocols
24 • Examine IPID sequence number prediction
25 • Examine the system uptime of the target
26 • Examine the operating system used for the different targets
27 • Examine the patches applied to the operating system
28 • Locate the DNS records of the domain and attempt DNS hijacking
Steps – Conduct External Penetration Testing (cont'd)

29 • Download applications from the company's website and reverse engineer the binary code
30 • List the programming languages and application software used to create the various programs on the target server
31 • Look for error and custom web pages
32 • Guess different sub-domain names and analyze the different responses
33 • Examine the session variables
34 • Examine cookies generated by the server
35 • Examine the access controls used in the web applications
Steps – Conduct External Penetration Testing (cont'd)

36 • Brute force URL injections and session tokens
37 • Check for directory consistency and the page naming syntax of the web pages
38 • Look for sensitive information in web page source code
39 • Attempt URL encodings on the web pages
40 • Try buffer overflow attempts at input fields
41 • Try Cross Site Scripting (XSS) techniques
42 • Record and replay the traffic to the target web server and note the response
43 • Try various SQL injection techniques
Steps – Conduct External Penetration Testing (cont'd)

44 • Examine hidden fields
45 • Examine e-commerce and payment gateways handled by the web server
46 • Examine welcome messages, error messages, and debug messages
47 • Probe the service by SMTP mail bouncing
48 • Grab the banner of HTTP servers
49 • Grab the banner of SMTP servers
50 • Grab the banner of POP3 servers
51 • Grab the banner of FTP servers
52 • Identify the web extensions used at the server
Steps – Conduct External Penetration Testing (cont'd)

53 • Try to use an HTTPS tunnel to encapsulate traffic
54 • OS fingerprint target servers
55 • Check for ICMP responses (type 3, destination unreachable; code 3 is port unreachable)
56 • Check for ICMP responses (type 8, echo request)
57 • Check for ICMP responses (type 13, timestamp request)
58 • Check for ICMP responses (type 15, information request)
59 • Check for ICMP responses (type 17, address mask request)
60 • Check for ICMP responses from the broadcast address
61 • Port scan DNS servers (TCP/UDP 53)
62 • Port scan TFTP servers (UDP port 69)
Steps – Conduct External Penetration Testing (cont'd)

63 • Test for NTP ports (UDP port 123)
64 • Test for SNMP ports (UDP port 161)
65 • Test for Telnet ports (port 23)
66 • Test for LDAP ports (port 389)
67 • Test for NetBIOS/SMB ports (ports 135-139, 445)
68 • Test for SQL Server ports (TCP 1433, UDP 1434)
69 • Test for Citrix ICA ports (port 1494)
70 • Test for Oracle ports (port 1521)
71 • Test for NFS ports (port 2049)
72 • Test for Compaq/HP Insight Manager ports (ports 2301, 2381)
Steps – Conduct External Penetration Testing (cont'd)

73 • Test for Remote Desktop ports (port 3389)
74 • Test for Sybase ports (port 5000)
75 • Test for SIP ports (port 5060)
76 • Test for VNC ports (ports 5900/5800)
77 • Test for X11 ports (port 6000)
78 • Test for JetDirect ports (port 9100)
79 • Port scan FTP data (port 20)
80 • Port scan web servers (port 80)
81 • Port scan SSL servers (port 443)
82 • Port scan Kerberos/Active Directory (TCP/UDP port 88)
83 • Port scan SSH servers (port 22)
Step 1: Inventory Company's External Infrastructure

Locate all the external resources of the target's networks.

Look for the following:
• Server locations in cities
• Partners
• Links
• Vendors

Create an inventory list with a map.
Step 2: Create Topological Map of the
Network

Draw a topological diagram of the external IT infrastructure.

The drawing must contain the following:

• Servers.
• Connection to ISP.
• Infrastructure used.
• How they are networked to other systems:
• Customers.
• Partners.

Step 3: Identify the IP Address

Identify the IP addresses of the target network's:
• Mail servers
• Web servers
• DNS servers
• Proxy servers, etc.

Tools:
• NeoTrace
• IP Address 2 Country
• IP Prober
Step 4: Locate the Traffic Route that Goes to the Web Servers

The network's topological map (or matrix) can be manually verified by logging into each device on the network (where access is available) and using built-in operating system commands such as tracert (Windows) or traceroute (Unix).

These commands show the path taken by a packet as it traverses the network (hopping from device to device) to its ultimate destination. Windows tracert sends ICMP echo requests with an increasing TTL; Unix traceroute sends UDP probes by default (ICMP with -I, TCP with -T on Linux). A hop that shows only * * * is either a device that does not return ICMP time-exceeded or a filter dropping the probe type in use, so compare the ICMP, UDP and TCP variants before concluding that a hop is missing.

C:\>tracert xweb.xsecurity.com

Tracing route to xweb.xsecurity.com [10.2.34.5]
over a maximum of 30 hops:

  1    69 ms    27 ms    14 ms  xboy.xsecurity.com [10.2.34.5]
  2    28 ms   <10 ms    14 ms  10.2.34.4
  3    41 ms    27 ms    14 ms  xweb.xsecurity.com [10.2.34.5]

Trace complete.
Step 5/6: Locate TCP/UDP Traffic Path to the Destination

TCP/UDP trace tools:
• IGI
• pathChirp
• Pathload
• Pathrate
• tulip
• Tcptrace
• Netperf
• Scriptroute

Most of these measure path capacity and available bandwidth rather than trace the route a particular port takes. For the path itself, tcptraceroute and nmap --traceroute send TCP probes to the real service port, which also shows the hop at which a firewall starts dropping that port.
Step 7: Identify the Physical Location of the Target Servers

Use tools such as NeoTrace (or a geolocation database for the IP block) to identify the physical location of the target servers.

Step 8: Examine the Use of IPv6 at the Remote Location

Verify whether the target servers are using the IPv6 protocol: query for AAAA records and scan any IPv6 addresses found separately, since filtering rules are often written for IPv4 only.

Tools:
• 46Bouncer
Step 9: Lookup Domain Registry for IP Information

• Locate DNS servers
• Attempt DNS zone transfers (AXFR against each authoritative server; a successful transfer lists every host in the zone)
• Look for primary and secondary servers

Tools:
All-Nettools.Com: network tools including Whois, Traceroute and ping.
Completewhois: Whois engine providing information on domain ownership and IP address.
DNS Report: comprehensive report of NS records at nameservers, SOA record, MX, Mail, and www records.
DNS Utilities Online: detailed domain and network information including specific queries of domain records.
DNSstuff: Whois and DNS lookup, trace route, ping, spam database lookup.
Global whois utility: global domain ownership information.
Whois search - America: reverse DNS lookup for the American Registry for Internet Numbers (ARIN).
Whois search - Asia Pacific: reverse DNS lookup for the Asia Pacific Network Information Center (APNIC).
Whois search - Europe: reverse DNS lookup for Europe, the Middle East and North Africa (RIPE).
Whois search - Latin America: Latin American and Caribbean Internet Addresses Registry (LACNIC).
WHOIS search for .il domain names: Israel Internet Society (.il) domain name registry.
Step 10: Find IP Block Information about the Target

Locate the IP block owned by the company.

Tools:
• SAM SPADE
• ARIN DATABASE
Step 11: Locate the ISP Servicing the Client

Look for the following:
• Name of the ISP
• Pricing plans
• Services provided
• Which other companies are assigned IP addresses from the same block
• Call the ISP and ask for the default equipment (hardware) delivered if you sign up for a plan similar to the one used by the target company
Step 12: List Open Ports

Look for the following open ports:

7 Echo
13 Daytime
17 Quote of the Day (QOTD)
20 and 21 File Transfer Protocol (FTP)
22 Secure Shell (SSH)
23 Telnet
25 SMTP
43 Whois
53 Domain Name System (DNS)
66 SQL*Net (Oracle; current Oracle listeners use 1521, see step 70)
70 Gopher
79 Finger
80 HTTP
88 Kerberos
101 Host Name Server
109 Post Office Protocol 2 (POP2)
110 Post Office Protocol 3 (POP3)
113 IDENT
115 Simple File Transfer Protocol (the old SFTP, not the SSH file transfer subsystem on port 22)
137, 138, and 139 NetBIOS
143 Internet Message Access Protocol (IMAP)
161 and 162 Simple Network Management Protocol (SNMP)
194 Internet Relay Chat (IRC)
443 HTTP over TLS/SSL (HTTPS)

Tools:
• SuperScan
• NetScan Tools Pro
• Nmap

Open Ports on Web Server (figure): the screenshot shows ports 21, 23, 53, 80 and 443 open.
Step 13: List Closed Ports

A closed port is one on which no service is listening but which the host still answers for: a TCP probe to a closed port is answered with a RST, and a UDP probe with an ICMP port unreachable (type 3, code 3). That reply is the "this port is closed" acknowledgment. It tells the tester that the host is up and that the packet reached it unfiltered, which is useful information in itself.
Port Scanning Tools

Cerberus Internet Scanner (formerly NTInfoScan or NTIS) www.cerberus-infosec.co.uk
CyberCop Scanner www.nai.com
Firewalk www.packetfactory.net
HackerShield www.bindview.com
Hostscan www.savant-software.com
Internet Scanner www.iss.net
IpEye/WUPS www.ntsecurity.nu
Nessus www.nessus.org
Netcat www.atstake.com
Netcop www.cotse.com
NetScan Tools www.nwpsw.com
Nmap www.insecure.org
NmapNT www.eeye.com
SAINT/SATAN www.wwdsi.com
SARA www.www-arc.com
Scanport www.dataset.fr
Strobe www.freebsd.org
SuperScan/Fscan www.foundstone.com
Twwwscan www.search.iland.co.kr
Whisker www.wiretrip.net
Winscan www.prosolve.com
Step 14: List Suspicious Ports that are Half Open/Closed

Look out for "stealth" (filtered) ports: a stealth port generates no acknowledgement of any kind from the target machine, because a firewall or host filter silently drops the probe.

This lack of acknowledgement forces the requesting machine to wait until its own internal time-out gives up on a reply.

The advantage of a stealth port over a closed port, from the defender's side, is that the intruder's probing is slowed down. From the tester's side, a port that answers with neither SYN/ACK nor RST should be recorded as filtered rather than closed, and the filtering device noted for the firewalk step.
Step 15: Port Scan Every Port (65,536) on the Target's Network

Scan all 65,536 ports (0 through 65535), including the ports commonly used by Trojans. Note that Nmap's default scan covers only the 1,000 most common ports; -p- selects all of them.

This scan is tedious and can take a long time.

Carry out the complete scan in stages, for example scanning 50 ports per hour, so that the scan stays below rate-based alarm thresholds; Nmap's -T timing templates control the rate.
Step 16: Use SYN Scan on the Target and See the Response

The SYN scan, also called the "half open" scan, determines a port's state without completing a full connection to the host: the scanner sends a SYN, reads the SYN/ACK (open) or RST (closed) that comes back, and then sends a RST instead of the final ACK of the handshake.

Because the handshake is never completed, many systems do not log the attempt and discard it as a communications error.

You must first understand the three-way handshake (SYN, SYN/ACK, ACK) to understand the SYN scan. In Nmap this is -sS, which requires raw-socket (root or administrator) privileges.
Step 17: Use Connect Scan on the Target and See the Response

Use the Nmap connect scan option (-sT) and examine the response returned by the server. A connect scan completes the full three-way handshake through the operating system's connect() call, so it needs no special privileges, but the completed connections are visible in the target's service logs.
Step 18: Use XMAS Scan on the Target and See the Response

Computer A (192.5.5.92) probes Computer B (192.5.5.110):

Xmas scan directed at open port:
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23

Xmas scan directed at closed port:
192.5.5.92:4031 -----------FIN/URG/PSH----------->192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK-------------192.5.5.110:23

Note:
• The Xmas scan only works if the target OS's TCP/IP implementation follows RFC 793, which says a closed port answers any segment without RST with a RST, while a listening port silently drops a segment that carries neither SYN, ACK nor RST.
• Silence is ambiguous: a filtering device dropping the probe looks the same as an open port, so the scanner can only report "open|filtered".
• The Xmas scan will not work against any current version of Microsoft Windows.
• Xmas scans directed at a Microsoft system will show all ports on the host as being closed, because Windows answers these probes with RST regardless of port state.
Step 19: Use FIN Scan on the Target and See the Response

Computer A (192.5.5.92) probes Computer B (192.5.5.110):

FIN scan directed at open port:
192.5.5.92:4031 -----------FIN----------------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE----------192.5.5.110:23

FIN scan directed at closed port:
192.5.5.92:4031 -------------FIN--------------->192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK-----------192.5.5.110:23

Note:
• The FIN scan only works if the target OS's TCP/IP implementation follows RFC 793 (closed port: RST; listening port: silent drop), and, as with the Xmas scan, no response can also mean the probe was filtered.
• The FIN scan will not work against any current version of Microsoft Windows.
• FIN scans directed at a Microsoft system will show all ports on the host as being closed.
Step 20: Use NULL Scan on the Target and See the Response

Computer A (192.5.5.92) probes Computer B (192.5.5.110):

NULL scan directed at open port:
192.5.5.92:4031 -----------NO FLAGS SET---------->192.5.5.110:23
192.5.5.92:4031 <----------NO RESPONSE------------192.5.5.110:23

NULL scan directed at closed port:
192.5.5.92:4031 -------------NO FLAGS SET-------->192.5.5.110:23
192.5.5.92:4031 <-------------RST/ACK-------------192.5.5.110:23

Note:
• The NULL scan only works if the target OS's TCP/IP implementation follows RFC 793 (closed port: RST; listening port: silent drop), and, as with the Xmas scan, no response can also mean the probe was filtered.
• The NULL scan will not work against any current version of Microsoft Windows.
• NULL scans directed at a Microsoft system will show all ports on the host as being closed.
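The SYN, Xmas, FIN and NULL scans above all depend on the same RFC 793 rule, and a scanner's job is to turn the target's silence or RST into a port state. The following is an added example, not part of the EC-Council material: it builds the 20-byte TCP header each scan type sends (with a valid checksum, ready for a raw socket), models how an RFC 793 stack and a Windows stack answer a probe, and classifies the reply the way a scanner does, so the "open|filtered" ambiguity and the all-ports-closed result on Windows can be seen without a network. The addresses and ports are the ones in the diagrams; the reply models are deliberately simplified (no ICMP unreachables, no intermediate firewall).

```python
import socket
import struct

# TCP control bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Flag combinations used by the scan types discussed above
SCAN_FLAGS = {"syn": SYN, "fin": FIN, "xmas": FIN | PSH | URG, "null": 0}


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_probe(src_ip, dst_ip, src_port, dst_port, flags, seq=0, window=1024) -> bytes:
    """20-byte TCP header (no options, no payload) with its checksum filled in."""
    offset_byte = 5 << 4                      # header length: 5 x 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, 0,
                         offset_byte, flags, window, 0, 0)
    csum = checksum(pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def probe_flags(segment: bytes) -> int:
    """The control bits live in byte 13 of the TCP header."""
    return segment[13]


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """With the checksum in place the one's-complement sum is 0xFFFF, so ~sum == 0."""
    return checksum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def rfc793_reply(port_open: bool, flags: int):
    """Reply of a compliant stack to a segment that matches no connection
    (RFC 793 'SEGMENT ARRIVES', CLOSED and LISTEN states)."""
    if flags & RST:
        return None                  # a RST is never answered
    if not port_open:
        return RST | ACK             # CLOSED: everything else gets a RST
    if flags & SYN:
        return SYN | ACK             # LISTEN: a SYN starts the handshake
    if flags & ACK:
        return RST                   # LISTEN: a stray ACK is reset
    return None                      # LISTEN: FIN/NULL/Xmas are dropped silently


def windows_reply(port_open: bool, flags: int):
    """Windows (and some other stacks) reset every non-SYN probe whatever the
    port state, which is why FIN/NULL/Xmas scans show every port closed."""
    if flags & SYN:
        return SYN | ACK if port_open else RST | ACK
    return RST | ACK


def classify(scan: str, reply) -> str:
    """Port state a scanner reports for the reply it saw."""
    if scan == "syn":
        if reply is None:
            return "filtered"
        return "open" if reply & SYN else "closed"
    if reply is not None and reply & RST:
        return "closed"
    return "open|filtered"           # silence: open port, or dropped by a filter


if __name__ == "__main__":
    for scan in ("syn", "fin", "xmas", "null"):
        seg = build_probe("192.5.5.92", "192.5.5.110", 4031, 23, SCAN_FLAGS[scan])
        print(f"{scan:4s} flags={probe_flags(seg):#04x}",
              "rfc793 open:", classify(scan, rfc793_reply(True, SCAN_FLAGS[scan])),
              "rfc793 closed:", classify(scan, rfc793_reply(False, SCAN_FLAGS[scan])),
              "windows open:", classify(scan, windows_reply(True, SCAN_FLAGS[scan])))
```

Running it prints one line per scan type; the FIN/Xmas/NULL rows show "open|filtered" against an RFC 793 stack and "closed" against the Windows model for the same open port, which is the result the notes above warn about. Sending the segment for real needs an IP header in front of it and a raw socket (Nmap does exactly this for -sS, -sF, -sX and -sN).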
Use Fragmentation Scanning and Examine the Response

Instead of sending the probe packet whole, break it into a couple of small IP fragments.

Splitting the TCP header over several packets makes it harder for packet filters and intrusion detection systems that do not reassemble fragments to see what you are doing.

Nmap's -f switch instructs the specified SYN or FIN scan to use tiny fragmented packets (8 bytes of data per fragment; -ff uses 16). Modern firewalls and IDSs commonly reassemble fragments before inspection, and some hosts drop fragmented probes outright, so compare the results with an unfragmented scan of the same ports.
Step 21: Firewalk on the Router's Gateway and Guess the Access-List

Firewalk is an active reconnaissance network security tool that attempts to determine which layer 4 protocols (TCP/UDP ports) a given IP forwarding device will pass.

Firewalk works by sending out TCP or UDP packets with a TTL one greater than the hop count to the targeted gateway.

If the gateway allows the traffic, it forwards the packets to the next hop, where they expire and elicit an ICMP_TIME_EXCEEDED message.

If the gateway does not allow the traffic, it most likely drops the packets on the floor and we see no response.

From the pattern of answered and unanswered ports the tester reconstructs the gateway's access list. A ramping phase first establishes the hop count to the gateway; a device that does not decrement the TTL, or a filter that blocks the returning ICMP time-exceeded messages, defeats the technique.
Step 22: Examine TCP Sequence Number Prediction

Use tools like Nmap to predict the sequence numbers generated by the targeted server.

This information can be used for session hijacking techniques: an attacker who can guess the initial sequence number a server will use next can spoof a connection, or inject into an existing one, without seeing the traffic. Nmap's -O output reports the ISN generation class and a difficulty index. A class such as "random positive increments" with a high difficulty (here 14168, "Worthy challenge") means blind prediction is impractical; a "constant" or "64K rule" class with a "Trivial joke" difficulty is the real finding.

C:\> nmapnt -O -p 130-140 10.0.0.1

Starting nmapNT V. 2.53 by ryan@eEye.com
eEye Digital Security ( http://www.eEye.com )
based on nmap by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on baseman.xsecurity.com (10.0.0.1):
(The 9 ports scanned but not shown below are in state: closed)
Port       State       Service
135/tcp    open        unknown
139/tcp    open        unknown

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=14168 (Worthy challenge)
Remote operating system guess: Windows 2000 RC1 through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 10 seconds
Step 23: Examine the Use of Standard and Non-Standard Protocols

The use of new protocols has an important impact on intrusion detection tools.

An IDS must support each protocol in order to identify signs of misuse or anomalous behaviour carried over it.

The appearance of new protocols therefore affects network-based IDS (NIDS) tools first.

When this material was written almost no NIDS products could decode IPv6. Mainstream engines now do, but the general point stands: an attacker can tunnel IPv6 within IPv4 (or run any protocol the sensor does not decode) and blind the detection technology. Check which protocols the client's sensors actually decode, and test with traffic in each.
Step 24: Examine IPID Sequence Number Prediction

A host that fills the IP identification field from a single global counter exposes the number of packets it sent over a given period: the difference between the IPIDs of two replies is the number of packets the host sent to everyone in between.

This can be used to estimate web site traffic, determine when people log on, and so on.

Large sites use load-balancing equipment so that a single address maps to a small farm of servers.

By noting the IPID values you can determine how many machines are behind the load balancer and which one you are connected to, since each machine runs its own counter.

The technique only works against stacks with a global incremental IPID. Many modern stacks randomise the field or keep per-destination counters (Linux does the latter), so an unpredictable sequence is a result in itself; nmap -O reports the class under "IP ID Sequence Generation".
Hping2 IPID Example

For example, the "id" fields in the following hping2 run reveal that beta.search.microsoft.com is handled by two machines behind a load balancer (207.46.197.115): one counter runs through 57645, 57650, 57741, ... and the other through 18574, 18587, 18588, ....

# hping2 -c 10 -i 1 -p 80 -S beta.search.microsoft.com.
HPING beta.search.microsoft.com. (eth0 207.46.197.115): S set, 40 headers + 0 data bytes
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms

--- beta.search.microsoft.com. hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 21.1/21.3/21.7 ms
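Reading the two counters out of that output by eye works for ten replies; for a longer run it is easier to let a script separate them. The following is an added example, not part of the EC-Council material: it parses the hping2 output above (embedded so that it runs offline), greedily assigns each id to the counter it could continue (a small forward step, modulo the 16-bit wrap), and reports how many hosts sit behind the VIP and how much other traffic each one sent between our probes. The max_gap threshold of 1000 is an assumption tuned to a one-second probe interval, not a value from the page.

```python
import re

# The hping2 output reproduced above, embedded so the code runs offline.
HPING_OUTPUT = """\
46 bytes from 207.46.197.115: flags=SA seq=0 ttl=56 id=57645 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=1 ttl=56 id=57650 win=16616 rtt=21.4 ms
46 bytes from 207.46.197.115: flags=RA seq=2 ttl=56 id=18574 win=0 rtt=21.3 ms
46 bytes from 207.46.197.115: flags=RA seq=3 ttl=56 id=18587 win=0 rtt=21.1 ms
46 bytes from 207.46.197.115: flags=RA seq=4 ttl=56 id=18588 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=5 ttl=56 id=57741 win=16616 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=RA seq=6 ttl=56 id=18589 win=0 rtt=21.2 ms
46 bytes from 207.46.197.115: flags=SA seq=7 ttl=56 id=57742 win=16616 rtt=21.7 ms
46 bytes from 207.46.197.115: flags=SA seq=8 ttl=56 id=57743 win=16616 rtt=21.6 ms
46 bytes from 207.46.197.115: flags=SA seq=9 ttl=56 id=57744 win=16616 rtt=21.3 ms
"""

REPLY_RE = re.compile(r"flags=(?P<flags>\w+) seq=(?P<seq>\d+) .*?\bid=(?P<id>\d+)")


def parse_replies(text):
    """[(seq, flags, ipid), ...] in the order the replies arrived."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            replies.append((int(m["seq"]), m["flags"], int(m["id"])))
    return replies


def cluster_counters(ipids, max_gap=1000):
    """Assign each IPID to the first existing counter it could continue
    (a forward step smaller than max_gap, modulo 65536); otherwise start a
    new counter.  Each counter is one host with a global incrementing IPID."""
    counters = []
    for ipid in ipids:
        for counter in counters:
            step = (ipid - counter[-1]) % 65536
            if 0 < step < max_gap:
                counter.append(ipid)
                break
        else:
            counters.append([ipid])
    return counters


def hosts_behind(text, max_gap=1000):
    """Number of distinct IPID counters, i.e. hosts answering for the VIP."""
    return len(cluster_counters([r[2] for r in parse_replies(text)], max_gap))


def counter_flags(text, max_gap=1000):
    """Pair each counter with the TCP flags its replies carried, as a
    cross-check: one backend should answer port 80 consistently."""
    replies = parse_replies(text)
    flags_of = {ipid: flags for _, flags, ipid in replies}
    return [(counter, sorted({flags_of[i] for i in counter}))
            for counter in cluster_counters([r[2] for r in replies], max_gap)]


def foreign_packets(counter):
    """Packets the host sent to others between two consecutive replies to us:
    every id in the gap was consumed by some other datagram."""
    return [((b - a) % 65536) - 1 for a, b in zip(counter, counter[1:])]


if __name__ == "__main__":
    print("hosts behind the VIP:", hosts_behind(HPING_OUTPUT))
    for counter, flags in counter_flags(HPING_OUTPUT):
        print(counter, "flags:", flags, "other traffic between probes:",
              foreign_packets(counter))
```

The flags column corroborates the split: every id on the 57xxx counter came back SYN/ACK and every id on the 18xxx counter came back RST/ACK, so one backend had port 80 open and the other did not, which is a finding in itself. The gap arithmetic also shows how quiet the box was: only a handful of packets to anyone else between probes.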

Step 25: Examine the System Uptime of Target Server

Look for the following information:
• When was the last time the server rebooted?
• When was the last time the server crashed?
• When was the last time the server was under a DDoS attack?
• What is the uptime of the server?

Tools:
• Netcraft
• Uptime

Remote uptime estimates are derived from the TCP timestamp option, which on many stacks counts from boot; Nmap's -O output reports the same value as "Uptime guess". A short uptime just after a patch release suggests the patch was applied (a reboot took place); a long one suggests it was not.
Step 26: Examine Operating System Used for Different Targets

Use banner grabbing and OS fingerprinting techniques to identify the remote OS.

Look out for honeypots, packet crafters, and banner fakers: a banner is free text and can be edited, so confirm it against an active fingerprint (nmap -O) and the set of services actually present.

Tools:
• Nmap
• Telnet
• nc (Netcat)
• Netcraft
• OS fingerprinting tools
Step 27: Examine the Applied Patch to the Operating System

List the dates of the patches applied to the server.

Look for the version number, the OS level, and the date.

Tools:
• Netcraft
Step 28: Locate DNS Record of the Domain and Attempt DNS Hijacking

Locate the domain vendor (registrar or DNS hosting provider) responsible for the DNS of the target server.

Guess passwords and attempt to log on to the management account. Check the rules of engagement first: the registrar is a third party, and failed logons may lock the client's own account.
Step 29: Download Applications From the Company's Website and Reverse Engineer the Binary Code

Download program executables from the remote website:
• Java programs
• Exe programs
• Flash programs

Reverse engineer the binary code.

Look for:
• Programmer's name
• Comments
• Sensitive information (embedded credentials, internal hostnames, keys)
• Programming style

Tools:
• IDA Pro
• Java Engineer
• FlashSaver
• REC Decompiler
Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server

• Check for in-house developed applications
• Check for commercial applications
Step 30: List Programming Languages Used and Application Software to Create Various Programs From the Target Server (cont'd)

Identify the programming languages used by the web application:
• AppleScript
• AWK
• C
• C++
• C#
• COBOL
• Java
• JavaScript
• J++
• J#
• Perl
• PHP
• PowerBuilder
• Python
• Ruby
• Tcl
• VBScript
• Visual Basic
Step 31: Look for Error and Custom Web Pages

Try various URL strings and look for strange messages thrown by the server.

Example:
• http://www.xsecurity.com/slkdjfslkdfj
• http://www.xsecurity.com/sdkfjsdlf.asp
• http://www.xsecurity.com/global.asa
• http://www.xsecurity.com/sdlfkj.aspx
• http://www.xsecurity.com/sdfsdf/php?
• http://www.xsecurity.com/login?

Compare the status code, headers and body of each response: a stock error page identifies the server platform, a verbose ASP.NET or PHP error reveals file paths and versions, and a difference between the responses for a non-existent .asp and a non-existent .aspx shows which handlers are installed. A request for global.asa checks whether the server will serve its own configuration file.
Step 32: Guess Different Sub Domain Names and Analyze Responses

Web servers sometimes operate under different sub-domain names.

These are not published and are used for internal purposes only.

Guess the sub-domain names and compare the responses.

Example for xsecurity.com:
• sales.xsecurity.com
• marketing.xsecurity.com
• internal.xsecurity.com
• intranet.xsecurity.com
• devl.xsecurity.com
• test.xsecurity.com
• backup.xsecurity.com
• partner.xsecurity.com
• beta.xsecurity.com
• secret.xsecurity.com
• preview.xsecurity.com
• temp.xsecurity.com
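The trap in this step is a wildcard DNS record: if *.xsecurity.com resolves, every guess in the list "exists" and the analysis is worthless. The following is an added example, not part of the EC-Council material: it resolves a random label first to learn the wildcard answer, keeps only guesses that resolve to something else, and groups the hits by address so that names sharing a box can be tried as virtual hosts. The resolver is injected so that the code runs offline against a constructed zone; the DEMO_ZONE addresses are made up, and system_resolver is the drop-in for a live test.

```python
import secrets
import socket

# Names the page suggests guessing
GUESSES = ["sales", "marketing", "internal", "intranet", "devl", "test",
           "backup", "partner", "beta", "secret", "preview", "temp"]


def system_resolver(name):
    """Live lookup through the OS resolver: sorted IPs, or [] if NXDOMAIN."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def table_resolver(zone):
    """Offline stand-in with the same contract; '*.domain' is a wildcard record."""
    def resolve(name):
        if name in zone:
            return zone[name]
        return zone.get("*." + name.split(".", 1)[1], [])
    return resolve


def wildcard_answer(domain, resolve):
    """Resolve a label nobody would create; whatever comes back is the catch-all."""
    return set(resolve(f"{secrets.token_hex(8)}.{domain}"))


def guess_subdomains(domain, words, resolve):
    """{name: ips} for guesses that resolve to something other than the
    wildcard answer, so a catch-all record does not make every guess a hit."""
    wild = wildcard_answer(domain, resolve)
    hits = {}
    for word in words:
        name = f"{word}.{domain}"
        ips = resolve(name)
        if ips and set(ips) != wild:
            hits[name] = ips
    return hits


def group_by_answer(hits):
    """Names sharing an address are on the same box or VIP: candidates for
    virtual-host probing with a forged Host header."""
    groups = {}
    for name, ips in hits.items():
        groups.setdefault(tuple(ips), []).append(name)
    return groups


# Constructed zone for the stand-alone run; not real xsecurity.com data.
DEMO_ZONE = {
    "www.xsecurity.com": ["10.2.34.5"],
    "intranet.xsecurity.com": ["10.2.34.7"],
    "devl.xsecurity.com": ["10.2.34.7"],
    "beta.xsecurity.com": ["10.2.34.9"],
    "*.xsecurity.com": ["10.2.34.5"],   # catch-all pointing at the main web server
}

if __name__ == "__main__":
    resolve = table_resolver(DEMO_ZONE)   # swap for system_resolver on a live test
    found = guess_subdomains("xsecurity.com", GUESSES, resolve)
    for ips, names in group_by_answer(found).items():
        print(", ".join(ips), "->", ", ".join(names))
```

The wildcard filter has a blind spot of its own: a real host that happens to share the wildcard address (a virtual host on the main web server, say) is dropped along with the noise. For those, move from DNS to HTTP and compare the responses the shared address gives for different Host headers.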
Step 33: Examine the Session Variables

Session hijacking, grabbing someone's URL and stealing their session, is one of the biggest security concerns.

Try to alter session strings in the URL and observe whether the server accepts the modified value.

The examples below are the classic phf CGI command-injection URLs: a %0a (newline) in the query string lets a shell command ride into the script. They illustrate tampering with URL parameters in general rather than with session tokens specifically.

Example:
• http://example.com/cgi-bin/phf?%0aid==haqr==_phone=
• http://example.com/cgi-bin/phf?%0als%20-la%20%7Esomeuser==haqr==_phone=
• http://example.com/cgi-bin/phf?%0acp%20/etc/passwd%20%7Esomeuser/passwd%0A==haqr==_phone=
• http://example.com/~someuser/passwd
• http://example.com/cgi-bin/phf?%0arm%20%7Esomeuser/passwd==haqr==_phone=
Step 34: Examine Cookies Generated by the Server

Cookies offer a way to check the identity of the user: the server stores a session identifier in a client-side cookie (ColdFusion's CFID and CFTOKEN, for example) and uses that information to uniquely identify the user on later requests.

Log on to the web application as a normal user.

Select YES if the site offers "Keep me logged on this computer".

A cookie will be downloaded to your computer.

Examine the cookie:
• Whether the value is encrypted or opaque, or merely encoded readable data
• Expiry date
• Content stored
• The Secure and HttpOnly flags (whether it travels over plain HTTP, and whether script can read it)
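The checks above can be done by eye in the browser's cookie viewer, but a script makes them repeatable across every Set-Cookie the application emits. The following is an added example, not part of the EC-Council material: it parses a Set-Cookie header, reports missing Secure/HttpOnly/SameSite attributes and long lifetimes, and decides whether the value is an opaque token, base64 of readable data, or something short enough to guess. The SAMPLE_HEADERS are constructed for the stand-alone run (the "remember" cookie is deliberately base64 of plaintext), and the 30-day and 16-character thresholds are assumptions, not values from the page.

```python
import base64
import binascii
import math
import re
from collections import Counter
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def parse_set_cookie(header: str):
    """Split a Set-Cookie value into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def shannon_entropy(s: str) -> float:
    """Bits per character; a 16-symbol hex token tops out at 4.0."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def decode_base64(value: str):
    """Decoded bytes if value is well-formed base64, else None."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def classify_value(value: str) -> str:
    """Opaque token, encoded plaintext, or something guessable?"""
    if re.fullmatch(r"[0-9a-fA-F]{16,}", value):
        return "opaque hex token"
    decoded = decode_base64(value)
    if decoded and all(32 <= b < 127 for b in decoded):
        return "base64 of readable text: " + decoded.decode("ascii")
    if len(value) < 16 or shannon_entropy(value) < 3.0:
        return "short or low-entropy value: guessable"
    return "opaque value"


def examine_cookie(header: str, now=None):
    """Findings for one Set-Cookie header: flags, lifetime, value type."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: readable by injected script")
    if "samesite" not in attrs:
        findings.append("missing SameSite: sent on cross-site requests")
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        days = (expires - now).days
        if days > 30:
            findings.append(f"persistent for {days} days")
    findings.append(classify_value(value))
    return name, findings


def examine_all(headers, now=None):
    """{cookie name: [findings]} for a list of Set-Cookie header values."""
    return dict(examine_cookie(h, now) for h in headers)


# Constructed headers for a stand-alone run (not captured from a real site).
SAMPLE_HEADERS = [
    "CFID=2061; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "CFTOKEN=48271; Path=/; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "remember=" + base64.b64encode(b"user=admin;role=admin").decode()
    + "; Path=/; Secure; HttpOnly; Expires=Thu, 01 Jan 2037 00:00:00 GMT",
    "sid=7f3c9a2e1b4d5e6f8a9b0c1d2e3f4a5b; Path=/; Secure; HttpOnly; SameSite=Strict",
]

if __name__ == "__main__":
    for name, findings in examine_all(SAMPLE_HEADERS).items():
        print(name)
        for f in findings:
            print("   -", f)
```

Feed it the Set-Cookie values from the response to the "keep me logged on" login; the "remember" case is the one to look for, since a persistent cookie that is merely encoded can be rewritten to another user's identity without any cryptographic work.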

Step 35: Examine the Access Controls Used by the Web Application

Look for login pages and identify the authentication used by the web server:
• Form authentication
• Windows authentication
• Biometric authentication
• Secret question authentication
• Session based authentication
• Digital certificates
• Microsoft single sign-on
Step 36: Brute Force URL Injections and Session Tokens

Some web applications embed user IDs and other sensitive information into a URL, typically as parameters in the query component of the URL (the fields that occur after the ? symbol in a URL).

Inject strings into the URL of a page and examine the response.

Inject into the following fields: sessions, forms, user ID, login, access. (The figure marks the query string of the URL as the place to attempt injection.)
Step 37: Check for Directory Consistency and Page Naming Syntax of the Web Pages

A well-designed web application will have the following:
• Logical directory
• Files named based on naming conventions
• Repository for images, PDFs, and other documents
• Repository for sensitive information
• Structured links and pages
• Site outline
Step 38: Look for Sensitive Information in Web Page Source Code

HTML source might reveal the following information:
• Web authors
• Developer information
• User comments
• Login information
• Temp variables
• Revision numbers
• Project deadline
• Dates
Step 39: Attempt URL Encodings on the Web Pages

Try to access the website using various URL encodings (percent-encoding, double encoding such as %252e for a dot, overlong UTF-8 sequences, and mixed case in the path).

The server might send a different response when accessed using URL encodings, because a filter may match the literal path while the application decodes the encoded form.
Step 40: Try Buffer Overflow Attempts in Input Fields

Input large amounts of data into the form and examine the response.

Servers sometimes behave differently when large amounts of data are sent to the form: a crash, a 500 error or a stack trace points at a length check that exists only on the client side.

Tools:
• NTOMax (www.foundstone.com)
• Hailstorm (www.cenzic.com)
Look for Invalid Ranges in Input Fields
A web developer may decide to use some of the built-in validation capabilities of a client-side language (such as HTML, JavaScript, or VBScript) to ensure that an input value is no longer (or shorter) than expected. Client-side checks are bypassed by editing the request, so the server must repeat them.

Try a random selection of input values or a large range of numbers, using testing techniques such as equivalence partitioning and boundary value analysis (the minimum, the maximum, and the values just outside each).
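The following is an added example, not code from the module: it builds the boundary-value and overlong inputs for one numeric form field and submits them to a constructed order handler that trusts the HTML form's range and maxlength, beside one that re-validates. The 1..99 quantity field, the unit price and both handlers are assumptions made for the demonstration. The same loop carries the oversized strings of Step 40, so it serves that step as well.

```python
# Constructed target: the HTML form limits a quantity field to 1..99 with
# maxlength="2" and a JavaScript check; nothing on the server re-checks it.
QTY_MIN, QTY_MAX, QTY_MAXLEN = 1, 99, 2
UNIT_PRICE = 500  # cents


def boundary_values(lo: int, hi: int) -> list:
    """Boundary-value / equivalence-partition candidates for an integer field
    whose valid partition is lo..hi: each boundary, the value just outside it,
    zero, a negative, and the edges of common machine integer widths."""
    return [lo - 1, lo, lo + 1, hi - 1, hi, hi + 1, 0, -1,
            2**31 - 1, 2**31, 2**63, -(2**63) - 1]


def long_strings(max_len: int) -> list:
    """Overlong inputs for the same field (Step 40): at, just past, and far
    past the client-side maxlength."""
    return ["A" * n for n in (max_len, max_len + 1, 1024, 65536)]


def vulnerable_order(qty_raw: str) -> dict:
    """Relies on the client: any integer is accepted, including negatives and
    values wider than a database column. Python ints never overflow, so on a
    real back end the 2**31 / 2**63 probes are where wrapping or errors show."""
    qty = int(qty_raw)
    return {"qty": qty, "total": qty * UNIT_PRICE}


def hardened_order(qty_raw: str) -> dict:
    """Repeats every client-side rule on the server."""
    if len(qty_raw) > QTY_MAXLEN or not qty_raw.isdigit():
        raise ValueError("quantity must be 1-2 digits")
    qty = int(qty_raw)
    if not QTY_MIN <= qty <= QTY_MAX:
        raise ValueError("quantity out of range")
    return {"qty": qty, "total": qty * UNIT_PRICE}


def is_valid_client_side(raw: str) -> bool:
    """What the HTML/JavaScript validation would have let through."""
    return raw.isdigit() and len(raw) <= QTY_MAXLEN and QTY_MIN <= int(raw) <= QTY_MAX


def probe(handler, inputs) -> dict:
    """Submit each input directly, bypassing the browser, and classify the result."""
    results = {}
    for raw in inputs:
        try:
            results[raw] = ("accepted", handler(raw))
        except Exception as exc:  # a stack trace or 500 here is itself a finding
            results[raw] = ("rejected", type(exc).__name__)
    return results


def anomalies(handler) -> list:
    """Inputs the client would never send that the server nonetheless accepts."""
    candidates = [str(v) for v in boundary_values(QTY_MIN, QTY_MAX)] + long_strings(QTY_MAXLEN)
    return [raw for raw, (status, _) in probe(handler, candidates).items()
            if status == "accepted" and not is_valid_client_side(raw)]


if __name__ == "__main__":
    print("vulnerable accepts:", anomalies(vulnerable_order))
    print("hardened accepts:  ", anomalies(hardened_order))
    print("total for qty=-1:  ", vulnerable_order("-1")["total"])
```

The vulnerable handler accepts a quantity of -1 and returns a negative total, which is the price-manipulation finding this kind of probing is meant to surface; the hardened handler rejects every out-of-partition value.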

Attempt Escape Character Injection
Some operating systems will execute system-level commands if they are embedded in an application's data input stream.

This can occur when the system command is hidden in input data that is prefixed or separated by special control (escape) characters, such as the shell metacharacters ; | & ` and $( ).

The application may permit the command to escape up to the process that is currently running the application.

The receiving process then attempts to execute the system command using its own system privileges.

Testing tools:
• APS (www.stratum8.com)
• G-Server (www.gilian.com)
• iBroker SecureWeb (www.elitesecureweb.com)
• URLScan (www.microsoft.com)
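An added example (not from the module) of the escape path described above, in Python: a lookup routine that splices user input into a shell command line, beside two fixes. The hostname lookup, the "echo" stand-in for the real command, and the test input are assumptions made so the demonstration runs offline; the shell behaviour is the real /bin/sh.

```python
import re
import shlex
import subprocess

# Characters /bin/sh treats specially; any of these in data that reaches a
# shell command line is an injection attempt worth logging.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\n\r\"']")
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252})")

PAYLOAD = "example.com; echo INJECTED"   # constructed test input


def is_injection_attempt(value: str) -> bool:
    return SHELL_META.search(value) is not None


def vulnerable_lookup(host: str) -> str:
    """Splices the input into a command string that /bin/sh parses. 'echo'
    stands in for the real ping/nslookup so the demo needs no network."""
    cmd = f"echo resolving {host}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def quoted_lookup(host: str) -> str:
    """When a shell is unavoidable, shlex.quote turns the input into one
    literal word, so the metacharacters lose their meaning."""
    cmd = f"echo resolving {shlex.quote(host)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_lookup(host: str) -> str:
    """Validates against an allow-list and passes argv with no shell at all."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("invalid hostname")
    return subprocess.run(["echo", "resolving", host],
                          capture_output=True, text=True).stdout


def hardened_accepts(host: str) -> bool:
    try:
        hardened_lookup(host)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("vulnerable:", repr(vulnerable_lookup(PAYLOAD)))   # second command ran
    print("quoted:    ", repr(quoted_lookup(PAYLOAD)))       # payload echoed literally
    print("hardened:  ", "accepted" if hardened_accepts(PAYLOAD) else "rejected")
```

The vulnerable form runs the second command with the web server's privileges, exactly the escalation the step describes; the quoted form prints the payload as text, and the hardened form never reaches a shell and rejects the input on the allow-list first.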

Step 41: Try Cross Site Scripting (XSS) Techniques

Modify the script (the parameter values the page reflects back) and send the page to the server.

Examine the various responses generated by the server: does the injected markup come back unencoded?

Look for weaknesses in client-side scripts:
• JavaScript
• VBScript
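The reflection check this step calls for, as an added example that is not part of the module. The three renderers are constructed stand-ins for server-side templates (one raw, one with the common half-fix that encodes only < and >, one that encodes every metacharacter); the probe logic is the part a tester reuses against a real response body.

```python
import html

# Constructed responders standing in for three server-side templates.
def vulnerable_render(value: str) -> str:
    return f"<p>Hello, {value}!</p>"


def half_fixed_render(value: str) -> str:
    # Encodes < and > but leaves quotes alone, in an attribute context.
    value = value.replace("<", "&lt;").replace(">", "&gt;")
    return f'<input type="text" name="q" value="{value}">'


def hardened_render(value: str) -> str:
    return f"<p>Hello, {html.escape(value, quote=True)}!</p>"


METACHARS = ["<", ">", '"', "'"]


def surviving_metachars(render, tag: str = "zq9k") -> list:
    """Reflect tag+char+tag for each HTML metacharacter and report which come
    back raw. A raw '<' means new tags can be injected; a raw quote means an
    attribute can be closed and an event handler appended."""
    alive = []
    for ch in METACHARS:
        probe = f"{tag}{ch}{tag}"
        if probe in render(probe):
            alive.append(ch)
    return alive


def classify(render) -> str:
    """Summarise the sink; the step is looking for the first two outcomes."""
    alive = surviving_metachars(render)
    if "<" in alive:
        return "tag injection"          # <script>, <svg onload=...>
    if '"' in alive or "'" in alive:
        return "attribute breakout"     # "><svg onload=...> or " onmouseover="
    return "encoded"


if __name__ == "__main__":
    for name, r in [("vulnerable", vulnerable_render),
                    ("half_fixed", half_fixed_render),
                    ("hardened", hardened_render)]:
        print(f"{name:11} raw={surviving_metachars(r)} -> {classify(r)}")
    print(vulnerable_render('"><script>alert(1)</script>'))
```

Probing one metacharacter at a time, with a unique tag on each side, keeps the check readable in a proxy log and shows exactly which characters the application encodes; the half-fixed case is the one that looks safe to a quick `<script>` test yet still allows an attribute breakout.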

Step 42: Record and Replay the Traffic to the Target Web Server and Note the Response

Record and play back browser sessions.

Recording browser sessions allows you to automate web site logins and any other web task that you perform with your computer.

A recording session will record everything you do, including keystrokes, scrolling, and link clicks, and can then replay the entire session at any time with the click of a button. Replaying a captured session after logout, from another client, or with one parameter changed is a quick check for replayable session tokens and missing server-side state.

Look for anomalies.

Tools:
• CruiseControl
• Webload (www.radview.com)
• e-Test Suite (www.empirix.com)

Step 43: Try Various SQL Injection Techniques
Attempt SQL injection techniques in the following:

• Form fields.
• Directly in the URL.
• Login screens.
• Feedback forms.
• Guestbook.

Try the following (figure annotation: "Attempt SQL injection here"):

• ' or 1=1--
• " or 1=1--
• or 1=1--
• ' or 'a'='a
• " or "a"="a
• ') or ('a'='a
• ") or ("a"="a

Which of these works depends on how the application quotes and parenthesises the value and on where in the WHERE clause the field lands, so try each string in every field; a database error is as telling as a successful login.

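An added example, not code from the module, that runs the seven strings above against a login query. The users table and both login functions are constructed for the demonstration (SQLite in memory stands in for the target's database); the payloads are the page's own.

```python
import sqlite3

# The seven probe strings from the step.
PAYLOADS = [
    "' or 1=1--",
    '" or 1=1--',
    "or 1=1--",
    "' or 'a'='a",
    '" or "a"="a',
    "') or ('a'='a",
    '") or ("a"="a',
]


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the target's login back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def vulnerable_login(conn, username: str, password: str) -> bool:
    """Builds the query by string concatenation with single-quoted values and
    no parentheses, the way many classic login forms did."""
    sql = (f"SELECT username FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None


def hardened_login(conn, username: str, password: str) -> bool:
    """Parameterised: the payloads are compared as literal strings."""
    sql = "SELECT username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def try_payloads(login, conn) -> dict:
    """Send each payload in the username field, then in the password field.
    'bypass' = logged in without credentials; 'error' = the injected text broke
    the query, so the parser saw it and the field is injectable even though
    this particular string failed; 'no' = treated as a plain string."""
    results = {}
    for p in PAYLOADS:
        results[p] = {}
        for field, args in (("username", (p, "wrong")), ("password", ("wrong", p))):
            try:
                results[p][field] = "bypass" if login(conn, *args) else "no"
            except sqlite3.Error:
                results[p][field] = "error"
    return results


if __name__ == "__main__":
    conn = make_db()
    for p, r in try_payloads(vulnerable_login, conn).items():
        print(f"{p:16} username={r['username']:6} password={r['password']}")
    print("hardened:", {v for r in try_payloads(hardened_login, conn).values() for v in r.values()})
```

Against this query only the single-quote forms do anything: ' or 1=1-- bypasses in either field because the comment removes the rest of the clause; ' or 'a'='a bypasses only in the password field, since AND binds tighter than OR and the username field leaves "AND password='wrong'" attached to the injected OR; the parenthesised forms raise a syntax error, which still proves the field is injectable; the double-quote forms are inert because the query quotes with single quotes. The parameterised version returns "no" for every string.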
Step 44: Examine Hidden Fields

Hidden fields in web pages could reveal the following information:

• Price.
• Username.
• Password.
• Session.
• URL characters.
• Special instructions.
• Encryption used.
• Web page behaviors.

Anything carried in a hidden field is under the client's control: a price, role or account identifier passed this way can be changed before the form is submitted, and the server must not trust it.
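A scanner for the items listed in Step 38 and Step 44, as an added example that is not code from the module. It parses an HTML body with the standard library and pulls out comments, hidden fields and script lines, then flags the ones that match sensitive keywords or tamperable field names. The sample page is constructed for the demonstration and the keyword lists are assumptions to extend for the target.

```python
import re
from html.parser import HTMLParser

# Words that make a comment, script line or hidden field worth a closer look.
SENSITIVE = re.compile(
    r"(passw(or)?d|pwd|secret|api[_-]?key|token|login|todo|fixme|debug|admin|internal)", re.I)
# Hidden-field names whose value the server should never take from the client.
TAMPERABLE = re.compile(r"(price|amount|cost|total|discount|role|admin|user(name)?|session)", re.I)

# Constructed page standing in for a captured response (not a real site).
SAMPLE_PAGE = """\
<!-- TODO: remove test login before launch (jsmith, 2008-03-01) -->
<!-- rev 1.42 -->
<html><head><title>Checkout</title>
<script>
  var debug = true;
  var apiKey = "AKIA-TEST-NOT-REAL";
  var page = "checkout";
</script></head>
<body>
<form action="/buy" method="post">
  <input type="hidden" name="price" value="19.99">
  <input type="hidden" name="session" value="a1b2c3">
  <input type="text" name="qty">
</form>
<!-- login: test/test123 -->
</body></html>
"""


class SourceAuditor(HTMLParser):
    """Collects comments, hidden inputs and script lines from an HTML body."""

    def __init__(self):
        super().__init__()
        self.comments, self.hidden_fields, self.script_lines = [], [], []
        self._in_script = False

    def handle_comment(self, data):
        self.comments.append(data.strip())

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            self.hidden_fields.append((a.get("name"), a.get("value")))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_lines.extend(l.strip() for l in data.splitlines() if l.strip())


def audit(page: str) -> dict:
    """Run the parser and return the findings grouped by the steps' categories."""
    p = SourceAuditor()
    p.feed(page)
    p.close()
    return {
        "comments": p.comments,
        "flagged_comments": [c for c in p.comments if SENSITIVE.search(c)],
        "hidden_fields": p.hidden_fields,
        "tamperable_hidden": [n for n, _ in p.hidden_fields if n and TAMPERABLE.search(n)],
        "script_hits": [l for l in p.script_lines if SENSITIVE.search(l)],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PAGE).items():
        print(f"{key}: {value}")
```

Run over a saved response body, the output is the raw material for both steps: the comments give authors, dates and leftover credentials, the script hits give debug flags and embedded keys, and the tamperable hidden fields are the ones to modify in the next request.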

Examine Server Side Includes (SSI)
Server Side Includes (SSI) are placeholders (or markers) in an HTML document that the web server will dynamically replace with data just before sending the requested document to a browser:

  <HTML>
  <HEAD><TITLE>Show SSI at work</TITLE></HEAD>
  <BODY>
  <P>Lots of really Interesting stuff to read</P>
  <!--#include file="copywrite.inc" -->
  </BODY>
  </HTML>

Examine Server Side Includes (SSI) (cont'd)

The danger with an include command comes when an intruder is able to manipulate a web page into including a file that would otherwise not be available.

For example, if an intruder is able to gain write access to a directory on a Unix web server (possibly a temp directory that didn't have any sensitive information stored in it and was therefore not locked down), the intruder could upload a .shtml web page containing the following directive:

  <!--#exec cmd="/bin/cat /etc/passwd" -->

Check whether the server parses .shtml (or all HTML) for SSI at all, and whether #exec is permitted: on Apache, Options IncludesNOEXEC allows #include while refusing #exec cmd and #exec cgi.
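To make the two directives concrete, here is a minimal SSI expander, added as an example and not code from the module or from any web server: it handles #include and #exec the way the text describes, and its allow_exec flag mirrors the IncludesNOEXEC behaviour. The throwaway docroot, the copywrite.inc contents and the "echo pwned" command are constructed for the demonstration (the slide's /bin/cat /etc/passwd would run the same way with exec allowed).

```python
import re
import subprocess
import tempfile
from pathlib import Path

ERROR_TEXT = "[an error occurred while processing this directive]"
# Matches <!--#include file="x" -->, <!--#include virtual="x" --> and <!--#exec cmd="x" -->
DIRECTIVE = re.compile(
    r'<!--#\s*(include|exec)\s+(file|virtual|cmd)\s*=\s*"([^"]*)"\s*-->', re.I)


def expand_ssi(page: str, docroot: Path, allow_exec: bool = False) -> str:
    """Replace SSI directives in `page`. allow_exec=False behaves like Apache's
    'Options IncludesNOEXEC': #include works, #exec is refused. Included paths
    are confined to docroot so '../' cannot reach files outside it."""
    root = docroot.resolve()

    def replace(m):
        directive, _attr, value = m.groups()
        if directive.lower() == "exec":
            if not allow_exec:
                return ERROR_TEXT
            # The dangerous path: the command runs as the web server user.
            return subprocess.run(value, shell=True, capture_output=True, text=True).stdout
        target = (root / value.lstrip("/")).resolve()
        if not target.is_relative_to(root) or not target.is_file():
            return ERROR_TEXT
        return target.read_text()

    return DIRECTIVE.sub(replace, page)


def demo() -> dict:
    """Build a throwaway docroot and exercise the include, exec and traversal cases."""
    root = Path(tempfile.mkdtemp())
    (root / "copywrite.inc").write_text("Copyright (c) Example Corp")
    page = '<p>Lots of really Interesting stuff to read</p><!--#include file="copywrite.inc" -->'
    attacker = '<!--#exec cmd="echo pwned" -->'          # stands in for /bin/cat /etc/passwd
    traversal = '<!--#include file="../../../etc/passwd" -->'
    return {
        "include": expand_ssi(page, root),
        "exec_allowed": expand_ssi(attacker, root, allow_exec=True).strip(),
        "exec_refused": expand_ssi(attacker, root),
        "traversal": expand_ssi(traversal, root),
    }


if __name__ == "__main__":
    for case, out in demo().items():
        print(f"{case:13} -> {out}")
```

With exec allowed, an uploaded .shtml page runs its command under the server's identity; with it refused, the page degrades to the error marker, and the docroot check stops #include from being used as a file-read primitive. Both settings are worth confirming on the target rather than assuming.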

Step 45: Examine E-commerce and Payment Gateways Handled by the Web Server

Look out for the following information:

• In-house built e-commerce gateway
• Outsourced e-commerce gateway
• Program logic
• How payments are handled
• Confirmation emails
• Minimum order amount
• Account and merchant ID


Step 46: Examine Welcome Messages, Error Messages, and Debug Messages

Document the following information:

• Web application welcome message
• Web application error messages
• Web application intrusion warning messages
• Web application debugging messages
• Web application site maintenance messages

Step 47: Probe the Service by SMTP Mail Bouncing
A bounce (non-delivery report) for mail sent to a made-up address indicates that the user does not exist on that server.

Bounced mail carries information about the SMTP server such as the server name and software version, the Received: chain of internal hosts the message passed through, and other services running on the server.

Step 48: Grab the Banner of HTTP Servers
httprint is a web server fingerprinting tool which captures the banner of HTTP servers.

It identifies the HTTP server type despite the banner string, from the characteristics of the server's responses, so an obfuscated or altered Server: header does not defeat it.

Step 49: Grab the Banner of SMTP Servers

The GNIT NT vulnerability scanner captures the banner message from an SMTP server.

Install the following:

• perl Makefile.PL
• make
• make test
• make install

Required libraries:

• Class::Accessor::Fast

Step 50: Grab the Banner of
POP3 Servers

GNIT NT vulnerability scanner captures the banner of POP3 servers.

Step 51: Grab the Banner of FTP Servers

Use netcat to banner grab an FTP server: connect to TCP port 21 and the server sends its greeting (the 220 line, usually naming the software and version) before any command is issued.

Step 52: Identify the Web Extensions Used at the Server
The GNIT NT vulnerability scanner determines the web extensions at the server.

The scanner displays the web server type and version.

It scans for 84 known vulnerable URL structures (easily modified).

Step 53: Try to use HTTPS Tunnel to Encapsulate Traffic

Install the GNU freeware tunneling software HTTPTunnel.

Encapsulate arbitrary (for example P2P) traffic as HTTP and forward it to the corporate network's default gateway over port 80.

Return traffic takes the reverse path and appears as a legitimate web request. This tests whether egress filtering or the outbound proxy inspects what actually leaves on port 80, or only the port number.

Step 54: OS Fingerprint Target Servers
OS fingerprinting infers the operating system from differences in how the TCP/IP stack responds (TCP options, initial window sizes, ICMP quirks); some tools work from ICMP responses alone.

Tools for OS fingerprinting:

• NetScanTools Pro
• nmap (nmap -O x.x.x.x)

Step 55: Check for ICMP Responses (Type 3, Port Unreachable)

Port unreachable is ICMP type 3, code 3; a closed UDP port elicits it, which is how a UDP scan tells closed from open|filtered.

SYN scan (nmap -sS) is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls.

The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received; a code 13 (administratively prohibited) reply in particular reveals a filtering device between you and the target.

Step 56: Check for ICMP Responses (Type 8, Echo Request)

The Echo request is an ICMP message that sends a packet of data to the host and expects that data to be sent back in an Echo reply (type 0).

A host that follows the RFC responds to every Echo request with an Echo reply containing the exact data received in the request message. Many perimeters drop type 8 inbound, so a missing reply is not proof that the host is down (nmap -sn -PE x.x.x.x sends this probe).

Step 57: Check for ICMP Responses (Type 13, Timestamp Request)

A Timestamp request (type 13) asks the host for its current time. Hosts that answer with a Timestamp reply (type 14) are alive even where Echo is filtered, and the reply leaks the host's clock.

Use nmap's timestamp ping to send this probe:

• nmap -sn -PP x.x.x.x

SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by intrusive firewalls. The port is also marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received.

To check a specific port with a SYN scan, use the following nmap command:

• nmap -sS -p X x.x.x.x

Step 58: Check for ICMP Responses (Type 15, Information Request)

Enables a host to learn the network part of its IP address by sending a message with the source address in the IP header filled in and all zeros in the destination address field. The Information request/reply pair is obsolete (superseded by RARP, BOOTP and DHCP, and RFC 1122 says hosts should not implement it), so a host that still answers is running an old or unusual stack.

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Step 59: Check for ICMP responses (Type 17, Subnet Address Mask Request)

Requests the correct subnet mask to be used; a host that answers with an Address Mask reply (type 18) reveals the size of its subnet. nmap -sn -PM x.x.x.x sends this probe.

Step 60: Check for ICMP Responses from Broadcast Address

The broadcast address is the address on the client's subnet with all host bits set to 1.

Form the broadcast address by setting the host part (and the subnet part, if subnetting is used) to all 1s, then send an ICMP Echo request to it. Every host that replies is enumerated in one probe, and a router that forwards directed broadcasts from outside makes the network usable as a smurf amplifier.

Step 61: Port Scan DNS Servers (TCP/UDP 53)

Use Nmap to scan for DNS servers on TCP and UDP port 53.

UDP scan is activated with the -sU option. It can be combined with a TCP scan type such as SYN scan (-sS) to check both protocols during the same run: nmap -sS -sU -p 53 x.x.x.x

UDP scan works by sending an empty (no data) UDP header to every targeted port; no answer is reported as open|filtered, so confirm with a real query (for example dig @x.x.x.x).

Step 62: Port Scan TFTP Servers (Port 69)

By default, the TFTP server listens on UDP port 69.

PortQry is a command-line utility that you can use to help troubleshoot TCP/IP connectivity issues.

This utility reports the port status of target TCP and User Datagram Protocol (UDP) ports on a local computer or on a remote computer.

Type a command similar to the following:

portqry -n myserver.example.com -p udp -e 69

You receive the following output:

Step 63: Test for NTP Ports (Port 123)

Use nmap to scan for NTP.

By default, NTP listens on UDP port 123.

Use the following command to find the NTP service on the network:

nmap -sU -p 123 x.x.x.x

Step 64: Test for SNMP Ports (Port 161)

By default, SNMP agents listen on UDP port 161; UDP port 162 is where managers receive traps.

Use nmap to locate the SNMP service on the network.

Use the following commands to find the SNMP service on the network:

• nmap -sU -p 161 x.x.x.x
• nmap -sU -p 162 x.x.x.x

Step 65: Test for Telnet Ports (Port 23)

Use nmap to scan for Telnet ports.

By default, Telnet listens on TCP port 23.

Step 66: Test for LDAP Ports (Port 389)

PortQry version 1.22 is a TCP/IP connectivity testing utility that is included with the Microsoft Windows Server 2003 support tools.

PortQry can send an LDAP query by using both TCP and UDP and interpret an LDAP server's response to that query correctly.

PortQry parses, formats, and then returns the response from the LDAP server to the user.

For example, type the following command:

portqry -n myserver -p udp -e 389

LDAP Query Response

Step 67: Test for NetBIOS Ports (Ports 135-139, 445)

The default ports used by the NetBIOS and SMB services are 135 (RPC endpoint mapper), 137 (NetBIOS name service, UDP), 138 (NetBIOS datagram, UDP), 139 (NetBIOS session, TCP) and 445 (SMB directly over TCP).

Use nmap to scan for open NetBIOS ports.

You can also use NAT (NetBIOS Auditing Tool) for checking open NetBIOS ports.

Step 68: Test for SQL Server Ports (Port 1433, 1434)

By default, SQL Server listens on TCP port 1433; the SQL Server Browser service answers on UDP port 1434 and reports the ports of named instances.

Use a network scanner to identify open SQL Server ports.

Step 69: Test for Citrix Ports (Port 1494)

By default, Citrix ICA listens on TCP port 1494 (session reliability uses 2598).

Scan for the service using a network port scanner.

Step 70: Test for Oracle Ports (Port 1521)

1521 is the typical port number used by Oracle: the TNS listener accepts client connections there.

Use a port scanner such as Nmap to scan for services on port 1521.

Step 71: Test for NFS Ports (Port 2049)

Use the RPC scan of nmap to discover NFS ports.

By default, NFS listens on port 2049 (TCP and UDP); the portmapper on port 111 lists the other RPC services.

Use the following command to detect the NFS port:
• nmap -v -sR -p 2049 x.x.x.x

(-sR has been folded into version detection in current nmap releases; use -sV there.)

Step 72: Test for Compaq, HP Insight Manager Ports (Port 2301, 2381)

Port 2301 is used for the Compaq Insight Management Web Agents.

Port 2381 is also known as the compaq-https port.

Step 73: Test for Remote Desktop Ports (Port 3389)

Port 3389 is typically blocked at the perimeter to enhance network security.

Remote Desktop connections use TCP port 3389.

Use a network port scanner to scan for port 3389.

Use the following nmap command to detect the remote desktop service:

• nmap -sT -p 3389 X.X.X.X

Step 74: Test for Sybase Ports (Port 5000)

By default, Sybase listens on port 5000.

Use a network scanner to detect the service.

For nmap use the following command:

• nmap -sT -p 5000 x.x.x.x

Step 75: Test for SIP Ports (Port 5060)

SIP can be regarded as the enabler protocol for telephony and voice over IP (VoIP) services.

By default, SIP listens on port 5060 (UDP and TCP; 5061 for SIP over TLS).

Run a port scan on the network to find whether any VoIP service is running.

Step 76: Test for VNC Ports (Port 5900/5800)

VNC works on port 5900 by default (5900 plus the display number for further displays).

The Java viewer works on port 5800.

Scan for these default ports using a network scanner.

Step 77: Test for X11 Ports (Port 6000)

By default, the X server listens on port 6000 for incoming connections (6000 plus the display number).

Scan for port 6000 using nmap.

Step 78: Test for Jet Direct Ports (Port 9100)

Test for JetDirect ports (port 9100) by using the Nmap tool.

HP printers use this port for the JetDirect raw-print protocol; whatever is sent to it is printed, with no authentication.

Step 79: Port Scan FTP Data (Port 20)

In PORT (active) mode, the FTP server always opens the data connection from its TCP port 20 to the client; in PASV mode the client connects to a port the server chooses. Port 20 is therefore rarely found listening; the control channel on port 21 is what a scan will find.

Use nmap to scan the network for open FTP ports.

Step 80: Port Scan Web Servers (Port 80)

Determines which hosts have a listener on TCP port 80 transporting HTTP data from a web server.

Step 81: Port Scan SSL Servers (Port 443)

Scan with the nmap scanner:

• the -sV scan option is able to identify SSL services

nmap -F -sV x.x.x.x

Step 82: Port Scan Kerberos-Active Directory (Port TCP/UDP 88)

Kerberos (the Active Directory KDC) uses port 88 as its default port, over both TCP and UDP.

Port scan the network for services listening on port 88.

Step 83: Port Scan SSH Servers (Port 22)

By default, SSH servers listen on TCP port 22.

Use nmap to identify the service:

• nmap -sS -p 22 x.x.x.x
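Steps 48 to 51 (banner grabbing) and Steps 61 to 83 (default-port scans) together amount to one procedure: connect to each port of interest, read what the service says, and compare it with what the port number suggests. The Python below is an added example, not code from the module or from nmap: a TCP connect scan (what nmap -sT does) with a banner grab on every open port, run against constructed local listeners so it works offline. The port table is taken from the steps above; the fake FTP and SSH banners are made up for the demonstration.

```python
import socket
import threading

# Default TCP ports from the steps above. The UDP-only services (TFTP/69,
# NTP/123, SNMP/161) need a UDP probe, not a connect(), and are left out.
DEFAULT_PORTS = {
    20: "ftp-data", 21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 53: "dns",
    80: "http", 88: "kerberos", 110: "pop3", 135: "msrpc", 139: "netbios-ssn",
    389: "ldap", 443: "https", 445: "smb", 1433: "mssql", 1494: "citrix-ica",
    1521: "oracle-tns", 2049: "nfs", 2301: "compaq-insight", 2381: "compaq-https",
    3389: "rdp", 5000: "sybase", 5060: "sip", 5800: "vnc-http", 5900: "vnc",
    6000: "x11", 9100: "jetdirect",
}
# Services where the client must speak first to get anything back.
PROBES = {80: b"HEAD / HTTP/1.0\r\n\r\n"}


def identify(banner: str) -> str:
    """Name the service from what it said, independent of the port number."""
    b = banner.upper()
    if b.startswith("SSH-"):
        return "ssh"
    if b.startswith("220") and "FTP" in b:
        return "ftp"
    if b.startswith("220"):
        return "smtp"
    if b.startswith("+OK"):
        return "pop3"
    if b.startswith("HTTP/"):
        return "http"
    return "unknown"


def connect_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """TCP connect scan plus banner grab. Returns, for each open port, the
    service the port number suggests, the service the banner reveals, and
    the banner itself; closed and filtered ports are skipped."""
    found = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.settimeout(timeout)
                if port in PROBES:
                    s.sendall(PROBES[port])
                try:
                    banner = s.recv(1024).decode("latin-1").strip()
                except socket.timeout:
                    banner = ""          # open, but silent until spoken to
        except OSError:                  # refused, unreachable or timed out
            continue
        guess = identify(banner)
        found[port] = {
            "expected": DEFAULT_PORTS.get(port, "unknown"),
            "service": guess if guess != "unknown" else DEFAULT_PORTS.get(port, "unknown"),
            "banner": banner,
        }
    return found


def start_fake_service(banner: bytes) -> int:
    """Constructed listener on 127.0.0.1 that greets each client with `banner`,
    as FTP, SMTP, SSH and POP3 daemons do. Returns its ephemeral port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port() -> int:
    """A port nothing is listening on, to show that closed ports are skipped."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ftp = start_fake_service(b"220 ftp.example.test FTP server (vsFTPd 2.0.5) ready.\r\n")
    ssh = start_fake_service(b"SSH-2.0-OpenSSH_4.3\r\n")
    for port, info in connect_scan("127.0.0.1", [ftp, ssh, unused_port()]).items():
        print(f"{port}/tcp open  {info['service']:8} {info['banner']}")
```

Keeping "expected" and "service" separate is the point of the banner grab: a service on a non-standard port, or a banner that contradicts the port, is exactly the kind of anomaly the steps ask you to note. For a real target, replace the port list with DEFAULT_PORTS and the host with the address in scope.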

Summary

We have reviewed the various steps involved in external penetration testing.

We have scanned for the default ports of various services.
