Audit "Black box"
In this article I will offer you a black box audit technique that you can master without special knowledge and apply it with respect to your resources. Naturally, the article can be translated into the technique of hacking resources. But in order to know how to protect, you need to know how to hack. Responsibility for the acquired knowledge you assume;)
And if you, as a developer, will know at least some of the principles and techniques that they use hackers - I think you would be a bit quieter for them (resources) and the result of your work will get a higher level
Article baseline audit is displayed, we maintain a low threshold for reading and understanding.

Resource Summary
Before this block, you should refer to my previous article , since in it I displayed very convenient and effective free tools that will help us.
Naturally, it all starts with a general analysis of the target resource. Nmap will help us with this. One moment, it should be launched from some external machine, and not locally. Most often, the firewall is configured to give access to everything from the local network, but it correctly filters packets from outside. And we need an objective assessment.
nmap -A -T4 hostAnd get something like
Starting Nmap 5.51 ( nmap.org ) at 2011-08-01 11:38 NOVST
Nmap scan report for host (12.34.56.78)
Host is up (0.020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.3p1 Debian 3ubuntu7 (protocol 2.0)
80/tcp open http nginx 0.7.65
81/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
111/tcp open rpcbind 2 (rpc #100000)
443/tcp open http Apache httpd 2.2.14 ((Ubuntu))
|_http-title: 404 Not Found
8000/tcp open http Icecast streaming media server
|_http-title: Icecast Streaming Media Server
Service Info: OSs: Linux, UnixWhile we are going to analyze the results of Nmap, we can run Nessus in parallel with the "Web app tests" policy. He will give us a similar summary, and at the same time he will check the services for sploits in his database (IMHO, one of his “tricks” priority, do not forget to update the database!). Why do we need to double-check the same thing? As practice shows, sometimes Nmap can reveal services that none of these utilities disclose.
And so, we see immediately an unconfigured firewall (81 is an obvious web-backend that is not closed). Installing the software through the package manager ((Ubuntu) after the service names. By the way, now we know that there is Ubuntu).
We also determined what kind of web backend there. But usually its version is revealed using https, and here this was not required.
About the lineNot shown: 994 closed ports - by default, Nmap checks 1000 common ports on which services usually work, for faster output of the result. Found a port - minus 1 out of a thousand.
Yes, the guys from Positive Technologies will forgive me , but here I would also advise in parallel to launch XSpider, for example, version 7.7, which is publicly available in the cracked version (I apologize for this in fact).
Its main goal we will have is to check for common passwords (especially in the case of ftp). No, of course, there are still a lot of utilities for this, but we have an initial level of audit, which involves the absence of dictionaries, skills and knowledge of similar techniques. Yes, and maybe what XSpider itself will tell us interesting (I would like to note its very rare errors in the analysis)
They "stoked" the resource both here and here. You can proceed to a more detailed "development" of the services available to us. If Nessus is still checking, then let's move on to a manual search for sploits. More or less relevant are the bases:
other. Usually, other sites are searching for exploits on neighboring sites, and almost to recursion, as in Yeralash, who wrote them off from anyone:]
And here I will indicate an important point. If it is written that the exploit is suitable for this version of the software that you are running, it is not a fact that it (exploit) will work! It is possible that you have the version of software that is already patched.
We will immediately connect the knowledge we have already gained (from the previous article) on using Autopwn in Metasploit. It is especially useful if the versions and / or names of services could not be installed.
I will not give the results of exploit searches for our case, I just describe the general analysis technique. And here already Nessus should have finished, we’ll add its results (taking into account the subtlety of the approach to exploits) and at this point the current stage in our audit version is over.
And so what do we already have? General information about the system, running services, anonymous access / common passwords, exposure to exploits (which is in the public, do not forget about underground;])
It is quite possible that at some of these stages the resource will already be compromised .
Web with its subtleties
More often than not, hacking occurs precisely from this side. It is quite difficult to give any instructions here, since the situations here are very different. So just a general approach.
We start Acunetix, we connect Nikto, we wait for
Audit scripts on the server
We check what is used on our server.
In the case of custom scripts - we analyze the information that scanners gave and try, try with pens! It all depends on your level.
The main principle: the replacement of incoming data (such as $ _GET, $ _POST, $ _COOKIE ...) with something that they (as intended by the developer) did not expect.
It all depends on your level, which you can improve on personal experience or by reading articles that the Internet is full of. A plus will be developed deductive thinking.
What about third-party scripts?
We should determine their versions in order to find sploits for them (in the same databases that I cited above).
- Typically, scripts display their version in the footer. This is right for us, as the auditors of the moment. It’s worth removing the output of the script version so that once you aren’t in the GHDB results (Google Dorks example )
- More ways? For some reason, 99% of developers upload the / docs folder or a similar folder to the server (human factor, ignorance, misunderstanding). Do you have phpbb? Or WordPress? And now we will have a little experience :)
phpBB / docs / CHANGELOG.html
wordpress / readme.html
Voila, in 95% of cases we can find out the current version of the script. - Knowledge of the structure of the script and the difference in versions. Everything depends on your experience and knowledge, with the help of which you can analyze the script and understand which version is most likely to be used.
But here is another point, sometimes registration is turned off, sometimes the necessary bb codes are prohibited, everything is due to this particular situation, so you need to check everything manually. But as possible vulnerability this already takes place.
They didn’t find sploits, there is the latest version of the script, can I calm down? NO
Why do we manually test custom developer scripts, but don’t do the same with popular scripts with the latest version? It is necessary to get rid of stereotypes, and in particular - that everyone has already found everything for you, but you cannot be smarter or “more successful” than others
Why am I? Not so long ago,
Profile -> Personal settings -> General settings
Field "Date format". We introduce
"" "" "
we get the error is understandable, the length of the incoming data is checked even before htmlentities () is applied, and the request is already in the database with it, we get the corresponding result. I told you this only in order to exclude from you the notion of authority of scripts, a resource, developers, etc. Audit is an important and not a one-time thing . You must at least always be aware of the release of exploits in the public, so that later you do not have to look for the last backup.
SQL ERROR [ mysqli ]
Data too long for column 'user_dateformat' at row 1 [1406]Conclusion
I examined here the scheme of the auditor’s work, combining it with the situation when you check yourself, this is where the “cross” situation and mixed pronouns go. I really hope that someone who decides to use the knowledge gained and finds something on a third-party resource, selects the WhiteHat side and informs the resource administrator about everything. Since responsibility is now all on you.
I also started writing about the “white box”, but I decided to remove it, and so the article came out pretty big.
If there is anyone who needs to supplement the audit of the “black box”, please write in the comments and not express your dissatisfaction due to a couple of missed points minus the article. And remember, these are just the basics of the audit, with clues for subtle points. A more professional audit involves the use of special local proxy servers, which will replace the data we need and other tools. Well, some specific techniques and checks for vulnerabilities or denial of service.
Series: