Reconnaissance and Profiling the Web Server

  • Reconnaissance includes the following tasks:

    • IP addresses, subdomains, whois records, DNS servers, search engines
    • Search engines and archives: Google, Bing, Yahoo, Shodan, and archive.org
    • Social networking sites (Facebook, Flickr, Instagram, Twitter) and Maltego
    • Determining the physical location of the target using a GeoIP database and satellite images from Google Maps and Bing Maps
    • Spidering the web application and creating sitemaps: Burp Suite, HTTrack, and ZAP
  • whois

  • Identifying hosts using DNS

  • Zone transfer using dig

  • Brute-force DNS records using Nmap: the dns-brute script uses the dictionary files vhosts-default.lst and vhosts-full.lst, which contain a large list of common hostnames: nmap --script dns-brute --script-args dns-brute.domain=pentesting-lab.com

  • The Recon-ng tool, a framework for information gathering: Recon-ng uses many different sources to gather data, such as Google, Twitter, and Shodan.

  • Scanning Phase:

    • Port scanning
    • Operating system fingerprinting
    • Web server version identification
    • Underlying infrastructure analysis
    • Application identification
  • Nmap:

    • Different options for port scan

    • --packet-trace (prints every packet Nmap sends and receives, useful for seeing what a given scan option actually does)

    • Evading firewalls and IPS using Nmap

      • ACK scan(-sA)
      • Hardcoded source port in firewall rules (--source-port)
      • Custom packet size (--data-length)
      • Custom MTU (--mtu)
      • MAC address spoofing (--spoof-mac)
    • Spotting a firewall using the bad checksum option in Nmap: --badsum

    • Identifying the operating system using Nmap: -O -v (get a second opinion using a tool such as Amap)

    • Profiling the server

    • Application version fingerprinting

    • The Nmap version scan:-sV -A

    • The --version-trace option makes Nmap print out debugging information about the version scanning and the underlying tests that run.

  • The Amap version scan: invoke Amap using the -bqv options, which only report the open ports, print the response received in ASCII, and print some detailed information related to it.

  • Fingerprinting the web application framework:

    • The HTTP header
    • The Whatweb scanner
    • BlindElephant: useful when conducting a penetration test of a content management system.
  • Identifying virtual hosts: when interacting with the website and crafting requests for it, it becomes important to identify the type of hosting. If the IP address hosts multiple websites, you have to include the correct Host header value in your requests or you won't get the desired results, and you could also affect the other websites hosted on that IP address. Attacking the IP address directly will have undesirable results and will also affect the scope of the penetration test.

    • DNS tools such as dig and nslookup can be used to identify domains that resolve to the same IP address.
    • www.my-ip-neighbors.com
    • The virtual host lookup module in Recon-ng
  • Identifying load balancers

    • Cookie-based load balancer

    • A few other ways to identify a device such as a load balancer are listed as follows:

      • Analyzing SSL differences
      • Redirecting to a different URL
      • DNS records for load balancers
      • Load balancer detector(lbd in Kali Linux)
      • Web application firewall (WAF) in the path to thwart attacks: Wafw00f in Kali Linux is able to detect whether a WAF device exists in the path.
  • Scanning web servers for vulnerabilities and misconfigurations.

    • Identifying HTTP methods using Nmap (DELETE, PUT and TRACE should be disabled on the web server): --script=http-methods.nse. By default, the script probes the target with a Mozilla user agent and also **reveals that the packet was generated by the Nmap scripting engine.** You can change the user agent with the http.useragent script argument and hide any Nmap information from being leaked: nmap --script=http-methods.nse --script-args http.useragent="Scan Done by Penetration testing team" 192.168.1.8

    • First, identify which methods the web server supports: use Netcat to open a connection to the web server and query it with the OPTIONS method.

    • Testing web servers using auxiliary modules in Metasploit:

      • Dir_listing: determines whether directory browsing is enabled on the target
      • Dir_scanner
      • Enum_wayback:
      • Files_dir: used to scan the server for data leakage vulnerabilities by locating backups of configuration files and source code files.
      • http_login
      • robots_txt
      • webdav_scanner: this module can be used to find out whether WebDAV is enabled on the server, which basically turns the web server into a file server.
    • Automating scanning using the WMAP web scanner plugin in Metasploit:

      1. define a site: wmap_site -a <site name/IP address>
      2. identify the site ID: wmap_site -l
      3. add the website as a target: wmap_target -d 0
      4. look at the modules the tool is going to run: wmap_run -t
      5. start the scan: wmap_run -e
      6. Once the test is complete, you can check out the vulnerabilities found using the vulns command
    • Vulnerability scanning and graphical reports: the skipfish web application scanner.

  • Spidering web applications

    • The Burp Spider

(figure: burpspider)
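The HTTP-methods check from the scanning notes above (OPTIONS via Netcat, or Nmap's http-methods script) can be turned into a hardening check that flags PUT, DELETE and TRACE whenever a server still advertises them. This is an added example, not code from the original notes; it spins up a constructed local server that deliberately allows PUT and TRACE so the check runs offline, and the `hardening-check` user agent is an assumed value.

```python
"""Query a web server's advertised HTTP methods with OPTIONS and flag the
ones the notes say should be disabled (DELETE, PUT, TRACE)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that should normally be disabled on a production web server.
RISKY_METHODS = {"DELETE", "PUT", "TRACE"}


def parse_allow(header_value):
    """Split an Allow header ('GET, POST, OPTIONS') into a set of methods."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(methods):
    """Return the subset of advertised methods that ought to be disabled."""
    return set(methods) & RISKY_METHODS


def query_options(host, port, path="/", user_agent="hardening-check"):
    """Send an OPTIONS request (assumed user agent) and return the method set."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("OPTIONS", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    allow = resp.getheader("Allow")  # None if the server sends no Allow header
    conn.close()
    return parse_allow(allow)


class _MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed local stand-in for a server that still allows PUT and TRACE."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, POST, OPTIONS, PUT, TRACE")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def check_local_demo():
    """Start the constructed server on a free port, query it, report findings."""
    srv = HTTPServer(("127.0.0.1", 0), _MisconfiguredHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return risky_methods(query_options("127.0.0.1", srv.server_port))
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print("risky methods advertised:", sorted(check_local_demo()))
```

Point `query_options` at your own server after changing its configuration to confirm the set comes back empty; an empty result only means the methods are not advertised, so a follow-up request with each method is still worth doing.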