Sunday, June 5, 2011

Configuration Management Testing and Authentication Testing (from OWASP)



1. Configuration Management Testing
Often analysis of the infrastructure and topology architecture can reveal a great deal about a web application. Information such as source code, HTTP methods permitted, administrative functionality, authentication methods, and infrastructural configurations can be obtained.

2. Authentication Testing
Authentication is the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the thing are true. In computer security, authentication is the process of attempting to verify the digital identity of the sender of a communication.

1.1 SSL/TLS Testing
We used nmap:

root@elha:~# nmap -F -sV www.akakom.ac.id

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-05 11:00 WIT
Nmap scan report for www.akakom.ac.id (110.76.151.4)
Host is up (0.085s latency).
Not shown: 95 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
53/tcp open domain Mikrotik RouterOS named or OpenDNS Updater
80/tcp open http Apache httpd 2.2.3 ((CentOS))
443/tcp open ssl/http Apache httpd 2.2.3 ((CentOS))
445/tcp filtered microsoft-ds

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.27 seconds

With OpenSSL:

root@elha:~# openssl s_client -no_tls1 -no_ssl3 -connect www.akakom.ac.id:443
CONNECTED(00000003)
3064:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:
root@elha:~# openssl s_client -no_tls1 -connect www.akakom.ac.id:443
CONNECTED(00000003)
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=18:self signed certificate
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
depth=0 /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
notAfter=Sep 18 11:51:59 2009 GMT
verify return:1
---
Certificate chain
0 s:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
i:/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
Server certificate
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
issuer=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
---
No client certificate CA names sent
---
SSL handshake has read 1629 bytes and written 335 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : DHE-RSA-AES256-SHA
Session-ID: CB6FB0DCB744A30479E8259ABFC32F48E44A4BA9A237ECE14FDC8DB3AB2B937F
Session-ID-ctx:
Master-Key: 35FEADC9F62CBDD7963AA7F7C18EB6343B00A1DA4CF47C61AAF5B9FC2E4ACF9EED05276B639241F0F543CDDE24EEBFB9
Key-Arg : None
Start Time: 1307246768
Timeout : 300 (sec)
Verify return code: 10 (certificate has expired)
---
closed
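
The session above contains several findings that the post does not spell out. As an added example (not part of the original post), this Python sketch triages an s_client transcript in the old slash-separated subject format printed here; the finding codes and the 2048-bit threshold are assumptions of the example.

```python
import re
from datetime import datetime

# Abridged copy of the s_client session shown above (constructed sample input).
SAMPLE = """\
verify error:num=18:self signed certificate
verify error:num=10:certificate has expired
notAfter=Sep 18 11:51:59 2009 GMT
subject=/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/CN=localhost.localdomain/emailAddress=root@localhost.localdomain
Server public key is 1024 bit
    Protocol  : SSLv3
    Cipher    : DHE-RSA-AES256-SHA
Verify return code: 10 (certificate has expired)
"""

VERIFY_CODES = {"18": "SELF_SIGNED", "10": "EXPIRED"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_RSA_BITS = 2048  # assumption: common current minimum for RSA keys


def triage(output, expected_host, now):
    """Return a sorted list of finding codes for one s_client transcript."""
    findings = set()
    # Verification errors printed during the handshake.
    for num in re.findall(r"verify error:num=(\d+):", output):
        findings.add(VERIFY_CODES.get(num, "VERIFY_ERROR_" + num))
    # Independent expiry check from the notAfter line.
    m = re.search(r"notAfter=(.+?) GMT", output)
    if m and datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y") < now:
        findings.add("EXPIRED")
    # The subject CN must match the host name that was requested.
    m = re.search(r"^subject=.*?/CN=([^/\n]+)", output, re.M)
    if m and m.group(1).lower() != expected_host.lower():
        findings.add("NAME_MISMATCH")
    m = re.search(r"Server public key is (\d+) bit", output)
    if m and int(m.group(1)) < MIN_RSA_BITS:
        findings.add("WEAK_KEY")
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m and m.group(1) in LEGACY_PROTOCOLS:
        findings.add("LEGACY_PROTOCOL")
    return sorted(findings)


if __name__ == "__main__":
    for code in triage(SAMPLE, "www.akakom.ac.id", datetime(2011, 6, 5)):
        print(code)
```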

With nessus:




Then we downloaded the report; the name of the file is "nessus_report_akakom.nessus". I couldn't copy this report because the report made the computer freeze.

1.2 DB Listener Testing
During the configuration of a database server, many DB administrators do not adequately consider the security of the DB listener component. The listener could reveal sensitive data as well as configuration settings or running database instances if insecurely configured and probed with manual or automated techniques. Information revealed will often be useful to a tester, serving as input to more impactful follow-on tests. The target does not have an Oracle database, so this phase was passed over.


1.3 Infrastructure Configuration Management Testing

We looked at the HTTP headers:

http://www.akakom.ac.id/

GET / HTTP/1.1
Host: www.akakom.ac.id
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Cookie: 69cb2eb0a19889c0e172765110b05475=bv2dp52k97laolmhl6134j9b93; akakom_tpl=akakom
DNT: 1
Connection: keep-alive

HTTP/1.0 200 OK
Date: Sun, 05 Jun 2011 03:59:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Set-Cookie: 69cb2eb0a19889c0e172765110b05475=deleted; expires=Sat, 05-Jun-2010 03:59:42 GMT; path=/
Set-Cookie: 69cb2eb0a19889c0e172765110b05475=60baff457c2c3978e5237abe47d2c88d; path=/
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Vary: User-Agent,Accept
Expires: Mon, 1 Jan 2001 00:00:00 GMT
Last-Modified: Sun, 05 Jun 2011 03:59:44 GMT
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8
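
What a reviewer would read out of that response, as an added example that is not part of the original post: a Python audit of raw response headers for version disclosure and session-cookie flags. The finding codes and function names are assumptions of the example; the sample is taken from the capture above.

```python
import re

# Response headers taken from the capture above (inline sample, abridged).
SAMPLE_RESPONSE = """\
HTTP/1.0 200 OK
Date: Sun, 05 Jun 2011 03:59:43 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.3.5
Set-Cookie: 69cb2eb0a19889c0e172765110b05475=deleted; expires=Sat, 05-Jun-2010 03:59:42 GMT; path=/
Set-Cookie: 69cb2eb0a19889c0e172765110b05475=60baff457c2c3978e5237abe47d2c88d; path=/
Content-Type: text/html; charset=utf-8
"""


def parse_headers(raw):
    """Return [(lowercase name, value)], keeping repeated headers such as Set-Cookie."""
    pairs = []
    for line in raw.splitlines()[1:]:            # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_headers(raw, over_https=False):
    """Return a list of (finding code, detail) tuples for one response."""
    findings = []
    for name, value in parse_headers(raw):
        if name == "server" and re.search(r"\d", value):
            findings.append(("VERSION_DISCLOSURE", "Server: " + value))
        elif name == "x-powered-by":
            findings.append(("VERSION_DISCLOSURE", "X-Powered-By: " + value))
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie_name, _, cookie_value = parts[0].partition("=")
            if cookie_value == "deleted":
                continue                          # PHP's cookie-deletion marker
            attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
            if "httponly" not in attrs:
                findings.append(("COOKIE_NO_HTTPONLY", cookie_name))
            if over_https and "secure" not in attrs:
                findings.append(("COOKIE_NO_SECURE", cookie_name))
    return findings


if __name__ == "__main__":
    for code, detail in audit_headers(SAMPLE_RESPONSE):
        print(code, detail)
```

On Apache and PHP the corresponding settings are `ServerTokens Prod`, `expose_php = Off` and `session.cookie_httponly = 1`.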


1.4 Application Configuration Management Testing

Using robots.txt from the target:

User-agent: *
Disallow: /administrator/
Disallow: /cache/
Disallow: /components/
Disallow: /images/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /libraries/
Disallow: /media/
Disallow: /modules/
Disallow: /plugins/
Disallow: /templates/
Disallow: /tmp/
Disallow: /xmlrpc/

1.5 Testing for File Extensions Handling
The file extensions present in a web server or a web application make it possible to identify the technologies which compose the target application, e.g. jsp and asp extensions. File extensions can also expose additional systems connected to the application.

1.6 Old, Backup and Unreferenced Files
Redundant, readable and downloadable files on a web server, such as old, backup and renamed files, are a big source of information leakage. It is necessary to verify the presence of these files because they may contain parts of source code, installation paths as well as passwords for applications and/or databases.
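
For site owners, the same check can be run from the inside. The following is an added example (not from the original post) that walks a local document root and lists leftover files; the pattern list and the file names in the demo tree are assumptions constructed for the example.

```python
import os
import re
import tempfile

# Assumption: typical leftover patterns (editor backups, archives, SQL dumps).
# A script saved as "configuration.php.bak" is no longer executed by PHP and
# would be served as plain text, source code and credentials included.
LEFTOVER = re.compile(r"(\.(bak|old|orig|save|swp|sql|tar|tgz|zip)$|~$)", re.IGNORECASE)


def find_leftovers(webroot):
    """Return sorted paths (relative to webroot) of files matching LEFTOVER."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if LEFTOVER.search(name):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def demo():
    """Build a constructed document root in a temp directory and scan it."""
    sample_tree = ["index.php", "configuration.php", "configuration.php.bak",
                   "includes/db.php~", "tmp/site-backup.zip",
                   "images/logo.png", "dump.sql"]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_tree:
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return find_leftovers(root)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```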

1.7 Infrastructure and Application Admin Interfaces
From the target, we got a phpMyAdmin page, so we tampered:





1.8 Testing for HTTP Methods and XST
In this test we check that the web server is not configured to allow potentially dangerous HTTP commands (methods) and that Cross Site Tracing (XST) is not possible.


2.1 Credentials transport over an encrypted channel
Here, the tester will just try to understand if the data that users put into the web form, in order to log into a web site, are transmitted using secure protocols that protect them from an attacker or not.
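
One way to automate this check on a page you are responsible for, as an added example that is not part of the original post: parse the HTML, find forms containing a password field, and verify both where the form submits and how the form itself was delivered. The class name, finding codes and sample HTML are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a login form with a relative action.
SAMPLE_HTML = """<form action="index.php" method="post">
<input type="text" name="username"><input type="password" name="passwd">
</form><form action="/search"><input type="text" name="q"></form>"""


class LoginFormFinder(HTMLParser):
    """Collect every <form>, remembering whether it holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "password": False}
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current["password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def insecure_login_forms(page_url, html):
    """Return (code, submit URL) for each password form lacking HTTPS protection."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    issues = []
    for form in finder.forms:
        if not form["password"]:
            continue
        target = urljoin(page_url, form["action"])   # empty action posts to the page itself
        if urlparse(target).scheme != "https":
            issues.append(("CLEARTEXT_SUBMIT", target))
        elif urlparse(page_url).scheme != "https":
            # Posts to HTTPS, but the form arrived unprotected and could be altered in transit.
            issues.append(("FORM_SERVED_OVER_HTTP", target))
    return issues
```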

2.2 Testing for user enumeration
The scope of this test is to verify if it is possible to collect a set of valid users by interacting with the authentication mechanism of the application. This test will be useful for the brute force testing, in which we verify if, given a valid username, it is possible to find the corresponding password.

2.3 Testing for Guessable (Dictionary) User Account
Here we test whether there are default user accounts or guessable username/password combinations (dictionary testing).

2.4 Brute Force Testing
When a dictionary type attack fails, a tester can attempt to use brute force methods to gain authentication. Brute force testing is not easy to accomplish for testers because of the time required and the possible lockout of the tester.

So, we tried to brute force




2.5 Testing for bypassing authentication schema
Other passive testing methods attempt to bypass the authentication schema by recognizing that not all of the application's resources are adequately protected. The tester can access these resources without authentication.

2.6 Testing for vulnerable remember password and pwd reset
Here we test how the application manages the process of "password forgotten". We also check whether the application allows the user to store the password in the browser ("remember password" function).
