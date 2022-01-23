
Penetration Testing Report

Jan. 23, 2022
A penetration testing report submitted during an internship at ICT Academy, IIT Kanpur. The report walks through the basic flow of a penetration test, from reconnaissance to finding vulnerabilities, and should be helpful for security researchers who want to write a penetration testing report for their own project.

Project: Penetration Testing on Webserver
Aman Srivastava
Summer Training Program Batch, EICT, IITK
Website: http://certifiedhacker.com
<Footprinting and Reconnaissance>

1. About:
   Site: http://www.certifiedhacker.com
   Domain: certifiedhacker.com
   Netblock Owner: Unified Layer
   Nameserver: ns1.bluehost.com
   Hosting Company: Endurance International Group
   Organisation: 5335 Gate Parkway care of Network Solutions, Jacksonville, 32256, US
   Top Level Domain: Commercial entities (.com)
   DNS Admin: dnsadmin@box5331.bluehost.com
2. IP address of Website: 162.241.216.11
3. Location of server:
4. Operating System of Server: Red Hat Enterprise Linux 6
5. Web Server Technology and version: Apache
6. Built-in Technology: jQuery, clueTIP, jQuery bgiframe, Fancybox, Cufon, SPF, jQuery Easing, jQuery UI, BlueHost, Hover Intent
7. Website First Seen: December 2002
8. Previous Technology used by website:
9. ISP IP Server Range:
10. Other Domains on Same Server:
11. Ports open on webserver: 110, 587, 143, 21, 53, 2222, 993, 443, 26, 22, 995, 5432, 80, 3306, 465
12. Registrar info:
13. Email ID of some employees of company: NOT FOUND
14. Social Networking Profiles of employees: NOT FOUND
15. LinkedIn Search for profiles with company name: NOT FOUND
16. Location of Company: NOT FOUND
17. Director/CEO of Company: NOT FOUND
18. Firewall:
    Load Balancer:
    DNS-Loadbalancing: NOT FOUND
    HTTP-Loadbalancing: NOT FOUND
19. Directory Listing:
While dorking, a confidential file was found, which is a backup/compressed copy of the whole webserver:
=> http://certifiedhacker.com/certifiedhacker.zip
20. Files such as robots.txt and sites.xml: NOT FOUND

<Vulnerabilities>

1. XSS Vector in Document Body
Vulnerability Description: The entire tainted data flow from source to sink takes place in the browser. Insecure reference and use (in client side code) of DOM objects that are not fully controlled by the server-provided page.
Affected Item: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx--%3E%22%3E'%3E'%22%3Csfi000317v352289%3E
Memo: injected '<sfi...>' tag seen in HTML
POC:
=== REQUEST ===
GET /P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289> HTTP/1.1
Host: certifiedhacker.com
Accept-Encoding: gzip
Connection: keep-alive
User-Agent: Mozilla/5.0 SF/2.10b
Range: bytes=0-399999
Referer: http://certifiedhacker.com/
=== RESPONSE ===
HTTP/1.1 200 Partial Content
Date: Sun, 30 Aug 2020 06:23:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Range: bytes 0-274/275
Content-Length: 275
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<!-- PHP Wrapper - 500 Server Error -->
<html><head><title>500 Server Error</title></head>
<body bgcolor=white>
<h1>500 Server Error</h1>
A misconfiguration on the server caused a hiccup. Check the server logs, fix the problem, then try again.
<hr>
URL: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289><br>
</body></html>
=== END OF DATA ===
Possible remediations or prevention methods:
i. Avoiding client side document rewriting, redirection, or other sensitive actions that use client side data.
ii. Analysing and hardening the client side (JavaScript) code.
Reference:
https://www.a2hosting.in/kb/developer-corner/php/500-internal-server-error-while-running-php
https://owasp.org/www-community/attacks/xss/

2. External content embedded on a page
Vulnerability Description: External content embedded on a page means something isn't right with the site, yet somehow we keep building sites that do it. This can lead to issues such as identity theft. The content is usually sent through email and directs users to an http site instead of https.
Affected Items:
→ Higher Risk:
http://certifiedhacker.com/Online%20Booking/
Memo: http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3,other_params:'sensor=false'}]}
→ Lower Risk:
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.youtube.com/v/'+grab_param('v',images[setPosition])+'
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.apple.com/qtactivex/qtplugin.cab
Possible Countermeasures:
i. Ensure that external content is embedded using HTTPS.
ii. Acknowledge that all the HTTP portions of the communication remain vulnerable, hence you also have to protect against SSL anti-patterns.

3. HTML Form Without CSRF Protection
Vulnerability Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I found an HTML form with no apparent CSRF protection implemented.
Affected Items:
1. http://certifiedhacker.com/
2. http://certifiedhacker.com/corporate-learning-website/01-homepage.html
3. http://certifiedhacker.com/corporate-learning-website/contact_us.html
4. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_california.html
5. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_North%20Carolina.html
6. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_usa.html
7. http://certifiedhacker.com/Online%20Booking/?lang=1&currency=1
8. http://certifiedhacker.com/Social%20Media/
9. http://certifiedhacker.com/Social%20Media/about-us.html
10. http://certifiedhacker.com/Social%20Media/sample-blog.html
11. http://certifiedhacker.com/Social%20Media/sample-portfolio.html
12. http://certifiedhacker.com/Turbo%20Max/
The impact of this vulnerability: An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
POC:
Form name: <empty>
Form action: http://certifiedhacker.com/corporate-learning-website/contact_us.html
Form method: POST
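The contact form in the POC above is submitted with nothing that ties the request to the user's own session, which is exactly what lets a forged cross-site request go through. As an added example, not code from the report or from the site, here is the synchronizer-token countermeasure in Python: a token bound to the session id with an HMAC under a server secret, checked before any state-changing POST is processed. SERVER_SECRET, the session id and the handle_contact_post handler are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side secret (assumption for this example): in a real
# deployment load it from configuration, never hard-code it.
SERVER_SECRET = b"example-secret-replace-me"
TOKEN_TTL_SECONDS = 3600  # tokens older than an hour are rejected


def make_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Return a token bound to the caller's session, laid out as ts.nonce.hmac."""
    ts = str(int(time.time()) if now is None else now)
    nonce = secrets.token_hex(8)
    mac = hmac.new(SERVER_SECRET, f"{session_id}|{ts}|{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{ts}.{nonce}.{mac}"


def verify_csrf_token(token: str, session_id: str, now: Optional[int] = None) -> bool:
    """True only if the HMAC matches this session and the token has not expired."""
    try:
        ts, nonce, mac = token.split(".")
        issued = int(ts)
    except ValueError:  # malformed token: wrong field count or non-numeric timestamp
        return False
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > TOKEN_TTL_SECONDS:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}|{ts}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


def handle_contact_post(form: dict, session_id: str, now: Optional[int] = None) -> str:
    """Hypothetical handler for the contact_us.html POST: refuse without a valid token.

    The token is expected in a hidden form field named csrf_token that the page
    rendered for this same session; a cross-site form cannot know its value.
    """
    if not verify_csrf_token(form.get("csrf_token", ""), session_id, now):
        return "403 Forbidden: missing or invalid CSRF token"
    return "200 OK: message accepted"
```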
How to fix this vulnerability: Check if this form requires CSRF protection and implement CSRF countermeasures if necessary.

4. Fingerprinted CMS Components' Vulnerabilities:
i.
Reference: CWE-79 – Cross-site-scripting, CWE-400 – Prototype-Pollution
ii.

5. Missing Required HTTP Headers and their description:
i. Strict-Transport-Security: The HTTP Strict-Transport-Security (HSTS) header forces the browser to access the website via HTTPS.
ii. X-Frame-Options: The X-Frame-Options header specifies whether the website should allow itself to be framed, and from which origin. Blocking framing helps defend against attacks such as Clickjacking.
iii. X-XSS-Protection: X-XSS-Protection defines how browsers should enforce XSS protection.
iv. X-Content-Type-Options: X-Content-Type-Options directs browsers to disable sniffing of the page's content type and to use only the content type defined in the header itself. This provides protection against XSS or drive-by download attacks.
v. Expect-CT: The Expect-CT header allows a website to determine if it is ready for the upcoming Chrome Certificate Transparency requirements and/or to enforce its policy.
vi. Feature-Policy: The Feature-Policy header allows enabling, disabling, or modifying the behaviour of web browser APIs (e.g. access to camera, geolocation, etc.).

<Pentesting Services Running on Server>
i. Service=ftp Version=Pure-FTPd
Known vulnerabilities: External Authentication Bash Environment Variable Code Injection
I tried to exploit this vulnerability but an error occurred:
Reference: https://www.exploit-db.com/exploits/34862
Then I tried: Enumerating users and passwords using hydra:
Conclusion: There may be some kind of firewall rules which are rate limiting the brute-forcing; that's why after one or two attempts hydra aborts.
ii. Service=ssh Version=OpenSSH 5.3
Known vulnerabilities: Not Found
Enumerating users using msf module:
Brute forcing password for user "hacker":
Then, checked for false positives:
Conclusion: There may be some honeypot which is reporting every input for user as true, and the firewall is rate limiting the attempts; that's why after one or two attempts hydra aborts.
iii. Service=smtp Version=Exim smtpd 4.93
Known vulnerabilities: Not Found
Reference: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html
iv. Service=smtp Version=Exim smtpd 4.93
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html
https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aisc%3abind%3a9.8.2%3arc1
v. Service=imap/pop3 Version=imap3d/pop3d
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/cve/CVE-2019-7524/
https://www.cvedetails.com/cve/CVE-2019-11500/

<Database>

Database found:
i. MySQL
ii. PostgreSQL DB
Checked for SQLi on every single webpage but didn't find any webpage that is vulnerable to SQLi. Ran sqlmap but that aborts due to the WAF. Then ran again with the following parameters:
Result:
Result:
As no SQLi parameter is found, its database can't be dumped.
FINAL CONCLUSION:
Initial reconnaissance of certifiedhacker.com resulted in the discovery of directory listing and a firewall on the website, and no load balancer was found. Some other domains were also found on the same server the website is running on, which provides a larger area to pentest (I didn't test those…). While dorking, the whole website's zip file was found, which can be useful for security researchers to look at and check for bugs in the programming of the website. An examination of the web interface revealed that external content was embedded on a page, which means something isn't right with the site. This can lead to issues such as identity theft. After closer examination, two vulnerabilities were found: (a) HTML Form without CSRF Protection, through which an attacker may force the users of a web application to execute actions of the attacker's choosing, and a successful exploit can compromise end user data and operations in the case of a normal user, AND (b) XSS Vector in Document Body on the 500 server page. After some deeper examination, some required HTTP headers were found to be missing and some vulnerabilities were found in CMS components. Then I went on to pentesting the services running on the server. An FTP service, Pure-FTPd, was running on port 21; I later found a vulnerability and an exploit for it, but was not able to exploit this vulnerability, and the firewall is rate limiting the attempts, so user enumeration can't be done. The same goes for SSH: some kind of honeypot and firewall rules result in false positives on user enumeration. After researching the versions of the other services, some known vulnerabilities were found (which again I was not able to exploit). Then it came to database testing: I went through all the webpages manually and didn't find any SQLi vulnerability, then I ran sqlmap, which also was not able to find any. So I ended up not able to dump the database.
Now as far as the security of the website is concerned, it is secured, but some minor vulnerabilities are there which can be exploited; overall the website is pretty much secured.
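The conclusion recaps that several required HTTP headers were missing from the server's responses. As an added example, not part of the report, here is a small Python checker that parses a raw HTTP response and reports each of the six headers listed in the report as ok, weak or missing; a present header with a value that does not actually protect the user (a short HSTS max-age, a permissive X-Frame-Options) is flagged as weak rather than counted as ok. The sample response is constructed, modelled on the 500-page response quoted earlier, and Permissions-Policy is accepted as the successor of Feature-Policy.

```python
import re
from typing import Dict

# Constructed sample response, modelled on the 500-page response quoted in
# the report: two of the six headers are present but weakly configured.
SAMPLE_RESPONSE = """HTTP/1.1 200 Partial Content
Server: Apache
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=300
X-Frame-Options: ALLOWALL

<html><body><h1>500 Server Error</h1></body></html>"""

# The six headers the report lists as missing, lower-cased for lookup.
REQUIRED_HEADERS = ["strict-transport-security", "x-frame-options", "x-xss-protection",
                    "x-content-type-options", "expect-ct", "feature-policy"]


def parse_headers(raw_response: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lower-cased header-name -> value map."""
    headers: Dict[str, str] = {}
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def check_value(name: str, value: str) -> str:
    """Flag values that are present but do not actually protect the user."""
    v = value.lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m or int(m.group(1)) < 31536000:
            return "weak: max-age shorter than one year"
    elif name == "x-frame-options" and v not in ("deny", "sameorigin"):
        return "weak: value must be DENY or SAMEORIGIN"
    elif name == "x-content-type-options" and v != "nosniff":
        return "weak: value must be nosniff"
    return "ok"


def audit_headers(raw_response: str) -> Dict[str, str]:
    """Return ok / weak / missing for each of the six required headers."""
    headers = parse_headers(raw_response)
    if "feature-policy" not in headers and "permissions-policy" in headers:
        headers["feature-policy"] = headers["permissions-policy"]  # successor header
    return {h: (check_value(h, headers[h]) if h in headers else "missing")
            for h in REQUIRED_HEADERS}
```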

