A penetration testing report submitted during an internship at ICT Academy, IIT Kanpur. The report walks through the basic flow of a penetration test, from reconnaissance to finding vulnerabilities, and should be useful to security researchers who need to write a penetration testing report for their own project.
Penetration Testing Report
Project: Penetration Testing on Webserver
Aman Srivastava
Summer Training Program Batch, EICT, IITK
Website: http://certifiedhacker.com
<Footprinting and Reconnaissance>
1. About:
Site: http://www.certifiedhacker.com
Domain: certifiedhacker.com
Netblock Owner: Unified Layer
Nameserver: ns1.bluehost.com
Hosting Company: Endurance International Group
Organisation: 5335 Gate Parkway care of Network Solutions, Jacksonville, 32256, US
Top Level Domain: Commercial entities (.com)
DNS Admin: dnsadmin@box5331.bluehost.com
2. IP address of Website: 162.241.216.11
3. Location of server:
4. Operating System of Server: Red Hat Enterprise Linux 6
5. Web Server Technology and version: Apache
6. Built-in Technology:
jQuery
clueTIP
jQuery bgiframe
Fancybox
Cufon
SPF
jQuery Easing
jQuery UI
BlueHost
Hover Intent
7. Website First Seen: December 2002
8. Previous Technology used by website:
9. ISP IP Server Range:
10. Other Domains on Same Server:
11. Ports open on webserver:
21, 22, 26, 53, 80, 110, 143, 443, 465, 587, 993, 995, 2222, 3306, 5432
12. Registrar info:
13. Email ID of some employees of company: NOT FOUND
14. Social Networking Profiles of employees: NOT FOUND
15. LinkedIn Search for profiles with company name: NOT FOUND
16. Location of Company: NOT FOUND
17. Director/CEO of Company: NOT FOUND
18. Firewall:
Load Balancer:
DNS-Loadbalancing: NOT FOUND
HTTP-Loadbalancing: NOT FOUND
19. Directory Listing:
While dorking, a confidential file was found: a backup/compressed archive of the whole webserver:
=> http://certifiedhacker.com/certifiedhacker.zip
An archive like this usually contains the site's source and configuration files; it should be removed from the web root, and any credentials it may contain should be rotated.
20. Files such as robots.txt and sites.xml: NOT FOUND
<Vulnerabilities>
1. XSS Vector in Document Body
Vulnerability Description:
The requested URL is written back, without HTML encoding, into the body of the server's 500 error page, and that page is served as text/html. Any tag placed in the request path is therefore rendered by the browser, so a victim who follows a crafted link to this path gets attacker-supplied HTML and script executed in the origin of certifiedhacker.com (reflected XSS). The error page is produced by the server's PHP wrapper, so the flaw is server-side rather than in client-side JavaScript.
Affected Item:
http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx--%3E%22%3E'%3E'%22%3Csfi000317v352289%3E
Memo: injected '<sfi...>' tag seen in HTML
POC:
=== REQUEST ===
GET /P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289> HTTP/1.1
Host: certifiedhacker.com
Accept-Encoding: gzip
Connection: keep-alive
User-Agent: Mozilla/5.0 SF/2.10b
Range: bytes=0-399999
Referer: http://certifiedhacker.com/
=== RESPONSE ===
HTTP/1.1 200 Partial Content
Date: Sun, 30 Aug 2020 06:23:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Range: bytes 0-274/275
Content-Length: 275
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!-- PHP Wrapper - 500 Server Error -->
<html><head><title>500 Server Error</title></head>
<body bgcolor=white>
<h1>500 Server Error</h1>
A misconfiguration on the server caused a hiccup.
Check the server logs, fix the problem, then try again.
<hr>
URL: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289><br>
</body></html>
=== END OF DATA ===
Possible remediations or prevention methods:
HTML-encode the request URL (and any other request-derived value) before writing it into the error page, or use a static error template that does not echo the URL at all. Check the other error pages the server generates for the same echo. A Content-Security-Policy header limits what an injected tag can do if encoding is ever missed.
Reference: https://www.a2hosting.in/kb/developer-corner/php/500-internal-server-error-while-running-php
https://owasp.org/www-community/attacks/xss/
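The following is an added example, not code from the report or from the certifiedhacker.com site. It reproduces the behaviour seen in the captured 500 response (the URL pasted raw into a text/html body) as render_error_page_vulnerable, shows the encoded version as render_error_page_hardened, and sends a random tag the way the scanner's <sfi...> marker did to check whether it comes back unencoded. The path and the markers are constructed for the example.

```python
"""Reflected-XSS probe against an error page that echoes the request URL."""
import html
import secrets


def render_error_page_vulnerable(url: str) -> str:
    # What the live server did: the URL lands in the HTML body unchanged.
    return (
        "<html><head><title>500 Server Error</title></head><body>"
        "<h1>500 Server Error</h1>"
        f"URL: {url}<br></body></html>"
    )


def render_error_page_hardened(url: str) -> str:
    # html.escape turns < > & " ' into entities, so injected tags render as text.
    return (
        "<html><head><title>500 Server Error</title></head><body>"
        "<h1>500 Server Error</h1>"
        f"URL: {html.escape(url, quote=True)}<br></body></html>"
    )


def make_marker() -> str:
    # Random tag name: a hit cannot be confused with existing page content.
    return f"<sfi{secrets.token_hex(4)}>"


def reflected_unencoded(body: str, marker: str) -> bool:
    """True when the marker, angle brackets included, appears verbatim."""
    return marker in body


def probe(render, path: str = "/P-folio/images/500.php/.htaccess") -> bool:
    """Build the scanner-style payload and test one page renderer.

    The prefix closes comment, attribute and string contexts so the marker
    lands in plain document body wherever the URL is echoed.
    """
    marker = make_marker()
    payload = path + "-->\">'>'\"" + marker
    body = render("http://certifiedhacker.com" + payload)
    return reflected_unencoded(body, marker)


if __name__ == "__main__":
    print("vulnerable renderer reflects tag:", probe(render_error_page_vulnerable))
    print("hardened renderer reflects tag:", probe(render_error_page_hardened))
```

Against a live target the same probe is a GET of the payload path followed by a search for the unencoded marker in the body; a hit on a page served as text/html is the finding, a hit inside an HTML comment or attribute needs the context-breaking prefix to be adjusted.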
2. External content embedded on a page
Vulnerability Description:
Pages and scripts on the site load third-party content over plain HTTP: the booking page pulls the Google Maps loader from http://www.google.com/jsapi, and jquery.prettyPhoto.js builds http://www.youtube.com/v/ and http://www.apple.com/qtactivex/qtplugin.cab URLs. Anything fetched over HTTP can be replaced by an attacker on the network path, and a substituted script or plugin runs with the embedding page's origin, giving the attacker the same reach as an XSS on the site. If the site is moved to HTTPS these references become mixed content: browsers block the active ones (script, frame, object) and the page breaks, while passive ones such as images still load insecurely.
Affected Items:
→Higher Risk:-
http://certifiedhacker.com/Online%20Booking/
Memo:
http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3,other_params:'sensor=false'}]}
→Lower Risk:-
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.youtube.com/v/'+grab_param('v',images[setPosition])+'
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js
Memo: http://www.apple.com/qtactivex/qtplugin.cab
Possible Countermeasures:
i. Reference every external script, frame, plugin and media file with an https:// URL (or a scheme-relative // URL on a page that is itself served over HTTPS), and add Subresource Integrity hashes to static third-party scripts.
ii. Serve the site itself over HTTPS with HSTS. While any part of the exchange stays on plain HTTP it can be intercepted, and an on-path attacker can also strip the upgrade to HTTPS from links and redirects, so the HTTP-only surface has to be treated as exposed.
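An added example, not the site's code, for the class of finding above: it parses an HTML document with the standard library and returns every script, frame, object, embed, image, source and stylesheet whose URL starts with http://, rating the elements that execute code as high risk and the rest as low. The SAMPLE document is constructed for the example (it reuses the Google jsapi and QuickTime URLs the report flagged; cdn.example.test is a placeholder host). URLs that only exist inside JavaScript strings, as in jquery.prettyPhoto.js, have to be checked in the script source separately.

```python
"""Find sub-resources a page loads over plain HTTP."""
from html.parser import HTMLParser

# Which attribute carries the remote URL for each element type.
URL_ATTRS = {
    "script": "src", "iframe": "src", "embed": "src", "img": "src",
    "object": "data", "link": "href", "source": "src",
}
# A replaced script/plugin executes with the embedding page's origin.
HIGH_RISK = {"script", "iframe", "object", "embed"}


class InsecureResourceFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, url, risk)

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        # Scheme-relative (//host/...) and https:// URLs inherit or use TLS.
        if url and url.strip().lower().startswith("http://"):
            risk = "high" if tag in HIGH_RISK else "low"
            self.findings.append((tag, url.strip(), risk))


def find_insecure_resources(html_text: str):
    """Return [(tag, url, risk), ...] for every http:// sub-resource."""
    parser = InsecureResourceFinder()
    parser.feed(html_text)
    parser.close()
    return parser.findings


# Constructed sample page for the example.
SAMPLE = """<html><head>
<link rel="stylesheet" href="https://cdn.example.test/site.css">
<script src="http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3}]}"></script>
<script src="//code.jquery.com/jquery.min.js"></script>
</head><body>
<img src="http://cdn.example.test/logo.png">
<object data="http://www.apple.com/qtactivex/qtplugin.cab"></object>
</body></html>"""

if __name__ == "__main__":
    for tag, url, risk in find_insecure_resources(SAMPLE):
        print(f"{risk:4} <{tag}> {url}")
```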
3. HTML Form Without CSRF Protection Vulnerability:
Vulnerability Description:
Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I found an HTML form with no apparent CSRF protection implemented.
Affected Items:
1. http://certifiedhacker.com/
2. http://certifiedhacker.com/corporate-learning-website/01-homepage.html
3. http://certifiedhacker.com/corporate-learning-website/contact_us.html
4. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_california.html
5. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_North%20Carolina.html
6. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_usa.html
7. http://certifiedhacker.com/Online%20Booking/?lang=1&currency=1
8. http://certifiedhacker.com/Social%20Media/
9. http://certifiedhacker.com/Social%20Media/about-us.html
10. http://certifiedhacker.com/Social%20Media/sample-blog.html
11. http://certifiedhacker.com/Social%20Media/sample-portfolio.html
12. http://certifiedhacker.com/Turbo%20Max/
The impact of this vulnerability:
An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations for a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
POC:
Form name: <empty>
Form action: http://certifiedhacker.com/corporate-learning-website/contact_us.html
Form method: POST
How to fix this vulnerability:
First check whether the form performs an authenticated, state-changing action. The form above posts to a static .html page, which suggests nothing is processed server-side, so confirm the scanner finding manually before reporting it as exploitable. Where protection is needed, embed an unpredictable per-session token in the form and reject any POST whose token does not match the one stored in the session; setting the SameSite attribute on the session cookie adds a second, independent layer.
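An added example, not the site's code, of the synchronizer-token pattern described above: a random token is stored in the server-side session and embedded in every form, and state-changing requests must carry a copy that matches the session's in a constant-time comparison. The session is a plain dict here so the example runs stand-alone; in a real application it is the framework's session object.

```python
"""Synchronizer-token CSRF protection."""
import hmac
import secrets

# Methods that must not change state and therefore need no token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating it on first use."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def hidden_field(session: dict) -> str:
    """The input to place inside each <form method="POST">."""
    return (
        '<input type="hidden" name="csrf_token" '
        f'value="{issue_token(session)}">'
    )


def verify_request(session: dict, method: str, form: dict) -> bool:
    """Accept safe methods; for others require a token equal to the session's."""
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # compare_digest avoids leaking the token through timing differences.
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    session = {}
    print(hidden_field(session))
    print("valid post:", verify_request(session, "POST", {"csrf_token": session["csrf_token"]}))
    print("forged post:", verify_request(session, "POST", {"csrf_token": "guess"}))
```

A forged cross-site POST cannot read the victim's page, so it cannot obtain the token; the check fails closed when the token is missing or belongs to another session. Pair it with SameSite=Lax or Strict on the session cookie so the browser withholds the cookie on most cross-site requests in the first place.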
4. Fingerprinted CMS Components' Vulnerabilities:
i.
Reference:
CWE-79 – Cross-site scripting
CWE-400 – Prototype pollution
ii.
5. Missing Required HTTP Headers and their description:
i. Strict-Transport-Security: the HSTS header tells the browser to reach the site only over HTTPS for the stated max-age; it only takes effect once the site is actually served over HTTPS.
ii. X-Frame-Options: specifies whether the website may be framed, and from which origin. Blocking framing defends against clickjacking; the Content-Security-Policy frame-ancestors directive is the current replacement and should be set alongside it.
iii. X-XSS-Protection: controlled the browser's built-in reflected-XSS filter. Chrome removed that filter in 2019, Edge dropped it earlier and Firefox never had one, so the header no longer adds protection; output encoding and a Content-Security-Policy are the real defence.
iv. X-Content-Type-Options: the nosniff value stops the browser from guessing a content type different from the declared one, which blocks a class of XSS and drive-by download tricks that rely on MIME sniffing.
v. Expect-CT: let a site opt into Certificate Transparency enforcement ahead of Chrome's 2018 requirement. CT is now enforced by default and the header is deprecated, so its absence is not a finding today.
vi. Feature-Policy: enables, disables or modifies browser APIs (camera, geolocation, etc.) for the page and its frames. It has been renamed Permissions-Policy, which is the header to set today.
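An added example, not from the report, that audits a response's security headers. Header names are matched case-insensitively, as HTTP requires. RAW is the header block of the 500-page response captured earlier in this report; the recommended values are this example's suggestions rather than the report's, Content-Security-Policy is included although the report's list omits it, and the three headers in the report's list that current browsers no longer act on are reported separately when present.

```python
"""Security header audit over a raw HTTP response header block."""

RECOMMENDED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "content-security-policy": "default-src 'self'",
    "permissions-policy": "camera=(), geolocation=(), microphone=()",
}
# In the report's list, but no longer enforced by current browsers.
OBSOLETE = {"x-xss-protection", "expect-ct", "feature-policy"}

# Header block of the captured 500 response (body omitted).
RAW = """HTTP/1.1 200 Partial Content
Date: Sun, 30 Aug 2020 06:23:52 GMT
Server: Apache
Vary: Accept-Encoding
Content-Encoding: gzip
host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
Content-Range: bytes 0-274/275
Content-Length: 275
Keep-Alive: timeout=5, max=54
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8"""


def parse_headers(raw: str) -> dict:
    """Turn a raw header block into {lowercase-name: value}; skips the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> dict:
    """Report recommended headers that are absent and obsolete ones that are set."""
    present = {name.lower() for name in headers}
    return {
        "missing": {n: v for n, v in RECOMMENDED.items() if n not in present},
        "obsolete_present": sorted(present & OBSOLETE),
    }


if __name__ == "__main__":
    report = audit_headers(parse_headers(RAW))
    for name, value in report["missing"].items():
        print(f"missing {name}: suggest '{value}'")
    for name in report["obsolete_present"]:
        print(f"obsolete header set: {name}")
```

On the captured response every recommended header is missing. Strict-Transport-Security only makes sense once the site is served over HTTPS, so it should be added together with the TLS migration rather than on the plain-HTTP site.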
<Pentesting Services Running on Server>
i. Service=ftp Version=Pure-FTPd
Known vulnerabilities: External Authentication Bash Environment Variable Code Injection (the Shellshock bug in bash, CVE-2014-6271, reached through Pure-FTPd's external authentication handler). This path only exists when the server is configured to use an external authentication script and that script runs under a vulnerable bash; a version banner alone cannot confirm it.
I tried to exploit this vulnerability but an error occurred:
Reference: https://www.exploit-db.com/exploits/34862
Then I tried enumerating users and passwords using hydra:
Conclusion: There may be some kind of firewall rule that is rate limiting the brute forcing, which is why hydra aborts after one or two attempts.
ii. Service=ssh Version=OpenSSH 5.3
Known vulnerabilities: Not Found (note that Red Hat backports security fixes into the OpenSSH 5.3 package shipped with RHEL 6, so matching the version string against CVE lists is unreliable in both directions)
Enumerating users using the msf module:
Brute forcing the password for user "hacker":
Then, checked for false positives:
Conclusion: There may be some honeypot that reports every username as valid, and a firewall is rate limiting the attempts, which is why hydra aborts after one or two attempts.
iii. Service=smtp Version=Exim smtpd 4.93
Known vulnerabilities: Not Found
Reference:
https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html
iv. Service=domain (DNS, port 53) Version=ISC BIND 9.8.2, as identified by the references below (9.8.2rc1 in the NVD search)
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html
https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aisc%3abind%3a9.8.2%3arc1
v. Service=imap/pop3 Version=imapd/pop3d (the referenced CVEs are Dovecot advisories)
Known vulnerabilities: Found
Reference:
https://www.cvedetails.com/cve/CVE-2019-7524/
https://www.cvedetails.com/cve/CVE-2019-11500/
<Database>
Database found (from the open ports 3306 and 5432):
i. MySQL
ii. PostgreSQL DB
Checked for SQLi on every single webpage but did not find any webpage that is vulnerable to SQLi.
Ran sqlmap, but it aborted due to the WAF.
Then ran it again with the following parameters:
Result:
Result: As no injectable parameter was found, the database can't be dumped.
FINAL CONCLUSION:
Initial reconnaissance of certifiedhacker.com revealed directory listing and a firewall in front of the website; no load balancer was found. Other domains were also found on the same server the website is running on, which gives a larger area to pentest (I didn't test those). While dorking, a zip archive of the whole website was found, which can be useful for security researchers to look at for bugs in the site's code.
An examination of the web interface revealed that external content is embedded over plain HTTP, which lets an on-path attacker substitute it. After closer examination, two vulnerabilities were found: (a) an HTML form without CSRF protection, through which an attacker may force users of the web application to execute actions of the attacker's choosing, and a successful exploit can compromise end user data and operations for a normal user; and (b) an XSS vector in the document body of the 500 error page. Deeper examination showed that some required HTTP headers were missing and some vulnerabilities were found in CMS components.
Then I pentested the services running on the server. An FTP service (Pure-FTPd) was running on port 21; I found a vulnerability and an exploit for it, but was not able to exploit it, and a firewall is rate limiting the attempts, so user enumeration could not be done. The same applies to SSH, where some kind of honeypot and firewall rules produced false positives on user enumeration. After researching the versions of the other services, some known vulnerabilities were found (which, again, I was not able to exploit).
Then came database testing: I went through all the webpages manually and did not find any SQLi vulnerability, and then I ran sqlmap, which was also not able to find any. So I was not able to dump the database.
As far as the security of the website is concerned, it is fairly secure; some minor vulnerabilities are there which can be exploited, but overall the website is pretty much secured.