SlideShare a Scribd company logo

Penetration Testing Report

A
Aman Srivastava

A penetration testing report submitted during internship at ICT Academy, IIT Kanpur. This report contains a basic flow how to perform penetration testing, from reconnaissance to finding vulnerability. This should be helpful for security researchers who are looking to write a penetration testing for their project.

1 of 14
Download to read offline
Project: Penetration Testing on Webserver Aman Srivastava Summer Training Program Batch, EICT, IITK Website: http://certifiedhacker.com
<Footprinting and Reconnaissance> 1. About: Site: http://www.certifiedhacker.com Domain: certifiedhacker.com Netblock Owner: Unified Layer Nameserver: ns1.bluehost.com Hosting Company: Endurance International Group Organisation: 5335 Gate Parkway care of Network Solutions, Jacksonville, 32256, US Top Level Domain: Commercial entities (.com) DNS Admin: dnsadmin@box5331.bluehost.com 2. IP address of Website: 162.241.216.11 3. Location of sever: 4. Operating System of Server: Red Hat Enterprise Linux 6 5. Web Server Technology and version: Apache 6. Built-in Technology: jQuery clueTIP Jquery bgiframe Fancybox Cufon SPF jQuery Easing jQuery UI BlueHost Hover Intent
7. Website First Seen: December 2002 8. Previous Technology used by website: 9. ISP IP Server Range: 10. Other Domains on Same Server: 11. Ports open on webserver: 110 587 143 21 53 2222 993 443 26 22 995 5432 80 3306 465 12. Registrar info:
13. Email ID of some employees of company: NOT FOUND 14. Social Networking Profiles of employees: NOT FOUND 15. LinkedIn Search for profiles with company name: NOT FOUND 16. Location of Company: NOT FOUND 17. Director/CEO of Company: NOT FOUND 18. Firewall: Load Balancer: DNS-Loadbalancing: NOT FOUND HTTP-Loadbalancing: NOT FOUND 19. Directory Listing:
While dorking confidential file found, which is whole webserver’s backup/compressed file: =>http://certifiedhacker.com/certifiedhacker.zip 20. Files such as robots.txt and sites.xml: NOT FOUND <Vulnerabilities> 1. XSS Vector in Document Body Vulnerability Description: The entire tainted data flow from source to sink takes place in the browser. Insecure reference and use (in a client side code) of DOM objects that are not fully controlled by the server provided page. Affected Item: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx--%3E%22%3E'%3E'%22%3Csfi000317v352289%3E Memo: injected '<sfi...>' tag seen in HTML POC: === REQUEST === GET /P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289> HTTP/1.1 Host: certifiedhacker.com Accept-Encoding: gzip Connection: keep-alive User-Agent: Mozilla/5.0 SF/2.10b Range: bytes=0-399999 Referer: http://certifiedhacker.com/ === RESPONSE === HTTP/1.1 200 Partial Content Date: Sun, 30 Aug 2020 06:23:52 GMT Server: Apache Vary: Accept-Encoding
Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== Content-Range: bytes 0-274/275 Content-Length: 275 Keep-Alive: timeout=5, max=54 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <!-- PHP Wrapper - 500 Server Error --> <html><head><title>500 Server Error</title></head> <body bgcolor=white> <h1>500 Server Error</h1> A misconfiguration on the server caused a hiccup. Check the server logs, fix the problem, then try again. <hr> URL: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289><br> </body></html> === END OF DATA === Possible remediations or prevention methods: Avoiding client side document rewriting, redirection, or other sensitive actions, using client side data. Analysing and hardening the client side (Javascript) code. Reference: https://www.a2hosting.in/kb/developer-corner/php/500-internal-server-error-while-running-php https://owasp.org/www-community/attacks/xss/ 2. External content embedded on a page Vulnerability Description: External content embedded on a page means something isn't right with the site – wrong – yet some way or another we appear to continue building sites that do. This can prompt issues, for example identity theft. The content is usually sent through email and directs users to an http site instead of https. Affected Items: →Higher Risk:- http://certifiedhacker.com/Online%20Booking/ Memo: http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3,other_params:'sensor=false'}]} →Lower Risk:- http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js Memo: http://www.youtube.com/v/'+grab_param('v',images[setPosition])+'
http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js Memo: http://www.apple.com/qtactivex/qtplugin.cab Possible Countermeasures: i. Ensure that external content is embedded using HTTPs. ii. Acknowledge that all the HTTP segments of the correspondence stay powerless hence you have to ensure against the SSL hostile to designs. 3. HTML Form Without CSRF Protection Vulnerability: Vulnerability Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I found a HTML form with no apparent CSRF protection implemented. Affected Items: 1. http://certifiedhacker.com/ 2. http://certifiedhacker.com/corporate-learning-website/01-homepage.html 3. http://certifiedhacker.com/corporate-learning-website/contact_us.html 4. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_california.html 5. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_North%20Carolina.html 6. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_usa.html 7. http://certifiedhacker.com/Online%20Booking/?lang=1¤cy=1 8. http://certifiedhacker.com/Social%20Media/ 9. http://certifiedhacker.com/Social%20Media/about-us.html 10. http://certifiedhacker.com/Social%20Media/sample-blog.html 11. http://certifiedhacker.com/Social%20Media/sample-portfolio.html 12. http://certifiedhacker.com/Turbo%20Max/ The impact of this vulnerability: An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. POC: Form name<empty> Form action: http://certifiedhacker.com/corporate-learning-website/contact_us.html Form method: POST
How to fix this vulnerability: Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. 4. Fingerprinted CMS Components’ Vulnerabilities: i.
Reference: CWE-79 – Cross-site-scripting CWE-400—Prototype-Pollution ii. 5. Missing Required HTTP Headers and their description: i. Strict-Transport-Security: HTTP Strict-Transport-Security (HSTS) header forces browser to access the website via HTTPS. ii. X-Frame-Options: X-Frame-Options header specifies whether the website should allow itself to be framed, and from which origin. Blocking framing helps defend against attacks such as Clickjacking. iii. X-XSS-Protection: X-XSS-Protection defines how browsers should enforce XSS protection. iv. X-Content-Type-Options: X-Content-Type-Options direct browsers to disable the ability to sniff the pages content-type and only to use the content-type-defined in the directive itself. This provides protection against XSS or Drive-by-Download attacks. v. Expect-CT: Expect-CT header allows a website to determine if it is ready for the upcoming Chrome requirements and/or enforce their policy. vi. Feature-Policy: Feature-Policy header allows to enable, disable, or modify behaviour of web browser’s APIs(e.g. access to camera, Geolocation, etc.). <Pentesting Services Running on Server>
i. Service=ftp Version=Pure-FTPd Known vulnerabilities: External Authentication Bash Environment Variable Code Injection I tried to exploit this vulnerability but error occurred: Reference: https://www.exploit-db.com/exploits/34862 Then I tried: Enumerating users and passwords using hydra:
Conclusion: There may be some kind of firewall rules which are rate limiting the brute-forcing, that’s why after one or two attempt hydra aborts. ii. Service=ssh Version=OpenSSH 5.3 Known vulnerabilities: Not Found Enumerating users using msf module: Brute Forcing password for user “hacker”: Then, checked for false positives: Conclusion: There may be some honeypot which is giving every input for user as true and firewall is rate limiting the attempt, that’s why after one or two attempt hydra aborts. iii. Service=smtp Version=Exim smtpd 4.93 Known vulnerabilities: Not Found
Reference: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html iv. Service=smtp Version=Exim smtpd 4.93 Known vulnerabilities: Found Reference: https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aisc%3abind%3a9.8.2%3arc1 v. Service=imap/pop3 Version=imap3d/pop3d Known vulnerabilities: Found Reference: https://www.cvedetails.com/cve/CVE-2019-7524/ https://www.cvedetails.com/cve/CVE-2019-11500/ <Database> Database found: i. MySQL ii. PostgreSQL DB Checked for SQLi on every single webpage but didn’t found any webpage that is vulnerable to SQLi. Ran sqlmap but that aborts due to WAF. Then ran again with following parameters: Result: Result: As no SQLi parameter is found, it’s database can’t be dumped.
FINAL CONCLUSION: Initial reconnaissance of certifiedhacer.com resulted in the discovery of directory listing and firewall on the website and no load balancer was found. Some other domains were also found on the same server the website in running, which provides the larger area to pentest(I didn’t test those…). While dorking whole website’s zip file found, which can be useful for security researchers to look at and see for bugs in programming of website. An examination of web interface revealed that external content was embedded on a page, which means something is isn’t right with the site. This can prompt issues, for example identity theft. After closer examination, two vulnerabilities found, (a) HTML Form without CSRF Protection, which may attacker force the users of a web application to execute actions of the attacker’s choosing and a successful exploit can compromise end user data and operation in case of normal user AND (b) XSS Vector in Document Body on the 500 server page. After some more deep examination, some Required HTTP Headers were missing and some vulnerabilities were found in CMS Components. Then I went for pentesting services which are running on server. FTP service was running on port21 of version Pure-FTPd which later I found an vulnerability and exploit for that, but was not able to exploit this vulnerability and firewall is rate limiting the attempt, so user enumeration can’t be done. And same for SSH some kind of honeypot and firewall rules results in false positives on user enumeration. After researching for versions of other services, some known vulnerabilities were found(which again I was not able to exploit). Then it comes for Database testing, I went through all the webpages manually and didn’t any SQLi vulnerability then I ran sqlmap which also was not able to any. So I ended not able to dump the database. Now as far as security of the website is concerned, it is secured but some minor vulnerabilities are there which can be exploited but overall the website is pretty much secured.

Recommended

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
KuldeepPandya5
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 

Recommended

Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Anurag Srivastava
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Ethical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jainEthical Hacking n VAPT presentation by Suvrat jain
Ethical Hacking n VAPT presentation by Suvrat jain
Suvrat Jain
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
KuldeepPandya5
 
Introduction to Web Application Penetration Testing
Introduction to Web Application Penetration TestingIntroduction to Web Application Penetration Testing
Introduction to Web Application Penetration Testing
Netsparker
 
Burp suite
Burp suiteBurp suite
Burp suite
SOURABH DESHMUKH
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
Marco Morana
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Falgun Rathod
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
Er Vivek Rana
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING Sweta Leena Panda
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment ReportHarshit Singh Bhatia
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
Security in php
Security in phpSecurity in php
Security in php
Jalpesh Vasa
 

More Related Content

What's hot

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
Frans Rosén
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
Mohit Belwal
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
S.E. CTS CERT-GOV-MD
 
Security testing
Security testingSecurity testing
Security testing
Khizra Sammad
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
Rodolfo Assis (Brute)
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
Marco Morana
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Falgun Rathod
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
Tony Bibbs
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
Network Intelligence India
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
OWASP Nagpur
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
Narudom Roongsiriwong, CISSP
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
Er Vivek Rana
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introductiongbud7
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
ONE BCG
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & TestingDeepu S Nath
 

What's hot (20)

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Networking and penetration testing
Networking and penetration testingNetworking and penetration testing
Networking and penetration testing
 
Penetration testing & Ethical Hacking
Penetration testing & Ethical HackingPenetration testing & Ethical Hacking
Penetration testing & Ethical Hacking
 
Security testing
Security testingSecurity testing
Security testing
 
Building Advanced XSS Vectors
Building Advanced XSS VectorsBuilding Advanced XSS Vectors
Building Advanced XSS Vectors
 
Security Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic AttacksSecurity Exploit of Business Logic Flaws, Business Logic Attacks
Security Exploit of Business Logic Flaws, Business Logic Attacks
 
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun RathodVulnerability Assessment and Penetration Testing Framework by Falgun Rathod
Vulnerability Assessment and Penetration Testing Framework by Falgun Rathod
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request Forgery
 
Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0Vapt pci dss methodology ppt v1.0
Vapt pci dss methodology ppt v1.0
 
SSRF For Bug Bounties
SSRF For Bug BountiesSSRF For Bug Bounties
SSRF For Bug Bounties
 
OWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object ReferenceOWASP Top 10 A4 – Insecure Direct Object Reference
OWASP Top 10 A4 – Insecure Direct Object Reference
 
NETWORK PENETRATION TESTING
NETWORK PENETRATION TESTINGNETWORK PENETRATION TESTING
NETWORK PENETRATION TESTING
 
ETHICAL HACKING
ETHICAL HACKING ETHICAL HACKING
ETHICAL HACKING
 
Vulnerability Assessment Report
Vulnerability Assessment ReportVulnerability Assessment Report
Vulnerability Assessment Report
 
Web Application Penetration Testing Introduction
Web Application Penetration Testing IntroductionWeb Application Penetration Testing Introduction
Web Application Penetration Testing Introduction
 
What is security testing and why it is so important?
What is security testing and why it is so important?What is security testing and why it is so important?
What is security testing and why it is so important?
 
Web application security & Testing
Web application security & TestingWeb application security & Testing
Web application security & Testing
 

Similar to Penetration Testing Report

Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
Aman Singh
 
Security in php
Security in phpSecurity in php
Security in php
Jalpesh Vasa
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecuritiesamiable_indian
 
gofortution
gofortutiongofortution
gofortution
gofortution
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
Ihor Uzhvenko
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
ihji
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
Edouard de Lansalut
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
Tomasz Jakubowski
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
UTD Computer Security Group
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
21 05-2018
21 05-201821 05-2018
21 05-2018
Praaveen Vr
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
ilhamilyas5
 
Consuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL WebservicesConsuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL Webservices
Edwin Rojas
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practicesAmit Kejriwal
 
Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10
Combell NV
 

Similar to Penetration Testing Report (20)

Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Security in php
Security in phpSecurity in php
Security in php
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
gofortution
gofortutiongofortution
gofortution
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
Ruby on Rails Security Guide
Ruby on Rails Security GuideRuby on Rails Security Guide
Ruby on Rails Security Guide
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
How to measure your security response readiness?
How to measure your security response readiness?How to measure your security response readiness?
How to measure your security response readiness?
 
Cross Site Attacks
Cross Site AttacksCross Site Attacks
Cross Site Attacks
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
21 05-2018
21 05-201821 05-2018
21 05-2018
 
Web Security - CSP & Web Cryptography
Web Security - CSP & Web CryptographyWeb Security - CSP & Web Cryptography
Web Security - CSP & Web Cryptography
 
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptxChapter5-Bypass-ClientSide-Control-Presentation.pptx
Chapter5-Bypass-ClientSide-Control-Presentation.pptx
 
Consuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL WebservicesConsuming GRIN GLOBAL Webservices
Consuming GRIN GLOBAL Webservices
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
LAMP security practices
LAMP security practicesLAMP security practices
LAMP security practices
 
Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10Php through the eyes of a hoster: PHPNW10
Php through the eyes of a hoster: PHPNW10
 

Recently uploaded

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
Jemma Hussein Allen
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
BookNet Canada
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
Alison B. Lowndes
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
Dorra BARTAGUIZ
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
RinaMondal9
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
Vlad Stirbu
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
sonjaschweigert1
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 

Recently uploaded (20)

The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Quantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIsQuantum Computing: Current Landscape and the Future Role of APIs
Quantum Computing: Current Landscape and the Future Role of APIs
 
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdfFIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
FIDO Alliance Osaka Seminar: Passkeys and the Road Ahead.pdf
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 

Penetration Testing Report

  • 1.
  • 2. Project: Penetration Testing on Webserver Aman Srivastava Summer Training Program Batch, EICT, IITK Website: http://certifiedhacker.com
  • 3. <Footprinting and Reconnaissance> 1. About: Site: http://www.certifiedhacker.com Domain: certifiedhacker.com Netblock Owner: Unified Layer Nameserver: ns1.bluehost.com Hosting Company: Endurance International Group Organisation: 5335 Gate Parkway care of Network Solutions, Jacksonville, 32256, US Top Level Domain: Commercial entities (.com) DNS Admin: dnsadmin@box5331.bluehost.com 2. IP address of Website: 162.241.216.11 3. Location of sever: 4. Operating System of Server: Red Hat Enterprise Linux 6 5. Web Server Technology and version: Apache 6. Built-in Technology: jQuery clueTIP Jquery bgiframe Fancybox Cufon SPF jQuery Easing jQuery UI BlueHost Hover Intent
  • 4. 7. Website First Seen: December 2002 8. Previous Technology used by website: 9. ISP IP Server Range: 10. Other Domains on Same Server: 11. Ports open on webserver: 110 587 143 21 53 2222 993 443 26 22 995 5432 80 3306 465 12. Registrar info:
  • 5. 13. Email ID of some employees of company: NOT FOUND 14. Social Networking Profiles of employees: NOT FOUND 15. LinkedIn Search for profiles with company name: NOT FOUND 16. Location of Company: NOT FOUND 17. Director/CEO of Company: NOT FOUND 18. Firewall: Load Balancer: DNS-Loadbalancing: NOT FOUND HTTP-Loadbalancing: NOT FOUND 19. Directory Listing:
  • 6. While dorking confidential file found, which is whole webserver’s backup/compressed file: =>http://certifiedhacker.com/certifiedhacker.zip 20. Files such as robots.txt and sites.xml: NOT FOUND <Vulnerabilities> 1. XSS Vector in Document Body Vulnerability Description: The entire tainted data flow from source to sink takes place in the browser. Insecure reference and use (in a client side code) of DOM objects that are not fully controlled by the server provided page. Affected Item: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx--%3E%22%3E'%3E'%22%3Csfi000317v352289%3E Memo: injected '<sfi...>' tag seen in HTML POC: === REQUEST === GET /P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289> HTTP/1.1 Host: certifiedhacker.com Accept-Encoding: gzip Connection: keep-alive User-Agent: Mozilla/5.0 SF/2.10b Range: bytes=0-399999 Referer: http://certifiedhacker.com/ === RESPONSE === HTTP/1.1 200 Partial Content Date: Sun, 30 Aug 2020 06:23:52 GMT Server: Apache Vary: Accept-Encoding
  • 7. Content-Encoding: gzip host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ== Content-Range: bytes 0-274/275 Content-Length: 275 Keep-Alive: timeout=5, max=54 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <!-- PHP Wrapper - 500 Server Error --> <html><head><title>500 Server Error</title></head> <body bgcolor=white> <h1>500 Server Error</h1> A misconfiguration on the server caused a hiccup. Check the server logs, fix the problem, then try again. <hr> URL: http://certifiedhacker.com/P-folio/images/500.php/.htaccess.aspx-->">'>'"<sfi000317v352289><br> </body></html> === END OF DATA === Possible remediations or prevention methods: Avoiding client side document rewriting, redirection, or other sensitive actions, using client side data. Analysing and hardening the client side (Javascript) code. Reference: https://www.a2hosting.in/kb/developer-corner/php/500-internal-server-error-while-running-php https://owasp.org/www-community/attacks/xss/ 2. External content embedded on a page Vulnerability Description: External content embedded on a page means something isn't right with the site – wrong – yet some way or another we appear to continue building sites that do. This can prompt issues, for example identity theft. The content is usually sent through email and directs users to an http site instead of https. Affected Items: →Higher Risk:- http://certifiedhacker.com/Online%20Booking/ Memo: http://www.google.com/jsapi?autoload={'modules':[{name:'maps',version:3,other_params:'sensor=false'}]} →Lower Risk:- http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js Memo: http://www.youtube.com/v/'+grab_param('v',images[setPosition])+'
  • 8. http://certifiedhacker.com/Turbo%20Max/js/jquery.prettyPhoto.js Memo: http://www.apple.com/qtactivex/qtplugin.cab Possible Countermeasures: i. Ensure that external content is embedded using HTTPs. ii. Acknowledge that all the HTTP segments of the correspondence stay powerless hence you have to ensure against the SSL hostile to designs. 3. HTML Form Without CSRF Protection Vulnerability: Vulnerability Description: Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. I found a HTML form with no apparent CSRF protection implemented. Affected Items: 1. http://certifiedhacker.com/ 2. http://certifiedhacker.com/corporate-learning-website/01-homepage.html 3. http://certifiedhacker.com/corporate-learning-website/contact_us.html 4. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_california.html 5. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_North%20Carolina.html 6. http://certifiedhacker.com/corporate-learning-website/most_popular_schools_usa.html 7. http://certifiedhacker.com/Online%20Booking/?lang=1¤cy=1 8. http://certifiedhacker.com/Social%20Media/ 9. http://certifiedhacker.com/Social%20Media/about-us.html 10. http://certifiedhacker.com/Social%20Media/sample-blog.html 11. http://certifiedhacker.com/Social%20Media/sample-portfolio.html 12. http://certifiedhacker.com/Turbo%20Max/ The impact of this vulnerability: An attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operation in case of normal user. If the targeted end user is the administrator account, this can compromise the entire web application. POC: Form name<empty> Form action: http://certifiedhacker.com/corporate-learning-website/contact_us.html Form method: POST
  • 9. How to fix this vulnerability: Check if this form requires CSRF protection and implement CSRF countermeasures if necessary. 4. Fingerprinted CMS Components’ Vulnerabilities: i.
  • 10. Reference: CWE-79 – Cross-site-scripting CWE-400—Prototype-Pollution ii. 5. Missing Required HTTP Headers and their description: i. Strict-Transport-Security: HTTP Strict-Transport-Security (HSTS) header forces browser to access the website via HTTPS. ii. X-Frame-Options: X-Frame-Options header specifies whether the website should allow itself to be framed, and from which origin. Blocking framing helps defend against attacks such as Clickjacking. iii. X-XSS-Protection: X-XSS-Protection defines how browsers should enforce XSS protection. iv. X-Content-Type-Options: X-Content-Type-Options direct browsers to disable the ability to sniff the pages content-type and only to use the content-type-defined in the directive itself. This provides protection against XSS or Drive-by-Download attacks. v. Expect-CT: Expect-CT header allows a website to determine if it is ready for the upcoming Chrome requirements and/or enforce their policy. vi. Feature-Policy: Feature-Policy header allows to enable, disable, or modify behaviour of web browser’s APIs(e.g. access to camera, Geolocation, etc.). <Pentesting Services Running on Server>
  • 11. i. Service=ftp Version=Pure-FTPd Known vulnerabilities: External Authentication Bash Environment Variable Code Injection I tried to exploit this vulnerability but error occurred: Reference: https://www.exploit-db.com/exploits/34862 Then I tried: Enumerating users and passwords using hydra:
  • 12. Conclusion: There may be some kind of firewall rules which are rate limiting the brute-forcing, that’s why after one or two attempt hydra aborts. ii. Service=ssh Version=OpenSSH 5.3 Known vulnerabilities: Not Found Enumerating users using msf module: Brute Forcing password for user “hacker”: Then, checked for false positives: Conclusion: There may be some honeypot which is giving every input for user as true and firewall is rate limiting the attempt, that’s why after one or two attempt hydra aborts. iii. Service=smtp Version=Exim smtpd 4.93 Known vulnerabilities: Not Found
  • 13. Reference: https://www.cvedetails.com/vulnerability-list/vendor_id-10919/product_id-19563/Exim-Exim.html iv. Service=smtp Version=Exim smtpd 4.93 Known vulnerabilities: Found Reference: https://www.cvedetails.com/vulnerability-list/vendor_id-64/product_id-144/version_id-127585/ISC-Bind-9.8.2.html https://nvd.nist.gov/vuln/search/results?adv_search=true&cpe_version=cpe%3a%2fa%3aisc%3abind%3a9.8.2%3arc1 v. Service=imap/pop3 Version=imap3d/pop3d Known vulnerabilities: Found Reference: https://www.cvedetails.com/cve/CVE-2019-7524/ https://www.cvedetails.com/cve/CVE-2019-11500/ <Database> Database found: i. MySQL ii. PostgreSQL DB Checked for SQLi on every single webpage but didn’t found any webpage that is vulnerable to SQLi. Ran sqlmap but that aborts due to WAF. Then ran again with following parameters: Result: Result: As no SQLi parameter is found, it’s database can’t be dumped.
  • 14. FINAL CONCLUSION: Initial reconnaissance of certifiedhacer.com resulted in the discovery of directory listing and firewall on the website and no load balancer was found. Some other domains were also found on the same server the website in running, which provides the larger area to pentest(I didn’t test those…). While dorking whole website’s zip file found, which can be useful for security researchers to look at and see for bugs in programming of website. An examination of web interface revealed that external content was embedded on a page, which means something is isn’t right with the site. This can prompt issues, for example identity theft. After closer examination, two vulnerabilities found, (a) HTML Form without CSRF Protection, which may attacker force the users of a web application to execute actions of the attacker’s choosing and a successful exploit can compromise end user data and operation in case of normal user AND (b) XSS Vector in Document Body on the 500 server page. After some more deep examination, some Required HTTP Headers were missing and some vulnerabilities were found in CMS Components. Then I went for pentesting services which are running on server. FTP service was running on port21 of version Pure-FTPd which later I found an vulnerability and exploit for that, but was not able to exploit this vulnerability and firewall is rate limiting the attempt, so user enumeration can’t be done. And same for SSH some kind of honeypot and firewall rules results in false positives on user enumeration. After researching for versions of other services, some known vulnerabilities were found(which again I was not able to exploit). Then it comes for Database testing, I went through all the webpages manually and didn’t any SQLi vulnerability then I ran sqlmap which also was not able to any. So I ended not able to dump the database. Now as far as security of the website is concerned, it is secured but some minor vulnerabilities are there which can be exploited but overall the website is pretty much secured.