Penetration Testing with Kali Linux
PWK - Copyright © 2023 OffSec Services Limited. All rights reserved.
128
Figure 27: MegaCorp One servers running SSH
Based on Shodan's results, we know exactly which version of OpenSSH is running on each server. If we click on an IP address, we can retrieve a summary of the host.
Figure 28: Shodan Host Summary
We can review the ports, services, and technologies used by the server on this page. Shodan will
also reveal if there are any published vulnerabilities for any of the identified services or
technologies running on the same host. This information is invaluable when determining where to
start when we move to active testing.
6.2.6 Security Headers and SSL/TLS
There are several other specialty websites that we can use to gather information about a website or domain's security posture. Some of these sites blur the line between passive and active information gathering, but the key point for our purposes is that a third party is initiating any scans or checks.

One such site, Security Headers,[236] will analyze HTTP response headers and provide basic analysis of the target site's security posture. We can use this to get an idea of an organization's coding and security practices based on the results.

Let's scan www.megacorpone.com and check the results.

[236] (Scott Helme, 2022), https://securityheaders.com/
Figure 29: Scan results for www.megacorpone.com
The site is missing several defensive headers, such as Content-Security-Policy[237] and X-Frame-Options.[238] These missing headers are not necessarily vulnerabilities in and of themselves, but they could indicate web developers or server admins that are not familiar with server hardening.[239]

Server hardening is the overall process of securing a server via configuration. This includes processes such as disabling unneeded services, removing unused services or user accounts, rotating default passwords, setting appropriate server headers, and so forth. We don't need to know all the ins and outs of configuring every type of server, but understanding the concepts and what to search for can help us determine how best to approach a potential target.
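As an added example (not part of the course text or the Security Headers service itself), the following Python script performs the same kind of check as the scan above against a constructed set of response headers: it reports which defensive headers are absent and flags a couple of weak configurations. The headers beyond the two named in the text are an assumption about what such a scan commonly reports on.

```python
"""Report defensive HTTP response headers that are missing or weakly configured."""
import urllib.request

# The text names the first two; the rest are assumed to be the other headers a
# security-headers scan commonly reports on.
EXPECTED_HEADERS = (
    "Content-Security-Policy",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)


def missing_security_headers(headers):
    """Return the expected headers absent from a header mapping (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in EXPECTED_HEADERS if h.lower() not in present]


def weak_header_values(headers):
    """Flag headers that are present but configured so they give little protection."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options uses a deprecated or unknown value")
    csp = lowered.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        findings.append("Content-Security-Policy allows 'unsafe-inline'")
    return findings


def fetch_headers(url):
    """Issue one HEAD request and return its response headers (needs network access)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample response: a server that sends HSTS and nosniff but no CSP or X-Frame-Options.
SAMPLE_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for name in missing_security_headers(SAMPLE_HEADERS):
        print(f"missing: {name}")
```

Run against a live host with `missing_security_headers(fetch_headers("https://<your-host>/"))`; the placeholder is yours to fill in.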
Another scanning tool we can use is the SSL Server Test from Qualys SSL Labs.[240] This tool analyzes a server's SSL/TLS configuration and compares it against current best practices. It will also identify some SSL/TLS related vulnerabilities, such as Poodle[241] or Heartbleed.[242]

Let's scan www.megacorpone.com and check the results.

[237] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Content_Security_Policy
[238] (Mozilla, 2022), https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
[239] (NIST, 2022), https://csrc.nist.gov/publications/detail/sp/800-123/final
[240] (Qualys, 2022), https://www.ssllabs.com/ssltest/
[241] (Wikipedia, 2022), https://en.wikipedia.org/wiki/POODLE
[242] (Wikipedia, 2022), https://en.wikipedia.org/wiki/Heartbleed