dblog

Penetration testing target: pentest.id

The basic penetration testing process was used for this project. There were 4 processes: Discovery/Reconnaissance, Scanning, Exploitation, and Post-Exploitation. (5 Important Questions to Ask Your Next Penetration Tester, 2015).

The main purpose of this testing:

• Discover the vulnerabilities based on the findings using certain tools that provide us with certain information that is visible only by enumerating the website with blackbox approach.
• Attempt to break into the website using the vulnerabilities discovered.

The tools used for this testing:

Online platforms:

• Pentest-Tools.com
• Sucuri
• UpGuard
• Observatory 
• Censys
• Google

Kali Linux tools:

• Nikto 
• Whatweb
• Nmap
• Owasp Zap
• Skipfish
• Wpscan
• Cupp
• Metasploit

I found quite a lot of findings but I could not explain it all in this blog. So, I only showed some of the findings below using some tools mention above.

I tried to find the passwords using a brute force attack after I got the valid usernames using the same tool with the help of cupp to generate the list of possible passwords.

I also tried to brute force the FTP server using Metasploit.

We found the vulnerabilities of the website:

Due to missing HTTP headers (Content Security Policy, X-XSS-Protection, HSTS, X-Content-Type-Options, and X-Frame-Options):

• Cross-site scripting (XSS) 
• Clickjacking
• MIME Sniffing downgrade attacks
• SSL-stripping man-in-the-middle attacks
• Cookie-hijacking protections weakening.

Unfortunately, I did not manage to break into the website as I cannot find the passwords of the username and XMLRPC Denial of Service had failed to provide us with more valuable information and give us access to the website.

In conclusion, the risk is medium as it is hard to break into the website. However, attackers may design their attacks based on the software server was outdated and that’s why it needs to be updated. The features and components of the website are easily found which need to be avoided such as disabling features like wp-cron.php that may cause vulnerabilities and remove entries from the exposed file like robots.txt. The owner also needs to implement the missing HTTP headers to avoid vulnerabilities.

References:

5 Important Questions to Ask Your Next Penetration Tester. (2015). Retrieved 18 June 2020, from https://blog.redcanari.com/2015/10/26/top-5-questions-to-ask-your-next-penetration-tester/

Pentest-Tools.com. (2020). Website Vulnerability Scanner Report (Light). Pentest-Tools.com.

Week 1

This week was our first meeting. We were introduced to the course. We were also informed about the projects that need to be complete to pass this course.

Week 2

This week, we learned about information gathering included target scoping. The objectives of the week were using web tools for footprinting, conduct competitive intelligence, and describe DNS zone transfers. We practiced certain web tools such as Whois, Sam Spade, Dig, Host, and Paros.

Week 3

This week, we learned about utilizing search engines. The objectives of the week were using Kali Linux tools to search on the Internet and gather the necessary information about the target. We practiced Kali Linux tools such as theharvester, maltego, and google dorks.

Week 4

This week, we learned about target discovery. We learned about port scanning, Idle scan, IPID prediction, OS fingerprinting, and TCP/IP stack fingerprinting. We practiced nmap and dnstrails.com for this week. We also tried to find real IP behind the firewall.

Week 5

This week, we learned about enumerating target. We practiced it using nbtscan, netbios, net view, net use, dumpSec, hyena , wpscan, and jooscan. We also reviewed the previous tools which were theharvester and nmap.

Week 6

This week, we learned about vulnerability mapping. We learned different types of vulnerabilities. We practiced the mapping using Burp Suite.

Week 7

This week, we learned about the Social Engineering Toolkit (SET). We learned the definition and how to install it. We learned and practiced one of the SET methods which was Credential Harvester. We practiced it step.-by-step. Then, we did the task given where we need to explain the step-by-step of another method, the advantages, and disadvantages. I chose Web Jacking Attack Method to be explained.

Week 8

This week, we continued to learn about social engineering. We practiced step-by-step the SET methods again. Before that, we recalled the previous weeks’ topics.

Week 9

This week, we learned about target exploitation. We learned how to do vulnerabilities research and the skills required. Then, we practiced several exploit websites. At last, we practiced exploitation using the Metasploit tool with the exploit method and also searchsploit.

Week 10

This week, we learned about privilege escalation. We learned how to attack the passwords. There two types of password attacks offline attacks and online attacks In offline attacks, hackers need physical access to the machine to be able to perform this attack, whereas, in an online attack, the attack can be done from a remote location. The tools used in an offline attack could be  John the Ripper or Ophcrack. The tools used in the online attack could be Hydra or Wireshark. We also learned about network spoofing tool, Arpspoof, and Ettercap.

Week 11

This week, we learned about maintaining access. It is useful as we do not need Reinventing the wheel, previous vulnerabilities already patched, Sysadmin hardens the system, and saving the time. However, it is unethical after we did the penetration testing. We can create OS Backdoors, Tunnelling, and Web Based Backdoors to maintain access. The example of the tools is Cymothoa, nc / netcat, WeBaCoo, and Weevely.

The tool used – Sherlock

Sherlock is a tool that can be used to find social media accounts across many varieties’ websites that may be related to the real target. Each social media may contain links to others that use different screen names and provide us with new information that can be. Images from profile photos are easy to put into a reverse image search, allowing you to find other profiles using the same image whenever the target has a preferred profile photo.

The additional tool needed to make Sherlock work:

Python 3.6 or higher

Step-By-Step:

1. Open Kali Linux and launch the terminal.

• Installation:

1. Clone the repository “sherlock” provided by the “sherlock-project”. In the terminal, enter git clone https://github.com/sherlock-project/sherlock.git.

• After finished cloning, enter ls command to view the content of the directory.

• We can see that the sherlock tool present in the directory and we change the working directory to sherlock by entering cd sherlock in the terminal.

•  Install python3 and python3-pip if they are not installed (I already installed).

• Install the requirements by entering python3 -m pip install -r requirements.txt in terminal.

• Usage:

1. In the terminal, enter python3 sherlock –help to view the way to use the tool

• Then to run this tool and search for users in the terminal:

• Enter “python3 sherlock {{username}}” to search one user.

Example: python3 sherlock elizabethchan

• Enter “python3 sherlock {{username username username}}” to search for more than one user.

Example: python3 sherlock elizabethchan elizabethw chanelizabeth

From the result of the search above, I used my own username as my target. The Sherlock tool had successfully found my accounts on several websites including Duolingo. Eventually, I also got additional results of usernames to belong to people with similar names and I can find out about them.