External Inf

Needs updated!

Prior to test starting

  1. Check for signed consent and PO in Client Docs.

  2. Check ownership of IP addresses.

  3. Check third-parties have been made aware of testing, and client has provided evidence.

  4. Get testing authorisation signed.

  5. Confirm with the client whether there are delicate targets or critical services we need to be aware of and more in general if there is anything that may suffer under intensive scanning

Tools to run (all tests)

Tools to run (HTTP services)

Test Services

Category

Service

Test

Test Description

Scanning

Qualys

Nessus

Nmap TCP

Nmap UDP

Testing

FTP

Anonymous access

Nmap script scan should pick this up, as will Qualys and Nessus. Can also check it manually.

FTP

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat or Telnet. Search for applicable software vulnerabilities as well.

FTP

Insecure (plaintext) connection

Qualys will pick this up, but should be confirmed manually as well. Check you can send credentials without providing AUTH TLS. Can be verified with FileZilla, as some companies run and use an FTPS service normally but the plain text version may also be available and accept creds.

FTP

Bounce attack

Nmap script scan should pick this up, as will Qualys.

FTP

Brute-force attack

Manual check using FTP client, send several requests and see whether or not you get blocked. Nmap also has a script.

SSH

Brute-force attack

Connect to the service and launch several authentication requests, you'll get disconnected and the available authentication methods should be shown in brackets. The service should be vulnerable if Password authentication is permitted. Try again, and see whether or not you can reconnect and send requests.

SSH

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat or Telnet. Search for applicable software vulnerabilities as well.

Telnet

Brute-force attack

Connect to the service and launch several requests, keep going until you get locked out or hit a minimum threshold (e.g. 10).

Telnet

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat. Search for applicable software vulnerabilities as well.

Telnet

Search for and try default credentials for identified version

search Google for <software> default credentials and try them as appropriate.

Telnet

Insecure (plaintext) connection

Qualys and Nessus should pick this up, but should be confirmed manually too.

SMTP

Mail relay

For manual testing follow this link ( http://www.cs.cf.ac.uk/Dave/PERL/node175.html ). Nmap also has a script to check for this.

SMTP

SMTP VRFY User Enumeration

Nmap has a script for this.

SMTP POP IMAP

Brute-force attack

Nmap and Metasploit have modules for this, can also check manually by repeatedly connecting to the service and supplying false credentials.

SMTP POP IMAP

Insecure (plaintext) connection

The tools should pick this up, however you can check manually simply by connecting to the service using ncat/telnet.

SMTP POP IMAP

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat. Search for applicable software vulnerabilities as well.

SIP

Check for plaintext and/or over UDP

Plaintext SIP runs over 5060/tcp and TLS SIP runs over 5061/tcp

SIP

Check for method enumeration

It is a text-based request/response protocol like HTTP, request methods include REGISTER/INVITE/ACK/BYE

DNS

DNS Zone Transfer

Qualys should pick this up and nmap also has a script for it. For manual verification type: #host -t ns domainname, then, #host -l domainname dnsservername

DNS

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat. Search for applicable software vulnerabilities as well.

HTTP/S

Software version (banner grab) & check vulnerabilities

Nessus, Nmap and Qualys should pick this up. Can also check manually using Ncat. Search for applicable software vulnerabilities as well.

HTTP/S

Web inteface examination

For a large number of discovered web interfaces on a number of Ips, EyeWitness can be used to do a scan of all of these for a bulk examination of the ones discovered

HTTP/S

Brute-force attack

Check directories discovered by Nmap/Dirbuster/Qualys and browse to them. Is there any clear sign of two-factor authentication enabled? Is the interface accessible over HTTP? Do any of the interfaces look as though they might lead to administrative functions?

HTTP/S

Look for Basic and NTLM authentication prompts

Check directories discovered by Nmap/Dirbuster/Qualys and browse to them.Is the interface accessible over HTTP? Check the server response using ncat/telnet/burp and see if Basic or NTLM is mentioned. Is there an internal IP address in the Basic header?

HTTP/S

NTLM authentication information disclosure

If NTLM login prompts are discovered, it's likely that NTLM authentication will diclose information about the server. Nmap has a script to check for this, you might need to specify the folder for the NTLM login prompt.

HTTP/S

Run Dirbuster to check for directories.

Let dirbuster run in the background while you perform other tests. Don't let the number of threads go too high otherwise you may crash the server. 3 threads is usually a good number, it shouldn't exceed about 70 requests/second

HTTP/S

Run nikto

Nikto checks for a variety of web-based vulnerabilites and should be run on all web services.

HTTP/S

Check robots.txt

These tools should locate the file if it exists. Browse to it and see if you can find anything sensitive.

HTTP/S

Internal IP address disclosure

All the tools should find this. You can confirm using ncat or telnet

HTTP/S

Error messages

Dirbuster may find 500 responses, check these for software version leakage. For IIS servers, request /|.aspx and see what is returned.

HTTP/S

WordPress

If you find WordPress, run wpscan and explore its findings, such as vulnerabilites for installed plugins, username enumeration, administrative login etc.

HTTP/S

HTTP methods

Check HTTP methods, looking for PUT/DELETE or other WebDAV methods. The tools should pick this up manually. If you find PUT, use Metasploit module. However with modern web apps running on the server, these methods are sometimes reserved for APIs within the applications

LDAP

Check for network enumeration

Nmap and Qualys will both pick up information if it exists. Use the Ldap browser in Windows to look at this manually

HTTPS

Look at certificate to determine host name

browse to the 443/tcp port. Click on the small icon to the left of the url to reveal the name of the certification used. Does this indicate another potential target (i.e. url?). This can also be retrieved by running SSLScan and looking at the URI in the subject name. Sometimes browsing to this URI will reroute to an interface when simply using the IP won't, due to virtual hosting. Try to browse to this and record your findings

HTTPS

Check strength of SSL certificate

These tools will find issues with the certificate such as expired or weak signing.

HTTPS

Run SSL Labs

Browse to https://www.ssllabs.com and enter the domain name (if one has been identified). Also remember to tick the box which prevents results from showing on the board.

HTTPS

Check SSL ciphers

Qualys and Nessus will pick this up, you can double check using sslscan.

HTTPS

BREACH Attack

Qualys will pick this up as an informational finding. Can also use openssl to verify - if the following commands return a compressed message, it's vulnerable. Openssl s_client -connect [IP:port] GET / HTTP/1.1 Host: [IP] Accept-Encoding: compress, gzip CRLF x2

SMB

Run nmap SMB scripts

Run the following scripts http://nmap.org/nsedoc/scripts/smb-check-vulns.html, http://nmap.org/nsedoc/scripts/smb-enum-shares.html, http://nmap.org/nsedoc/scripts/smb-enum-users.html and http://nmap.org/nsedoc/scripts/smb-brute.html.

PPTP

Check service

Both tools will find this automatically.

RDP

Check connection, NLA and weak ciphers

Run rdp-sec-check and see if you can connect to the service via rdesktop. If so it can be brute-forced, if it returns a CredSSP error it may be vulnerable to DoS

RDP

Run nmap MS12-020 module to check for vuln

run the following: nmap -sV --script=rdp-ms12-020 -p 3389 <target> . For more details browse to http://nmap.org/nsedoc/scripts/rdp-vuln-ms12-020.html

NTP

Gather information

Qualys and Nmap have options to check for this.

SNMP

Default community strings

Qualys and Nmap have options to check for this.

SNMP

Check SNMP version

Nmap -sV should determine the version of SNMP running. This can also be done by looking at Wireshark stream when you do nmap scan.

ISAKMP

Check Aggressive mode and weak psk

The tools should pick this up.

###

Software version (banner grab) & check vulnerabilities

For all unrecognised ports, check what Nmap and Qualys have returned, and check the port online. Try connecting to it, and checking whether or not SSL is supported. If it is, run through the typical SSL tests.

###

Check firewall rules

Do you notice a large number of closed ports after a full nmap scan? Does it look like a perimeter device, such as a router? If not, it should be reported on. If it's something like a home or business router that has 135/tcp-139/tcp filtered but most other things closed then this is not reported on

ICMP

Check ICMP replies

We only care about echo, timestamp and address mask.

Tools

Tool

Type

Location

Bursuite

Web Page Analysis

Kali

Dirbuster

HTTP directory brute force

Kali

iker.py

VPN checker

Portcullis

ike-scan

VPN checker

Kali

Metasploit

Vulnerablity Exploitation

Kali

Ncat

Connect to services

Kali

Nessus

Vulnerability Scanner

Test laptop

Nikto

HTTP service scanner

Kali

Nmap

Port and script scans

Kali

Qualys

Vulnerability Scanner

Cloud-based

rdp-sec-check.pl

RDP checker

Portcullis

SSLlabs

Check HTTPS ciphers

Web

SSLscan

Check SSL/TLS ciphers

Kali

Wireshark

Packet capture

Kali

WPscan

WordPress interface scanner

Kali

Useful Sites

Site

Purpose

URL

SSLlabs

Check HTTPS strength

ARIN.net

Check IP ownership (America)

RIPE.net

Check IP ownership (Europe)

rdp-sec-check download

Check RDP services

iker download

Check ISAKMP services

ASafaWeb

IIS Server Scanner

Microsoft Security Bulletin

Microsoft Vulnerability Searcher

Wikipedia

List of TCP and UDP ports

Last updated