Hello and welcome back to our (hopefully) exciting series about network penetration testing. If you missed the first part of this series, take a few minutes to read that and get caught up. You will need to get up to speed, because today we are putting our virtual crosshairs on specific targets we want to attack!
To do a quick recap, we first used a combination of the nmap and Eyewitness tools to scan our network for open ports, then we gathered a whole slew of information about those open ports and carved it down into a nice, easy-to-read Web page format. So lets start going through these results and see if we can find some “interesting” targets to attack. (Note: the system in this demonstration is intentionally configured to be vulnerable – I’ll revisit this later and show you how you can easily setup your own test systems to safely hammer away on.)
Here is a screenshot for a system on my network that appears to be running some sort of Web service:
Crawl the content
Whenever you come across a Web site that you suspect may hold interesting content or vulnerabilities, one of the first and easiest things you can do is “crawl” it. Crawling is essentially automating the process of clicking through all the various links and mapping out the site structure for further investigation. One way to do this is by using a command line tool called dirb (which is built right into Kali Linux) like so:
dirb http://10.0.0.25 /usr/share/wordlists/dirb/big.txt
Here’s the breakdown of the commands:
- dirb – calls the dirb tool into action!
- http://10.0.0.25 – this is the Web site we’re going to crawl
- /usr/share/wordlists/dirb/big.txt – points to a word list we will use for crawling.
So when dirb kicks off, it is going to crawl the structure of the 10.0.0.25 Web site and use the big.txt wordlist to look for files and folders that may not be directly linkable. For example, dirb will try finding folders such as:
- …and so on..
Lets take a look at what dirb turned up:
Hmm, dirb has located a URL called http://10.0.0.25/cgi-bin/status that looks interesting. Lets pull that up in a browser:
This is some sort of status message that may reveal sensitive information about the system, or a foothold we can use for further exploitation. When in doubt, Google is always our friend:
Aha – very interesting! It looks like this server might possibly be at risk for the Shellshock vulnerability, which FRSecure has written about in the past.
From the information gathered thus far, it looks like we have identified a target with a vulnerability we may be able to exploit. The next step is figuring out how we might actually carry out an attack, and we will cover that in next month’s article. On that note, if you’re interested in playing along at home, download the virtual machine (which is preconfigured to be vulnerable), as well as a copy of Kali Linux, and then we’ll go through everything together, step by step.
Conclusion? Hardly! We have our target identified and are ready to launch an attack, but next month is when the real fun starts J. However, if you have questions at any point during this blog series, please do not hesitate to reach out. I can be reached at 952-467-6385 or at [email protected]