Web server penetration testing is performed under three major categories: identify, analyse and report vulnerabilities such as authentication weaknesses, configuration errors and protocol-related vulnerabilities.
Conducting a series of methodical and repeatable tests is the best way to test the web server, and along with this to work through all of the different application vulnerabilities.
- Collecting as much information as possible about an organization, ranging across its operating environment, is the main area to concentrate on in the initial stage of web server pen testing.
- When performing web server authentication testing, use social engineering techniques to collect information about human resources, contact details and other social-related information.
- To gather information about the target, use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.
- Fingerprint the web server to gather information such as server name, server type, operating system, applications running on the server, etc.; use fingerprinting tools such as Netcraft, HTTPrecon and ID Serve.
- Crawl the website to gather specific information from web pages, such as email addresses.
- Enumerate web server directories to extract important information about web functionality, login forms, etc.
- Perform a directory traversal attack to access restricted directories and execute commands from outside of the web server root directory.
- Perform vulnerability scanning to identify weaknesses in the network, using vulnerability scanning tools such as HP WebInspect and Nessus, and determine whether the system can be exploited.
- Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content, then send a specifically crafted request which will be stored in the cache.
- Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
- Brute-force SSH, FTP and other service login credentials to gain unauthorized access.
- Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep and JHijack to automate session hijacking.
- Perform a MITM attack to access sensitive information by intercepting and altering the communications between end users and web servers.
- Use tools such as Webalizer and AWStats to examine the web server logs.
CORE Impact Pro
CORE Impact Pro is a software solution for assessing and testing vulnerabilities in the organization's web servers, network systems, endpoint systems, wireless networks, network devices, mobile devices and IDS/IPS.
Important Checklist Suggested by Microsoft
- Unnecessary Windows services are disabled.
- Services are running with least-privileged accounts.
- FTP, SMTP, and NNTP services are disabled if they are not required.
- Telnet service is disabled.
- WebDAV is disabled if not used by the application OR it is secured if it is required.
- TCP/IP stack is hardened.
- NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).
- Unused accounts are removed from the server.
- Guest account is disabled.
- IUSR_MACHINE account is disabled if it is not used by the application.
- If your applications require anonymous access, a custom least-privileged anonymous account is created.
- The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
- Strong account and password policies are enforced for the server.
- Remote logons are restricted. (The “Access this computer from the network” user-right is removed from the Everyone group.)
- Accounts are not shared among administrators.
- Null sessions (anonymous logons) are disabled.
- Approval is required for account delegation.
- Users and administrators do not share accounts.
- No more than two accounts exist in the Administrators group.
- Administrators are required to log on locally OR the remote administration solution is secure.
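As an added example (not part of the article or of Microsoft's checklist), the following PowerShell script audits several of the service and account items above on the local server. It assumes an elevated PowerShell 5.1 or later session on Windows Server 2016 or later; the Windows service names it queries are assumptions for the services the checklist names.

```powershell
# Added example; not from the article or Microsoft's checklist. Audits some of
# the service and account items above on the local server. Run from an
# elevated PowerShell 5.1+ session (Windows Server 2016 or later).
# The service names below are assumptions for the services the checklist names.
$serviceChecks = @(
    @{ Name = 'TlntSvr'; Item = 'Telnet service is disabled' },
    @{ Name = 'ftpsvc';  Item = 'FTP service is disabled if not required' },
    @{ Name = 'SMTPSVC'; Item = 'SMTP service is disabled if not required' },
    @{ Name = 'NntpSvc'; Item = 'NNTP service is disabled if not required' }
)

$findings = @(foreach ($check in $serviceChecks) {
    $svc = Get-Service -Name $check.Name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $state = 'not installed'; $pass = $true
    } else {
        $state = "$($svc.Status) / $($svc.StartType)"
        $pass  = ($svc.StartType -eq 'Disabled')   # Stopped but Automatic still fails
    }
    [pscustomobject]@{ Check = $check.Item; State = $state; Pass = $pass }
})

# Services are running with least-privileged accounts: count what runs as LocalSystem
$systemSvcs = @(Get-CimInstance Win32_Service |
    Where-Object { $_.State -eq 'Running' -and $_.StartName -eq 'LocalSystem' })
$findings += [pscustomobject]@{
    Check = 'Running services using LocalSystem (review each one)'
    State = "$($systemSvcs.Count) running"
    Pass  = $null   # informational; decide per service
}

# Guest account is disabled
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
$guestState = if ($guest) { "Enabled=$($guest.Enabled)" } else { 'absent' }
$findings += [pscustomobject]@{
    Check = 'Guest account is disabled'
    State = $guestState
    Pass  = ((-not $guest) -or (-not $guest.Enabled))
}

# No more than two accounts exist in the Administrators group
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
$findings += [pscustomobject]@{
    Check = 'No more than two accounts in Administrators'
    State = ($admins.Name -join ', ')
    Pass  = ($admins.Count -le 2)
}

$findings | Format-Table -AutoSize -Wrap
```

A service that is stopped but still set to Automatic or Manual is reported as a failure, because the checklist item is that the service is disabled, not merely not running.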
Files and Directories
- Files and directories are contained on NTFS volumes.
- Web site content is located on a non-system NTFS volume.
- Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
- The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
- Web site root directory has deny write ACE for anonymous Internet accounts.
- Content directories have deny write ACE for anonymous Internet accounts.
- Remote administration application is removed.
- Resource kit tools, utilities, and SDKs are removed.
- Sample applications are removed.
- All unnecessary shares are removed (including default administration shares).
- Access to required shares is restricted (the Everyone group does not have access).
- Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
- Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
- Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.
- Remote registry access is restricted.
- SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
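As an added example (not part of the article or of Microsoft's checklist), this PowerShell script checks the volume, ACL, share and registry items in the list above. `$WebRoot` is a placeholder path, and `$AnonymousAccount` assumes the IUSR identity that current IIS versions use for anonymous requests (the checklist's IUSR_MACHINE on older versions); adjust both for the server being audited.

```powershell
# Added example; not from the article or Microsoft's checklist. Checks the volume,
# ACL, share and registry items above. $WebRoot is a placeholder path and
# $AnonymousAccount assumes the IUSR identity used by current IIS versions (the
# checklist's IUSR_MACHINE on older ones); adjust both. Run elevated on the server.
$WebRoot          = 'D:\inetpub\wwwroot'
$AnonymousAccount = 'NT AUTHORITY\IUSR'
$writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write

# Web site content is located on a non-system NTFS volume
$webDrive = [System.IO.Path]::GetPathRoot($WebRoot).Substring(0, 1)
$volume   = Get-Volume -DriveLetter $webDrive -ErrorAction SilentlyContinue
$nonSystemNtfs = [bool]($volume -and $volume.FileSystem -eq 'NTFS' -and "${webDrive}:" -ne $env:SystemDrive)

# Anonymous account: a deny-write ACE exists and no allow-write ACE on the web root.
# Only specific rights are decoded; generic-right ACEs are not expanded here.
$anonAces  = (Get-Acl -Path $WebRoot).Access | Where-Object { $_.IdentityReference.Value -eq $AnonymousAccount }
$anonDeny  = @($anonAces | Where-Object { $_.AccessControlType -eq 'Deny'  -and ([int]$_.FileSystemRights -band $writeMask) -ne 0 }).Count -gt 0
$anonAllow = @($anonAces | Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]$_.FileSystemRights -band $writeMask) -ne 0 }).Count -gt 0

# The Everyone group is restricted (no access to system32 or Web directories)
$everyoneAllow = foreach ($dir in @("$env:SystemRoot\System32", $WebRoot)) {
    (Get-Acl -Path $dir).Access |
        Where-Object { $_.IdentityReference.Value -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $dir }
}
$everyoneDirs = @($everyoneAllow | Select-Object -Unique)

# Administrative shares (C$, Admin$) are removed if they are not required
$adminShares = @(Get-SmbShare | Where-Object { $_.Name -match '^([A-Z]\$|ADMIN\$)$' })

# SAM is secured: NoLMHash is set under HKLM\System\CurrentControlSet\Control\LSA
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'NoLMHash' -ErrorAction SilentlyContinue

@(
    [pscustomobject]@{ Check = 'Web content on non-system NTFS volume'; Pass = $nonSystemNtfs; Detail = "$WebRoot ($($volume.FileSystem))" }
    [pscustomobject]@{ Check = 'Anonymous account has deny-write, no allow-write'; Pass = ($anonDeny -and -not $anonAllow); Detail = $AnonymousAccount }
    [pscustomobject]@{ Check = 'Everyone has no Allow ACEs on system32 / web root'; Pass = ($everyoneDirs.Count -eq 0); Detail = ($everyoneDirs -join ', ') }
    [pscustomobject]@{ Check = 'No default admin shares (review if required)'; Pass = ($adminShares.Count -eq 0); Detail = ($adminShares.Name -join ', ') }
    [pscustomobject]@{ Check = 'NoLMHash = 1'; Pass = [bool]($lsa -and $lsa.NoLMHash -eq 1); Detail = "NoLMHash=$($lsa.NoLMHash)" }
) | Format-Table -AutoSize -Wrap
```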
Auditing and Logging
- Failed logon attempts are audited.
- IIS log files are relocated and secured.
- Log files are configured with an appropriate size depending on the application security requirement.
- Log files are regularly archived and analyzed.
- Access to the Metabase.bin file is audited.
- IIS is configured for W3C Extended log file format auditing.
- Ensure certificate date ranges are valid.
- Only use certificates for their intended purpose (For example, the server certificate is not used for e-mail).
- Ensure the certificate’s public key is valid, all the way to a trusted root authority.
- Confirm that the certificate has not been revoked.
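Log analysis tools such as Webalizer and AWStats (mentioned earlier) produce traffic summaries; the script below, an added example that is not part of the article, shows what a reviewer looks for in the raw W3C Extended entries the checklist asks IIS to write: repeated failed logons, directory traversal probes and server errors. The log text is constructed for the example, not real traffic; the hostnames, IPs and the `Get-W3cLogFindings` function name are assumptions.

```powershell
# Added example; not from the article. Parses W3C Extended log lines of the
# kind IIS writes (the format the checklist asks for) and surfaces the events
# a log review looks for first. The log text below is constructed, not real
# traffic; read a real log with Get-Content and pass the lines the same way.
function Get-W3cLogFindings {
    param([string[]]$Lines, [int]$FailedLogonThreshold = 3)
    $fields  = $null
    $entries = foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '      # IIS replaces spaces inside a field with '+'
        $entry  = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $entry[$fields[$i]] = $values[$i] }
        [pscustomobject]$entry
    }
    # Failed logon attempts: repeated 401 responses from one client address
    $entries | Where-Object { $_.'sc-status' -eq '401' } | Group-Object 'c-ip' |
        Where-Object { $_.Count -ge $FailedLogonThreshold } | ForEach-Object {
            [pscustomobject]@{ Finding = 'Repeated 401 responses'; Client = $_.Name; Detail = "$($_.Count) attempts" }
        }
    # Directory traversal probes: '..' in raw or URL-encoded form in path or query
    # (a heuristic; legitimate names containing '..' would also be listed)
    $entries | Where-Object { ($_.'cs-uri-stem' + '?' + $_.'cs-uri-query') -match '(\.|%2e){2}' } | ForEach-Object {
        [pscustomobject]@{ Finding = 'Traversal pattern in URI'; Client = $_.'c-ip'; Detail = $_.'cs-uri-stem' }
    }
    # Server errors: 5xx responses point at crashes or misconfiguration worth investigating
    $entries | Where-Object { $_.'sc-status' -match '^5\d\d$' } | ForEach-Object {
        [pscustomobject]@{ Finding = "HTTP $($_.'sc-status')"; Client = $_.'c-ip'; Detail = $_.'cs-uri-stem' }
    }
}

# Constructed sample in W3C Extended format; addresses are documentation ranges.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2024-01-15 10:00:01 10.0.0.5 GET /index.html - 198.51.100.7 Mozilla/5.0 200
2024-01-15 10:00:02 10.0.0.5 GET /static/..%2f..%2fweb.config - 203.0.113.9 curl/8.0 404
2024-01-15 10:00:03 10.0.0.5 POST /admin/login - 203.0.113.9 curl/8.0 401
2024-01-15 10:00:04 10.0.0.5 POST /admin/login - 203.0.113.9 curl/8.0 401
2024-01-15 10:00:05 10.0.0.5 POST /admin/login - 203.0.113.9 curl/8.0 401
2024-01-15 10:00:06 10.0.0.5 GET /reports.aspx id=1 198.51.100.7 Mozilla/5.0 500
'@ -split "`r?`n"

Get-W3cLogFindings -Lines $sampleLog | Format-Table -AutoSize
```

On the sample above the function reports one client with three 401 responses, one traversal pattern and one HTTP 500; the same parser works on a real IIS log because it reads the field order from the `#Fields:` header rather than assuming it.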