Profiling a Website for Penetration Testing
1 – Analyzing your target
You’re a penetration tester. You’ve been commissioned by a company to exploit their systems in any way you can. Before you jump into your phone calls and coding, take a minute to do a basic assessment of your target. This step is far too often overlooked in the process of “hacking”. For example; if your client is a Fortune 500 company, would you try to run a string of public exploits? If your target is a small, privately owned website, would you spend hours and days creating a detailed profile of the website architecture? Take a minute to search the internet for information relating to your website of interest, and give yourself an idea of what you’re up against. [Protip: Revenue and Budget figures, if posted publicly, can offer quite a bit of insight. If their IT sector has a relatively low budget (the average engineer makes around $100,000 a year, do the math) then there’s probably a better chance that he/she/them missed something. Now, once you have a basic idea of what you’re up against, let’s move on to the next step.
Far too often people open up Acunetix, plug in that website URL, and let the automated software go to work. The (main) problem with this approach (as there are many), is that it’s essentially notifying every single webmaster in control of that site that you’re trying to break in. This is a NEWBIE mistake, and can often lead to you getting firewalled from the site and inevitably fired. If you’re going to use Acunetix, set it to Quick mode.
Another thing to be wary of it port scanning. Port Scanning sends off a serious red flag to any competent webmaster. If your site is of reasonable size, an its traffic of reasonable density, a port scan is often completely worthless. No intelligent IT Engineer would leave crucial ports open, and there are better ways to find open ports than to run a port scan.
One other thing we should take note of here is the “scanning profile”. This is a pretty cool feature of Acunetix (and other vulnerability scanners) that allows you to search for vulnerabilities within a certain set of parameters. This not only allows for you to remain stealthier, but it saves you some time. Use your knowledge of the company infrastructure to determine which profile would best suit your case. XSS is a fairly common vulnerability, so you may want to set it to scan for XSS.
The point with all of this though, essentially, is to get a basic idea of how your website is laid out. Make note of robots.txt (sometimes valuable links can be stored here), what OS the site is running on, what type of FTP manager they’re using, etc. [Much information of relevance can often be found on the 404 page, depending on the website. Make use of it ^_^. In this tutorial, I’m not going to teach to you XSS, how to SQLi or LFI/RFI, or how to shell a website. There are plenty of tutorials around here for that, my goal is to teach you the ways of the scout.
Computers are anonymous, indirect, discrete. Talking over the phone is, well, a tad bit more personal. The majority of today’s “hackers” simply lack the confidence to get down and dirty on the telephone or in person. At this step you actually make a phone call to the website owners that have hired you for the penetration testing .
The First step here is to gain the confidence . I would advice that if you dont have an experience in Social engineering , first practice by talking to some customer care . This way you will be more confident in talking to unknown people . This step is very crucial as it is here you gain the confidence of the target during a Black hat Penetration test .
Have a Plan before you make the call and have your points on what information you have to extract .
1.4 – Put the Extracted Information to use
You have the information on your website, use it. You extracted the billing information from the willing customer support, so make another call and recover “your account”. You obtained Employee IDs and names for several IT Engineers, so call and get yourself administrative access to that website. This section really depends on what your situation is, so it’s deliberately vague. The information for proper SE is included in this tutorial, so apply it to whatever you need it for. Impersonation is your Golden Ticket to the Chocolate Factory that is your company. Combine your information with your computer knowledge and deface the entire website, it truly is up to you.
#Post is purely for educational Purpose . Any Misuse is Illegal .