Wednesday, June 20, 2012

Efficient Pentesting (Interesting Web Servers)

I have seen a few blog posts discussing techniques for parsing through large amounts of scan data and quickly identifying the avenues with the highest potential return on investment during a pentest. More specifically, they give ways to prioritize interesting web servers, because an initial network scan can return a lot of potentially fun web ports to check out. The particular tool covered here is really cool and I will talk more about it in just a minute, but I think it is important to grasp the bigger-picture idea behind it first.

When working under time constraints towards a particular goal, with multiple routes to get there, actions must be prioritized by greatest potential success rate and highest "return on investment".

Ok, but what does this mean for pentesting?

This matters a great deal on a project under time constraints: if pentesters want to provide the best value to the customer within the specified time frame, they need to quickly prioritize their actions and find the avenues of attack worth spending their time on.

All that being said, when a tool, idea, or technique presents itself that saves time, it can help pentesters do their job better by freeing up time that would have been spent on one task (e.g. manually crunching through web servers looking for exposed admin interfaces) and allowing more time to be spent on other areas.

Enter webscour.pl

With this awesome little Perl script, nmap (and other) scan results can be piped into it, and it spits out a web page with a screenshot of each potentially interesting web page plus the HTTP response headers. If the screenshot or headers look promising, all you have to do is click the link or the screenshot itself to visit the page, all from the comfort of your favorite web browser. Here is my tweak to what these other guys have already done with it. I used grepable nmap output (-oG) as my data source.

Dependencies: gnome-web-photo and gnmap.pl (if you want to view ports other than just 80)


cat netscan_nmap | ./gnmap.pl | grep -E 'http|https' | cut -d, -f1,2 | tr ',' ':' | ./webscour.pl sites.htm
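As an added example (my own Python 3 code, not webscour.pl, gnmap.pl, or anything from the sites credited below), here is the same pipeline written out so the parsing is visible: it reads the grepable (-oG) nmap file directly, keeps only open TCP ports whose service name contains "http" and, going a little beyond the grep in the command above, a small set of well-known web ports that nmap left unnamed, probes each URL for its response headers, and writes a sites.htm-style triage page with a clickable link and the handful of headers that usually decide whether a server is worth a look. Screenshots are left to gnome-web-photo. The scan output embedded in the script is constructed, not a real scan; the fallback port list, the User-Agent string, and the choice of headers to display are my assumptions.

```python
#!/usr/bin/env python3
"""Triage web servers from grepable nmap output (added example, not webscour.pl).

Usage: python3 webtriage.py netscan_nmap > sites.htm
With no argument it runs against the constructed sample below.
"""
import html
import ssl
import sys
import urllib.error
import urllib.request

# Constructed sample of `nmap -oG` output (not a real scan). Each port entry is
# port/state/protocol/owner/service/rpcinfo/version/ ; nmap rewrites any '/'
# inside a field as '|', so splitting an entry on '/' is safe.
SAMPLE_GNMAP = """\
# Nmap 6.01 scan initiated as: nmap -sV -oG netscan_nmap 10.0.0.0/28
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///\tIgnored State: closed (997)
Host: 10.0.0.9 ()\tPorts: 8080/open/tcp//http-proxy///, 8443/open/tcp//https-alt///, 8000/open/tcp/////, 3389/filtered/tcp//ms-wbt-server///, 9090/open/tcp/////
Host: 10.0.0.12 ()\tStatus: Up
# Nmap done
"""

# Assumption: ports worth a look even when nmap could not name the service.
WEB_PORT_FALLBACK = {80, 81, 443, 8000, 8080, 8443, 8888}
TLS_PORTS = {443, 8443}
# Assumption: the headers that most often make a server interesting.
TRIAGE_HEADERS = ('server', 'www-authenticate', 'location', 'x-powered-by', 'content-type')


def web_targets(gnmap_text, fallback_ports=WEB_PORT_FALLBACK):
    """Return one URL for every open TCP port that looks like a web server."""
    urls = []
    for line in gnmap_text.splitlines():
        if not line.startswith('Host:') or '\tPorts: ' not in line:
            continue                      # comments, down hosts, hosts with no ports
        host = line.split()[1]
        ports_field = line.split('\tPorts: ', 1)[1].split('\t', 1)[0]
        for entry in ports_field.split(', '):
            fields = entry.split('/')
            if len(fields) < 5:
                continue
            port, state, proto, service = int(fields[0]), fields[1], fields[2], fields[4]
            if state != 'open' or proto != 'tcp':
                continue                  # filtered/closed ports are not worth a probe
            if 'http' in service:         # http, ssl|https, http-proxy, https-alt, ...
                scheme = 'https' if ('https' in service or 'ssl' in service) else 'http'
            elif not service and port in fallback_ports:
                scheme = 'https' if port in TLS_PORTS else 'http'
            else:
                continue
            urls.append(f'{scheme}://{host}:{port}/')
    return urls


def fetch_headers(url, timeout=3):
    """HEAD the URL; return (status, headers dict) or (None, error text).

    Needs network access, so it is not exercised against the embedded sample.
    Internal targets usually present self-signed certificates, so TLS
    verification is switched off on purpose (this is a scanner, not a client).
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(url, method='HEAD',
                                 headers={'User-Agent': 'web-triage/0.1'})  # assumed UA
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, dict(resp.getheaders())
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers.items())   # 401/403/404 still reveal the server
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def build_page(results):
    """Render (url, status, headers-or-error) tuples as a one-table HTML page.

    Everything from the target is HTML-escaped: a hostile Server header must
    not be able to run script in the tester's browser when the page is opened.
    """
    rows = []
    for url, status, hdrs in results:
        if isinstance(hdrs, dict):
            shown = [(k, v) for k, v in hdrs.items() if k.lower() in TRIAGE_HEADERS]
            cell = '<br>'.join(f'{html.escape(k)}: {html.escape(v)}' for k, v in shown)
        else:
            cell = f'error: {html.escape(hdrs)}'
        link = f'<a href="{html.escape(url)}">{html.escape(url)}</a>'
        rows.append(f'<tr><td>{link}</td><td>{status}</td><td>{cell}</td></tr>')
    return ('<html><body><table border="1">\n'
            '<tr><th>URL</th><th>Status</th><th>Headers</th></tr>\n'
            + '\n'.join(rows) + '\n</table></body></html>\n')


if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    results = [(u,) + fetch_headers(u) for u in web_targets(text)]
    sys.stdout.write(build_page(results))
```

Against the embedded sample, web_targets() yields five URLs (80 and 443 on 10.0.0.5; 8080, 8443 and the unnamed 8000 on 10.0.0.9) and skips the filtered 3389 and the unnamed 9090, which shows the one thing the grep-based pipeline cannot express: a port can be worth visiting even when nmap printed no service name for it. To feed webscour.pl instead of the built-in header probe, strip the scheme and trailing slash from each URL to get the host:port lines it expects.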


All credit for this kung fu goes to the following sites:

http://blog.cyberis.co.uk/2011/04/finding-interesting-web-servers-on.html
http://www.pentesticles.com/2012/05/we-have-port-scans-what-now.html
http://pauldotcom.com/wiki/index.php/Episode291#Tech_Segment:_What.27s_That_Web_Server.3F