Web Application Pentesting and Network Pentesting are two separate beasts to tame. Usually when a WAPT is conducted, the focus is on the application and not on the server running it but it’s not the other way round. During a Network assessment the pentester might encounter different types of services and applications. So it becomes crucial to have WAPT skills while penetrating a Network. Similarly there are multiple resources which are worth a visit before performing any active test on a network. Here we will discuss such areas which should be looked into during a network pentest exercise.
Internet Search Engines
It is always good to have the knowledge of open ports, services running and their banners before diving into a network. Internet search engines such as Shodan and ZoomEye provide such information related to public IP addresses. As a pentester, this allows to be prepared with tools and clients for different services and learn exploitation of technologies which we have not encountered before. For example during an engagement it was identified through Shodan that a specific public IP was running a memcache service. A quick google search came up with exploit techniques for it, this played a crucial role in the success of the pentest. Shown below is an example search for a public IP.
It is a ruby script which looks for vulnerable 3rd party web applications in a network such as jmx-consoles, administrative interfaces etc. It can perform a port scan, look for open web-based ports and also perform a brute force attack on the discovered paths. The figure below demonstrates the usage of the tool. It can be downloaded from https://github.com/0xsauby/yasuo
The basic definition of this term is ‘data about data’. Most of the files contain some kind of metadata, such as the date and time they were create, software used to create them etc. Be it an internal or external Pentest, it is always a good idea to extract all the metadata from files hosted on the website of the organization. Through this we can identify information such as Usernames, Operating Systems, Software versions being used, server and much more. This information will help us to create list of usernames to perform a brute force attack, be ready with exploits for specific softwares, launch a spear phishing attack etc. There are many tools which can automate the process of metadata extraction from a website, such as FOCA and Metagoofil.
Web Interface on Network Devices
In an organization there are multiple types of devices such as Switches, Routers etc. running different networks. Sometimes pentesters focus only on attacking user machines and ignore these devices but should not, as they provide much more leverage than a single machine. Apart from their usual services, such devices also run a web application, SSH service etc. These services are sometimes insecure and can be used to get a foothold into the network or simply the administrator might be using the default password. For example Wi-Fi access points have web interface for administrative usage and sometimes they are easily exploitable.