web project attack process

In general, a website undergoing a security test (penetration test) tends to have some or all of the following vulnerabilities: SQL injection, cross-site scripting (XSS), an exposed back-end administration login page, the IIS short file/folder name disclosure vulnerability, and disclosure of sensitive system information.

As a rule, these security tests first collect information and then carry out the actual penetration work to obtain sensitive data from the website or system, which may ultimately allow the system to be controlled or damaged.

The first step is information collection: gathering IP addresses, DNS records, software version information, IP ranges and similar data. Methods that can be used include:
1) Obtain basic network information;
2) Ping the target network to obtain the IP address, TTL and similar information;
3) Tcptraceroute and Traceroute results;
4) Whois results;
5) Server information;
6) Curl to obtain basic information about the target web server;
7) Nmap to port-scan the website and determine the operating system type;
8) Search engines such as Google, Yahoo and Baidu to obtain target information;
9) FWtester, Hping3 and similar tools to probe firewall rules;
10) Others.

The second step is the penetration test itself: using the data gathered earlier to obtain further sensitive website data. If this stage succeeds, ordinary (unprivileged) access may be obtained. The methods are as follows:

1) Conventional vulnerability scanning and inspection with commercial software;
2) Vulnerability scanning with commercial or free scanners such as ISS and Nessus;
3) Searching for and discovering network devices with SolarWinds;
4) Scanning for common web vulnerabilities with Nikto, WebInspect and similar software;
5) Scanning and analysing databases with commercial software such as AppDetective;
6) Analysing web and database applications;
7) Analysing with tools such as WebProxy, SPIKEProxy, WebScarab, Paros Proxy and Absinthe;
8) Capturing packets with Ethereal to assist the analysis;
9) Preliminary analysis of SQL injection and XSS vulnerabilities with Webscan and fuzzers;
10) Manual detection of SQL injection and XSS vulnerabilities;
11) Database analysis with tools similar to OScanner;
12) Attacks on generic devices, databases, operating systems and applications, using a variety of public and private buffer-overflow code as well as exploit collections such as the Metasploit Framework;
13) Application-based attacks, which target weaknesses in web, database or specific B/S (browser/server) or C/S (client/server) network applications;
14) Password guessing, using tools such as X-Scan, Brutus, Hydra and Snow Tracking.

The third step is to try to escalate from ordinary privileges to administrator privileges and gain full control of the system, re-running from phase 1 if necessary and as time permits. The methods used:

1) Password sniffing and keylogging. Sniffers, keyloggers and Trojans are functionally simple, but they must not be detected by antivirus software, so they usually have to be custom-developed or modified.
2) Password cracking. Well-known password-cracking software includes L0phtCrack, John the Ripper and Cain.

The above are the steps the testers follow, but we do not necessarily need to dwell on these procedural details. What matters more to us is the results they report back, because there may be many security holes waiting for us to fix.
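As an added illustration (not part of the original article) of what fixing two of the findings listed at the top, SQL injection and XSS, looks like in practice, here is a constructed Python snippet that places the injectable login query and the unescaped HTML output next to their hardened forms. The in-memory SQLite table, the user record and the probe strings are constructed sample data.

```python
import html
import sqlite3

# Constructed in-memory demo database; the table and credentials are sample data.
# Passwords are stored in plaintext only to keep the demo short; real code hashes them.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()


def login_vulnerable(name: str, password: str) -> bool:
    """Builds the SQL text by concatenation, so user input becomes part of the query syntax."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone()[0] > 0


def login_safe(name: str, password: str) -> bool:
    """Parameterised query: the driver passes input as bound data, never as SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone()[0] > 0


def render_comment_unsafe(comment: str) -> str:
    """Reflects user input straight into the page: the classic XSS pattern a tester looks for."""
    return "<p>" + comment + "</p>"


def render_comment_safe(comment: str) -> str:
    """Escapes HTML metacharacters so the input is displayed as text rather than markup."""
    return "<p>" + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    # A tester's textbook probe: a quote that closes the literal plus an always-true clause.
    probe = "' OR '1'='1"
    print("concatenated query bypassed:", login_vulnerable("anyone", probe))   # True
    print("parameterised query bypassed:", login_safe("anyone", probe))        # False
    print(render_comment_unsafe("<script>alert(1)</script>"))
    print(render_comment_safe("<script>alert(1)</script>"))
```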