Penetrating "Secure" Websites By Increasing Attack Vectors

// Intended Audience

This tutorial goes beyond the legal boundaries of what a penetration tester is usually authorized to audit. In that case, the intended audience is "blackhat" hackers. Also, if you consider yourself "elite," then this article is most likely not for you.

// Introduction

All too often, we notice websites boasting their security in the form of a "McAfee SECURE" banner or similar. This banner indicates that the website has been scanned for a number of commonly exploited vulnerabilities and has passed all tests, so the website is declared secure by the vendor's standards. Note what that scan covers: the one website, not the machine it lives on. Now if we proceed to audit that particular website ourselves, occasionally we will find an exploitable vulnerability, but for the most part our audit will reach a similar conclusion: secure.

// So What's Next?

First, a little explanation seems appropriate before we continue. Typically, what you will notice when performing an audit on behalf of a client is that your client's website is hosted on shared hosting (a virtual host among many on one machine) rather than on a dedicated server. In a shared hosting environment, it is common practice to host not only the website(s) of one customer, but the websites of many customers on the same box. Unfortunately for the client who has contracted an audit of his website, the penetration tester is not legally authorized to audit the websites belonging to other customers, regardless of the fact that they are hosted on the same physical server, even though a compromise of any one of them can end in a compromise of the server and therefore of the client's site too. A hacker, on the other hand, does not abide by any particular set of laws imposed by a governing body. So we shall continue from the perspective of a hacker, as the penetration tester's job is now complete.

// I'm A Criminal Baby, Let's Perpetrate A Crime.

At this point, we've finished our initial scans of the target website, which likely turned up no known vulnerability that could be leveraged in order to gain access. So what do we do? We ping that bitch. Here's an example (the output shown is from a Linux box, but ping resolves the name on any OS):

# ping shadow.net
PING shadow.net (123.123.123.123) 56(84) bytes of data.

If you would rather get the address without sending any packets to the target, resolve the name instead. On *nix, resolveip (it ships with the MySQL server package) does exactly that:

# resolveip shadow.net
IP address of shadow.net is 123.123.123.123

Now we have the IP address of our target, 123.123.123.123, which we will save/log for our records as it will come in handy shortly. Our goal now is to determine what other websites, if any, are hosted on the same server as virtual hosts. Now that we have the IP address, we can load up a very handy tool developed by our friends at Micro$oft: Bing! Bing records the IP address each page was crawled from, and its ip: operator searches on that address. So open up your favorite web browser, navigate to http://www.bing.com and use the following query (typed without quotes):

ip:123.123.123.123

This query returns every indexed page Bing has seen served from the given IP address, so if there are any additional websites hosted on it, their hostnames will show up in the result pages. These days, more often than not, you will now have a list of potential targets courtesy of Micro$oft. Three caveats before you get excited. First, you only get what Bing has indexed, and the operator only works for as long as Bing chooses to support it. Second, the index lags reality: tenants move hosting, so re-resolve each hostname and keep only the ones that still point at your IP. Third, if the address belongs to a CDN, load balancer or reverse proxy rather than the origin server, the sites behind it need not share a machine at all, and the whole premise collapses. With those out of the way, you have greatly expanded your attack surface to include every website hosted on the server, and consequently greatly increased your odds of locating an exploitable vulnerability. Once you have successfully exploited a particular vulnerability and obtained code execution on the box (as the web server's user, or as that tenant's user where the host runs each customer under its own account), you can shift your focus to privilege escalation via a local vulnerability; on shared hosting, root is what turns one tenant into all of them. Once you've finished up, you have accomplished what is commonly referred to as a "mass hack." Don't forget to install a sexy little backdoor and take care of those pesky logs.
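Below is an added example that is not part of the original tutorial. It takes the links you would copy out of a Bing ip: results page, reduces them to distinct hostnames, and then re-resolves every candidate so that stale index entries are dropped; it also shows the one-request vhost probe that asks the web server directly whether it serves a given Host name. The IP 123.123.123.123, every hostname, and the result links are constructed for the demo, and the resolver used by the demo is a hard-coded table so the script runs offline (the real resolver is the default when you call confirm_cohosted yourself).

```python
"""Added example: from a Bing "ip:" hit list to a verified list of co-hosted vhosts.

All addresses, hostnames and result links below are constructed for
illustration; they are not real results and not part of the tutorial.
"""
import http.client
import socket
import urllib.parse
from collections import OrderedDict

TARGET_IP = "123.123.123.123"  # constructed, same placeholder the tutorial uses

# Constructed stand-in for the links scraped from a Bing "ip:" results page.
SAMPLE_RESULT_LINKS = [
    "http://shadow.net/",
    "https://www.shadow.net/about",
    "http://blog.example-tenant.com/2011/01/post",
    "http://example-tenant.com/",
    "http://Other-Shop.example/cart.php?id=3",
    "http://blog.example-tenant.com/",   # duplicate host, collapsed below
    "http://moved-away.example/",        # no longer resolves at all
]


def bing_ip_query_url(ip):
    """Search URL for the ip: operator. The operator is bare (ip:1.2.3.4);
    wrapping it in quotes searches for the literal string instead."""
    return "https://www.bing.com/search?" + urllib.parse.urlencode({"q": "ip:" + ip})


def hosts_from_links(links):
    """Distinct hostnames from result links, lowercased, in first-seen order."""
    seen = OrderedDict()
    for link in links:
        host = urllib.parse.urlsplit(link).hostname  # lowercases, strips any port
        if host and host not in seen:
            seen[host] = None
    return list(seen)


def confirm_cohosted(ip, hosts, resolve=socket.gethostbyname_ex):
    """Search indexes lag and tenants move, so re-resolve every candidate and
    keep only names that still have an A record on `ip`. `resolve` follows the
    socket.gethostbyname_ex contract: returns (canonname, aliases, addresses)
    or raises socket.gaierror (an OSError) when the name does not resolve."""
    live, gone = [], []
    for host in hosts:
        try:
            _, _, addrs = resolve(host)
        except OSError:
            gone.append(host)
            continue
        (live if ip in addrs else gone).append(host)
    return live, gone


def vhost_probe(ip, host, port=80, timeout=5):
    """Ask the server itself: connect to the IP and send the candidate name in
    the Host header. DNS may lag, but the web server's vhost table is
    authoritative. Returns the HTTP status; a default/catch-all page usually
    means the name is not configured there. Not called in the offline demo."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()


def fake_resolver(host):
    """Constructed offline resolver standing in for DNS in the demo."""
    table = {
        "shadow.net": ["123.123.123.123"],
        "www.shadow.net": ["123.123.123.123"],
        "blog.example-tenant.com": ["123.123.123.123"],
        "example-tenant.com": ["123.123.123.123", "123.123.123.124"],
        "other-shop.example": ["198.51.100.7"],  # tenant moved elsewhere
    }
    if host not in table:
        raise socket.gaierror(-2, "Name or service not known")
    return host, [], table[host]


def demo():
    """Run the pipeline over the constructed data; returns (live, gone)."""
    candidates = hosts_from_links(SAMPLE_RESULT_LINKS)
    return confirm_cohosted(TARGET_IP, candidates, resolve=fake_resolver)


if __name__ == "__main__":
    print(bing_ip_query_url(TARGET_IP))
    live, gone = demo()
    print("still on %s: %s" % (TARGET_IP, ", ".join(live)))
    print("stale hits: %s" % ", ".join(gone))
```

In the demo, two of the six hostnames Bing would have handed you are dropped: one has moved to another address and one no longer resolves. That is the difference between a target list and a list of things that were once true, and it is worth the few seconds of DNS traffic before you start throwing exploits at names that no longer live on the box.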

Check for Part 2 of this tutorial which should be released reasonably soon.

// No Required Reading Below This Line

That concludes my brief tutorial. I wanted to name this tutorial "The Hypocrisy of Penetration Testing" or something similar. Also, I am well aware that many will consider this common knowledge. If you fall into this category, please realize that this article was obviously not intended for you.

SAYONARA BROSIF GWIBBLES.