4.0
1NSchAb
1NSchAb
- No tags were found...
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
69<br />
Web Application Penetration Testing<br />
• Try the following usernames - “admin”, “administrator”, “root”,<br />
“system”, “guest”, “operator”, or “super”.<br />
These are popular among system administrators and are often<br />
used. Additionally you could try “qa”, “test”, “test1”, “testing” and<br />
similar names. Attempt any combination of the above in both the<br />
username and the password fields. If the application is vulnerable<br />
to username enumeration, and you manage to successfully<br />
identify any of the above usernames, attempt passwords in a<br />
similar manner. In addition try an empty password or one of<br />
the following “password”, “pass123”, “password123”, “admin”,<br />
or “guest” with the above accounts or any other enumerated<br />
accounts.<br />
Further permutations of the above can also be attempted. If<br />
these passwords fail, it may be worth using a common username<br />
and password list and attempting multiple requests against the<br />
application. This can, of course, be scripted to save time.<br />
• Application administrative users are often named after the<br />
application or organization.<br />
This means if you are testing an application named “Obscurity”,<br />
try using obscurity/obscurity or any other similar combination as<br />
the username and password.<br />
• When performing a test for a customer, attempt using names<br />
of contacts you have received as usernames with any common<br />
passwords. Customer email addresses mail reveal the user<br />
accounts naming convention: if employee John Doe has the email<br />
address jdoe@example.com, you can try to find the names of<br />
system administrators on social media and guess their username<br />
by applying the same naming convention to their name.<br />
• Attempt using all the above usernames with blank passwords.<br />
• Review the page source and JavaScript either through a proxy<br />
or by viewing the source. Look for any references to users and<br />
passwords in the source.<br />
For example “If username=’admin’ then starturl=/admin.asp<br />
else /index.asp” (for a successful log in versus a failed log in).<br />
Also, if you have a valid account, then log in and view every<br />
request and response for a valid log in versus an invalid log in,<br />
such as additional hidden parameters, interesting GET request<br />
(login=yes), etc.<br />
• Look for account names and passwords written in comments<br />
in the source code. Also look in backup directories for source<br />
code (or backups of source code) that may contain interesting<br />
comments and code.<br />
Testing for default password of new accounts<br />
It can also occur that when a new account is created in an application<br />
the account is assigned a default password. This password<br />
could have some standard characteristics making it predictable. If<br />
the user does not change it on first usage (this often happens if<br />
the user is not forced to change it) or if the user has not yet logged<br />
on to the application, this can lead an attacker to gain unauthorized<br />
access to the application.<br />
The advice given before about a possible lockout policy and verbose<br />
error messages are also applicable here when testing for<br />
default passwords.<br />
The following steps can be applied to test for these types of default<br />
credentials:<br />
• Looking at the User Registration page may help to determine the<br />
expected format and minimum or maximum length of the<br />
application usernames and passwords. If a user registration page<br />
does not exist, determine if the organization uses a standard<br />
naming convention for user names such as their email address or<br />
the name before the “@” in the email.<br />
• Try to extrapolate from the application how usernames are<br />
generated.<br />
For example, can a user choose his/her own username or does<br />
the system generate an account name for the user based on<br />
some personal information or by using a predictable sequence? If<br />
the application does generate the account names in a predictable<br />
sequence, such as user7811, try fuzzing all possible accounts<br />
recursively.<br />
If you can identify a different response from the application when<br />
using a valid username and a wrong password, then you can try a<br />
brute force attack on the valid username (or quickly try any of the<br />
identified common passwords above or in the reference section).<br />
• Try to determine if the system generated password is predictable.<br />
To do this, create many new accounts quickly after one another<br />
so that you can compare and determine if the passwords<br />
are predictable. If predictable, try to correlate these with the<br />
usernames, or any enumerated accounts, and use them as a<br />
basis for a brute force attack.<br />
• If you have identified the correct naming convention for the user<br />
name, try to “brute force” passwords with some common<br />
predictable sequence like for example dates of birth.<br />
• Attempt using all the above usernames with blank passwords or<br />
using the username also as password value.<br />
Gray Box testing<br />
The following steps rely on an entirely Gray Box approach. If only<br />
some of this information is available to you, refer to black box<br />
testing to fill the gaps.<br />
• Talk to the IT personnel to determine which passwords they<br />
use for administrative access and how administration of the<br />
application is undertaken.<br />
• Ask IT personnel if default passwords are changed and if default<br />
user accounts are disabled.<br />
• Examine the user database for default credentials as described<br />
in the Black Box testing section. Also check for empty password<br />
fields.<br />
• Examine the code for hard coded usernames and passwords.<br />
• Check for configuration files that contain usernames<br />
and passwords.<br />
• Examine the password policy and, if the application generates its<br />
own passwords for new users, check the policy in use for this<br />
procedure.<br />
Tools<br />
• Burp Intruder: http: /portswigger.net/burp/intruder.html<br />
• THC Hydra: http: /www.thc.org/thc-hydra/<br />
• Brutus: http: /www.hoobie.net/brutus/<br />
• Nikto 2: http: /www.cirt.net/nikto2<br />
References<br />
Whitepapers<br />
• CIRT http: /www.cirt.net/passwords<br />
• Government Security - Default Logins and Passwords for<br />
Networked Devices http: /www.governmentsecurity.org/<br />
articles/DefaultLoginsandPasswordsforNetworkedDevices.php<br />
• Virus.org http: /www.virus.org/default-password/