Webserver Checklist Pentest

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 5

Sunday, May 23, 2021

 Home
 kalitutorials
 Malware
 Ransomware
 Cryptocurrency hack
 SOC Resources
 Advertise
 GBH Team

GBHackers On Security

 Home
 Hacks
 THREATS
 PENTEST
 KALI
 SOC
 Infosec
 TECH
 TOOLS
 Courses

 PENTESTING
 Web Server Pentesting

Most Important Web Server Penetration


Testing Checklist
By
BALAJI N
-
May 6, 2021
12

Web server pentesting performing under 3 major category which is identity, Analyse, Report
Vulnerabilities such as authentication weakness, configuration errors, protocol Relation
vulnerabilities.

 1.  “Conduct a serial of methodical and Repeatable tests “ is the best way to test the web
server along with this to work through all of the different application Vulnerabilities.

2.  “Collecting as Much as Information” about an organization Ranging from operation


environment is the main area to concentrate on the initial stage of web server Pen testing.

3.  Performing web server Authentication Testing, use Social engineering techniques to collect
the information about the Human Resources, Contact Details, and other  Social Related
information.

4.  Gathering Information about Target, use whois database query tools to get the Details such
as Domain name, IP address, Administrative Details, autonomous system number, DNS etc.

5.  Fingerprint webserver to gather information such as server name, server type, operating
systems, an application running on the server etc use fingerprint scanning tools such as,
Netcraft, HTTPrecon, ID Serve.
6.  Crawel Website to gather Specific information  from web pages, such as email addresses

7.  Enumerate web server Directories to extract important information about web
functionalities, login forms etc.

8.  Perform Directory traversal Attack to access Restricted Directories and execute the
command from outside of the Web server root directories.

9.  Performing vulnerability scanning to identify the weakness in the network use the
vulnerability scanning tools such as HPwebinspect, Nessus . and determine if the system can be
exploited.

10. Perform we cache poisoning attack to force the web server’s cache to flush its actual cache
content and send a specifically crafted request which will be stored in the cache.

11. Performing HTTP response splitting attack to pass malicious data to a vulnerable
application that includes the data in an HTTP response header.

12. Bruteforce SSH,FTP, and other services login credentials to gain unauthorized access.13.
Perform session hijacking to capture valid session cookies and ID’s,use tools such as Burb
suite , Firesheep ,jhijack to automated session hijacking.

14. Performing a MITM attack to access sensitive information by intercepting the


communications between the end-users and web servers.

15. Use tools such as  Webalizer, AWStats to examine the web server logs .

Important Checklist Suggested by Microsoft


Services

 Unnecessary Windows services are disabled.


 Services are running with least-privileged accounts.
 FTP, SMTP, and NNTP services are disabled if they are not required.
 Telnet service is disabled.

Protocols

 WebDAV is disabled if not used by the application OR it is secured if it is required.


 TCP/IP stack is hardened
 NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).

Accounts

 Unused accounts are removed from the server.


 Guest account is disabled.
 IUSR_MACHINE account is disabled if it is not used by the application.
 If your applications require anonymous access, a custom least-privileged anonymous
account is created.
 The anonymous account does not have write access to Web content directories and
cannot execute command-line tools.
 Strong account and password policies are enforced for the server.
 Remote logons are restricted. (The “Access this computer from the network” user-right is
removed from the Everyone group.)
 Accounts are not shared among administrators.
 Null sessions (anonymous logons) are disabled.
 Approval is required for account delegation.
 Users and administrators do not share accounts.
 No more than two accounts exist in the Administrators group.
 Administrators are required to log on locally OR the remote administration solution is
secure.

Files and Directories

 Files and directories are contained on NTFS volumes


 Web site content is located on a non-system NTFS volume.
 Log files are located on a non-system NTFS volume and not on the same volume where
the Web site content resides.
 The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
 Web site root directory has denied write ACE for anonymous Internet accounts.
 Content directories have deny write ACE for anonymous Internet accounts.
 Remote  administration application is removed
 Resource kit tools, utilities, and SDKs are removed.
 Sample applications are removed

Shares

 All unnecessary shares are removed (including default administration shares).


 Access to required shares is restricted (the Everyone group does not have access).
 Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft
Management Server (SMS) and Microsoft Operations Manager (MOM) require these
shares).

Ports

 Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used)


 Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a
secure data center infrastructure.
Registry

 Remote registry access is restricted.


 SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).

Auditing and Logging

  Failed logon attempts are audited.


  IIS log files are relocated and secured.
 Log files are configured with an appropriate size depending on the application security
requirement.
 Log files are regularly archived and analyzed.
 Access to the Metabase.bin file is audited.
 IIS is configured for W3C Extended log file format auditing.

Server Certificates

 Ensure certificate date ranges are valid.


 Only use certificates for their intended purpose (For example, the server certificate is not
used for e-mail).
  Ensure the certificate’s public key is valid, all the way to a trusted root authority.
 Confirm that the certificate has not been revoked.

You might also like