
4.2 Configuration and Deployment Management Testing

Last updated 5 months ago

4.2.1 Test Network Infrastructure Configuration

Once all the services that make up the application have been identified (MySQL, APIs, the different domains, etc.), then:

Evidence:

4.2.2 Test Application Platform Configuration

Fuzz for configuration, backup and documentation files left on the platform (-ac auto-calibrates ffuf's filters against the target's default responses; every extension passed to -e needs its leading dot, otherwise ffuf appends it literally to the word):

```bash
ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .bak,.config,.old,.txt,.pdf,.cgi -of md -o conf_files.md
```

Evidence:
4.2.3 Test File Extensions Handling for Sensitive Information

Fuzz for extensions the server may hand out as source, includes or archives instead of executing or refusing them (the output file is named differently from the one in 4.2.2 so the earlier results are not overwritten):

```bash
ffuf -ac -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt -u https://<DOMAIN>/FUZZ -e .asa,.inc,.config,.zip,.tar,.gz,.tgz,.rar,.java,.pdf,.docx,.rtf,.xlsx,.pptx -of md -o file_extensions.md
```

4.2.4 Review Old Backup and Unreferenced Files for Sensitive Information

Fuzz with common backup extensions first, then with the attached wordlists backup_files_with_path.txt and backup_files_only.txt (extensions-compressed.fuzz.txt is also attached for archive extensions):

```bash
ffuf -w <WORDLIST> -e .bak,.backup,.old,.tmp,.swp,.bkp -of md -o backup_files.md -u https://<DOMAIN>/FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_with_path.txt -u https://<DOMAIN>/FUZZ
ffuf -ac -w /usr/share/wordlists/backup_files_only.txt -u https://<DOMAIN>/FUZZ
```

Evidence:
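The generic wordlists above are a good first pass; once real filenames are known, backup candidates built around those exact names find far more. The script below is an added example (not code from The Pentesting Guide or its wordlists): it generates the backup, temp and editor-leftover variants of each discovered file and writes a wordlist that can be passed to ffuf as `-w candidates.txt`. The suffix lists and the sample paths in `__main__` are assumptions chosen for the demo.

```python
"""Generate backup/temp-file candidates for files already discovered on a target.

Added example, not code from The Pentesting Guide. Run it, redirect the output
to candidates.txt and fuzz with: ffuf -ac -w candidates.txt -u https://<DOMAIN>/FUZZ
"""
from __future__ import annotations

from pathlib import PurePosixPath

# Suffixes appended to the whole filename: config.php -> config.php.bak
APPEND_SUFFIXES = [".bak", ".backup", ".bkp", ".old", ".orig", ".tmp", ".save",
                   ".swp", ".copy", ".dist", "~", ".1", ".zip", ".tar.gz", ".rar"]
# Extensions that replace the original one: config.php -> config.bak
REPLACE_EXTS = [".bak", ".old", ".orig", ".txt", ".inc", ".sample"]


def candidates_for(path: str) -> list[str]:
    """Return de-duplicated candidate paths (no leading slash) for one discovered file."""
    p = PurePosixPath(path.lstrip("/"))
    parent = "" if str(p.parent) == "." else f"{p.parent}/"
    stem, ext = p.stem, p.suffix
    out: list[str] = []

    for suffix in APPEND_SUFFIXES:
        out.append(f"{parent}{p.name}{suffix}")
    for new_ext in REPLACE_EXTS:
        if new_ext != ext:
            out.append(f"{parent}{stem}{new_ext}")
    # Editor leftovers: vim swap files and emacs autosave files are dot/hash-prefixed
    out.append(f"{parent}.{p.name}.swp")
    out.append(f"{parent}.{p.name}.swo")
    out.append(f"{parent}#{p.name}#")
    # Manual-copy naming habits that keep the served extension (still executed by the server)
    if ext:
        out.append(f"{parent}{stem}_old{ext}")
        out.append(f"{parent}{stem}_bak{ext}")
        out.append(f"{parent}{stem}.bak{ext}")
        out.append(f"{parent}{stem}2{ext}")

    seen: set[str] = set()
    return [c for c in out if not (c in seen or seen.add(c))]


def build_wordlist(discovered: list[str]) -> list[str]:
    """Candidates for every discovered file, in order, without duplicates across files."""
    seen: set[str] = set()
    result: list[str] = []
    for path in discovered:
        for candidate in candidates_for(path):
            if candidate not in seen:
                seen.add(candidate)
                result.append(candidate)
    return result


if __name__ == "__main__":
    # Constructed sample of files found by the earlier ffuf runs
    for line in build_wordlist(["/admin/config.php", "/index.php", "/.env"]):
        print(line)
```

Variants such as `config_old.php` keep the executable extension, so a hit there is usually only a different version of the code, while `config.php.bak`, `config.bak` and `.config.php.swp` are served as plain text and leak the source itself; triage the two kinds differently.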

4.2.5 Enumerate Infrastructure and Application Admin Interfaces

Identify hidden administrator interfaces, functionality, cookies, etc.

Default administration pages to request:

```
# WebSphere
admin
admin-authz.xml
admin.conf
admin.passwd
admin/
admin/logon.jsp
admin/secure/logon.jsp
administration
# PHP
phpinfo
phpmyadmin/
phpMyAdmin/
mysqladmin/
MySQLadmin
MySQLAdmin
login.php
logon.php
xmlrpc.php
dbadmin
# FrontPage
admin.dll
admin.exe
administrators.pwd
author.dll
author.exe
author.log
authors.pwd
cgi-bin
# WebLogic
AdminCaptureRootCA
AdminClients
AdminConnections
AdminEvents
AdminJDBC
AdminLicense
AdminMain
AdminProps
AdminRealm
AdminThreads
# WordPress
wp-admin/
wp-admin/about.php
wp-admin/admin-ajax.php
wp-admin/admin-db.php
wp-admin/admin-footer.php
wp-admin/admin-functions.php
wp-admin/admin-header.php
```

Evidence:
4.2.6 Test HTTP Methods

Ask the server which methods it advertises. The Allow header is only what the server claims, so the interesting methods are tested directly afterwards:

```bash
curl -sq -X OPTIONS -I <URL> -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.6613.120 Safari/537.36" | grep -i "allow"
```

Check whether the server honours CONNECT and can be abused as a proxy; send the raw request (e.g. from Burp Repeater) and watch for a callback on the OAST host:

```
CONNECT <OASTIFY>:80 HTTP/1.1
Host: <DOMAIN>:443
```

Check whether PUT stores an arbitrary file (curl appends the local filename to a URL ending in "/"), whether the uploaded file is then served, and whether DELETE removes an existing resource:

```bash
echo '<html><body><h1>RTG</h1></body></html>' > /tmp/test.html
curl -sq -D - -X PUT -T /tmp/test.html https://<DOMAIN>/ -H "Content-Type: text/html" | head -n 1
curl -sq -D - https://<DOMAIN>/test.html | head -n 1
curl -sq -D - -X DELETE <URL_IMAGE> | head -n 1
```

Evidence:
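The OPTIONS, PUT, GET and DELETE steps above are easy to script so that the same probe can be repeated across every host in scope. The block below is an added example, not code from The Pentesting Guide: `probe_methods()` performs those requests and reports which methods actually worked versus what Allow advertised. Because nothing should be probed outside an engagement, a small constructed target server that accepts PUT and DELETE (while hiding them from Allow) is started on loopback so the script runs offline; the probe path `/rtg_probe.html` and the server's behaviour are assumptions for the demo.

```python
"""Probe which HTTP methods a target really accepts, not just what Allow claims.

Added example, not code from The Pentesting Guide. During an engagement call
probe_methods("https://<DOMAIN>") directly; the constructed test server exists
only so the example runs offline.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

MARKER = b"<html><body><h1>RTG</h1></body></html>"  # same marker file as the curl test


class PermissiveHandler(BaseHTTPRequestHandler):
    """Constructed target: honours PUT/DELETE on any path but omits them from Allow."""
    store = {}

    def log_message(self, *args):
        pass  # keep the demo quiet

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, OPTIONS")  # understates what works
        self.end_headers()

    def do_GET(self):
        body = self.store.get(self.path)
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_PUT(self):
        length = int(self.headers.get("Content-Length", 0))
        self.store[self.path] = self.rfile.read(length)
        self.send_response(201)
        self.end_headers()

    def do_DELETE(self):
        self.send_response(204 if self.store.pop(self.path, None) is not None else 404)
        self.end_headers()

    def do_TRACE(self):
        self.send_response(405)
        self.end_headers()


def start_test_server():
    """Start the constructed target on a free loopback port; returns its base URL."""
    srv = HTTPServer(("127.0.0.1", 0), PermissiveHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"


def _request(base, method, path, body=None, headers=None):
    u = urlsplit(base)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.netloc, timeout=10)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, {k.lower(): v for k, v in resp.getheaders()}, data


def probe_methods(base, probe_path="/rtg_probe.html"):
    """OPTIONS, then PUT + GET-back + DELETE of our own file, then TRACE."""
    r = {}
    _, hdrs, _ = _request(base, "OPTIONS", "/")
    r["allow"] = [m.strip().upper() for m in hdrs.get("allow", "").split(",") if m.strip()]
    r["put_status"], _, _ = _request(base, "PUT", probe_path, body=MARKER,
                                     headers={"Content-Type": "text/html"})
    status, _, data = _request(base, "GET", probe_path)
    r["put_served"] = status == 200 and MARKER in data
    r["delete_status"], _, _ = _request(base, "DELETE", probe_path)  # clean up our upload
    r["trace_status"], _, _ = _request(base, "TRACE", "/")
    r["findings"] = findings(r)
    return r


def findings(r):
    f, worked = [], set()
    if r["put_status"] in (200, 201, 204):
        worked.add("PUT")
        f.append("PUT accepted" + (" and the uploaded file is served back"
                                   if r["put_served"] else "; locate where the file landed"))
    if r["delete_status"] in (200, 202, 204):
        worked.add("DELETE")
        f.append("DELETE removes resources")
    if r["trace_status"] == 200:
        worked.add("TRACE")
        f.append("TRACE enabled")
    hidden = sorted(worked - set(r["allow"]))
    if hidden:
        f.append("accepted but not advertised in Allow: " + ", ".join(hidden))
    return f


if __name__ == "__main__":
    print(probe_methods(start_test_server()))
```

The probe uploads only a marker file under a name it chooses and deletes it again, which is the same footprint as the manual curl steps; keep it that way on a live target and never point the DELETE at anything the team did not create.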
4.2.7 Test HTTP Strict Transport Security

Check that the header is returned on HTTPS responses and review its max-age and includeSubDomains directives:

```bash
curl -sq -D- <URL> | grep -i "Strict-Transport-Security:" --color
```

Evidence:
4.2.8 Test RIA Cross Domain Policy

Fetch the Flash/Acrobat and Silverlight cross-domain policy files and review them for overly permissive entries (a domain="*" or uri="*" entry lets any site make credentialed requests through those plugins):

```bash
curl -D- -sq https://<URL>/crossdomain.xml -b "<COOKIE>"; echo
curl -D- -sq https://<URL>/clientaccesspolicy.xml -b "<COOKIE>"; echo
```

Evidence:
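Reading the two policy files by eye is fine for one host, but the checks are mechanical. The block below is an added example, not code from The Pentesting Guide: it parses crossdomain.xml and clientaccesspolicy.xml and flags a wildcard `allow-access-from`, wildcard subdomains, `secure="false"` on an HTTPS site, a wildcard `allow-http-request-headers-from`, a `site-control` that honours policy files from any location, and a Silverlight policy that grants `uri="*"`. The two sample policies are constructed for the demo.

```python
"""Review crossdomain.xml (Flash/Acrobat) and clientaccesspolicy.xml (Silverlight).

Added example, not code from The Pentesting Guide. Feed review_*() the body
returned by the curl commands in this section.
"""
import xml.etree.ElementTree as ET

# Constructed sample: everything in it is a finding
SAMPLE_CROSSDOMAIN = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" secure="false"/>
  <allow-access-from domain="*.partner.example"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>
"""

# Constructed sample: grants every origin access to the whole site
SAMPLE_CLIENTACCESSPOLICY = """<?xml version="1.0"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
"""


def review_crossdomain(xml_text: str, served_over_https: bool = True) -> list:
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [f"unexpected root element {root.tag!r}"]
    f = []
    for sc in root.iter("site-control"):
        mode = sc.get("permitted-cross-domain-policies", "")
        if mode in ("all", "by-content-type", "by-ftp-filename"):
            f.append(f"site-control {mode!r} honours policy files outside /crossdomain.xml; "
                     "an upload elsewhere on the host could extend trust")
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            f.append('allow-access-from domain="*": any origin can read responses with the victim\'s cookies')
        elif domain.startswith("*."):
            f.append(f"allow-access-from domain={domain!r}: every subdomain is trusted")
        # secure defaults to true for a policy served over HTTPS; false lets HTTP origins use it
        if served_over_https and el.get("secure", "true").lower() == "false":
            f.append(f'secure="false" for {domain!r}: plain-HTTP origins may use this HTTPS policy')
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            f.append(f'allow-http-request-headers-from domain="*" (headers={el.get("headers")!r})')
    return f


def review_clientaccesspolicy(xml_text: str) -> list:
    root = ET.fromstring(xml_text)
    f = []
    for policy in root.iter("policy"):
        domains = [d.get("uri", "") for d in policy.iter("domain")]
        paths = [r.get("path", "") for r in policy.iter("resource")]
        if "*" in domains:
            f.append(f'domain uri="*" grants every origin access to paths {paths}')
        if any(a.get("http-request-headers") == "*" for a in policy.iter("allow-from")):
            f.append('allow-from http-request-headers="*" lets cross-origin callers set arbitrary headers')
    return f


if __name__ == "__main__":
    print(review_crossdomain(SAMPLE_CROSSDOMAIN))
    print(review_clientaccesspolicy(SAMPLE_CLIENTACCESSPOLICY))
```

A permissive policy is only exploitable where a plugin still runs, so report it with that caveat, but it also signals how the application treats cross-origin trust elsewhere (CORS headers are the modern equivalent and are tested separately).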

4.2.9 Test File Permission

Evidence:

4.2.10 Test for Subdomain Takeover

A subdomain of the company points to a third-party service under a name that is no longer registered there. If you can create an account on that third-party service and register the name the subdomain still points to, you can take over the subdomain.

  1. Go to Burp's site map, select all the domains found while using the app, right click "Copy selected URLs" and save them into a file.

  2. Send an HTTP request to every domain and keep the ones that answer 404:

```bash
cat burp_urls.txt | awk -F/ '{print $1"//"$3}' | sort -u > domains_url.txt
meg -d 10 -c 200 / domains_url.txt requests
grep -iRl 404 requests/ | awk -F/ '{print $2}' > domains_to_be_checked.txt
```

  3. For each candidate, check whether the name still exists at the third-party service (look the URL up in Burp) and whether an attacker could register it.

Evidence:
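The awk one-liner keeps whatever sits between the second and third slash, so `https://User@App.Example.com:443/` and `https://app.example.com/` become two different "domains". The block below is an added example, not code from The Pentesting Guide: it is the Python equivalent of steps 1 and 2, normalising the copied URLs to `scheme://host[:port]` (lower-casing the host, dropping userinfo and default ports) and then keeping the origins whose probe returned 404 or could not be reached at all (a dangling CNAME frequently fails to resolve, which the grep for 404 would miss). The probe results are constructed; on an engagement fill them from meg's output or real requests.

```python
"""From a Burp URL export to subdomain-takeover candidates.

Added example, not code from The Pentesting Guide.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def unique_origins(urls):
    """Normalise URLs to scheme://host[:port], preserving first-seen order."""
    seen, out = set(), []
    for raw in urls:
        raw = raw.strip()
        if not raw:
            continue
        try:
            p = urlsplit(raw)
            host, port = p.hostname, p.port  # .port raises ValueError on junk ports
        except ValueError:
            continue
        if p.scheme not in DEFAULT_PORTS or not host:
            continue
        origin = f"{p.scheme}://{host.lower()}"
        if port and port != DEFAULT_PORTS[p.scheme]:
            origin += f":{port}"
        if origin not in seen:
            seen.add(origin)
            out.append(origin)
    return out


def takeover_candidates(results):
    """results maps origin -> HTTP status, or None when the host did not resolve/connect."""
    return sorted(o for o, status in results.items() if status == 404 or status is None)


def hosts_to_check(candidates):
    """Bare hostnames to resolve (dig CNAME) and look up at the third party in step 3."""
    return [urlsplit(c).hostname for c in candidates]


if __name__ == "__main__":
    # Constructed stand-in for burp_urls.txt
    burp_urls = [
        "https://App.Example.com/login",
        "https://app.example.com:443/assets/a.js",
        "http://user@old.example.com:8080/",
        "https://cdn.example.com/x",
    ]
    origins = unique_origins(burp_urls)
    # Constructed probe results: one 404, one unresolvable host, one healthy site
    probe = {origins[0]: 200, origins[1]: 404, origins[2]: None}
    print(hosts_to_check(takeover_candidates(probe)))
```

A 404 alone proves nothing (plenty of live hosts return it for `/`); the result is a shortlist for step 3, where the CNAME target and the registration status at the provider decide whether the takeover is real.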

4.2.11 Test Cloud Storage

Test with AWS-CLI

Evidence:
