Web server pentesting is carried out under three significant categories: identify, analyse and report vulnerabilities such as authentication weaknesses, configuration mistakes and protocol-related vulnerabilities.
1. Conducting a series of repeatable and systematic tests is the best way to evaluate the web server and, in addition, to cover all of the different application vulnerabilities.
2. Collecting as much information as possible about the organization, ranging over its operating environment, is the main area to focus on in the preliminary phase of web server pen testing.
3. Perform web server authentication testing; use social engineering techniques to collect information about human resources, contact details and other social-related information.
4. Gather information about the target: use whois database query tools to get details such as domain name, IP address, administrative details, autonomous system number, DNS, etc.
5. Fingerprint the web server to collect information such as server name, server type, operating system and the applications running on the server, using fingerprint scanning tools such as Netcraft, HTTPrecon and ID Serve.
6. Crawl the website to gather specific details from it, such as email addresses.
7. Enumerate web server directories to extract crucial details about web functionality, login forms and so on.
8. Perform a directory traversal attack to gain access to restricted directories and execute commands from outside the web server root directory.
9. Perform vulnerability scanning to identify weaknesses in the network using scanning tools such as HP WebInspect and Nessus, and determine whether the system can be exploited.
10. Perform a web cache poisoning attack to force the web server's cache to flush its actual cache content and send a specially crafted request that will be stored in the cache.
11. Perform an HTTP response splitting attack to pass malicious data to a vulnerable application that includes the data in an HTTP response header.
12. Brute-force SSH, FTP and other services' login credentials to gain unauthorized access.
13. Perform session hijacking to capture valid session cookies and IDs; use tools such as Burp Suite, Firesheep and JHijack to automate session hijacking.
14. Perform a MITM attack to gain access to sensitive information by intercepting the communications between end users and web servers.
15. Use tools such as Webalizer and AWStats to analyze the web server logs.
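Steps 8, 12 and 15 above all leave traces in the server's own logs, so the defender's counterpart to this list is log analysis. The following PowerShell script is an added example, not code from the original article or from any of the tools it names: it parses IIS W3C Extended log lines (the format the Microsoft checklist below asks for), flags directory traversal requests after URL-decoding them, and reports clients that produced a burst of 401 responses against a login page. The lines in $SampleLog are constructed sample data, and the threshold of five 401s is an assumption to tune for the real site.

```powershell
# Added example, not from the original article: analyse IIS W3C Extended log
# lines for traversal attempts and logon brute-force bursts.
# $SampleLog is constructed sample data, not a real server's log.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 00:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/5.0 200
2024-01-01 00:00:02 10.0.0.5 GET /images/../../../windows/win.ini - 80 - 198.51.100.9 curl/8.0 404
2024-01-01 00:00:03 10.0.0.5 GET /images/%2e%2e%2f%2e%2e%2fboot.ini - 80 - 198.51.100.9 curl/8.0 404
2024-01-01 00:00:04 10.0.0.5 POST /login.aspx - 80 - 203.0.113.4 python-requests/2.31 401
2024-01-01 00:00:05 10.0.0.5 POST /login.aspx - 80 - 203.0.113.4 python-requests/2.31 401
2024-01-01 00:00:06 10.0.0.5 POST /login.aspx - 80 - 203.0.113.4 python-requests/2.31 401
2024-01-01 00:00:07 10.0.0.5 POST /login.aspx - 80 - 203.0.113.4 python-requests/2.31 401
2024-01-01 00:00:08 10.0.0.5 POST /login.aspx - 80 - 203.0.113.4 python-requests/2.31 401
2024-01-01 00:00:09 10.0.0.5 POST /login.aspx - 80 - 198.51.100.7 Mozilla/5.0 401
'@

function ConvertFrom-W3CLog {
    # Turn W3C Extended log lines into objects named after the #Fields directive.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.+)$') { $fields = $Matches[1] -split '\s+'; continue }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split '\s+'
        $entry = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $entry[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { $null }
        }
        [pscustomobject]$entry
    }
}

function Test-TraversalPath {
    # Decode up to three times so %2e%2e%2f and double-encoded forms are caught,
    # then look for a ".." path segment.
    param([string]$Path)
    $decoded = $Path
    for ($i = 0; $i -lt 3; $i++) {
        $next = [uri]::UnescapeDataString($decoded)
        if ($next -eq $decoded) { break }
        $decoded = $next
    }
    return ($decoded -match '(^|[\\/])\.\.([\\/]|$)')
}

function Find-TraversalAttempt {
    param([object[]]$Entries)
    foreach ($e in $Entries) {
        # IIS writes "-" for an empty query string.
        $query = if ($e.'cs-uri-query' -eq '-') { '' } else { $e.'cs-uri-query' }
        if ((Test-TraversalPath $e.'cs-uri-stem') -or (Test-TraversalPath $query)) { $e }
    }
}

function Find-LogonBruteForce {
    # Clients with at least $Threshold 401 responses (assumed threshold).
    param([object[]]$Entries, [int]$Threshold = 5)
    $Entries |
        Where-Object { $_.'sc-status' -eq '401' } |
        Group-Object -Property 'c-ip' |
        Where-Object { $_.Count -ge $Threshold } |
        ForEach-Object { [pscustomobject]@{ ClientIP = $_.Name; Failed401 = $_.Count } }
}

$entries = @(ConvertFrom-W3CLog -Lines ($SampleLog -split "`r?`n"))
"Traversal attempts:"
Find-TraversalAttempt -Entries $entries | Format-Table date, time, 'c-ip', 'cs-uri-stem' -AutoSize
"Possible logon brute force (>= 5 x 401 from one client):"
Find-LogonBruteForce -Entries $entries | Format-Table -AutoSize
```

On a live server, replace $SampleLog with `Get-Content` of the files under the site's log directory; the parser keys on the #Fields line, so it tolerates whatever field selection the site is configured with.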
Important Checklist Suggested by Microsoft
Unnecessary Windows services are disabled.
Services are running under least-privileged accounts.
FTP, SMTP, and NNTP services are disabled if they are not required.
Telnet service is disabled.
WebDAV is disabled if not used by the application, or it is secured if it is required.
TCP/IP stack is hardened.
NetBIOS and SMB are disabled (closes ports 137, 138, 139, and 445).
Files and Directories.
Files and directories are contained on NTFS volumes.
Web site content is located on a non-system NTFS volume.
Log files are located on a non-system NTFS volume and not on the same volume where the Web site content resides.
The Everyone group is restricted (no access to \WINNT\system32 or Web directories).
Web site root directory has a deny write ACE for anonymous Internet accounts.
Content directories have a deny write ACE for anonymous Internet accounts.
Remote administration application is removed.
Resource kit tools, SDKs, and utilities are removed.
Test applications are removed.
Auditing and Logging.
Failed logon attempts are audited.
IIS log files are relocated and secured.
Log files are configured with an appropriate size depending on the application security requirement.
Log files are regularly archived and analyzed.
Access to the Metabase.bin file is audited.
IIS is configured for W3C Extended log file format auditing.

Internet-facing interfaces are restricted to port 80 (and 443 if SSL is used).
Intranet traffic is encrypted (for example, with SSL) or restricted if you do not have a secure data center infrastructure.
Ensure certificate date ranges are valid.
Only use certificates for their intended purpose (for example, the server certificate is not used for e-mail).
Ensure the certificate's public key is valid, all the way to a trusted root authority.
Confirm that the certificate has not been revoked.
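The four certificate items above can be checked from the server itself. The PowerShell function below is an added example, not code from the original article or from Microsoft: it reads the certificates in the machine's personal store with the .NET X509 classes, reports whether the current date lies within NotBefore/NotAfter, whether the Extended Key Usage includes server authentication and whether it also allows e-mail protection, and builds the chain with online revocation checking so that an untrusted root, a partial chain or a revoked certificate shows up as a failed column. The store path and the two EKU OIDs are the standard ones; nothing else is assumed.

```powershell
# Added example, not from the original article: audit local server certificates
# for validity dates, intended purpose, chain to a trusted root and revocation.
function Test-ServerCertificate {
    param(
        # Defaults to every certificate in the machine's personal store.
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificate =
            (Get-ChildItem -Path Cert:\LocalMachine\My)
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $emailProt  = '1.3.6.1.5.5.7.3.4'   # id-kp-emailProtection
    $now = Get-Date

    foreach ($cert in $Certificate) {
        # Collect the Extended Key Usage OIDs declared on the certificate.
        $ekuOids = @()
        foreach ($ext in $cert.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekuOids += @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
            }
        }

        # Build the chain with online revocation checking for every certificate in it.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        $null = $chain.Build($cert)
        # An empty ChainStatus means the chain built cleanly under that policy.
        $status = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        $chain.Dispose()

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            DatesValid          = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ExpiresOn           = $cert.NotAfter
            HasServerAuthEku    = ($ekuOids -contains $serverAuth)
            AlsoUsableForEmail  = ($ekuOids -contains $emailProt)
            ChainsToTrustedRoot = -not ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain')
            NotRevoked          = -not ($status -contains 'Revoked')
            RevocationChecked   = -not ($status -contains 'RevocationStatusUnknown' -or $status -contains 'OfflineRevocation')
            ChainStatus         = ($status -join ', ')
        }
    }
}

Test-ServerCertificate | Format-List
```

A host without outbound access to the CA's CRL or OCSP endpoints reports RevocationChecked as False rather than silently passing; treat that as "unknown", not as "not revoked".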
Remote registry access is restricted.
SAM is secured (HKLM\System\CurrentControlSet\Control\LSA\NoLMHash).
Unused accounts are removed from the server.
Guest account is disabled.
IUSR_MACHINE account is disabled if it is not used by the application.
If your applications require anonymous access, a custom least-privileged anonymous account is created.
The anonymous account does not have write access to Web content directories and cannot execute command-line tools.
Strong account and password policies are enforced for the server.
Remote logons are restricted. (The "Access this computer from the network" user right is removed from the Everyone group.)
Accounts are not shared among administrators.
Null sessions (anonymous logons) are disabled.
Approval is required for account delegation.
Administrators and users do not share accounts.
No more than two accounts exist in the Administrators group.
Administrators are required to log on locally, or the remote administration solution is secured.
All unnecessary shares are removed (including default administration shares).
Access to required shares is restricted (the Everyone group does not have access).
Administrative shares (C$ and Admin$) are removed if they are not required (Microsoft Systems Management Server (SMS) and Microsoft Operations Manager (MOM) require these shares).
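Most of the checklist items above (unneeded services, WebDAV, NetBIOS/SMB ports, NoLMHash and null sessions, the Guest account, the size of the Administrators group, administrative and Everyone-readable shares, W3C logging with log files off the system and content volumes) can be verified in one read-only pass. The PowerShell function below is an added example, not Microsoft's checklist tooling or code from the original article. It assumes an elevated session on the IIS host with the WebAdministration module available; the service names (TlntSvr, ftpsvc, SMTPSVC, NntpSvc, RemoteRegistry), registry values and module names are the standard Windows ones, and the script only reports, it changes nothing.

```powershell
# Added example, not from the original article or from Microsoft: a read-only
# audit of a Windows/IIS host against the hardening checklist items above.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Test-WebServerHardening {
    [CmdletBinding()]
    param()
    $results = New-Object System.Collections.Generic.List[object]
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # Services the checklist wants disabled unless the application needs them.
    $unwanted = @{ TlntSvr = 'Telnet'; ftpsvc = 'FTP'; SMTPSVC = 'SMTP'; NntpSvc = 'NNTP'; RemoteRegistry = 'Remote Registry' }
    foreach ($name in $unwanted.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Add-Result "$($unwanted[$name]) service" $true 'not installed'; continue }
        Add-Result "$($unwanted[$name]) service" ($svc.StartType -eq 'Disabled') "status=$($svc.Status) start=$($svc.StartType)"
    }

    # WebDAV: the IIS module should not be registered unless the application needs it.
    $webdav = Get-WebGlobalModule -Name WebDAVModule -ErrorAction SilentlyContinue
    Add-Result 'WebDAV module absent' (-not $webdav) $(if ($webdav) { 'WebDAVModule is registered' } else { 'not registered' })

    # NetBIOS/SMB listeners (ports 137, 138, 139, 445).
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in @(139, 445) }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue | Where-Object { $_.LocalPort -in @(137, 138) }
    $open = @($tcp | ForEach-Object { "tcp/$($_.LocalPort)" }) + @($udp | ForEach-Object { "udp/$($_.LocalPort)" })
    Add-Result 'NetBIOS/SMB ports closed' ($open.Count -eq 0) $(if ($open) { ($open | Sort-Object -Unique) -join ' ' } else { 'none listening' })

    # Registry: LM hashes not stored, anonymous (null session) enumeration restricted.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    Add-Result 'NoLMHash set' ($lsa.NoLMHash -eq 1) "NoLMHash=$($lsa.NoLMHash)"
    Add-Result 'Null sessions restricted' ($lsa.RestrictAnonymous -ge 1) "RestrictAnonymous=$($lsa.RestrictAnonymous)"

    # Accounts: Guest disabled, no more than two members in Administrators.
    $guest = Get-LocalUser -Name Guest -ErrorAction SilentlyContinue
    Add-Result 'Guest account disabled' (-not $guest -or -not $guest.Enabled) "enabled=$($guest.Enabled)"
    $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue)
    Add-Result 'At most 2 Administrators members' ($admins.Count -le 2) (($admins | ForEach-Object { $_.Name }) -join ', ')

    # Shares: admin shares removed, no share granting Everyone (IPC$ deliberately skipped).
    $shares = @(Get-SmbShare -ErrorAction SilentlyContinue | Where-Object { $_.Name -ne 'IPC$' })
    $adminShares = @($shares | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' })
    Add-Result 'Administrative shares removed' ($adminShares.Count -eq 0) (($adminShares | ForEach-Object { $_.Name }) -join ', ')
    $everyone = @(foreach ($s in $shares) {
        if (Get-SmbShareAccess -Name $s.Name -ErrorAction SilentlyContinue |
            Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' }) { $s.Name }
    })
    Add-Result 'No share grants Everyone' ($everyone.Count -eq 0) ($everyone -join ', ')

    # IIS logging: W3C format, logs off the system volume and off the content volume.
    $systemDrive = $env:SystemDrive
    foreach ($site in @(Get-Website -ErrorAction SilentlyContinue)) {
        $logDir = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        $logDrive = Split-Path -Path $logDir -Qualifier -ErrorAction SilentlyContinue
        $contentDrive = Split-Path -Path ([Environment]::ExpandEnvironmentVariables($site.physicalPath)) -Qualifier -ErrorAction SilentlyContinue
        Add-Result "Site '$($site.Name)' W3C logging" ($site.logFile.logFormat -eq 'W3C') "logFormat=$($site.logFile.logFormat)"
        Add-Result "Site '$($site.Name)' logs off system volume" ($logDrive -ne $systemDrive) "logs=$logDir"
        Add-Result "Site '$($site.Name)' logs off content volume" ($logDrive -ne $contentDrive) "content=$($site.physicalPath)"
    }
    $results
}

Test-WebServerHardening | Format-Table -AutoSize
```

A False in the Pass column is a finding to review against the application's actual needs (the checklist itself allows FTP, WebDAV or the admin shares where they are required), not an automatic defect; pipe the output to `Export-Csv` to keep a baseline and diff it after each change window.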