Common Applications
NMAP Web Discovery
$ nmap -p 80,443,8000,8080,8180,8888,1000 --open -oA web_discovery -iL scope_list
Screenshotting Tools
Using EyeWitness
$ sudo apt install eyewitness
$ eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness
Using Aquatone
$ wget https://github.com/michenriksen/aquatone/releases/download/v1.7.0/aquatone_linux_amd64_1.7.0.zip
$ unzip aquatone_linux_amd64_1.7.0.zip
$ cat web_discovery.xml | ./aquatone -nmap
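An added example (not from the page or from EyeWitness/Aquatone): a small Python script that reads the XML written by the nmap command above and prints one URL per open web port, mapping the usual TLS ports and nmap's `tunnel="ssl"` hint to https. The embedded sample XML and the 10.129.201.x addresses are constructed for the demo.

```python
"""Turn nmap XML from the web discovery scan into a URL list for screenshotting."""
import xml.etree.ElementTree as ET

# Ports that are normally served over TLS; anything else defaults to http.
TLS_PORTS = {443, 8443}

# Constructed sample in the layout nmap -oA writes; not a real scan result.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.129.201.50" addrtype="ipv4"/>
    <hostnames><hostname name="app.inlanefreight.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.129.201.51" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8180"><state state="open"/><service name="http" tunnel="ssl"/></port>
    </ports>
  </host>
</nmaprun>
"""


def web_urls(xml_text: str) -> list[str]:
    """Return one URL per open port, preferring the hostname nmap resolved over the raw IP."""
    urls = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        hn = host.find("hostnames/hostname")
        target = hn.get("name") if hn is not None else addr
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # filtered/closed ports are not worth a screenshot
            num = int(port.get("portid"))
            svc = port.find("service")
            tls = num in TLS_PORTS or (svc is not None and svc.get("tunnel") == "ssl")
            scheme = "https" if tls else "http"
            default = 443 if tls else 80
            urls.append(f"{scheme}://{target}" + ("" if num == default else f":{num}"))
    return urls


if __name__ == "__main__":
    print("\n".join(web_urls(SAMPLE_XML)))
```

Redirect the output to a file and it can be fed to any screenshot tool that accepts a plain URL list.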
Example Note Taking
External Penetration Test - <Client Name>
Scope
(including in-scope IP addresses/ranges, URLs, any fragile hosts, testing timeframes, and any limitations or other relevant information we need handy)
Client Points of Contact
Credentials
Discovery/Enumeration
Scans
Live hosts
Application Discovery
Scans
Interesting/Notable Hosts
Exploitation
<Hostname or IP>
<Hostname or IP>
Post-Exploitation
<Hostname or IP>
<Hostname or IP>
Application Hardening
General Hardening Tips
The applications discussed in this section should be hardened to prevent compromise using these techniques and others. Below are some important measures that can help secure deployments of WordPress, Drupal, Joomla, Tomcat, Jenkins, osTicket, GitLab, PRTG Network Monitor, and Splunk in any environment.
Secure authentication
: Applications should enforce strong passwords during registration and setup, and default administrative account passwords should be changed. If possible, the default administrative accounts should be disabled and new custom administrative accounts created. Some applications inherently support 2FA, which should be made mandatory for at least administrator-level users.
Access controls
: Proper access control mechanisms should be implemented per application. For example, login pages should not be accessible from the external network unless there is a valid business reason for this access. Similarly, file and folder permissions can be configured to deny uploads or application deployments.
Disable unsafe features
: Features such as PHP code editing in WordPress can be disabled to prevent code execution if the server is compromised.
Regular updates
: Applications should be updated regularly, and patches supplied by vendors should be applied as soon as possible.
Backups
: System administrators should always configure website and database backups, allowing the application to be quickly restored in case of a compromise.
Security monitoring
: There are various tools and plugins that can be used to monitor the status of our applications and various security-related issues. Another option is a Web Application Firewall (WAF). While not a silver bullet, a WAF can add an extra layer of protection provided all the measures above have already been taken.
LDAP integration with Active Directory
: Integrating applications with Active Directory single sign-on can increase ease of access, provide more auditing functionality (especially if synced with Azure), and make managing credentials and service accounts more streamlined. It also decreases the number of accounts and passwords that a user has to remember and gives fine-grained control over the password policy.
Application-Specific Hardening Tips
Though the general concepts for application hardening apply to all applications that we discussed in this module and will encounter in the real world, we can take some more specific measures. Here are a few:
WordPress
Security monitoring
Use a security plugin such as WordFence, which includes security monitoring, blocking of suspicious activity, country blocking, two-factor authentication, and more
Joomla
Access controls
A plugin such as AdminExile can be used to require a secret key to log in to the Joomla admin page, such as http://joomla.inlanefreight.local/administrator?thisismysecretkey
Tomcat
Access controls
Limit access to the Tomcat Manager and Host-Manager applications to localhost only. If these must be exposed externally, enforce IP whitelisting and set a very strong password and a non-standard username.
Splunk
Regular updates
Make sure to change the default password and ensure that Splunk is properly licensed to enforce authentication
PRTG Network Monitor
Secure authentication
Make sure to stay up to date and change the default PRTG password
osTicket
Access controls
Limit access from the internet if possible
Secure authentication
Enforce sign-up restrictions, such as requiring admin approval for new sign-ups and configuring allowed and denied domains