SecSite - 302 Mystery

Discuss the many weaknesses of browser security and ways to mitigate the threat

SecSite - 302 Mystery

Post by Okeymaker on Fri Jan 06, 2012 6:41 am
([msg=63565]see SecSite - 302 Mystery[/msg])

Target: A website that offers security services. I know from a source that one of the persons who works there is a real hacker with who once hacked a gov site so maybe they are proffessional.

STORY: When I was using Havij to find the admin page to a website, it gave me 302 responses on every try. Ofc they were all false and when I tried them in a browser I got 402 as pageresult. I wonder how this could be?

CLUES: I know that they uses MysQl on port 3306 - That is the only clue I have. They dont have any ports open except 21 an 80. But they do use 443 for https. Nmap aggressive OS guesses that they use OpenBSD 4."X" and says that 996 ports are filtered. I dont know how to interpret that?
~SEEK AND HEAL~ Failure
User avatar
Okeymaker
Experienced User
Experienced User
 
Posts: 59
Joined: Tue Jan 04, 2011 11:22 am
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by LoGiCaL__ on Fri Jan 06, 2012 9:26 am
([msg=63567]see Re: SecSite - 302 Mystery[/msg])

It's unclear to me what your end game is here. Without jumping the gun, if you're asking for help to hack a website then you should know no one here will be able to help you out. About your nmap question. The filtered ports are probably behind a firewall and that's why nmap is showing them as filtered.
User avatar
LoGiCaL__
Addict
Addict
 
Posts: 1060
Joined: Sun May 30, 2010 12:33 pm
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by limdis on Fri Jan 06, 2012 12:32 pm
([msg=63568]see Re: SecSite - 302 Mystery[/msg])

Right, kinda vague. Just going to take a stab in the dark here cause yes not really sure if you want someone to figure this out or explain it. Being you are getting both 302 and 402 it is possible that you have found what you want to find, but their .htaccess file only allows their specific range of IPs, thus resulting in those errors. Just my thoughts given your description.
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1341
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by Okeymaker on Wed Jan 11, 2012 2:26 pm
([msg=63651]see Re: SecSite - 302 Mystery[/msg])

I dont wanna hack the page, I just wanna know wehere they put admin page.
limdis wrote:Right, kinda vague. Just going to take a stab in the dark here cause yes not really sure if you want someone to figure this out or explain it. Being you are getting both 302 and 402 it is possible that you have found what you want to find, but their .htaccess file only allows their specific range of IPs, thus resulting in those errors. Just my thoughts given your description.


Impossible. The reason why I posted this here its because its so strange. Havij simply test all common logon adresses. It got over 50 matches. But they result in 402 error when browsing them. So I thought that maybe the sceurity site is supermega awesome skilled and can fool programs like that just to mess with the hackers. But how? Maybe through letting ASP tell MySql when ha bot/program strikes and generate lots of fake pages? I dunno.

LOGICAL: Zenmap use to say WHICH ports are filtered, but it didnt in this case. A bit strange, because what website uses exactly 1000 ports?
~SEEK AND HEAL~ Failure
User avatar
Okeymaker
Experienced User
Experienced User
 
Posts: 59
Joined: Tue Jan 04, 2011 11:22 am
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by tremor77 on Wed Jan 11, 2012 3:14 pm
([msg=63652]see Re: SecSite - 302 Mystery[/msg])

First you say " Nmap aggressive OS guesses that they use OpenBSD 4."X" and says that 996 ports are filtered. I dont know how to interpret that?"

And then you mention ASP.

So my guess is that you are dealing with an IIS website running a .NET CMS, perhaps Umbraco or Sitefinity. These are pretty strong systems. It's likely the site responds to any page request... have you been able to actual get a real 404? The Nmap result is probably returning the OS of a hardware firewall... perhaps a Watchguard Firebox Edge series - I believe they run OpenBSD but don't quote me on that. If you ask wtfpancake? Why would someone be running an IIS Server behind a Firebox? Reason - it may be also an Exchange or AD server. Or even more likely - it's a nice big HoneyPot and you're being trolled.
Image
User avatar
tremor77
Contributor
Contributor
 
Posts: 870
Joined: Wed Mar 31, 2010 12:00 pm
Location: New York
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by Okeymaker on Fri Jan 13, 2012 2:22 am
([msg=63669]see Re: SecSite - 302 Mystery[/msg])

trempr77: That was the best reply I ever got on this site. Thanx!
I will do a closer check on it. Someday. And again: Im not so stupid that Im gonna attack this site. I dont know how to hack something so dont worry.
~SEEK AND HEAL~ Failure
User avatar
Okeymaker
Experienced User
Experienced User
 
Posts: 59
Joined: Tue Jan 04, 2011 11:22 am
Blog: View Blog (0)


Re: SecSite - 302 Mystery

Post by wzrd1985 on Fri Feb 17, 2012 8:18 am
([msg=64431]see Re: SecSite - 302 Mystery[/msg])

I may not be an expert, but have you taken into consideration ModSecurity? It has the ability to differentiate between requests, act as a honeypot, and provide header and OS disimulations as you said, even disimulate the platform.
wzrd1985
New User
New User
 
Posts: 1
Joined: Fri Feb 17, 2012 8:14 am
Blog: View Blog (0)



Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests