Pentest Vectors

Enginsight's automated pentest consists of four elements:

  1. Information Gathering: Through base and deep scans, Hacktor creates a footprint of the application environment.

  2. CVE scan: Hacktor scans the detected applications for known vulnerabilities.

  3. Service Bruteforce: Automated testing of user password combinations reveals insecure login data.

  4. Service Discovery: Special checks, e.g. of the encryption, authentication and privileges of certain services, reveal security-relevant configuration deficiencies.

Engnisight automatically determines which tests to use for each target system. Only those services that we have implemented are tested. In the following you will learn in detail what Hacktor can check.

Information Gathering

The goal of information gathering is to create as comprehensive a footprint as possible of the systems under investigation. Footprinting is the collection of information that is used for subsequent hacking attacks. This procedure is also used by real hackers to assess which attack vectors are promising. Therefore, from a security perspective, it is best to disclose as little as possible about the technologies used to the outside world.

The Enginsight Hacktor uses different approaches for footprinting. On the one hand, there are the basic scans: Ports and HTTP headers are examined. On the other hand, deep scans, where the web application and SNMP are examined, among other things.

Basic Scan

Service

Description

Ports

Open ports are examined for the application behind them and whether the version used is revealed.

HTTP-Header

HTTP headers (especially X-Mod pagespeed and server) often reveal information about the system in an avoidable way.

Deep Scan

Service

Description

Webapplication

Using statistical methods, web applications are examined for the technologies used (e.g. CMS, programming languages and libraries).

SNMP (Operating system)

If necessary, the operating system used can be revealed via SNMP. A very valuable piece of information for attackers.

SNMP (installed packages)

It may be possible to access the installed packages via SNMP. This is highly sensitive information.

Accessible Remote Control Service

Services via which remote maintenance can be carried out must be viewed critically from a security perspective.

Accessible mDNS service

Enabled multicast DNS (mDNS) functionality can be abused to spy information and prepare attacks. Check whether mDNS is needed, disable it if necessary, or make sure that it is only accessible to trusted clients.

CVE-Scan

In addition, Hacktor checks the software versions used to provide the services for CVEs. This is a network-side area scan for security vulnerabilities.

If Hacktor finds a security vulnerability (CVE), it tries to validate it. This means that it checks whether the vulnerability is effective in the corresponding operating system, i.e. whether it can be exploited. If this is the case, the vulnerability is marked "validated". It may not be possible for Hacktor to determine the operating system beyond doubt. In this case, the vulnerability cannot be validated. It still appears in the audit report, but is marked "invalidated". In this case, the user must check for himself whether the vulnerability is effective on this system.

Service Bruteforce

As part of the bruteforce attack, the hacker attempts to gain access to your system by trying out passwords en masse. If it succeeds, it will try to penetrate deeper into the system with "Extended Bruteforce Usage" enabled.

Bruteforce is offered for the following services:

  • SSH

  • Telnet

  • FTP

  • MySQL

  • Mongo DB

  • MS SQL

  • Redis

  • Maria DB

  • Rabbit MQ

  • PostgrSQL

  • HTTP Basic Auth

  • SNMP

Password lists

You have the choice to either use Enginsight password lists and/or include custom lists. In addition, Hacktor tests service-specific standard authentications.

Service Discovery

In the discovery phase, Hacktor examines the detected services for specific, common configuration flaws. It tests authentication methods, privilege assignments, and encryption methods, among others.

Cross-service checks

Title
Description

Vulnerable to Log4Shell (CVE-2021-44228)

A vulnerable version of the Java framework Log4j, which can be exploited for Log4Shell attacks, is used (CVE-2021-44228). Caution: Connectivity from the target system to Hacktor (port range: 1-1000) must be ensured for the check to return correct results. (HTTP, SSH, FTP, SMTP, IMAP).

DNS (Domain Name System)

Title

Description

Bruteforce HTTP Basic Auth

For HTTP Basic Auth, one or more insecure user password combinations are used.

Bruteforce MongoDB

For MongoDB, one or more insecure user password combinations are used.

Deprecated SPF version

Check the used SPF version (v), currently only SPF1 exists.

Invalid Contact Address for DNS CAA

The specified e-mail address of the certification authority does not correspond to the valid e-mail format (abc@xyz.com).

Invalid DKIM syntax

DomainKeys Identified Mail (DKIM) enables the detection of spoofed email senders.

Invalid DMARC aggregate report email

The report e-mail address contains invalid characters or an invalid e-mail format (not abc@def.com)

Invalid DMARC filtering percentage

The optional percentage filter specification (pct) can be used to define what percentage of the messages are subjected to filtering. The value must therefore be between 1 and 100.

Invalid DMARC policy

The DMARC policy (p) has no ordinary value. Ordinary values are: none, quarantine and reject.

Invalid DMARC protocol version

The version of DMARC (v) must be DMARC1.

Invalid DMARC record content

The content of the DMARC record is not valid because one or more tags in the DMARC record are not set.

Invalid DMARC spf alignment mode

The adjustment mode does not have one of the usual indications strict (s) or relaxed (r).

Invalid DMARC subdomain policy

The DMARC subdomain policy (sp) has no ordinary value. Ordinary values are: none, quarantine and reject.

Invalid SPF syntax

The entry contains unknown entries (known are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.

Missing CDNSKEY Record

CDNSKEY records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.

Missing CDS Record

CDS records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.

Missing Contact Address for DNS CAA

No contact address is given for the Certification Authority Authorization (CAA) that issued the certificate for the domain.

Missing DMARC record

Domain-based Message Authentication, Reporting and Conformance (DMARC) is based on SPF. It allows the sender domain to specify how the recipient should handle the e-mail in the event of a violation.

Missing DNS CAA record

DNS Certification Authority Authorization (CAA) records are used to authorize certain certification authorities (CAs) to issue a certificate for the domain. This prevents certificates from being issued for a domain by mistake.

Missing DNSKEY Record

DNSKEY records are used in the context of DNSSEC to make the public key accessible via a publicly accessible server.

Missing DS DNS Record

DS Records are used within DNSSEC to establish a chain of trust that can be validated using a single public key.

Missing NSEC Record

NSEC records are used within DNSSEC to concatenate all existing entries in alphabetical order. This allows the non-existence of DNS records to be verified.

Missing NSEC3 Record

NSEC3 records are used in the context of DNSSEC. They provide an alternative way to NSEC to verify the non-existence of entries. NSEC3 uses hash values instead of plain text.

Missing RRSIG Record

RRSIG records are used in the context of DNSSEC. They contain the signature of a DNS resource record set.

Missing SPF record

The SPF protocol allows to authorize IP address to send e-mails with the domain. Thus, third parties can be prohibited from misusing the domain name.

Multiple SPF Records found

Never use multiple SPF entries. Instead, combine multiple SPFs into a single entry.

No Support for DNSSEC

Domain Name System Security Extensions (DNSSEC) enables signatures to verify the authenticity and integrity of received data. This prevents data from being diverted or modified.

SPF record contains characters after ALL

No further entries may follow the optional ALL entry.

Uncommon Certification Authority

The certification authority used (issue, wildissue) is not on our whitelist.

FTP (File Transfer Protocol)

Title

Description

Anonymous Access to root (/) Directory

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can easily access the contents of the root directory. This gives easy admin rights to the unauthenticated user.

Anonymous Change Working Directory (cwd) Access

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can change the current working directory using the \"cwd\" command to the specified new path.

Anonymous FTP Session

Anonymous Users i.e. Users with username \"anonymous\" without password authentication can login into the instance.

Anonymous Remove File Permission

Anonymous Users i.e. Users with username \"anonymous\" without password authentication have Remove File Permissions. They can easily delete files on the server.

Anonymous Write File Permission

Anonymous Users i.e. Users with username \"anonymous\" without password authentication have Write File Permissions. They can write into files on server.

HTTP (Hypertext Transfer Protocol)

Title

Description

Allows Access to Credential Store

Set of files that should be securely hidden away are publicly accessible. File set containing information related to user authentication.

Allows Access to Database Dump

Set of files that should be securely hidden away are publicly accessible. File set containing database files.

Allows Open Redirect

The Host allows incorporation of custom data into redirect targets. An attacker can introduce a URL within the application thus redirecting users to an arbitary external domain. Thereby vulnerbale to Phishing attacks against users visiting the web page.

Common Source Leak

Set of files that should be securely hidden away are publicly accessible. They may reveal important information that makes the target potentially more vulnerable.

Cross Site Scripting (XSS)

The Host is vulnerable to injection of malicious code in the form browser side scripts. The Web Application has insufficient input validations and encoding.

Directory Listing is enabled

Directory Listing is a web server function that is left enabled it discloses the contents of a directory that does not have an index file. An attacker can easily gain access to private content on the web server.

Email-address Harvesting

The Host is vulnerable to Email Address Harvesting. Malicious bots can scrape these contacts from the website and store them for later use like illegitimate bulk scam mails i.e. phishing scams.

Missing HTTPS Redirect

The Host contains a redirect. The landing page of the URL further redirects the user to another URL. The call this redirected site does not use HTTPS and hence not secure.

Mixed HTTP content found

The webpage is securely accessed over HTTPS but the content consists of links that are called over insecure HTTP.

Public accessible Backend

The backend is publicly accessible. Restrict the access, e.g. with a VPN.

SQL Injection

In an SQL injection, an attacker attempts to inject their own database commands into an SQL database in order to spy on data or gain control of the system.

Supports Command Injection

The Host has insufficient form input validations. It is susceptible to the execution of arbitary commands on the host Operating System.

Supports File Inclusion

The Host is vulnerable due Local File Inclusion. An attacker can obtain access to root/admin level files and folders thus posing possibilities to read sensitive information, write or execute arbitary commands further causing damage.

Supports Unvalidated Redirects

The web application accepts untrusted input. An attacker can use this to redirect to an untrusted URL.

HTTP-Header

Title

Description

Exposed X-Mod-Pagespeed Header

The X-Mod-Pagespeed Header should be disabled to avoid revealing unneeded information.

Exposed X-Powered-By Header

Many servers are very permissive in their default configuration with the disclosure of information. This concerns especially the X-Powered-By and Server-Header. These should always be deactivated for security reasons.

Insecure Set-Cookie

The set cookie HTTP header is used to transfer cookies from the server to the browser.

Missing Content-Security-Policy Header

The HTTP Content Security Policy regulates which resources can be loaded or executed in the browser in a certain way.

Missing Feature-Policy Header

The feature policy determines which functions or APIs of a browser may be used.

Missing HTTP header flag "secure"

When using HTTPS, all cookies should have a \"secure\"flag. This prevents unwanted reading in the network if the cookie is sent unencrypted.

Missing Referrer-Policy Header

The Referrer-Policy Header is used to access referrer information used website in analytics. Exposing this header makes analytics information to be publicly available.

Missing Strict-Transport-Security

HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both connection encryption being overridden and session hijacking.

Missing X-Content-Type-Options Header

The only defined value \"nosniff\" prevents Internet Explorer from determining and applying a content type other than the declared one by MIME sniffing.

Missing X-Frame-Options Header

The X-frame options can be used to determine whether a calling browser is allowed to embed the target page in a <frame>, <iframe> or <object> render.

Missing X-XSS-Protection Header

The X-XSS protection can prevent browsers from loading a target page if a Cross-Site Scripting (XSS) attack is detected.

Uncommon HTTP Headers

An unknown HTTP header was detected, potentially revealing information. Please check the necessity of the HTTP header and remove it.

LDAP (Lightweight Directory Access Protocol)

Title
Description

Allowed Unauthenticated Bind

If authentication as a user fails (because an empty password was entered by mistake), no warning is issued and anonymous access is granted. As a result, there is a risk of uploading sensitive data for public access.

Allows unsecured Simple Bind

Passwords in clear text may only be transmitted over confidential connections. If the server receives a password in clear text over an unencrypted connection, it must return confidentialityRequired as an error code, regardless of whether the password is correct.

Mongo DB

Title

Description

Allows access to Admin DB

Allows unauthenticated access to Admin Database for the MongoDB instance.

Allows access to Config DB

Allows unauthenticated access to Config Database for the MongoDB instance.

Allows access to diverse DBs

Allows unauthenticated access to various other Databases present in the MongoDB instance.

Allows access to Local DB

Allows unauthenticated access to Local Database for the MongoDB instance.

Allows anonymous login

When a MongoDB is created, no authentication mechanisms are active and the user has all privileges. To increase the security of mongodb, anonymous access should be disabled.

Allows Insert into collection

Allows unauthencticated write access into the available databases. An attacker can insert MongoDB documents without valid authentication into one or all of the databases in Host.

Allows to Delete collection

Allows unauthencticated drop of available databases. An attacker can drop MongoDB documents without valid authentication for one or all of the databases in Host.

MySQL

Title

Description

Access performance_schema DB

MySQL Performance Schema is a feature for monitoring MySQL executions. This information should not be publicly available.

Alter user privileges

The role of users can be changed, for example to a user with administrator rights. In this way, unauthorized access can be enabled.

Anonymous connection from root user

Host Database is accessible without authentication. Anyone without a password can connect to the database.

Anonymous User found

Setting up MySQL instance creates an anonymous user, allowing anyone to log into the database without having a user account setup. It is intented only for testing purposes and must be removed immediately after installation or atleast before moving into production.

Can create new user

Your MySQL database should be configured in such a way that it is not possible for unauthorized persons to create a new user.

Test DB found

Setting up MySQL instance creates a default \"test\" database, which can be accessed by anyone. It is intented only for testing purposes and must be removed immediately after installation or atleast before moving into production.

User found with remote access from any host

The Mysql instance contains user profiles without any password. Thus allowing unauthenticated logins.

User found without password

A secure password should be set for each user of the MySQL database.

RDP (Remote Desktop Protocol)

Title
Description

Missing RDP Network Level Authentication

The login screen is accessible without requiring authentication at the network level. It should be secured using network-level authentication to ensure a secure authentication method.

SMB (Server Message Block: microsoft-ds and netbios-ssn*)

Title

Description

Existing Open Network Shares

A share exists that does not fall under the standard shares.

Allows guest access

If the login is incorrect, guest access is automatically granted, which may have access rights.

Allows read access

Read access to shared folders is possible via SMB.

Allows write access

Write access to shared folders that are not set by default is possible via SMB.

*Netbios-SSN is currently supported only for Linux and not for Windows.

SMTP(Simple Mail Transfer Protocol)

Title
Description

Enables user renumeration via EXPN

The SMTP EXPN command outputs a list of alias addresses with associated destinations. It can be misused to spy out valid usernames or to collect email addresses for spam.

Enables user renumeration via VRFY

The SMTP VRFY command allows to check if an e-mail address exists. It can be misused to spy out valid usernames or collect email addresses for spam.

Allows sending external emails without authentication

Unauthenticated users are allowed to send messages to external e-mail addresses and with external e-mail addresses via the mail relay. The mail server can therefore be misused for phishing attacks or spam messages.

Allows sending internal e-mails without authentication

Unauthenticated users are allowed to send messages from internal e-mail addresses to internal e-mail addresses via the mail relay. The mail server can therefore be misused for spoofing.

SNMP (Simple Network Management Protocol)

Title

Description

Uses ordinary community string

For SNMP, one or more community strings are used for user authentication, which are commonly used and therefore particularly insecure.

Allows read access

Read access to Object Identifier (OID) is possible via SNMP.

Allows write access

Write access to Object Identifier (OID) is possible via SNMP.

SSH (Secure Shell)

Title

Description

Insecure Encryption Algorithms

During the SSH connection setup, a key exchange takes place. During this process, the client and server agree on a common encryption algorithm. A secure encryption method should be selected.

Insecure Key Exchange Algorithms

A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.

Insecure Mac Algorithms

The Message Authentication Code (MAC) is used to obtain certainty about the origin of data and to check its integrity. This verification is secured by means of a keyed-hash message authentication code (HMAC). A secure procedure should be used for this.

Insecure Public Key

The server authenticates itself to its client. Exchange messages from the server receive a public key that the client can use to check the authenticity. A secure procedure should be used for this.

Insecure Server Host Key Algorithms

A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.

Insecure SSH Version

In 2006, SSH-1 was replaced by the revised version network protocol (SSH-2). SSH-1 is no longer considered secure due to cryptographic weaknesses and should therefore not be used.

No Support for SSH Public Key Authentication

The client should have to authenticate itself to the server using a public key, since passwords can be insecure and thus vulnerable to bruteforce.

Supports SSH Password Authentication

Authentication based on asymmetric keys is considered more secure than via a password. Therefore, the option of authentication via password should usually be disabled.

SSL/TLS (Secure Sockets Layer/Transport Layer Security)

Title

Description

Authority and issuer serial number mismatch

Certification body and issuer's serial number do not match.

Authority and subject key identifier mismatch

Certification body and issuer's serial number do not match.

Certificate chain too long

Certificate not trusted

The certificate used is not considered trustworthy.

Certificate rejected

The used certificate causes problems and is therefore rejected.

Certificate revoked

The certificate used has been revoked and should no longer be used.

Cipher supports MD5

MD5 is no longer considered sufficiently safe and should therefore not be used.

Expired Certificate

If the certificate is expired it becomes invalid, you will no longer be able to run secure transactions.

Format error in certificate's notafter field

The notafter field contains an invalid time.

Format error in certificate's notbefore field

The notbefore-field contains an invalid time.

Format error in crl's lastupdate field

The lastupdate field contains an invalid time.

Format error in crl's nextupdate field

The nextupdate field contains an invalid time.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Insecure SSL/TLS Protocol

Only secure protocols should be offered for encryption.

Invalid CA certificate

The certificate issued by the Certificate Authority is invalid.

Invalid certificate

Invalid certificates have had their trust revoked. They should no longer be used.

Invalid Certificate

If the certificate is invalid, you will no longer be able to run secure transactions.

Invalid Certificate Expiry

The expiration date of the certificate used is incorrect.

Invalid certificate signature

Invalid CRL (Certificate Revokation List)

The certificate-revocation-list used is invalid.

Invalid CRL (Certificate Revokation List) expiry

The validity period of the certificate-revocation list used has expired.

Invalid CRL (Certificate Revokation List) signature

Invalid Hostname Validation

The certificate does not contain the host name of the target system.

Key usage does not include certificate signing

No Support for authenticated encryption (AEAD) ciphers

Authenticated Encryption simplifies the realization of confidentiality and authenticity and is therefore recommended.

No Support for latest Protocol (TLSv1.3)

The newest and most secure protocol TLSv1.3 is not being supported.

No Support for Perfect Forward Secrecy

Perfect Forward Secrecy ensures that the newly negotiated session-key cannot be reconstructed from the long-term-key.

No Support for Secure Renegotiation

Secure Renegotiation ensures that no overloading is possible if a client constantly requests new keys. Requests are then blocked and a DDos attack prevented.

Path length constraint exceeded

Self signed certificate

Self-signed certificates are not able to confirm authenticity and are therefore not recommended.

Self signed certificate in certificate chain

Self-signed certificates are not able to confirm authenticity and are therefore not recommended.

Subject issuer mismatch

Certification-body and -issuer do not match.

Supports Anonymous Ciphers

Anonymous ciphers are insecure and should not be used.

Supports Beast Vulnerable Ciphers

Ciphers that contain insecure cryptographic procedures should not be offered.

Supports Common Diffie-Hellman Prime

Using an insecure Diffie-Hellman prime compromises the encryption.

Supports Null Encryption Cipher

A null-cipher means that no encryption is used. This is never recommended except for test purposes.

Supports RC4 Ciphers

RC4 is no longer considered sufficiently safe and should therefore not be used.

Supports SSL/TLS compression

It is not recommended to use compression because it makes SSL/TLS attackable (especially for CRIME, Compression Ratio Info-leak Made Easy).

Supports vulnerable poodle attack ciphers

Poodle attacks use a vulnerability in SSL 3.0 so that encrypted informations of a SSL 3.0 connection can be disclosed.

Supports Weak Protocols

Weak, outdated protocols endanger the security of the SSL/TLS connection.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Algorithm)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Parameter)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Supports Weak SSL/TLS Cipher (Parameter)

SSL/TLS ciphers define which encryption algorithms are used to exchange keys and how the communication gets secured. If insecure SSL/TLS ciphers get offered, the established connection is no longer secure.

Unable to decode issuer public key

The public key is used to enable a secure key-exchange. It should therefore be decodable.

Unable to decrypt certificate's signature

The signature of a certificate enables a third party to confirm the identity of the certificate owner. It should therefore be readable.

Unable to decrypt crl's signature

Unable to get certificate crl

Unable to get issuer certificate

SSL/TLS certificates are issued by Certification Authorities (CA). The issuer must be identifiable.

Unable to get local issuer certificate

Unable to verify the first certificate

Unsupported certificate purpose

Vulnerable according to BSI

The SSL/TLS encryption does not meet the requirements of the BSI.

Vulnerable according to GDPR

The SSL/TLS encryption is contrary to the current state of the technology and therefore violates Art. 32 DSVGO.

Vulnerable against DROWN

Using the outdated SSLv2, recorded TLS traffic can be hacked.

Vulnerable against FREAK

During a FREAK attack, the communication partners are forced to agree on an insecure encryption method, although secure methods are available.

Vulnerable against logjam attack

By exploiting a vulnerability in the Diffie-Hellman-key-exchange, attackers can obtain the secret keys.

Vulnerable against NULL Pointer Dereference

By sending a malicious certificate, an attacker can cause a denial-of-service condition.

Vulnerable against NULL Pointer Dereference

By sending a malicious certificate, an attacker can cause a denial-of-service condition.

Vulnerable against SLOTH attack

Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack.

Vulnerable against Sweet32 attack

The RC4 stream cipher makes the connection vulnerable to Sweet32 attacks.

Weak Diffie-Hellman Parameter

A weak Diffie-Hellman parameter makes the key exchange vulnerable to attacks.

Telnet

Title

Description

No Authentication Required

Telnet is outdated due to its lack of encryption and should not be used anymore if possible. If you want to use Telnet anyway, an authentication method must be used in any case.

Standard User with Administrator Privileges

A standard user should not have admin rights for security reasons.

Last updated