Pentest Vectors

Enginsight's automated pentest consists of four elements:
  1. Information Gathering: Through basic and deep scans, Hacktor creates a footprint of the application environment.
  2. CVE scan: Hacktor scans the detected applications for known vulnerabilities.
  3. Service Bruteforce: Automated testing of user/password combinations reveals insecure login data.
  4. Service Discovery: Special checks, e.g. of the encryption, authentication and privileges of certain services, reveal security-relevant configuration deficiencies.
Enginsight automatically determines which tests to use for each target system. Only those services that we have implemented are tested. In the following you will learn in detail what Hacktor can check.

Information Gathering

The goal of information gathering is to create as comprehensive a footprint as possible of the systems under investigation. Footprinting is the collection of information that is used for subsequent hacking attacks. This procedure is also used by real hackers to assess which attack vectors are promising. Therefore, from a security perspective, it is best to disclose as little as possible about the technologies used to the outside world.
The Enginsight Hacktor uses two approaches for footprinting: basic scans, in which ports and HTTP headers are examined, and deep scans, in which the web application and SNMP are examined, among other things.

Basic Scan

  • Ports: Open ports are examined for the application behind them and whether the version used is revealed.
  • HTTP-Header: HTTP headers (especially X-Mod-Pagespeed and Server) often reveal information about the system unnecessarily.

Deep Scan

  • Webapplication: Using statistical methods, web applications are examined for the technologies used (e.g. CMS, programming languages and libraries).
  • SNMP (Operating system): Where possible, the operating system used is revealed via SNMP. This is a very valuable piece of information for attackers.
  • SNMP (installed packages): It may be possible to access the list of installed packages via SNMP. This is highly sensitive information.
  • Accessible Remote Control Service: Services via which remote maintenance can be carried out must be viewed critically from a security perspective.
  • Accessible mDNS service: Enabled multicast DNS (mDNS) functionality can be abused to gather information and prepare attacks. Check whether mDNS is needed, disable it if it is not, or make sure that it is only accessible to trusted clients.

CVE-Scan

In addition, Hacktor checks the software versions that provide the detected services for CVEs. This is a broad, network-side scan for security vulnerabilities.
If Hacktor finds a security vulnerability (CVE), it tries to validate it. This means that it checks whether the vulnerability is effective on the corresponding operating system, i.e. whether it can be exploited there. If this is the case, the vulnerability is marked "validated". It may not be possible for Hacktor to determine the operating system beyond doubt. In this case, the vulnerability cannot be validated. It still appears in the audit report, but is marked "invalidated". The user must then check for themselves whether the vulnerability is effective on this system.

Service Bruteforce

As part of the bruteforce attack, Hacktor attempts to gain access to your system by trying out passwords en masse. If it succeeds and "Extended Bruteforce Usage" is enabled, it will try to penetrate deeper into the system.
Bruteforce is offered for the following services:
  • SSH
  • Telnet
  • FTP
  • MySQL
  • MongoDB
  • MS SQL
  • Redis
  • MariaDB
  • RabbitMQ
  • PostgreSQL
  • HTTP Basic Auth
  • SNMP

Password lists

You can use the Enginsight password lists, include custom lists, or both. In addition, Hacktor tests service-specific default credentials.

Service Discovery

In the discovery phase, Hacktor examines the detected services for specific, common configuration flaws. It tests authentication methods, privilege assignments, and encryption methods, among others.

Cross-service checks

  • Vulnerable to Log4Shell (CVE-2021-44228): A vulnerable version of the Java logging framework Log4j, which can be exploited for Log4Shell attacks (CVE-2021-44228), is in use. Caution: Connectivity from the target system to Hacktor (port range: 1-1000) must be ensured for the check to return correct results. Applies to HTTP, SSH, FTP, SMTP and IMAP.

DNS (Domain Name System)

  • Bruteforce HTTP Basic Auth: For HTTP Basic Auth, one or more insecure user/password combinations are in use.
  • Bruteforce MongoDB: For MongoDB, one or more insecure user/password combinations are in use.
  • Deprecated SPF version: Checks the SPF version used (v); currently only SPF1 exists.
  • Invalid Contact Address for DNS CAA: The specified e-mail address of the certification authority does not correspond to the valid e-mail format ([email protected]).
  • Invalid DKIM syntax: DomainKeys Identified Mail (DKIM) enables the detection of spoofed e-mail senders.
  • Invalid DMARC aggregate report email: The report e-mail address contains invalid characters or an invalid e-mail format (not [email protected]).
  • Invalid DMARC filtering percentage: The optional percentage filter (pct) defines what percentage of messages is subjected to filtering. Its value must therefore be between 1 and 100.
  • Invalid DMARC policy: The DMARC policy (p) does not have a valid value. Valid values are: none, quarantine and reject.
  • Invalid DMARC protocol version: The DMARC version (v) must be DMARC1.
  • Invalid DMARC record content: The content of the DMARC record is not valid because one or more tags in the DMARC record are not set.
  • Invalid DMARC spf alignment mode: The alignment mode has neither of the valid values strict (s) or relaxed (r).
  • Invalid DMARC subdomain policy: The DMARC subdomain policy (sp) does not have a valid value. Valid values are: none, quarantine and reject.
  • Invalid SPF syntax: The record contains unknown entries (known entries are: spf1, mx, ip4, ip6, exists, include, all, a, redirect, exp, ptr) and/or unauthorized characters.
  • Missing CDNSKEY Record: CDNSKEY records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.
  • Missing CDS Record: CDS records are used in the context of DNSSEC. They are useful when changes are made to the DNSKEY.
  • Missing Contact Address for DNS CAA: No contact address is given for the Certification Authority Authorization (CAA) that issued the certificate for the domain.
  • Missing DMARC record: Domain-based Message Authentication, Reporting and Conformance (DMARC) builds on SPF. It allows the sender domain to specify how the recipient should handle an e-mail in the event of a violation.
  • Missing DNS CAA record: DNS Certification Authority Authorization (CAA) records are used to authorize certain certification authorities (CAs) to issue certificates for the domain. This prevents certificates from being issued for the domain by mistake.
  • Missing DNSKEY Record: DNSKEY records are used in the context of DNSSEC to make the public key available via a publicly accessible server.
  • Missing DS DNS Record: DS records are used within DNSSEC to establish a chain of trust that can be validated using a single public key.
  • Missing NSEC Record: NSEC records are used within DNSSEC to chain all existing entries in alphabetical order. This allows the non-existence of DNS records to be verified.
  • Missing NSEC3 Record: NSEC3 records are used in the context of DNSSEC. They provide an alternative to NSEC for verifying the non-existence of entries. NSEC3 uses hash values instead of plain text.
  • Missing RRSIG Record: RRSIG records are used in the context of DNSSEC. They contain the signature of a DNS resource record set.
  • Missing SPF record: The SPF protocol allows the domain owner to authorize IP addresses to send e-mails for the domain. Thus, third parties can be prevented from misusing the domain name.
  • Multiple SPF Records found: Never use multiple SPF records. Instead, combine them into a single record.
  • No Support for DNSSEC: Domain Name System Security Extensions (DNSSEC) enables signatures that verify the authenticity and integrity of received data. This prevents data from being diverted or modified.
  • SPF record contains characters after ALL: No further entries may follow the optional ALL entry.
  • Uncommon Certification Authority: The certification authority used (issue, wildissue) is not on our whitelist.

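The SPF and DMARC rules in the list above can be checked mechanically. The following Python script is an added example written for this page, not Enginsight or Hacktor code: it applies the listed rules (SPF version, known entries, nothing after ALL, multiple records; DMARC version, policies, pct range, alignment mode, report address) to TXT records. The sample records are constructed, and the allowed-character set for SPF terms is this example's own assumption.

```python
"""SPF and DMARC record checks modelled on the DNS findings listed above.

Added example, not Enginsight/Hacktor code. The TXT records below are
constructed sample inputs; in practice they come from DNS (the TXT records of
the domain for SPF, of _dmarc.<domain> for DMARC).
"""
import re

# Entries the page lists as known SPF terms; the version term is handled separately.
SPF_KNOWN = {"mx", "ip4", "ip6", "exists", "include", "all", "a", "redirect", "exp", "ptr"}
# Assumed set of characters that legitimately occur in SPF terms (incl. %{...} macros).
SPF_CHARS = re.compile(r"^[A-Za-z0-9._:/+~?=%{}\-]+$")
# Optional qualifier, term name, optional argument introduced by ':', '=' or '/'.
SPF_TERM = re.compile(r"^[+\-~?]?([A-Za-z0-9]+)(?:[:=/].*)?$")
DMARC_POLICIES = {"none", "quarantine", "reject"}
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def _unique(items):
    """Keep the first occurrence of each finding, preserving order."""
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def check_spf(txt_records):
    """Return the finding titles that apply to a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf")]
    if not spf:
        return ["Missing SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("Multiple SPF Records found")
    for record in spf:
        terms = record.split()
        if terms[0].lower() != "v=spf1":
            findings.append("Deprecated SPF version")
        seen_all = False
        for term in terms[1:]:
            if seen_all:  # receivers ignore anything after 'all'; it indicates an error
                findings.append("SPF record contains characters after ALL")
                break
            match = SPF_TERM.match(term)
            if not SPF_CHARS.match(term) or not match or match.group(1).lower() not in SPF_KNOWN:
                findings.append("Invalid SPF syntax")
                break
            seen_all = match.group(1).lower() == "all"
    return _unique(findings)


def check_dmarc(txt_record):
    """Return the finding titles for the _dmarc TXT record (None if the record is absent)."""
    if txt_record is None:
        return ["Missing DMARC record"]
    findings, tags = [], {}
    for part in txt_record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            findings.append("Invalid DMARC record content")
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if "v" not in tags or "p" not in tags:  # both tags are mandatory
        findings.append("Invalid DMARC record content")
    if tags.get("v") != "DMARC1":
        findings.append("Invalid DMARC protocol version")
    if "p" in tags and tags["p"].lower() not in DMARC_POLICIES:
        findings.append("Invalid DMARC policy")
    if "sp" in tags and tags["sp"].lower() not in DMARC_POLICIES:
        findings.append("Invalid DMARC subdomain policy")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 1 <= int(pct) <= 100):
        findings.append("Invalid DMARC filtering percentage")
    if "aspf" in tags and tags["aspf"].lower() not in {"s", "r"}:
        findings.append("Invalid DMARC spf alignment mode")
    for uri in tags.get("rua", "").split(","):
        uri = uri.strip()
        if not uri:
            continue
        addr = uri[7:] if uri.lower().startswith("mailto:") else uri
        if not EMAIL.match(addr.split("!", 1)[0]):  # '!' introduces an optional size limit
            findings.append("Invalid DMARC aggregate report email")
            break
    return _unique(findings)


# Constructed sample records (not any real domain's DNS data).
GOOD_SPF = ["v=spf1 a mx ip4:192.0.2.0/24 include:_spf.example.net -all"]
BAD_SPF = ["v=spf1 a -all include:_spf.example.net", "v=spf1 ip4:198.51.100.7 ~all"]
GOOD_DMARC = "v=DMARC1; p=reject; sp=quarantine; pct=100; aspf=s; rua=mailto:dmarc@example.com"
BAD_DMARC = "v=DMARC; p=block; pct=150; aspf=x; rua=mailto:reports example.com"

if __name__ == "__main__":
    for label, result in [("good SPF", check_spf(GOOD_SPF)), ("bad SPF", check_spf(BAD_SPF)),
                          ("good DMARC", check_dmarc(GOOD_DMARC)), ("bad DMARC", check_dmarc(BAD_DMARC))]:
        print(label, "->", result or "no findings")
```

The checks deliberately stop at the first syntax problem per SPF record, since later terms cannot be interpreted reliably once the record is malformed; the DMARC checks, by contrast, report every invalid tag, because each tag is independent.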
FTP (File Transfer Protocol)

  • Anonymous Access to root (/) Directory: Anonymous users, i.e. users with the username "anonymous" and no password authentication, can easily access the contents of the root directory. This gives the unauthenticated user easy admin-level access.
  • Anonymous Change Working Directory (cwd) Access: Anonymous users, i.e. users with the username "anonymous" and no password authentication, can change the current working directory to a specified new path using the "cwd" command.
  • Anonymous FTP Session: Anonymous users, i.e. users with the username "anonymous" and no password authentication, can log in to the instance.
  • Anonymous Remove File Permission: Anonymous users, i.e. users with the username "anonymous" and no password authentication, have remove-file permissions. They can easily delete files on the server.
  • Anonymous Write File Permission: Anonymous users, i.e. users with the username "anonymous" and no password authentication, have write-file permissions. They can write to files on the server.

HTTP (Hypertext Transfer Protocol)

  • Allows Access to Credential Store: A set of files that should be securely hidden away is publicly accessible. The file set contains information related to user authentication.
  • Allows Access to Database Dump: A set of files that should be securely hidden away is publicly accessible. The file set contains database files.
  • Allows Open Redirect: The host allows custom data to be incorporated into redirect targets. An attacker can introduce a URL within the application, redirecting users to an arbitrary external domain. This makes users visiting the web page vulnerable to phishing attacks.
  • Common Source Leak: A set of files that should be securely hidden away is publicly accessible. They may reveal important information that makes the target potentially more vulnerable.
  • Cross Site Scripting (XSS): The host is vulnerable to the injection of malicious code in the form of browser-side scripts. The web application has insufficient input validation and encoding.
  • Directory Listing is enabled: Directory listing is a web server function which, if left enabled, discloses the contents of a directory that does not have an index file. An attacker can easily gain access to private content on the web server.
  • Email-address Harvesting: The host is vulnerable to e-mail address harvesting. Malicious bots can scrape these contacts from the website and store them for later use, such as illegitimate bulk scam mails (phishing).
  • Missing HTTPS Redirect: The host contains a redirect: the landing page of the URL further redirects the user to another URL. The call to this redirected site does not use HTTPS and is hence not secure.
  • Mixed HTTP content found: The web page is securely accessed over HTTPS, but its content includes links that are called over insecure HTTP.
  • Public accessible Backend: The backend is publicly accessible. Restrict access, e.g. with a VPN.
  • SQL Injection: In an SQL injection, an attacker attempts to inject their own database commands into an SQL database in order to spy on data or gain control of the system.
  • Supports Command Injection: The host has insufficient form input validation. It is susceptible to the execution of arbitrary commands on the host operating system.
  • Supports File Inclusion: The host is vulnerable to local file inclusion. An attacker can obtain access to root/admin-level files and folders, making it possible to read sensitive information, write files or execute arbitrary commands, causing further damage.
  • Supports Unvalidated Redirects: The web application accepts untrusted input. An attacker can use this to redirect to an untrusted URL.

HTTP-Header

  • Exposed X-Mod-Pagespeed Header: The X-Mod-Pagespeed header should be disabled to avoid revealing unneeded information.
  • Exposed X-Powered-By Header: Many servers are very permissive in their default configuration regarding the disclosure of information. This particularly concerns the X-Powered-By and Server headers. These should always be deactivated for security reasons.
  • Insecure Set-Cookie: The Set-Cookie HTTP header is used to transfer cookies from the server to the browser.
  • Missing Content-Security-Policy Header: The HTTP Content-Security-Policy header regulates which resources may be loaded or executed in the browser, and in what way.
  • Missing Feature-Policy Header: The Feature-Policy header determines which browser functions or APIs may be used.
  • Missing HTTP header flag "secure": When using HTTPS, all cookies should carry the "secure" flag. This prevents the cookie from being read on the network if it would otherwise be sent unencrypted.
  • Missing Referrer-Policy Header: The Referrer-Policy header controls which referrer information, used by websites for analytics, is passed on with requests. Without this header, referrer information may be exposed publicly.
  • Missing Strict-Transport-Security: HTTP Strict Transport Security (HSTS) is a security mechanism for HTTPS connections that protects against both the connection encryption being overridden and session hijacking.
  • Missing X-Content-Type-Options Header: The only defined value, "nosniff", prevents Internet Explorer from determining and applying a content type other than the declared one by MIME sniffing.
  • Missing X-Frame-Options Header: X-Frame-Options determines whether a calling browser is allowed to embed the target page in a <frame>, <iframe> or <object>.
  • Missing X-XSS-Protection Header: X-XSS-Protection can prevent browsers from loading a target page if a cross-site scripting (XSS) attack is detected.
  • Uncommon HTTP Headers: An unknown HTTP header was detected, potentially revealing information. Please check whether the HTTP header is necessary and remove it if not.

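The header findings above can be reproduced from a single captured response head. The following Python script is an added example for this page, not Enginsight or Hacktor code: it parses the status line and headers, applies each check from the list, and compares a weakly configured response against a hardened one. Both responses are constructed, the list of "well-known" header names is this example's own, the X-Debug-Backend header is a made-up name standing in for any unexpected header, and treating a cookie without HttpOnly as "Insecure Set-Cookie" is this example's assumption about that finding.

```python
"""Audit an HTTP response head for the HTTP-Header findings listed above.

Added example, not Enginsight/Hacktor code. Both responses are constructed
samples; the set of well-known header names and the HttpOnly interpretation of
"Insecure Set-Cookie" are this example's own assumptions.
"""

# Headers expected on a typical response; anything else is reported as uncommon.
WELL_KNOWN = {
    "accept-ranges", "age", "cache-control", "connection", "content-encoding",
    "content-length", "content-security-policy", "content-type", "date", "etag",
    "expires", "feature-policy", "keep-alive", "last-modified", "location",
    "permissions-policy", "pragma", "referrer-policy", "server", "set-cookie",
    "strict-transport-security", "transfer-encoding", "vary", "x-content-type-options",
    "x-frame-options", "x-mod-pagespeed", "x-powered-by", "x-xss-protection",
}


def parse_response_head(raw):
    """Split a raw response head into (status line, [(name_lower, value), ...])."""
    lines = raw.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            break  # the empty line terminates the head
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit_headers(raw, https=True):
    """Return the sorted finding titles for a response (https: it was fetched over TLS)."""
    _, headers = parse_response_head(raw)
    names = {name for name, _ in headers}
    findings = []
    if "x-mod-pagespeed" in names:
        findings.append("Exposed X-Mod-Pagespeed Header")
    # The page's description covers both X-Powered-By and Server under one title.
    if "x-powered-by" in names or any(n == "server" and v for n, v in headers):
        findings.append("Exposed X-Powered-By Header")
    for name, value in headers:
        if name != "set-cookie":
            continue
        attrs = {a.strip().lower() for a in value.split(";")[1:]}
        if https and "secure" not in attrs:
            findings.append('Missing HTTP header flag "secure"')
        if "httponly" not in attrs:  # assumption: this is what "Insecure Set-Cookie" reports
            findings.append("Insecure Set-Cookie")
    if "content-security-policy" not in names:
        findings.append("Missing Content-Security-Policy Header")
    if not names & {"feature-policy", "permissions-policy"}:  # Permissions-Policy is the successor
        findings.append("Missing Feature-Policy Header")
    if "referrer-policy" not in names:
        findings.append("Missing Referrer-Policy Header")
    if https and "strict-transport-security" not in names:
        findings.append("Missing Strict-Transport-Security")
    xcto = [v for n, v in headers if n == "x-content-type-options"]
    if not xcto or xcto[0].lower() != "nosniff":  # 'nosniff' is the only defined value
        findings.append("Missing X-Content-Type-Options Header")
    if "x-frame-options" not in names:
        findings.append("Missing X-Frame-Options Header")
    if "x-xss-protection" not in names:
        findings.append("Missing X-XSS-Protection Header")
    if names - WELL_KNOWN:
        findings.append("Uncommon HTTP Headers")
    return sorted(set(findings))


# Constructed responses (no real server involved). X-Debug-Backend is a made-up header.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "X-Mod-Pagespeed: 1.13.35.2-0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: PHPSESSID=abc123; Path=/\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Debug-Backend: app-03\r\n"
    "\r\n"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Permissions-Policy: camera=(), microphone=()\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("weak:", audit_headers(WEAK_RESPONSE))
    print("hardened:", audit_headers(HARDENED_RESPONSE) or "no findings")
```

The `https` flag matters: the "secure" cookie flag and HSTS only make sense for a response served over TLS, so a scanner has to carry the transport it used into the header evaluation rather than judging the headers in isolation.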
LDAP (Lightweight Directory Access Protocol)

  • Allowed Unauthenticated Bind: If authentication as a user fails (because an empty password was entered by mistake), no warning is issued and anonymous access is granted. As a result, there is a risk of uploading sensitive data for public access.
  • Allows unsecured Simple Bind: Passwords in clear text may only be transmitted over confidential connections. If the server receives a clear-text password over an unencrypted connection, it must return confidentialityRequired as an error code, regardless of whether the password is correct.

Mongo DB

  • Allows access to Admin DB: Allows unauthenticated access to the admin database of the MongoDB instance.
  • Allows access to Config DB: Allows unauthenticated access to the config database of the MongoDB instance.
  • Allows access to diverse DBs: Allows unauthenticated access to various other databases present in the MongoDB instance.
  • Allows access to Local DB: Allows unauthenticated access to the local database of the MongoDB instance.
  • Allows anonymous login: When a MongoDB instance is created, no authentication mechanisms are active and the user has all privileges. To increase the security of MongoDB, anonymous access should be disabled.
  • Allows Insert into collection: Allows unauthenticated write access to the available databases. An attacker can insert MongoDB documents without valid authentication into one or all of the databases on the host.
  • Allows to Delete collection: Allows unauthenticated dropping of the available databases. An attacker can drop MongoDB documents without valid authentication from one or all of the databases on the host.

MySQL

  • Access performance_schema DB: The MySQL Performance Schema is a feature for monitoring MySQL execution. This information should not be publicly available.
  • Alter user privileges: The role of users can be changed, for example to a user with administrator rights. In this way, unauthorized access can be enabled.
  • Anonymous connection from root user: The host database is accessible without authentication. Anyone can connect to the database without a password.
  • Anonymous User found: Setting up a MySQL instance creates an anonymous user, allowing anyone to log in to the database without having a user account set up. It is intended only for testing purposes and must be removed immediately after installation, or at least before moving into production.
  • Can create new user: Your MySQL database should be configured in such a way that unauthorized persons cannot create a new user.
  • Test DB found: Setting up a MySQL instance creates a default "test" database, which can be accessed by anyone. It is intended only for testing purposes and must be removed immediately after installation, or at least before moving into production.
  • User found with remote access from any host: The MySQL instance contains user profiles without any password, thus allowing unauthenticated logins.
  • User found without password: A secure password should be set for each user of the MySQL database.

RDP (Remote Desktop Protocol)

  • Missing RDP Network Level Authentication: The login screen is accessible without requiring authentication at the network level. It should be secured using Network Level Authentication to ensure a secure authentication method.

SMB (Server Message Block: microsoft-ds and netbios-ssn*)

  • Existing Open Network Shares: A share exists that is not one of the standard shares.
  • Allows guest access: If the login is incorrect, guest access is automatically granted, and the guest may have access rights.
  • Allows read access: Read access to shared folders is possible via SMB.
  • Allows write access: Write access to shared folders that are not set up by default is possible via SMB.
*NetBIOS-SSN is currently supported only for Linux, not for Windows.

SMTP(Simple Mail Transfer Protocol)

  • Enables user enumeration via EXPN: The SMTP EXPN command outputs a list of alias addresses with their associated destinations. It can be misused to spy out valid usernames or to collect e-mail addresses for spam.
  • Enables user enumeration via VRFY: The SMTP VRFY command allows checking whether an e-mail address exists. It can be misused to spy out valid usernames or to collect e-mail addresses for spam.
  • Allows sending external emails without authentication: Unauthenticated users are allowed to send messages to external e-mail addresses, and from external e-mail addresses, via the mail relay. The mail server can therefore be misused for phishing attacks or spam messages.
  • Allows sending internal e-mails without authentication: Unauthenticated users are allowed to send messages from internal e-mail addresses to internal e-mail addresses via the mail relay. The mail server can therefore be misused for spoofing.

SNMP (Simple Network Management Protocol)

  • Uses ordinary community string: For SNMP, one or more community strings used for authentication are commonly used ones and therefore particularly insecure.
  • Allows read access: Read access to Object Identifiers (OIDs) is possible via SNMP.
  • Allows write access: Write access to Object Identifiers (OIDs) is possible via SNMP.

SSH (Secure Shell)

  • Insecure Encryption Algorithms: During the SSH connection setup, a key exchange takes place in which the client and server agree on a common encryption algorithm. A secure encryption method should be selected.
  • Insecure Key Exchange Algorithms: A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.
  • Insecure Mac Algorithms: The message authentication code (MAC) is used to establish the origin of data and to check its integrity. This verification is secured by means of a keyed-hash message authentication code (HMAC). A secure procedure should be used for this.
  • Insecure Public Key: The server authenticates itself to the client. Key exchange messages from the server carry a public key that the client can use to check the server's authenticity. A secure procedure should be used for this.
  • Insecure Server Host Key Algorithms: A key exchange takes place as part of the SSH connection setup. The shared session key is used for authentication and encryption of the session. If an insecure key exchange method is used, the security of the connection is compromised.
  • Insecure SSH Version: In 2006, SSH-1 was replaced by the revised version of the network protocol (SSH-2). SSH-1 is no longer considered secure due to cryptographic weaknesses and should therefore not be used.
  • No Support for SSH Public Key Authentication: The client should have to authenticate itself to the server using a public key, since passwords can be insecure and thus vulnerable to bruteforce.
  • Supports SSH Password Authentication: Authentication based on asymmetric keys is considered more secure than password authentication. Therefore, the option of password authentication should usually be disabled.

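The key exchange, host key, cipher and MAC findings above are all derived from the algorithm name-lists a server advertises in its SSH_MSG_KEXINIT message, and the version finding from its identification banner. The following Python script is an added example for this page, not Enginsight or Hacktor code: it decodes a KEXINIT payload as laid out in RFC 4253 (message byte, 16-byte cookie, ten length-prefixed comma-separated name-lists), compares each list against a set of algorithms treated as insecure, and checks the banner. The payloads are built from constructed algorithm lists, and the insecure sets are this example's own choice, not Hacktor's.

```python
"""Parse an SSH_MSG_KEXINIT payload and report the SSH algorithm findings listed above.

Added example, not Enginsight/Hacktor code. The KEXINIT payloads are built
here from constructed algorithm lists; the sets of algorithms treated as
insecure are this example's own choice, not Hacktor's.
"""
import struct

KEXINIT = 20  # SSH_MSG_KEXINIT message number (RFC 4253, section 7.1)
# The ten name-lists of KEXINIT, in wire order.
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

# Finding title -> (name-lists to inspect, algorithms treated as insecure by this example).
WEAK_ALGORITHMS = {
    "Insecure Key Exchange Algorithms": (("kex",), {
        "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
        "diffie-hellman-group-exchange-sha1"}),
    "Insecure Server Host Key Algorithms": (("host_key",), {"ssh-dss", "ssh-rsa"}),  # SHA-1 based
    "Insecure Encryption Algorithms": (("enc_c2s", "enc_s2c"), {
        "3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc",
        "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"}),
    "Insecure Mac Algorithms": (("mac_c2s", "mac_s2c"), {
        "hmac-md5", "hmac-md5-96", "hmac-sha1", "hmac-sha1-96", "umac-64@openssh.com"}),
}


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Serialise ten name-lists into a KEXINIT payload (used here to construct test input)."""
    out = bytes([KEXINIT]) + cookie
    for names in lists:
        data = ",".join(names).encode("ascii")
        out += struct.pack(">I", len(data)) + data
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}; raise ValueError if malformed."""
    if not payload or payload[0] != KEXINIT:
        raise ValueError("not a KEXINIT message")
    off, fields = 17, {}  # 1 byte message type + 16 byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + length]
        if len(raw) != length:
            raise ValueError("truncated name-list")
        off += length
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def audit_kexinit(payload):
    """Map each finding title to the sorted insecure algorithms the server offered."""
    fields = parse_kexinit(payload)
    findings = {}
    for title, (keys, weak) in WEAK_ALGORITHMS.items():
        offered = {alg for key in keys for alg in fields[key]}
        hits = sorted(offered & weak)
        if hits:
            findings[title] = hits
    return findings


def check_banner(banner):
    """Flag an identification string that is not protocol version 2.0 (e.g. 1.99 admits SSH-1)."""
    version = banner.split("-", 2)[1] if banner.startswith("SSH-") else ""
    return [] if version == "2.0" else ["Insecure SSH Version"]


# Constructed server offers (not captured from any real host).
WEAK_OFFER = build_kexinit([
    ["curve25519-sha256", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    ["ssh-ed25519", "ssh-rsa", "ssh-dss"],
    ["aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"],
    ["aes256-gcm@openssh.com", "aes128-cbc", "3des-cbc"],
    ["hmac-sha2-256", "hmac-md5", "hmac-sha1-96"],
    ["hmac-sha2-256", "hmac-md5", "hmac-sha1-96"],
    ["none"], ["none"], [], [],
])
HARDENED_OFFER = build_kexinit([
    ["curve25519-sha256", "diffie-hellman-group16-sha512"],
    ["ssh-ed25519", "rsa-sha2-512"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    ["hmac-sha2-512-etm@openssh.com"], ["hmac-sha2-512-etm@openssh.com"],
    ["none"], ["none"], [], [],
])

if __name__ == "__main__":
    print("weak:", audit_kexinit(WEAK_OFFER))
    print("hardened:", audit_kexinit(HARDENED_OFFER) or "no findings")
    print("banner:", check_banner("SSH-1.99-OpenSSH_3.9") or "ok")
```

Because the server lists every algorithm it accepts, not only the one finally chosen, a single KEXINIT is enough to judge the server's configuration; the parser refuses truncated input rather than silently reporting an empty (and therefore apparently clean) name-list.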
SSL/TLS (Secure Sockets Layer/Transport Layer Security)

  • Authority and issuer serial number mismatch: The certification authority and the issuer's serial number do not match.
  • Authority and subject key identifier mismatch: The authority key identifier of the certificate does not match the subject key identifier of its issuer.
  • Certificate chain too long
  • Certificate not trusted: The certificate used is not considered trustworthy.
  • Certificate rejected: The certificate used causes problems and is therefore rejected.
  • Certificate revoked: The certificate used has been revoked and should no longer be used.
  • Cipher supports MD5: MD5 is no longer considered sufficiently secure and should therefore not be used.
  • Expired Certificate: An expired certificate is invalid; secure transactions can no longer be run with it.
  • Format error in certificate's notAfter field: The notAfter field contains an invalid time.
  • Format error in certificate's notBefore field: The notBefore field contains an invalid time.
  • Format error in CRL's lastUpdate field: The lastUpdate field contains an invalid time.
  • Format error in CRL's nextUpdate field: The nextUpdate field contains an invalid time.
  • Insecure SSL/TLS Protocol: Only secure protocols should be offered for encryption.
  • Invalid CA certificate: The certificate issued by the certificate authority is invalid.
  • Invalid certificate: Invalid certificates have had their trust revoked. They should no longer be used.
  • Invalid Certificate: If the certificate is invalid, you will no longer be able to run secure transactions.
  • Invalid Certificate Expiry: The expiration date of the certificate used is incorrect.
  • Invalid certificate signature
  • Invalid CRL (Certificate Revocation List): The certificate revocation list used is invalid.
  • Invalid CRL (Certificate Revocation List) expiry: The validity period of the certificate revocation list used has expired.
  • Invalid CRL (Certificate Revocation List) signature
  • Invalid Hostname Validation: The certificate does not contain the host name of the target system.
  • Key usage does not include certificate signing
  • No Support for authenticated encryption (AEAD) ciphers: Authenticated encryption simplifies achieving confidentiality and authenticity together and is therefore recommended.
  • No Support for latest Protocol (TLSv1.3): The newest and most secure protocol, TLSv1.3, is not supported.
  • No Support for Perfect Forward Secrecy: Perfect forward secrecy ensures that a newly negotiated session key cannot be reconstructed from the long-term key.
  • No Support for Secure Renegotiation: Secure renegotiation ensures that no overloading is possible if a client constantly requests new keys. Such requests are then blocked and a DDoS attack prevented.
  • Path length constraint exceeded
  • Self signed certificate: Self-signed certificates cannot confirm authenticity and are therefore not recommended.
  • Self signed certificate in certificate chain: Self-signed certificates cannot confirm authenticity and are therefore not recommended.
  • Subject issuer mismatch: Certification authority and issuer do not match.
  • Supports Anonymous Ciphers: Anonymous ciphers are insecure and should not be used.
  • Supports BEAST Vulnerable Ciphers: Ciphers that contain insecure cryptographic procedures should not be offered.
  • Supports Common Diffie-Hellman Prime: Using an insecure Diffie-Hellman prime compromises the encryption.
  • Supports Null Encryption Cipher: A null cipher means that no encryption is used. This is never recommended except for test purposes.
  • Supports RC4 Ciphers: RC4 is no longer considered sufficiently secure and should therefore not be used.
  • Supports SSL/TLS compression: Compression is not recommended because it makes SSL/TLS attackable (especially via CRIME, Compression Ratio Info-leak Made Easy).
  • Supports vulnerable POODLE attack ciphers: POODLE attacks use a vulnerability in SSL 3.0 so that encrypted information of an SSL 3.0 connection can be disclosed.
  • Supports Weak Protocols: Weak, outdated protocols endanger the security of the SSL/TLS connection.
  • Supports Weak SSL/TLS Cipher (Algorithm): SSL/TLS ciphers define which algorithms are used to exchange keys and how the communication is secured. If insecure SSL/TLS ciphers are offered, the established connection is no longer secure.
  • Supports Weak SSL/TLS Cipher (Parameter): SSL/TLS ciphers define which algorithms are used to exchange keys and how the communication is secured. If insecure SSL/TLS ciphers are offered, the established connection is no longer secure.
  • Unable to decode issuer public key: The public key is used to enable a secure key exchange. It must therefore be decodable.
  • Unable to decrypt certificate's signature: The signature of a certificate enables a third party to confirm the identity of the certificate owner. It must therefore be readable.
  • Unable to decrypt CRL's signature
  • Unable to get certificate CRL
  • Unable to get issuer certificate: SSL/TLS certificates are issued by certification authorities (CAs). The issuer must be identifiable.
  • Unable to get local issuer certificate
  • Unable to verify the first certificate
  • Unsupported certificate purpose
  • Vulnerable according to BSI: The SSL/TLS encryption does not meet the requirements of the BSI.
  • Vulnerable according to GDPR: The SSL/TLS encryption is contrary to the current state of the art and therefore violates Art. 32 GDPR (DSGVO).
  • Vulnerable against DROWN: Because the outdated SSLv2 is supported, recorded TLS traffic can be decrypted.
  • Vulnerable against FREAK: During a FREAK attack, the communication partners are forced to agree on an insecure encryption method, although secure methods are available.
  • Vulnerable against Logjam attack: By exploiting a vulnerability in the Diffie-Hellman key exchange, attackers can obtain the secret keys.
  • Vulnerable against NULL Pointer Dereference: By sending a malicious certificate, an attacker can cause a denial-of-service condition.
  • Vulnerable against SLOTH attack: Weak hash functions (MD5, SHA-1) allow a SLOTH (Security Losses from Obsolete and Truncated Transcript Hashes) attack.
  • Vulnerable against Sweet32 attack: The RC4 stream cipher makes the connection vulnerable to Sweet32 attacks.
  • Weak Diffie-Hellman Parameter: A weak Diffie-Hellman parameter makes the key exchange vulnerable to attacks.

Telnet

  • No Authentication Required: Telnet is outdated due to its lack of encryption and should no longer be used if at all possible. If you want to use Telnet anyway, an authentication method must be used in any case.
  • Standard User with Administrator Privileges: A standard user should not have admin rights, for security reasons.