Finding Interesting Web Servers on a Penetration Test

Large internal infrastructure tests with few constraints on testing can be fun. It's rare to conduct a test that doesn't lead to Domain Admin one way or another, but that's only half the battle. A good tester should always strive to cover as much of the infrastructure as possible within the given window, leaving no stone unturned. It's not uncommon to have hundreds, or in some cases thousands of hosts, with the majority hosting some form of vulnerability. So where do you start?

Tools can obviously help, vulnerability scanners can help point out potentially exploitable services whether due to missing patches or simple misconfiguration. Port scanning steers a tester in the right direction for identifying common services of interest. However, a common frustration I encounter on a regular basis is finding interesting web servers. Finding web servers is obviously easy enough, but I often find myself verifying the contents of each web server manually in a browser to determine whether any are worthy of further investigation/exploitation. The majority will usually be running default content - maybe IIS in it's default state, but quicklyidentifying administrative interfaces or sites running custom applications can be very beneficial in concentrating efforts and importantly - saving time.

I've written a small Perl script to do just that - a quick visual overview of web sites and response capture from a list of hostnames/ports fed via STDIN. Pipe straight from your favourite port scanner, grep for http[s] intowebscour.pl, and you'll get a nicely formatted HTML page containing thumbnails and the response headers from each site.

Out
 

echo -e "www.google.co.uk:80\nwww.yahoo.co.uk" | ./webscour.pl /tmp/out.htm


The idea is you should be able to dismiss uninteresting sites very quickly, and identify more interesting sites for further manual examination. The script is clever enough to work out whether or not the site is running HTTPS, just fire it a list of hosts and optionally ports.

Any improvements/enhancements, please get in touch. Currently the only dependency other than a few common Perl modules is gnome-web-photo, but you could replace this with your favourite thumbnailer to get the same effect.

Download here. Enjoy.