I have been working on a pentesting project, for which I started using Linux and getting familiar with this new realm of "Linux" things.
So, my preliminary setup is as follows:
- a configuring system; OS: BackTrack 5 (for setting up and monitoring the hardware firewall)
- an internal system; OS: Ubuntu 12.04 (probable victim)
- an external system; OS: Ubuntu 12.04 (supposed attacker)
I have used nmap and Nikto to successfully scan and report anything and everything possible; the final output of these scans, in brief, is that the firewall has a vulnerability: the HTTP TRACE method is active, OSVDB-877.
Now, if the HTTP TRACE method is active, it suggests that an XSS attack is possible using this TRACE method, and hence the document.cookie token can be accessed to retrieve login credentials. I have been able to track down all of this using the on-board tools available in BackTrack 5 and direct access to the web application GUI for the firewall.
All of it sounds cool; it seems pretty much functional that all there is to breaking the firewall is just that single cookie, "document.cookie".
Well, the fact of the matter is that I am supposed to create a real-world environment where an external PC tries to break through the firewall and harm the internal systems protected by the firewall.
But if I do not get access to that login page, how am I supposed to even try to use the HTTP TRACE method attacks or other online password attacks? I need an external IP or a URL so that I can reach that login page of the firewall, which is only possible if remote connection is allowed from the firewall to a specified IP, and why would anyone do that for a potential attacker who would want to harm the secure proceedings of the firewall!
Any help/suggestions/ideas/thoughts would be appreciated!
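The TRACE finding mentioned above (OSVDB-877) boils down to one check: does the server answer a TRACE request by echoing the request, headers included, back to the client? The following is an added example, not code from the original post or from any firewall vendor. It reproduces that check in plain Python against two tiny local servers constructed for the demo: one that reflects TRACE the way a misconfigured server does, and one hardened to refuse it with 405. The marker header name `X-Trace-Probe`, its value, and the `session=secret-value` cookie are arbitrary choices for the demo, not real identifiers. The `probe_trace` function is the part you would point at a real target once you have a route to its management interface.

```python
"""Probe a web server for the HTTP TRACE method (the Nikto OSVDB-877 finding).

Added example, not from the original post. Two small local servers are
constructed here purely for the demo: one reflects TRACE requests the way a
misconfigured server does, the other refuses them. probe_trace() is the part
you would run against a real target.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE_HEADER = "X-Trace-Probe"   # hypothetical marker header chosen for the demo
PROBE_VALUE = "probe-7f3a9c"     # arbitrary token we expect to see reflected
DEMO_COOKIE = "session=secret-value"  # constructed cookie, stands in for a real session


class ReflectingHandler(BaseHTTPRequestHandler):
    """Misconfigured server: TRACE echoes the request line and every header back."""

    def do_TRACE(self):
        # A compliant TRACE reply is the request message itself, so whatever
        # the client sent (including its Cookie header) ends up in the body.
        body = (self.requestline + "\r\n" + str(self.headers)).encode("latin-1")
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Hardened server: TRACE is refused with 405 and an Allow header."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD, POST")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass


def start_server(handler):
    """Bind to a free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_trace(host, port, timeout=5):
    """Send one TRACE request and report whether the server reflected it.

    Returns a dict with the status code, whether TRACE is enabled (HTTP 200
    and our marker value came back in the body), and whether the Cookie
    header we sent was echoed too, which is the detail the finding is about.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("TRACE", "/",
                     headers={PROBE_HEADER: PROBE_VALUE, "Cookie": DEMO_COOKIE})
        resp = conn.getresponse()
        status = resp.status
        body = resp.read().decode("latin-1", "replace")
    finally:
        conn.close()
    enabled = status == 200 and PROBE_VALUE in body
    return {
        "status": status,
        "enabled": enabled,
        "cookie_reflected": enabled and DEMO_COOKIE in body,
        "body": body,
    }


def demo():
    """Run the probe against both constructed servers and return both results."""
    results = {}
    for name, handler in (("reflecting", ReflectingHandler),
                          ("hardened", HardenedHandler)):
        srv = start_server(handler)
        try:
            results[name] = probe_trace("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: HTTP {r['status']}, TRACE enabled={r['enabled']}, "
              f"cookie reflected={r['cookie_reflected']}")
```

Against the reflecting server the probe reports HTTP 200 with both the marker and the cookie visible in the response body, which is exactly what Nikto keys on; against the hardened server it gets 405 and reports TRACE as disabled. Note that the probe is deliberately simple: it does not follow redirects or try TLS, so for a real management interface you would point `http.client.HTTPSConnection` at it in the same way.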