Vulnerability Scanning & Discovery Conducting Manual Protocol Testing

Manual protocol testing goes beyond automated vulnerability scans by allowing you to directly interact with network services and applications. This hands-on approach helps you validate automated findings, uncover complex logic flaws, and identify vulnerabilities that scanners often miss.

Why Manual Testing Matters

While automated vulnerability scanners are excellent for covering a large number of ports and standard services quickly, they have a margin of error. Instabilities in network connectivity or custom application logic can lead to false positives or missed vulnerabilities.

Manually connecting to a target system allows you to:

  • Visually confirm the results of automated tools.

  • Identify services running on non-standard ports.

  • Test custom logic that automated signatures cannot understand.

Automated scanners often struggle with complex authentication mechanisms (like VPNs) or custom web applications. Always manually verify critical infrastructure to ensure an accurate risk profile.

flowchart TD
    A[Automated Scan Results] --> B(Manual Visual Confirmation)
    B --> C{Vulnerability Confirmed?}
    C -->|Yes| D[Vulnerability Research]
    C -->|No| E[Discard False Positive]
    D --> F[Setup Isolated Lab Replica]
    F --> G[Execute Manual Exploit/Test]

Protocol-Specific Testing Guidelines

Different protocols require different manual testing strategies. Automated tools often lack the specific protocol negotiations needed to accurately assess these services.

VPN (Virtual Private Networks)

Conventional scanners usually cannot perform correct protocol negotiations with VPN devices using Internet Key Exchange (IKE). Manually use specialized VPN toolkits to fingerprint the device version, identify authentication mechanisms, and test for weaknesses like static pre-shared keys or default group IDs.

Web Services

Web services are frequently found running on multiple ports across a single system. Because administrators might only harden standard ports (like 80 or 443), you should manually inspect all web interfaces. Test for insecure HTTP methods, directory traversal, and custom application logic flaws.

Mail Servers

Mail servers can leak an abundance of information. Manually interact with the server to confirm valid email accounts, which can be used to build username lists for brute-force attacks. Test for mail relaying vulnerabilities (which attackers use for phishing) and manually assess any web-based remote access interfaces.

DNS (Domain Name Systems)

Improperly hardened DNS servers offer a wealth of data. Manually request version information for accurate fingerprinting, and attempt zone transfers. A successful zone transfer provides an exhaustive list of additional targets and potentially sensitive organizational data.

Citrix Appliances

Default installations or poorly configured Citrix appliances often allow unauthenticated users to enumerate published applications. Manually check for information leakage that reveals valid usernames, and attempt to break out of predefined profiles for authorized users.

Testing Insecure HTTP Methods

When manually testing web services, always check the enabled HTTP methods. Several methods are inherently insecure or easily misconfigured, allowing you to gain varying levels of access.

HTTP MethodPotential Security RiskManual Testing Goal
OPTIONSInformation DisclosureEnumerate which HTTP methods the target server accepts.
PUT / DELETEContent AlterationAttempt to upload a benign file (PUT) or remove a test resource (DELETE) to check for unauthorized write access.
TRACEInformation DisclosureSend a request to see if the server echoes it back, which can be abused for Cross-Site Tracing (XST).
WebDAVVarious (Buffer overflow, RCE)Test extensions like PROPFIND, MOVE, or MKCOL for improper handling of user requests or privilege escalation.

Modern REST APIs use PUT and DELETE legitimately (Create = POST, Read = GET, Update = PUT, Delete = DELETE). Always verify if the method is actually exposed insecurely, or if it is properly authenticated API behavior.

Researching Vulnerabilities

Once you manually identify a service and its version, the next step is researching known flaws and common misconfigurations.

  1. Check Vulnerability Databases: Search the CVE (Common Vulnerabilities and Exposures) database, OSVDB, or Bugtraq to verify if the specific version is vulnerable. Keep in mind that a flaw might exist on one operating system (e.g., Windows) but not another (e.g., Linux).

  2. Review Vendor Advisories: Vendors often release change logs and security advisories. If a researcher hasn't published exploit details, a vendor's change log might be the only clue that a vulnerability exists.

  3. Hunt for Default Credentials: Administrators frequently leave default passwords in place. Search online for the hardware/software manual, check vendor mailing lists, and consult default password databases.

  4. Consult Hardening Guides: Reviewing a hardening guide for the target system highlights its weakest parts. It also helps you gauge the diligence of the system administrator based on how many recommendations they actually implemented.

Safe Testing in an Isolated Lab

Testing exploits or running aggressive manual techniques (like directory brute-forcing or fuzzing) directly against a production environment can cause unintended downtime. To ensure accuracy and safety, replicate the target environment in an isolated lab.

  1. 1

    Identify the target environment

    Gather exact details from your manual fingerprinting, including the operating system, service pack level, and specific application version.

  2. 2

    Provision a replica Virtual Machine (VM)

    Spin up a VM that mimics the target environment. Maintain a library of base images (Windows, Linux, macOS) to quickly clone and deploy the exact setup you need.

  3. 3

    Test configurations and exploits

    Use your replica to explore configuration parameters, test exploits, and observe the application's behavior without risking the actual target. Use VM snapshots to easily revert changes and reproduce bugs.

  4. 4

    Perform advanced testing (Fuzzing)

    If you suspect a custom application flaw, use fuzzing (fault injection) in your lab. Attach a debugger to the application and programmatically submit unexpected or invalid input to identify crash states and potential buffer overflows.

Creating an Attack Tree as you progress through your manual testing is highly recommended. As you uncover new services and vulnerabilities, map them out. A single point of entry discovered in your lab might be repeatable across other vectors in the live environment.