Penetration Testing Framework 0.58
by
kevin orrey
5.0 stars - 16 reviews
range from 0 to 5
Manual Testing
Create Batch File (cmd.bat)
AT Command - priviledge escalation
Keyboard Shortcuts/ Hotkeys
X11 port 6000^ open
X11 Enumeration
X11 Exploitation
Examine Configuration Files
pwdump [-h][-o][-u][-p] machineName
Nabil contributed the AS/400 section.
Back end files
.exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
Set objShell = CreateObject("WScript.Shell")
Check visible areas for sensitive information.
InitialProgram=c:\windows\system32\cmd.exe
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
Untitled
Internet Search
DNS Record Retrieval from publically available servers
Social Engineering
Dumpster Diving
Web Site copy
Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS Fingerprinting Remote applications being served. OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
Default Port Lists
Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific
Active Hosts
Enumeration
Daytime port 13 open
FTP port 21 open
SSH port 22 open
Telnet port 23 open
Sendmail Port 25 open
DNS port 53 open
perl qtrace.pl [ip_address_file] [output_file]
TFTP port 69 open
Finger Port 79 open
Web Ports 80,8080 etc. open
Portmapper port 111 open
NTP Port 123 open
NetBIOS Ports 135-139,445 open
SNMP port 161 open
LDAP Port 389 Open
PPTP/L2TP/VPN port 500/1723 open
Modbus port 502 open
rlogin port 513 open
rsh port 514 open
SQL Server Port 1433 1434 open
Citrix port 1494 open
Oracle Port 1521 Open
NFS Port 2049 open
Compaq/HP Insight Manager Port 2301,2381open
MySQL port 3306 open
RDesktop port 3389 open
Sybase Port 5000+ open
SIP Port 5060 open
VNC port 5900^ open
Tor Port 9001, 9030 open
Jet Direct 9100 open
Password cracking
L0phtcrack (Note: - This tool was aquired by Symantec from @Stake and it is there policy not to ship outside the USA and Canada
Vulnerability Assessment - Utilising vulnerability scanners all discovered hosts can then be tested for vulnerabilities. The result would then be analysed to determine if there any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information, once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and reported to the user. Other tools actually use manual pen testing methods and display the output received i.e. showmount -e ip_address would display the NFS shares available to the scanner whcih would then need to be verified by the tester.
Manual
Automated
Tools
Resources
Blogs
AS/400 Auditing
Remote
Local
Bluetooth Specific Testing
Exploit Frameworks
Resources
Cisco Specific Testing
Methodology
Scan & Fingerprint.
Password Guessing.
SNMP Attacks.
Connecting.
Known Bugs.
Configuration Files.
References.
Citrix Specific Testing
Citrix provides remote access services to multiple users across a wide range of platforms. The following information I have put together which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix
Enumeration
Scanning
Exploitation
Brute Force
Review Configuration Files
References
Network Backbone
Generic Toolset
Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.
Password Attacks
Exploits
Tools
Server Specific Tests
Databases
Mail
VPN
Web
VoIP Security
Sniffing Tools
Scanning and Enumeration Tools
Packet Creation and Flooding Tools
Fuzzing Tools
Signaling Manipulation Tools
Media Manipulation Tools
Generic Software Suites
References
Wireless Penetration
Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting weith the customer should allow you to estimate the timescales required to carry the assessment out.
./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
Wireless Toolkit
WLAN discovery
Physical Security
Building Security
Perimeter Security
Entry Points
Office Waste
Contributors
Matt Byrne (WirelessDefence.org)
Arvind Doraiswamy (Paladion.net)
Lee Lawson (Dns.co.uk)
Nabil OUCHN (Security-database.com)
