
Penetration Testing Framework 0.58

Manual Testing

Create Batch File (cmd.bat)

Host Scripting File (cmd.vbs)


AT Command - privilege escalation

Keyboard Shortcuts/ Hotkeys


X11 port 6000^ open

X11 Enumeration

X11 Exploitation

Examine Configuration Files

pwdump [-h][-o][-u][-p] machineName

Nabil contributed the AS/400 section.

Client Side Security

Back end files

.exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

Set objShell = CreateObject("WScript.Shell")

Check visible areas for sensitive information.


txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

Pre-Inspection Visit - template

Network Footprinting (Reconnaissance) - The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. Passive reconnaissance is always the best starting point, as it would normally not trigger intrusion detection systems or the other forms of protection afforded to the network. It usually involves discovering publicly available information by using a web browser, visiting newsgroups and so on. Active reconnaissance is more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering attack.


Internet Search

DNS Record Retrieval from publicly available servers

Social Engineering

Dumpster Diving

Web Site copy

Discovery & Probing - Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host. It is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from received packets only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent to tell them apart. The remote applications served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of which applications are running and tailor the test accordingly.

Default Port Lists

Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

Active Hosts


Daytime port 13 open

FTP port 21 open

SSH port 22 open

Telnet port 23 open

Sendmail Port 25 open

DNS port 53 open

perl [ip_address_file] [output_file]

TFTP port 69 open

Finger Port 79 open

Web Ports 80,8080 etc. open

Portmapper port 111 open

NTP Port 123 open

NetBIOS Ports 135-139,445 open

SNMP port 161 open

LDAP Port 389 Open

PPTP/L2TP/VPN port 500/1723 open

Modbus port 502 open

rlogin port 513 open

rsh port 514 open

SQL Server Port 1433 1434 open

Citrix port 1494 open

Oracle Port 1521 Open

NFS Port 2049 open

Compaq/HP Insight Manager Port 2301, 2381 open

MySQL port 3306 open

RDesktop port 3389 open

Sybase Port 5000+ open

SIP Port 5060 open

VNC port 5900^ open

Tor Port 9001, 9030 open

Jet Direct 9100 open

Password cracking

Rainbow crack


Cain & Abel

John the Ripper





L0phtcrack (Note: this tool was acquired by Symantec from @Stake, and it is their policy not to ship it outside the USA and Canada)


Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. Many of the tests carried out by these scanners are just banner grabbing or obtaining version information; once these details are known, the version is compared against the common vulnerabilities and exposures (CVE) that have been published and the matches are reported to the user. Other tools use manual pen testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.






AS/400 Auditing



Bluetooth Specific Testing











Exploit Frameworks


Cisco Specific Testing


Scan & Fingerprint.

Password Guessing.

SNMP Attacks.


Known Bugs.

Configuration Files.


Citrix Specific Testing

Citrix provides remote access services to multiple users across a wide range of platforms. The following information has been put together to help you conduct a vulnerability assessment or penetration test against Citrix.




Brute Force

Review Configuration Files


Network Backbone

Generic Toolset

Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that, at their lowest level, are essentially pre-compiled point-and-shoot tools. These engines also have a number of extra underlying features for more advanced users.

Password Attacks



Server Specific Tests





VoIP Security

Sniffing Tools

Scanning and Enumeration Tools

Packet Creation and Flooding Tools

Fuzzing Tools

Signaling Manipulation Tools

Media Manipulation Tools

Generic Software Suites


Wireless Penetration

Wireless Assessment - The following information should ideally be obtained or enumerated when carrying out your wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry the assessment out.


./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

Wireless Toolkit

WLAN discovery

Physical Security

Building Security

Perimeter Security

Entry Points

Office Waste

Final Report - template


Matt Byrne (

Arvind Doraiswamy (

Lee Lawson (

Nabil OUCHN (