Archive for June, 2010

Client Side Exploits videos


Client Side Exploits videos by Dean De Beer and Colin Ames

In penetration testing, the targets for exploitation aren’t always network services that are exposed through a firewall. When you need to find other ways in, your primary targets become the browser, office applications, audio and video players, and the user himself. Dean De Beer and Colin Ames are going to explain this attack methodology and how it’s different from what you’ve learned so far.

Security Assessment and Pentest tools Cheat Sheets


Found these in my old bookmarks. Below are some useful cheat sheets; let me know if you find any others and I will update the post.

Nmap
http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf

Nessus
http://www.secguru.com/link/nessus_nmap_scanning_cheatsheet
Backtrack 4
http://www.corelan.be:8800/index.php/2009/07/04/backtrack-4-cheat-sheet/
misc tools
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf
Metasploit Meterpreter
http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient
http://www.rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html


Oracle Security
http://www.red-database-security.com/wp/oracle_cheat.pdf
XSS
http://ha.ckers.org/xss.html
http://openmya.hacker.jp/hasegawa/security/utf7cs.html
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

SQL Injection
http://ha.ckers.org/sqlinjection/
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://ferruh.mavituna.com/oracle-sql-injection-cheat-sheet-oku/
http://www.irongeek.com/xss-sql-injection-fuzzing-barcode-generator.php

Microsoft SQL, Sybase, MySQL, Oracle, PostgreSQL, DB2, Ingres; Bypass SQL Injection Filters
http://michaeldaw.org/sql-injection-cheat-sheet
http://pentestmonkey.net/cheat-sheets/
Packetlife Cheatsheets

http://packetlife.net/cheatsheets/

Ed Skoudis’ Pentest Cheatsheets

Windows command line tools
http://www.sans.org/resources/sec560/windows_command_line_sheet_v1.pdf
Netcat Cheat Sheet
http://www.sans.org/resources/sec560/netcat_cheat_sheet_v1.pdf
Useful Attack Tools, Metasploit commands, HPing, FGDump
http://www.sans.org/resources/sec560/misc_tools_sheet_v1.pdf

Reverse Engineering Malware Cheat Sheet

http://zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html

Security Architecture Cheat Sheet for Internet Applications

http://zeltser.com/security-management/security-architecture-cheat-sheet.html

CEH cheatsheets from Mindcert

http://www.mindcert.com/resources/MindCert_Nmap_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_Enumeration_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_Ethical_Hacking_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_Footprinting_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_Scanning_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_System_Hacking_MindMap.pdf

http://www.mindcert.com/resources/MindCert_CEH_Trojans_MindMap.pdf

http://www.mindcert.com/resources/CCNA_Cisco_IP_Routing.pdf

Using Social Engineering Toolkit while Pentesting


When we do an internal PT, at times we find that all the systems and servers are patched, and then it is hard to find any vulnerabilities to exploit. This makes exploiting the network harder, so we fall back on the old way: social engineering.

The Social Engineering Toolkit (SET) is a toolkit that can be used in a PT to take advantage of human vulnerabilities.

We will be creating a fake website that serves a malicious Java applet. The link to it is mailed to the users, so that once they open the link and run the applet we get a shell on the remote user's system. All the tasks were done on BackTrack 4 Final, where SET is installed by default.

Project page http://www.social-engineer.org/

Check out my video for the above steps.

Metasploit MeterpreterClient wiki


Detailed Metasploit Meterpreter core commands.

Kudos to bond for sharing this link.

http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient

Network Scanning Using Nmap Through Proxy server


Many times while penetration testing from the client network I have come across a situation in which the client has an internal proxy server for accessing everything.
I had to do network scanning of WAN devices using Nmap through a proxy server, and the client was using ISA Server as their proxy. To achieve this there is a tool known as ProxyChains, which allows you to run any program through an HTTP or SOCKS proxy.

http://proxychains.sourceforge.net/

How to install and configure proxychains:

root@bt:~# apt-get install proxychains  (if you're using any Debian-based distro)
root@bt:~# nano /etc/proxychains.conf
Then you will see the proxy list where we can add our proxies:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050

Now add your ISA proxy server IP like below (each entry is proxy type, host and port; ISA is an HTTP proxy):

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
# ISA server IP
http 192.168.1.13 8080
socks4 127.0.0.1 9050

Save and exit. With the default strict chain mode every proxy in the list must be reachable, so comment out the Tor line unless Tor is actually running.

root@bt:~# proxychains nmap -sV WANIP

Note that proxychains can only redirect TCP connections made through the socket library: a SYN scan and ICMP host discovery use raw sockets and go out directly, bypassing the proxy. Use a connect scan and skip host discovery, e.g. proxychains nmap -sT -Pn -n -sV WANIP.

BackTrack 4 Development Roadmap


BackTrack 5 on Feb 2010. Check out the BT4 development roadmap:

http://www.backtrack-linux.org/bt/roadmap/

Wireless Security Assessment for Pentesters (WEPBuster)


WEPBuster is a script written for information security professionals to aid in conducting wireless security assessments of WEP-enabled wireless networks.

Project page: http://code.google.com/p/wepbuster/

wget http://wepbuster.googlecode.com/files/wepbuster-1.0_beta_0.6.tgz

tar -xvf wepbuster-1.0_beta_0.6.tgz
cd wepbuster-1.0_beta

perl wepbuster

It has been a long time since I made this video.

Discovering Rogue Access Points During Pentest


During a wireless security assessment, finding rogue access points is always a big issue. Today we will see how to find those rogue access points using Nmap, detecting them based on the OS fingerprint.

This Nmap command can detect rogue access points in your network, provided they are connected to the wired network being scanned.

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.0.1/24

Starting Nmap
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
443/tcp filtered https
161/udp open|filtered snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
161/udp closed snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:33:44:55:66:99 (Intel)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

The above Nmap command scans the network with no ping (-PN) and no name resolution (-n). It only scans selected TCP and UDP ports; I find it a really neat feature to be able to specify independent lists of UDP and TCP ports using the syntax above. I chose the ports listed because they are most frequently found listening on embedded devices.

See the results: the first device, 192.168.0.1, shows interesting ports (21, 23, 80) and is fingerprinted as a wireless broadband router:
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
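To turn this into a repeatable check, the added example below (my own code, not part of the original post) parses nmap normal-output text of the shape shown above and flags hosts whose "Device type" is WAP but whose MAC is not in a hypothetical inventory of the client's own access points.

```python
import re

# Constructed sample in the shape of the nmap -oN output shown above.
SAMPLE_SCAN = """\
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
80/tcp open http Intoto httpd 1.0
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
80/tcp closed http
MAC Address: 11:33:44:55:66:99 (Intel)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
"""

# Hypothetical inventory of the MAC addresses of the APs the client owns.
KNOWN_AP_MACS = {"AA:BB:CC:DD:EE:FF"}
# nmap "Device type" classes that indicate a wireless access point.
AP_DEVICE_TYPES = {"WAP"}

HOST_RE = re.compile(r"^Interesting ports on (\S+):", re.M)

def parse_hosts(text):
    """Split -oN output into one dict per host: ip, mac, vendor, device types."""
    hosts = []
    parts = HOST_RE.split(text)[1:]          # [ip, body, ip, body, ...]
    for ip, body in zip(parts[0::2], parts[1::2]):
        host = {"ip": ip, "mac": None, "vendor": None, "device_types": set()}
        m = re.search(r"^MAC Address: ([0-9A-Fa-f:]{17})\s*\((.*?)\)", body, re.M)
        if m:
            host["mac"], host["vendor"] = m.group(1).upper(), m.group(2)
        m = re.search(r"^Device type: (.+)$", body, re.M)
        if m:
            host["device_types"] = set(m.group(1).split("|"))
        hosts.append(host)
    return hosts

def rogue_candidates(text, known_macs=KNOWN_AP_MACS):
    """IPs nmap fingerprints as a WAP whose MAC is not in the AP inventory."""
    return [h["ip"] for h in parse_hosts(text)
            if h["device_types"] & AP_DEVICE_TYPES and h["mac"] not in known_macs]
```

Feed it the .nmap file written by -oA osfinger; a MAC can be spoofed, so treat a hit as a lead to verify physically, not proof.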

Blocking Nmap Scans using IPtables on Linux server


The rules below will block a few of the Nmap scan types on your Linux server.

The default IPtables config file for RHEL / CentOS / Fedora Linux is located at /etc/sysconfig/iptables.

# only FIN set: FIN scan (-sF)
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
# no flags set: NULL scan (-sN)
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# every flag set: malformed probe
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# exactly FIN,PSH,URG set: Xmas scan (-sX)
iptables -A INPUT -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
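The added example below (my own code, not from the post) models the "--tcp-flags mask comp" semantics of those four rules: of the flags named in the mask, exactly the flags in comp must be set. Running it over sample flag bytes also shows the limit of the rule set: a plain SYN or SYN/ACK packet matches none of them, so the default Nmap SYN scan is not blocked.

```python
# TCP flag bits as laid out in the TCP header flags byte.
FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04,
         "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL = sum(FLAGS.values())   # iptables' ALL = SYN,ACK,FIN,RST,URG,PSH

def flag_mask(names):
    """Translate an iptables flag list ('FIN,PSH,URG', 'ALL', 'NONE') to a bitmask."""
    if names == "ALL":
        return ALL
    if names == "NONE":
        return 0
    return sum(FLAGS[n] for n in names.split(","))

def tcp_flags_match(flags_byte, mask, comp):
    """'--tcp-flags mask comp': of the bits in mask, exactly those in comp are set."""
    return flags_byte & flag_mask(mask) == flag_mask(comp)

# The four DROP rules from the post, in order, as (mask, comp, label).
RULES = [("ALL", "FIN", "FIN scan"),
         ("ALL", "NONE", "NULL scan"),
         ("ALL", "ALL", "all-flags probe"),
         ("ALL", "FIN,PSH,URG", "Xmas scan")]

def classify(flags_byte):
    """Label of the first rule a packet's flags would hit, or None if it is accepted."""
    for mask, comp, label in RULES:
        if tcp_flags_match(flags_byte, mask, comp):
            return label
    return None

def packet_flags(*names):
    """Build a flags byte from flag names, e.g. packet_flags('SYN', 'ACK')."""
    return sum(FLAGS[n] for n in names)
```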

Detecting DNS and HTTP Load Balancers During Pentest


During penetration testing, finding the number of load balancers behind a site is always complicated, and clients expect us to determine whether different IP addresses are the same machine. The tool below works well for detecting load balancers.
Load Balancer Detector (LBD) uses both DNS- and HTTP-based techniques to detect load balancers. During our tests we found that the DNS detection works perfectly; however, the HTTP-based detection does give false positives at times (which the tool author acknowledges).

Code here: http://ge.mine.nu/code/lbd

It's a shell script; save the code as a .sh file.

Usage details

./lbd.sh www.abc.com
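As an added illustration of the two detection techniques (my own simplified heuristics, not lbd's code), the block below applies a DNS check and an HTTP check to constructed data: repeated A-record lookups of one name, and the Server and Date headers of consecutive responses. The skew allowance on the Date check is what keeps ordinary clock drift from being reported, which is where the HTTP false positives the post mentions come from.

```python
from datetime import timedelta
from email.utils import parsedate_to_datetime

# Constructed sample: three lookups of the same name, and three consecutive
# HTTP responses (header subset) for the same URL.
LOOKUPS = [["203.0.113.10"], ["203.0.113.11"], ["203.0.113.10"]]
RESPONSES = [
    {"Server": "nginx", "Date": "Tue, 15 Jun 2010 10:00:00 GMT"},
    {"Server": "nginx", "Date": "Tue, 15 Jun 2010 10:00:01 GMT"},
    {"Server": "Apache", "Date": "Tue, 15 Jun 2010 09:59:30 GMT"},
]

def dns_balanced(lookups):
    """DNS check: repeated A-record lookups of one name yielding more than one IP."""
    ips = sorted({ip for answer in lookups for ip in answer})
    return len(ips) > 1, ips

def http_balanced(responses, skew=timedelta(seconds=2)):
    """HTTP check: a differing Server header, or a Date header that steps
    backwards by more than `skew` between consecutive responses, suggests
    a second back-end with its own clock."""
    reasons = []
    servers = {r["Server"] for r in responses if "Server" in r}
    if len(servers) > 1:
        reasons.append("Server header varies: %s" % sorted(servers))
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    for earlier, later in zip(dates, dates[1:]):
        if earlier - later > skew:
            reasons.append("Date went backwards by %s" % (earlier - later))
            break
    return bool(reasons), reasons
```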