Penetration testing

Python tools for penetration testers


Stumbled upon a website that lists the various Python tools useful for vulnerability research, reverse engineering and penetration testing.

http://dirk-loss.de/python-tools.htm

Network Scanning Using Nmap Through Proxy server


Many times while penetration testing from the client's network I have come across a situation in which the client has an internal proxy server through which all access has to go.
I had to scan WAN devices with Nmap through that proxy, and the client was using an ISA server as their proxy. To achieve this there is a tool known as ProxyChains, which allows any program to be run through an HTTP or SOCKS proxy.

http://proxychains.sourceforge.net/

How to install and configure ProxyChains

root@bt:~# apt-get install proxychains   (on any Debian-based distro)
root@bt:~# nano /etc/proxychains.conf
Then you will see the [ProxyList] section, where we add our proxies:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
socks4 127.0.0.1 9050

Now add your ISA proxy server's IP as an entry of type http, like below:

[ProxyList]
# add proxy here ...
# meanwhile
# defaults set to "tor"
# ISA server IP (an HTTP proxy, so the type keyword is http)
http 192.168.1.13 8080
# with strict_chain (the default) every entry below is used in order,
# so comment out the tor line unless Tor is actually running
socks4 127.0.0.1 9050

Save and exit, then run Nmap through the chain:

root@bt:~# proxychains nmap -sV WANIP
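As an added example (not from the original post or the ProxyChains project), a small Python checker for the edited proxychains.conf: it parses the [ProxyList] section, rejects the bare "ip port" form that lacks a proxy type keyword, and warns about the strict_chain pitfall described in the comments above. The config text is a constructed sample.

```python
# Constructed /etc/proxychains.conf fragment, as it should look after the edit above
SAMPLE_CONF = """\
# proxychains.conf (constructed sample)
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
http 192.168.1.13 8080
socks4 127.0.0.1 9050
"""

CHAIN_MODES = ("strict_chain", "dynamic_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")


def parse_proxychains_conf(text):
    """Return (chain_mode, [(type, host, port), ...]) from a proxychains.conf."""
    mode, proxies, in_list = None, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # strip comments and blanks
        if not line:
            continue
        if line in CHAIN_MODES:
            mode = line
        elif line == "[ProxyList]":
            in_list = True
        elif in_list:
            parts = line.split()
            # a bare "ip port" line has no proxy type keyword and is not a valid entry
            if len(parts) != 3 or parts[0] not in PROXY_TYPES or not parts[2].isdigit():
                raise ValueError("bad ProxyList entry: %r" % raw)
            proxies.append((parts[0], parts[1], int(parts[2])))
    return mode, proxies


def chain_warnings(mode, proxies):
    """Pre-flight checks before 'proxychains nmap' is pointed at an HTTP (ISA) proxy."""
    warnings = []
    if mode == "strict_chain" and len(proxies) > 1:
        warnings.append("strict_chain goes through every listed proxy in order; "
                        "each one (including the default tor socks4 entry) must be up")
    if not any(ptype == "http" for ptype, _, _ in proxies):
        warnings.append("no http entry: an ISA server is an HTTP proxy, not socks4")
    return warnings
```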

BackTrack 4 Development Roadmap


BackTrack 5 is expected in Feb 2010. Check out the BT4 development roadmap.

http://www.backtrack-linux.org/bt/roadmap/

Wireless Security Assessment for Pentesters (WEPBuster)


WEPBuster is a script written for information security professionals to aid in conducting wireless security assessments of WEP-enabled wireless networks.

Project page: http://code.google.com/p/wepbuster/

wget http://wepbuster.googlecode.com/files/wepbuster-1.0_beta_0.6.tgz

tar -xvf wepbuster-1.0_beta_0.6.tgz
cd wepbuster-1.0_beta

perl wepbuster

It has been a long time since I made this video.

Discovering Rogue Access Points During Pentest


During a wireless security assessment, finding rogue access points is always a big issue. Today we will see how to find those rogue access points with Nmap, detecting them by OS version.

This Nmap command can detect rogue access points in your network, provided the rogue access points are connected to the wired network.

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.0.1/24

Starting Nmap
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
443/tcp filtered https
161/udp open|filtered snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
161/udp closed snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:33:44:55:66:99 (Intel)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

The above Nmap command scans the network with no ping (-PN) and no name resolution (-n). It only scans selected TCP and UDP ports; being able to specify independent lists of UDP and TCP ports with the syntax above is a really neat feature. I chose the ports listed because they are the ones most frequently found listening on embedded devices.

Looking at the results, the first device, 192.168.0.1, shows the interesting ports 21, 23 and 80 (HTTP open, serving Intoto httpd), and the MAC vendor and OS fingerprint identify it as a consumer wireless access point:
MAC Address: 11:22:33:44:55:66 (Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
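The triage the post does by eye can be automated over the -oX output of the same scan. This is an added example, not the author's tooling: it parses nmap XML and flags hosts whose osclass type, MAC vendor or open web admin port look like a SOHO access point. The XML below is a constructed sample modelled on the two hosts above, and the vendor list is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed nmap -oX output modelled on the two hosts above (not the author's real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><status state="up"/>
  <address addr="192.168.0.1" addrtype="ipv4"/>
  <address addr="11:22:33:44:55:66" addrtype="mac" vendor="Cisco-Linksys"/>
  <ports>
   <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Intoto httpd"/></port>
   <port protocol="udp" portid="1900"><state state="open|filtered"/><service name="upnp"/></port>
  </ports>
  <os><osmatch name="Linksys WRT54G or WRT54G2"><osclass type="WAP" vendor="Linksys" osfamily="embedded"/></osmatch></os>
 </host>
 <host><status state="up"/>
  <address addr="192.168.0.100" addrtype="ipv4"/>
  <address addr="11:33:44:55:66:99" addrtype="mac" vendor="Intel"/>
  <ports><port protocol="udp" portid="1900"><state state="open|filtered"/><service name="upnp"/></port></ports>
 </host>
</nmaprun>"""

AP_DEVICE_TYPES = {"WAP", "broadband router"}       # nmap osclass types seen in the output above
AP_VENDOR_HINTS = ("Linksys", "Netgear", "D-Link")  # assumed consumer-AP OUI vendors to flag


def find_candidate_aps(xml_text):
    """Return [(ip, mac, vendor, reasons)] for hosts whose fingerprint looks like an access point."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        ip = mac = vendor = None
        for addr in host.iter("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac, vendor = addr.get("addr"), addr.get("vendor", "")
        reasons = []
        # osclass may sit under <os> directly or inside <osmatch>; iter() covers both layouts
        ap_types = {c.get("type") for c in host.iter("osclass")} & AP_DEVICE_TYPES
        if ap_types:
            reasons.append("os class " + ",".join(sorted(ap_types)))
        if vendor and any(v.lower() in vendor.lower() for v in AP_VENDOR_HINTS):
            reasons.append("mac vendor " + vendor)
        # an open web UI on a device already classed as an AP is the usual SOHO router admin page
        if ap_types and any(p.get("portid") == "80" and p.find("state").get("state") == "open"
                            for p in host.iter("port")):
            reasons.append("open http admin interface")
        if reasons:
            hits.append((ip, mac, vendor, reasons))
    return hits
```

Hosts with no osclass, no matching vendor and no admin port (like the Intel host above) are left out of the list.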

Detecting DNS and HTTP Load Balancers During Pentest


During penetration testing, finding the number of load balancers behind a site is always complicated, and clients expect us to work out whether the same machine is answering on different IP addresses. The tool below works well for detecting load balancers.
Load Balancer Detector (LBD) uses both DNS and HTTP based techniques to detect load balancers. During our tests the DNS detection worked perfectly, but the HTTP based techniques do give false positives at times (which the tool author acknowledges).

Code: http://ge.mine.nu/code/lbd

It is a shell script; save the code as lbd.sh.

Usage details

./lbd.sh www.abc.com
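To make the two techniques and the false-positive caveat concrete, here is an added Python example (not part of the post or of LBD itself) that applies the same logic to constructed observations: the DNS check looks for multiple or rotating A records, and the HTTP check compares response headers after dropping the ones that legitimately change per request.

```python
# Constructed observations standing in for three DNS lookups and three HTTP HEAD responses
# against one hostname (not real data from an lbd.sh run).
DNS_ANSWERS = [
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.11", "203.0.113.10"],
    ["203.0.113.10", "203.0.113.11"],
]
HTTP_RESPONSES = [
    {"Server": "Apache/2.2.3", "Date": "Mon, 01 Mar 2010 10:00:01 GMT", "ETag": '"1a2b"'},
    {"Server": "Apache/2.2.3", "Date": "Mon, 01 Mar 2010 10:00:02 GMT", "ETag": '"1a2b"'},
    {"Server": "Apache/2.2.9", "Date": "Mon, 01 Mar 2010 10:00:03 GMT", "ETag": '"1a2b"'},
]
# Headers that legitimately change between requests to the same server.
VOLATILE_HEADERS = frozenset({"date", "set-cookie", "expires", "last-modified"})


def dns_balanced(answers):
    """DNS check: more than one A record, or the record order rotating, indicates balancing."""
    distinct = {addr for answer in answers for addr in answer}
    orderings = {tuple(answer) for answer in answers}
    return len(distinct) > 1 or len(orderings) > 1


def http_balanced(responses, ignore=VOLATILE_HEADERS):
    """HTTP check: stable headers differ between responses.  Comparing volatile headers
    such as Date is exactly what produces the false positives, so they are ignored."""
    signatures = {
        tuple(sorted((k.lower(), v) for k, v in r.items() if k.lower() not in ignore))
        for r in responses
    }
    return len(signatures) > 1


def differing_headers(responses, ignore=VOLATILE_HEADERS):
    """Name the stable headers whose values differ, for a manual second look."""
    keys = {k for r in responses for k in r if k.lower() not in ignore}
    return sorted(k for k in keys if len({r.get(k) for r in responses}) > 1)
```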


Learning Penetration Testing skills in Today’s Chaotic World

In my previous post I was talking about vulnerable web applications for beginners. Today we will see how to learn penetration testing skills in today's chaotic world: below are a few hacking and vulnerable labs/live CDs to test your penetration testing skills.

1) http://www.netwars.info/

Netwars is the ultimate online game: an adventure across the Internet. You can play as an analyst, a penetration tester, a defender, or any combination. You earn points by finding keys, moving to higher levels, capturing services such as a website, overcoming obstacles (attack techniques) and protecting resources (defensive techniques). You can see the other players’ scores and your own points scored, live, or on an overall scoreboard.

2) http://www.overthewire.org/wargames/

The OverTheWire community can help you learn and practice security concepts in the form of fun-filled games.

3) http://sourceforge.net/projects/lampsecurity/

LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security.

4) De-ICE live CDs

These live CDs are intended to provide legal targets on which to practice and learn pentest skills; they are real servers that contain real-world challenges. Designed by professional penetration testers, each disk provides a learning opportunity to explore the world of penetration testing.
Register and download these live CDs from http://heorot.net/forums

de-ice.net-1.100-1.1.iso
de-ice.net-1.110-1.0.iso
de-ice.net-2.100-1.1.iso
hackerdemia-1.1.0.iso
pWnOS.tar.gz

5) http://p0wnlabs.com/

p0wnlabs is your place to hack, experiment and learn by doing.

Join up and you get access to online hacking challenges, exercises and virtual lab environments stocked with hacking challenges for your mind:

  • Map a system
  • Find its vulnerabilities
  • 0wn it
  • Try out new hacking tools
  • Learn new hacking tricks
  • Hone your skills
Important: don't try these live CDs on production environments; make sure you try them out in VMware. If you know any other live CDs or projects, please comment and I will update the post.