Posts tagged Pentest

Discovering Rogue Access Points During Pentest


During a wireless security assessment, finding rogue access points is always a big issue. Today we will see how we can find those rogue access points using Nmap, detecting them based on OS fingerprinting.

This Nmap command can detect rogue access points in your network, provided the rogue access points are connected to the wired network being scanned.

nmap -PN -n -pT:80,443,23,21,22,U:161,1900,5353 -sU -sV -sS -oA osfinger -O -T4 192.168.0.1/24

Starting Nmap
Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp filtered ssh
23/tcp closed telnet
80/tcp open http Intoto httpd 1.0
443/tcp filtered https
161/udp open|filtered snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
21/tcp closed ftp
22/tcp closed ssh
23/tcp closed telnet
80/tcp closed http
443/tcp closed https
161/udp closed snmp
1900/udp open|filtered upnp
5353/udp open|filtered zeroconf
MAC Address: 11:33:44:55:66:99 (Intel)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

The above Nmap command scans the network with no ping (-PN) and no name resolution (-n). It only scans selected TCP and UDP ports; being able to specify independent lists of TCP and UDP ports with the syntax above is a really neat feature. I chose the ports listed because they are the ones most frequently found listening on embedded devices.

Look at the results: the first device, 192.168.0.1, shows the interesting ports 21, 23 and 80, and its MAC vendor and OS fingerprint identify it as a wireless router:
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Running: Linksys embedded, Netgear embedded, Netgear VxWorks 5.X
OS details: Linksys WRT54G or WRT54G2, or Netgear WGR614 or WPN824v2 wireless broadband router, Netgear WGT624 WAP, Netgear WGR614v7, WGT624v3, or WPN824v2 WAP (VxWorks 5.4.2)
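As an added example (not from the original post), the following Python parses Nmap normal output like the scan above and flags hosts whose fingerprint says WAP or broadband router and whose MAC address is not in an inventory of authorised access points. The inventory list and the AP_DEVICE_TYPES set are my assumptions; the sample is abridged from the scan output shown above.

```python
import re

# Abridged from the Nmap output shown in the post above (two hosts).
SAMPLE_SCAN = """Interesting ports on 192.168.0.1:
PORT STATE SERVICE VERSION
80/tcp open http Intoto httpd 1.0
161/udp open|filtered snmp
MAC Address: 11:22:33:44:55:66(Cisco-Linksys)
Device type: WAP|broadband router
Network Distance: 1 hop

Interesting ports on 192.168.0.100:
PORT STATE SERVICE VERSION
80/tcp closed http
1900/udp open|filtered upnp
MAC Address: 11:33:44:55:66:99 (Intel)
Network Distance: 1 hop
"""

# Device-type tokens Nmap emits for access points and consumer gateways (assumed list).
AP_DEVICE_TYPES = {"WAP", "broadband router"}

def parse_nmap_hosts(text):
    """Split Nmap normal output into per-host dicts: ip, mac, vendor, device types, open TCP ports."""
    hosts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        m = re.search(r"Interesting ports on (\S+):", block)
        if not m:
            continue
        host = {"ip": m.group(1), "mac": None, "vendor": "", "device_types": set(), "open_tcp": []}
        mac = re.search(r"MAC Address: ([0-9A-Fa-f:]{17})\s*\(([^)]*)\)", block)
        if mac:
            host["mac"], host["vendor"] = mac.group(1).upper(), mac.group(2)
        dt = re.search(r"Device type: (.+)", block)
        if dt:
            host["device_types"] = set(dt.group(1).split("|"))
        host["open_tcp"] = [int(p) for p in re.findall(r"(\d+)/tcp open ", block)]
        hosts.append(host)
    return hosts

def flag_rogue_aps(hosts, authorised_macs):
    """Return IPs fingerprinted as an AP/router whose MAC is not in the authorised inventory."""
    known = {m.upper() for m in authorised_macs}
    return [h["ip"] for h in hosts
            if h["device_types"] & AP_DEVICE_TYPES and h["mac"] not in known]

if __name__ == "__main__":
    hosts = parse_nmap_hosts(SAMPLE_SCAN)
    print(flag_rogue_aps(hosts, authorised_macs=["AA:BB:CC:DD:EE:FF"]))  # ['192.168.0.1']
```

Feed it the .nmap file written by -oA and keep the authorised MAC list from your wireless inventory; any hit is a device to walk down physically.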

Detecting DNS and HTTP Load Balancers During Pentest


During penetration testing, finding the number of load balancers behind a site is always complicated, and clients expect us to determine whether different IP addresses belong to the same machine. The tool below works perfectly for detecting load balancers.
Load Balancer Detector (LBD) uses both DNS- and HTTP-based techniques to detect load balancers. During our tests, we found that the DNS detection works perfectly; however, the HTTP-based detection does give false positives at times (which the tool author acknowledges).

The code is here: http://ge.mine.nu/code/lbd

It is a shell script; save the code as a .sh file.

Usage details

./lbd.sh www.abc.com
