Wednesday, May 2, 2012


FOOTPRINTING (Gathering Information)

Review Publicly Available Information
  • Company web pages
  • Source Sifting (website review)
  • SEC Edgar database
  • Business information sites
  • News groups
  • Search engines
  • Big Brother
WHOIS Enumeration
DNS Enumeration
  • Forward nslookup:    nslookup hostname
  • Reverse nslookup:    nslookup ip_address
  • Zone transfer:       # nslookup
                          > server dns_ip_address
                          > set type=any
                          > ls -d target_domain
Network Reconnaissance
  • Traceroute
    UNIX      Traceroute (UDP)            traceroute hostname/ip
    UNIX      Traceroute (ICMP)           traceroute -I hostname/ip
    Windows   Tracert (ICMP)              tracert hostname/ip
    Windows   Trout or NeoTrace (ICMP)    Trout or NeoTrace (GUI)
    UNIX      tcptraceroute (TCP)         (see man page)


Ping Sweeps
  BOTH      ping hostname/IP
  BOTH      nmap -sP host(s)
  Windows   sl -n host(s)
  Windows   SuperScan (GUI)
Port Scanning
  BOTH (TCP)      nmap, nmapfe (GUI), nc
  BOTH (UDP)      nmap, nmapfe (GUI), nc
  Windows (TCP)   sl, nmap, SuperScan (GUI), nc
  Windows (UDP)   sl, nmap, nc
Banner Grabbing
  Telnet    telnet host port
  nc        nc -v host port
  FTP       ftp host
  Web       # nc -v host 80
  sl        sl -b host(s)
OS Guessing
  NMAP      nmap -O host(s)
  NMAP      nmap -O -p port host(s)
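The zone-transfer, ping-sweep and port-scan steps above all leave traces on the side being looked at. As an added example, not part of the original cheat sheet, here is a small Python script that recognises those traces in defender-side logs: ICMP echo requests from one source to many hosts (a sweep), SYNs from one source to many ports on one host (a scan), and AXFR/IXFR or type=any queries in a DNS query log. The log lines are constructed for illustration in simplified iptables-LOG and BIND query-log style, and the thresholds are arbitrary starting points.

```python
"""Spot the footprinting and scanning activity listed above in defender-side logs.

Added example, not part of the original cheat sheet. All log lines below are
constructed for illustration in simplified iptables-LOG and BIND query-log
style; the thresholds are arbitrary starting points, not recommendations.
"""
import re
from collections import defaultdict

# Constructed firewall log: one host sweeps a /24 with ICMP echo, another walks
# six ports on a single host, and a third makes one ordinary HTTPS connection.
FIREWALL_LOG = """\
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.12 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.13 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.14 PROTO=ICMP TYPE=8 CODE=0
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40000 DPT=21 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40001 DPT=22 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40002 DPT=23 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40003 DPT=25 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40004 DPT=80 SYN
kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.20 PROTO=TCP SPT=40005 DPT=443 SYN
kernel: IN=eth0 SRC=192.0.2.99 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=443 SYN
"""

# Constructed BIND-style query log: a transfer request and a type=any lookup
# from an outside address, plus one normal A query from an internal client.
DNS_QUERY_LOG = """\
client 203.0.113.5#53211: query: example.com IN AXFR -T (192.0.2.53)
client 192.0.2.40#41000: query: www.example.com IN A + (192.0.2.53)
client 203.0.113.5#53212: query: example.com IN ANY + (192.0.2.53)
"""


def parse_fw_line(line):
    """Turn 'SRC=a DST=b PROTO=TCP DPT=22' tokens into a dict (bare flags like SYN are skipped)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def detect_sweeps_and_scans(log_text, host_threshold=4, port_threshold=5):
    """Return (kind, who, count) tuples for ICMP ping sweeps and per-host port scans."""
    echo_targets = defaultdict(set)    # source -> hosts it sent ICMP echo requests to
    probed_ports = defaultdict(set)    # (source, destination) -> destination ports touched
    for line in log_text.splitlines():
        f = parse_fw_line(line)
        if "SRC" not in f or "DST" not in f:
            continue
        if f.get("PROTO") == "ICMP" and f.get("TYPE") == "8":
            echo_targets[f["SRC"]].add(f["DST"])
        elif f.get("PROTO") in ("TCP", "UDP") and "DPT" in f:
            probed_ports[(f["SRC"], f["DST"])].add(int(f["DPT"]))
    findings = []
    for src, hosts in echo_targets.items():
        if len(hosts) >= host_threshold:
            findings.append(("ping_sweep", src, len(hosts)))
    for (src, dst), ports in probed_ports.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", f"{src}->{dst}", len(ports)))
    return findings


DNS_QUERY_RE = re.compile(r"client (\S+?)#\d+.*?query: (\S+) IN (\S+)")


def detect_zone_transfer_attempts(log_text, query_types=("AXFR", "IXFR", "ANY")):
    """Return (client, name, qtype) for transfer requests and the ANY lookups that
    'set type=any' produces; a transfer request from anything but your own
    secondaries is worth a look."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_QUERY_RE.search(line)
        if m and m.group(3) in query_types:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits


if __name__ == "__main__":
    for finding in detect_sweeps_and_scans(FIREWALL_LOG):
        print("firewall:", finding)
    for hit in detect_zone_transfer_attempts(DNS_QUERY_LOG):
        print("dns:", hit)
```

Run against the constructed input it reports one sweep (five hosts from 203.0.113.5), one scan (six ports on 192.0.2.20 from 198.51.100.7) and two suspicious DNS queries; the single HTTPS connection from 192.0.2.99 stays below the port threshold and is not reported. Real iptables and BIND lines carry more fields than the samples, but the key=value parsing and the regular expression only depend on the fields shown.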


    THE GOAL                                        THE SYNTAX
 1  Discover Windows hosts                          sl -bph host(s)
 2  Enumerate domains on network                    net view /domain
 3  Enumerate hosts in each domain                  net view /domain:domain
 4  Enumerate domain controllers                    nltest /dsgetdc:domain_name /pdc
                                                    nltest /bdc_query:domain_name
 5  Determine IP of hosts                           ping hostname
 6  Enumerate host's role in domain (NT 4.0)        netdom query \\hostname
 7  Enumerate NetBIOS table                         nbtstat -A x.x.x.x
 8  Establish a null session                        net use \\x.x.x.x\ipc$ "" /u:""
 9  Enumerate local administrators                  local administrators \\x.x.x.x
10  Enumerate group members                         global "group_name" \\x.x.x.x
11  Enumerate NIC information                       getmac \\x.x.x.x
12  Enumerate internal IP information               epdump x.x.x.x
13  Enumerate trust relationships                   nltest /server:x.x.x.x /trusted_domains
14  Enumerate non-hidden shares                     net view \\x.x.x.x
15  Enumerate all shares                            DUMPSEC (GUI)
16  Enumerate password policy                       enum -Pc
17  All-in-one enumeration tools                    DUMPSEC (GUI)
                                                    enum -UMNSPGLc
                                                    nete /0 (it's a zero)
18  SNMP MIB walk                                   IP Network Browser (GUI)
19  Query Active Directory (AD) via LDAP            ldp (GUI)
    THE GOAL                                        THE SYNTAX
 1  Discover Unix hosts                             nmap -P0 -sT host(s)
                                                    nmap -P0 -sU -p port(s) host(s)
 2  Enumerate service banners                       (refer to "Scanning", step 3)
 3  Fingerprint target's IP stack                   nmap -O host(s)
                                                    nmap -O -p port(s) host(s)
 4  Identify logged on users                        finger -l @x.x.x.x
                                                    rusers -l x.x.x.x
 5  Enumerate additional users via SMTP             # telnet x.x.x.x 25
                                                    vrfy user
                                                    expn user/group
 6  Enumerate additional users via TFTP             # tftp x.x.x.x
                                                    tftp> get /etc/passwd /tmp/passwd.x
                                                    tftp> quit
 7  Enumerate RPC programs                          rpcinfo -p x.x.x.x
 8  Enumerate exported NFS file system(s)           showmount -e x.x.x.x
 9  Explore the exported NFS file system(s)         mount -t nfs x.x.x.x:mount_point /mnt
10  SNMP MIB walk                                   snmpwalk x.x.x.x community_string | more


Use the information acquired from the previous steps to:
  • Guess username/password combinations (manually or automate)
  • Obtain user password data (in the clear or ciphered)
  • Exploit a vulnerable service (
  • Hi-jack a session
  • Social engineer
  • etc...
  Telnet    telnet x.x.x.x
  SSH       ssh x.x.x.x
  Rlogin    rlogin -l user x.x.x.x
  Windows   net use * \\x.x.x.x\share passwd /u:domain\user

or use the following awesome framework




Any access is good...but root/Admin is where it's at! A little more digging may reveal a choice privilege escalation exploit! Remember, you may need to be interactive first...

Once access is gained, there is much to do...
  • Disable logging
  • Clear logs and histories
  • Grab password data
  • Add yourself a user account
  • Review system config files
  • Memory contents?
  • etc...

To truly own the machine, one must gain interactive command execution
  • Seek out services like telnet, rlogin, SSH, MS Terminal Services, etc
  • Back channels rarely disappoint
  • NetCat is the Swiss Army knife of hacking (or should we say Leatherman?)
  • Don't forget about PSEXEC across an Admin connection to a Windows host
  • etc...

Expand your influence...
  • Start the methodology over again from your new vantage point
  • Attack trusts
  • Copy over tools to assist in your expansion efforts
  • Crack passwords gathered thus far
  • Rootkits, Trojans, backdoors
  • Keystroke loggers
  • Sniff traffic
  • Memory contents
  • Sensitive files
  • Enumerate ACLs
  • Use port re-direction to circumvent ACLs
  • Hi-jack sessions
  • Re-use passwords elsewhere!
  • etc...

Covering your tracks well allows for extended stays with little interference
  • Disable logging, IDS, and other security mechanisms
  • Hide tools (obscure directory, attributes, streaming, etc.)
  • Rootkits, Trojans, backdoors
  • Covert channels (Loki, httptunnel, etc.)
  • Spoofed sessions (i.e. STerm)
  • etc...



External Antennas
  • Decibel (dB) - A decibel is the unit of measure for power ratios describing loss or gain, normally expressed in watts. A decibel is not an absolute value; it is the measurement of power gained or lost between two communicating devices. These units are usually given in terms of the logarithm to base 10 of a ratio.
  • dBi value - This is the ratio of the gain of an antenna as compared to an isotropic antenna. The greater the dBi value, the higher the gain. If the gain is high, the angle of coverage will be more acute.
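As an added worked example (not part of the original post), the following Python module carries these definitions through: it converts power ratios to dB and back, converts dBm readings (as NetStumbler reports signal and noise) to milliwatts, and combines transmitter power, cable loss and antenna gain in dBi into an EIRP figure, showing that adding and subtracting dB values is the same as multiplying and dividing the linear powers. The function names and the sample link-budget figures are my own choices.

```python
"""Decibel arithmetic for the antenna figures above.

Added example, not from the original post; function names and the sample
link budget (15 dBm transmitter, 3 dB of cable loss, 9 dBi antenna) are
my own choices.
"""
import math


def db_from_ratio(ratio):
    """Power ratio -> dB: 10 * log10(P_out / P_in). A 1000x gain is +30 dB, half power is about -3 dB."""
    return 10 * math.log10(ratio)


def ratio_from_db(db):
    """dB -> linear power ratio (inverse of db_from_ratio)."""
    return 10 ** (db / 10)


def dbm_to_mw(dbm):
    """dBm is a dB figure referenced to 1 mW, so 0 dBm = 1 mW and 20 dBm = 100 mW."""
    return ratio_from_db(dbm)


def mw_to_dbm(mw):
    """Milliwatts -> dBm (inverse of dbm_to_mw)."""
    return db_from_ratio(mw)


def eirp_dbm(tx_power_dbm, cable_loss_db, antenna_gain_dbi):
    """Radiated power relative to an isotropic radiator, done in dB:
    gains add and losses subtract."""
    return tx_power_dbm - cable_loss_db + antenna_gain_dbi


def eirp_mw(tx_power_mw, cable_loss_db, antenna_gain_dbi):
    """The same budget done in linear units: divide by the loss ratio,
    multiply by the gain ratio. Agrees with eirp_dbm after conversion."""
    return tx_power_mw / ratio_from_db(cable_loss_db) * ratio_from_db(antenna_gain_dbi)


def snr_db(signal_dbm, noise_dbm):
    """Signal-to-noise ratio is the difference of two dBm readings, a pure dB figure."""
    return signal_dbm - noise_dbm


if __name__ == "__main__":
    budget_dbm = eirp_dbm(15, 3, 9)
    budget_mw = eirp_mw(dbm_to_mw(15), 3, 9)
    print(f"EIRP: {budget_dbm:.1f} dBm == {budget_mw:.1f} mW == {mw_to_dbm(budget_mw):.1f} dBm")
    print(f"SNR of a -60 dBm signal over a -95 dBm noise floor: {snr_db(-60, -95)} dB")
```

The two EIRP functions give the same answer (21 dBm, about 126 mW), which is the practical reason radio figures are quoted in dB: a whole chain of gains and losses becomes a sum instead of a product.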
Disable the TCP/IP Stack in Windows to prevent the wireless card from connecting to any network.
  • Untick the checkbox of the Internet Protocol (TCP/IP) in the properties box of the wireless network card
NetStumbler display
  • MAC - Machine Address Code; a unique address for each Ethernet device. Preceding each MAC is a small circular icon showing signal strength
  • SSID - Service Set Identifier; also known as the "Network Name"
  • Name - Access point name. Often blank, as it is not used by all brands of wireless equipment
  • Chan - Channel number the network is operating on. In 802.11b communications, 1 to 14
  • Speed - The reported maximum speed of the network, in megabits per second (Mbps)
  • Vendor - Equipment manufacturer's name or other brand identifier
  • Type - Network type; either AP for access point, or peer for peer-to-peer
  • Encryption - If the wireless traffic is encrypted on the network by the wireless devices, it is marked as WEP, which stands for "Wired Equivalent Privacy"
  • SNR - The RF signal-to-noise ratio; measured in microvolt deciBels (dBm). Only active when in range of a network
  • Signal+ - The maximum RF signal seen from the network device in dBm
  • Noise- - The minimum RF noise reported at the device in dBm
  • SNR+ - The maximum RF signal-to-noise ratio reported at the device in dBm
  • IP Addr - The reported Internet Protocol address, if any
  • Subnet - Any reported network IP subnet, if any
  • Latitude - Latitude as reported by the GPS receiver when NetStumbler saw the network
  • Longitude - Longitude as reported by the GPS receiver when NetStumbler saw the network
  • First Seen - The time when NetStumbler first saw the network
  • Last Seen - The time when NetStumbler last saw the network
  • Signal - The current RF signal level in dBm. Only active when in range of a network
  • Noise - The current RF noise level in dBm. Only active when in range of a network
  • Flags - 802.11 flags from the network in hexadecimal (Base 16) code
  • Beacon Interval - The interval of the beacon broadcast from the AP
  • Distance - The distance to where you were when the best SNR was seen


Default setups of common wireless routers available in the UK:

  Router                                Default SSID      Admin URL   Username   Password
  3Com Office Connect 3CRWE754G72-A     3Com              http://     <blank>    <blank>
  Belkin F5D7630-4A                     belkin54g         http://     <blank>    <blank>
  BT Voyager 2000                       BTVOYAGER         http://
  BT Voyager 2100                       BTVOYAGER2100     http://
  BT Wireless Network 1250              <blank>
  Buffalo AirStation 54Mbps             <blank>
  D-Link DSL-604+                       default           http://
  Intertex IX66 AirSIP                  wireless_gw       http://
  Netgear DG814
  Netgear DG824M                        Wireless          http://
  Netgear DG834G                        NETGEAR           http://
  Linksys WAG-54G                       linksys           http://
  SMC ADSL Barricade 7404WBRA           hub
  Solwise SAR-110
  Solwise SAR-715PV                     Wact1             http://
  U.S. Robotics SureConnect 9106        USR9106           http://
  Vigor 2600                            <blank>
  Westell WireSpeed 2410                Wireless LAN      http://     <blank>    <blank>
