Basic Pen-Test
Module 3 1-2
Copyright 2005, All rights reserved. Not to be reproduced by any means without prior written consent.
Overview
- Chapter 1
- Chapter 2
- Capture the Flag
System Hacking
- Vulnerability mapping
- System hacking: exploits
- Escalate privilege
- Trojan
Capture the Flag
- One victim server
- Divide into groups
- 5 flags to capture
- Bonus flag: extra point
- Use whatever resources are available
Objectives
- Give participants exposure to the basic techniques of penetration testing
- Common attacks and exploits used
- Hands-on training
Why pen-test?
- To assess possible risks
- To make upper management "security aware"
- Remember: 99.9% secure = 100% vulnerable!
- Is our Information Security Policy correctly enforced?
- Can employees compromise workstation security?
- "Are we safe?"
Infrastructure
Limited
Full
Location Time
Standards
Pete Herzog's OSSTMM - "Open Source Security Testing Methodology Manual"
- Very practical approach
- Checklists of what to test and in which order
- List of tools
The OSSTMM
OSSTMM, the Open Source Security Testing Methodology Manual, version 2.2 at www.osstmm.org. Developed by Pete Herzog, it is a living document on how to perform a penetration test. It defines how to go about performing a pen test, but does not go into the actual tools.
Ethical Hacking?
- Get permission first!!!
- The difference between a hacker and a security analyst is PERMISSION
- Without it, it is an offence under the Computer Crimes Act 1997
- Findings are under strict NDAs (Non-Disclosure Agreements)
- No information gathered during the test:
  - is sent in clear text over the Internet
  - is used for personal profit
Code of Ethics
- ISACA Code of Professional Ethics
- (ISC)2 Code of Ethics
Analyzing Applications
- Functional / structural analysis
- Attacking authentication and authorization
- Attacking data and back-end communication
- Attacking clients
Information Gathering
Interesting Fact
http://www.zoneh.org/en/defacements
Hundreds of defacements a day
Part I Footprinting
Footprinting
- Create a complete profile of an organization's security posture
- Domain names, network blocks, and individual IP addresses
- Internet, intranet, remote access, and extranet
Footprinting (cont.)
1. Determine the scope of activities
2. Network enumeration
3. DNS interrogation
4. Network reconnaissance
Example
2. Network Enumeration
- Organizational
- Domain
- Network
- Person of Contact (POC)
IANA
Internet Assigned Numbers Authority. The address space delegated to the various regional registries is listed at http://www.iana.org/assignments/ipv4-address-space
- APNIC - Asia Pacific
- ARIN - North America
- RIPE NCC - Europe
Organizational Query
- InterNIC database
- whois: standard Unix tool

[nazri@ns nazri]$ whois "Universiti Teknologi Malaysia"@whois.arin.net
[whois.arin.net]
Universiti Teknologi Malaysia (JB-HST)       JB.UTM.MY    161.139.16.2
Universiti Teknologi Malaysia (KL-HST)       KL.UTM.MY    161.139.168.168
Universiti Teknologi Malaysia (NET-UTMNET)   UTMNET       161.139.0.0
Network Query
whois <IP-Address>@whois.arin.net
whois <IP-Address>@whois.apnic.net
whois <IP-Address>@whois.geektools.com
Example
3. DNS Interrogation
- Name server lookup
- Using nslookup we can request a zone transfer to get information about the other servers in the DNS zone
- Zone transfer tools: nslookup, host
- Mail Exchange (MX) records
What is DNS?
Domain Name System: translates host names like www.scanassociates.net into numerical IP addresses, like 219.93.36.235. Each node on the tree represents a domain, and everything below a node falls into its domain, e.g. chichi.us.com and windy.us.com both fall under us.com, while them.com is a separate domain under com.
Zone Transfer
- A zone defines the structure of a network
- It provides information about the inside of the network:
  - IP of the web server (if any)
  - IP of the mail server (if any)
  - IP of the test server (if any)
  - IP of other servers
- Use nslookup to copy the zone from the destination name server
nslookup
[root@ns scan]# nslookup
Default Server:  ns.scan.utm.my
Address:  161.139.189.189

> server ns1.host.net.my
Default Server:  ns1.host.net.my
Address:  202.184.190.1

> set type=any
> ls -d host.net.my > zone.out

IP addresses and host names in this example have been altered. Most Linux/Solaris builds of nslookup no longer accept the ls command; BSD still does. The transfer only works if the name server allows zone transfers to your address.
nslookup (cont.)
[root@ns scan]# more zone.out
> ls -d host.com.my.
[ns1.host.net.my]
$ORIGIN host.com.my.
@                      6H IN SOA   fwgitn ns1.host.net.my. (
                                                   ; serial
                                       2H          ; refresh
                                       30M         ; retry
                                       5D          ; expiry
                                       6H )        ; minimum
                       6H IN NS    fwgitn
                       6H IN NS    ns1.host.net.my.
                       6H IN A     202.184.190.69
                       6H IN MX    5 @
                       6H IN A     202.184.190.1
                       6H IN A     202.184.190.99
                       6H IN A     127.0.0.1
                       6H IN A     202.184.190.69
                       6H IN A     202.187.32.118
                       6H IN MX    10 test
                       6H IN MX    20 202.187.32.118
helpdesk1              6H IN A
helpdesk               6H IN A
www                    6H IN A
gsb_oa                 6H IN A
fwgitn                 6H IN A
@                      6H IN SOA

A public zone that hands out 127.0.0.1 for a name and carries an MX named test is exactly the kind of detail a tester notes for later: it points at internal or forgotten hosts.
Online nslookup
http://centralops.net/co/
host
[sam@ns1 sam]$ host -l mod.gov.my 202.185.193.1
ns.3div.mod.gov.my has address 219.93.4.2
acass.mod.gov.my has address 202.185.193.35
army.mod.gov.my has address 202.185.193.220
btmk.mod.gov.my has address 202.185.193.158
egdms.mod.gov.my has address 202.185.193.24
iqrak.mod.gov.my has address 202.185.193.98
komlek.mod.gov.my has address 202.185.193.165
library.mod.gov.my has address 202.185.193.100
lima.mod.gov.my has address 202.185.193.155
maf.mod.gov.my has address 202.185.193.29
mafca.mod.gov.my has address 202.185.193.102
mdic.mod.gov.my has address 202.185.193.22
moddns.mod.gov.my has address 202.185.193.1
modldap.mod.gov.my has address 202.185.193.17
modmail.mod.gov.my has address 202.185.193.12
Testing?
[root@ns HOST]# grep -i test zone.out | wc -l
2
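The grep above answers one question (are there hosts called "test"?). The script below, an added example that is not part of the original course material, parses a saved `ls -d` listing like the one on the previous slides into records and runs the three checks a tester actually wants: names that smell like test/dev boxes, addresses that are not publicly routable (127.0.0.1 or RFC 1918 space leaking through a public zone), and the mail hosts. The sample zone is constructed for the example; the owner names and addresses in it are made up. If your nslookup refuses the ls command, `dig axfr host.net.my @ns1.host.net.my` saves the same data in the same layout.

```python
import ipaddress
import re

# Constructed sample in the layout nslookup's "ls -d" writes (not the page's zone.out);
# owner names and addresses are invented for the example.
SAMPLE_ZONE = """\
[ns1.host.net.my]
$ORIGIN host.com.my.
@                       6H IN SOA   fwgitn ns1.host.net.my. (
                                        2005051701  ; serial
                                        2H          ; refresh
                                        30M         ; retry
                                        5D          ; expiry
                                        6H )        ; minimum
                        6H IN NS    fwgitn
                        6H IN NS    ns1.host.net.my.
                        6H IN MX    5 @
                        6H IN MX    10 test
                        6H IN A     202.184.190.69
www                     6H IN A     202.184.190.1
test                    6H IN A     202.184.190.99
testdb                  6H IN A     127.0.0.1
helpdesk                6H IN A     202.184.190.99
fwgitn                  6H IN A     202.184.190.69
"""

# owner (blank means "same as the previous record"), TTL, class IN, type, rdata
RECORD_RE = re.compile(r"^(?P<owner>\S*)\s+(?P<ttl>\S+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>.+)$")

# Name fragments that usually mean a less-maintained machine
KEYWORDS = ("test", "dev", "staging", "backup", "tmp")


def qualify(name, origin):
    """Turn a zone-file name into a fully qualified name without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1]
    return f"{name}.{origin}"


def parse_zone(text):
    """Return [(owner_fqdn, rtype, rdata)] from an `ls -d` listing; SOA continuation lines are skipped."""
    origin, last_owner, records = "", "@", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop "; serial" style comments
        if not line.strip() or line.startswith("["):
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = RECORD_RE.match(line)
        if not m:
            continue                                   # "2H ; refresh" etc. carry no record
        owner = m.group("owner") or last_owner
        last_owner = owner
        rtype, rdata = m.group("rtype"), m.group("rdata").strip()
        if rtype in ("NS", "CNAME"):
            rdata = qualify(rdata, origin)
        elif rtype == "MX":
            pref, target = rdata.split()
            rdata = f"{pref} {qualify(target, origin)}"
        records.append((qualify(owner, origin), rtype, rdata))
    return records


def triage(records):
    """The checks a tester runs over the listing: suspicious names, non-routable addresses, mail hosts."""
    a_records = [(owner, rdata) for owner, rtype, rdata in records if rtype == "A"]
    by_keyword = sorted({owner for owner, _ in a_records
                         if any(k in owner.split(".")[0] for k in KEYWORDS)})
    # loopback or RFC 1918 space in a public zone leaks internal addressing
    non_global = sorted((owner, addr) for owner, addr in a_records
                        if not ipaddress.ip_address(addr).is_global)
    mail_hosts = sorted(rdata.split()[1] for _, rtype, rdata in records if rtype == "MX")
    return {"hosts": len(a_records), "by_keyword": by_keyword,
            "non_global": non_global, "mx": mail_hosts}


if __name__ == "__main__":
    for key, value in triage(parse_zone(SAMPLE_ZONE)).items():
        print(f"{key}: {value}")
```

Feed it a real zone.out in place of SAMPLE_ZONE and the same functions apply; the owner-inheritance rule (a blank owner column means "same name as the line above") is what makes the nslookup layout parse correctly.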
4. Network Reconnaissance
Tracerouting
- Determine the target's network topology as well as potential access paths into the network
- traceroute (UDP probes by default)
- traceroute -I (ICMP echo probes, useful when UDP is filtered)
traceroute
traceroute to www.shell.com (134.146.83.23), 30 hops max, 38 byte packets
 1  192.168.169.254 (192.168.169.254)  26.150 ms  3.504 ms  1.501 ms
 2  202.157.201.57 (202.157.201.57)  258.474 ms  131.664 ms  37.266 ms
 3  202.157.193.29 (202.157.193.29)  59.062 ms  38.859 ms  52.235 ms
 4  202.157.192.161 (202.157.192.161)  49.355 ms  47.173 ms  118.075 ms
 5  202.157.200.5 (202.157.200.5)  247.272 ms  276.970 ms  291.244 ms
 6  if-9-0-0.bb1.losangeles2.teleglobe.net (64.86.146.69)  256.115 ms  287.776 ms  234.535 ms
 7  if-5-0.core1.losangeles2.teleglobe.net (64.86.80.66)  202.312 ms  317.045 ms  285.051 ms
 8  if-3-0.core1.LosAngeles.Teleglobe.net (64.86.83.133)  258.911 ms  261.437 ms  341.887 ms
 9  if-6-0.core1.SanJose.Teleglobe.net (207.45.193.85)  248.290 ms  232.595 ms  232.568 ms
10  if-2-0.core2.SanJose.Teleglobe.net (64.86.82.197)  272.511 ms  338.878 ms  *
11  ix-4-0.core2.SanJose.teleglobe.net (66.198.96.2)  249.668 ms  237.584 ms  304.125 ms
12  0.so-0-1-0.XL1.SCL2.ALTER.NET (152.63.56.246)  347.472 ms  238.817 ms  358.732 ms
13  0.so-3-0-0.TL1.SAC1.ALTER.NET (152.63.53.250)  231.782 ms  330.669 ms  246.005 ms
14  0.so-7-0-0.IL1.NYC9.ALTER.NET (152.63.9.245)  394.607 ms  361.370 ms  346.364 ms
15  0.so-1-0-0.IR1.NYC12.ALTER.NET (152.63.23.62)  357.346 ms  301.236 ms  304.402 ms
16  so-5-1-0.TR1.AMS2.ALTER.NET (146.188.3.230)  443.982 ms  561.896 ms  398.444 ms
17  so-5-0-0.XR1.AMS6.ALTER.NET (146.188.8.77)  534.686 ms  459.494 ms  470.410 ms
18  pos1-0.gw5.ams6.alter.net (146.188.4.6)  520.899 ms  496.061 ms  482.176 ms
19  shells2-gw.customer.NL.UU.net (213.53.38.194)  548.650 ms  397.988 ms  396.365 ms
20  134.146.0.8 (134.146.0.8)  556.646 ms  *  421.775 ms
21  www.shell.com (134.146.83.23)  447.134 ms  476.217 ms  397.094 ms

The router names carry the information: hops 6-18 identify the carriers (Teleglobe, UUNET), and hop 19, "shells2-gw.customer.NL.UU.net", is the customer gateway, so hop 20 is the first device inside the target's own address space.
VisualRoute
- www.visualroute.com
- Graphically maps the path to the destination
http://navy.mod.gov.my
Network Scanning
- Knocking on the walls to find all the doors and windows
- Determine which systems are alive and reachable from the Internet
Network Scanning (cont.)
1. Ping sweeps
2. Port scanning
3. Operating system detection
4. Automated discovery tools
1. Ping Sweeps
- Sweep a range of IP addresses or a range of network blocks
- Send ICMP ECHO REQUEST (type 8); a live host answers with ECHO REPLY (type 0)
- In a nutshell: quickly ping each destination and see which ones reply
- Tells you whether a host is up, as long as ICMP is not filtered on the way
ping options (Windows)
  -t             Ping the specified host until interrupted.
  -a             Resolve addresses to hostnames.
  -n count       Number of echo requests to send.
  -l size        Send buffer size.
  -f             Set Don't Fragment flag in packet.
  -i TTL         Time To Live.
  -v TOS         Type Of Service.
  -r count       Record route for count hops.
  -s count       Timestamp for count hops.
  -j host-list   Loose source route along host-list.
  -k host-list   Strict source route along host-list.
  -w timeout     Timeout in milliseconds to wait for each reply.
Example
F:\>ping 192.168.1.254

Pinging 192.168.1.254 with 32 bytes of data:

Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255
Reply from 192.168.1.254: bytes=32 time<1ms TTL=255

Ping statistics for 192.168.1.254:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Example
This site filters ICMP

F:\>ping 202.185.193.1

Pinging 202.185.193.1 with 32 bytes of data:

Reply from 202.185.193.1: bytes=32 time=4118ms TTL=243
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 202.185.193.1:
    Packets: Sent = 4, Received = 1, Lost = 3 (75% loss),
Approximate round trip times in milli-seconds:
    Minimum = 4118ms, Maximum = 4118ms, Average = 4118ms

One reply did get through, so the host is up and ICMP is being rate-limited or dropped somewhere on the path rather than the host being down. A sweep that only trusts ping would miss this machine; confirm with a TCP probe.
nmap
- http://www.insecure.org/
- Nmap ("Network Mapper") is an open source utility for network exploration or security auditing
- Can be used to do a ping sweep looking for active hosts
nmap (cont.)
http://www.insecure.org/
Installation, two options:
1. RPM
2. Compile from source
nmap (cont.)
nmap -sP 203.106.5.224-255

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Host  (203.106.5.225) appears to be up.
Host  (203.106.5.226) appears to be up.
Host  (203.106.5.227) appears to be up.
Host www.scan-associates.net (203.106.5.228) appears to be up.
Host  (203.106.5.231) appears to be up.
Host  (203.106.5.241) appears to be up.
Host  (203.106.5.254) appears to be up.
Host  (203.106.5.255) seems to be a subnet broadcast address (returned 1 extra pings).
Nmap run completed -- 32 IP addresses (7 hosts up) scanned in 72 seconds
2. Port Scanning
- The process of looking for running services on a host
- Telnet, FTP, SSH, WWW are all services
- Port scanning tells us whether a host is running these services
- It also finds ports opened by a Trojan horse (backdoor)
Port Scanning (cont.)
Favorite ports:
  www                80
  ftp                21
  telnet             23
  Windows sharing    139
  DNS                53
  RPC                111
netcat
- Written by Hobbit (hobbit@avian.org)
- Can be downloaded from many security sites, e.g. http://packetstorm.decepticons.org/
- Renowned as the "Swiss army knife" of networking
- Many features; can be used for port scanning
netcat (cont.)
Default: TCP
  nc -v -z -w2 <IP> <Port>-<Port>
  nc -v -z -w2 203.106.5.224 1-1024
UDP
  nc -v -u -z -w2 203.106.5.224 1-1024

-z sends no data (scan only), -w2 gives each port two seconds. Treat the UDP results with care: an open UDP port usually sends nothing back, so netcat can only call a port closed when an ICMP port-unreachable arrives, and reports everything else as open.
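The TCP side of what `nc -z -w2` does is a plain connect() per port, which is easy to reproduce and extend. The script below is an added example written for this page, not code from the course or from netcat; it probes ports concurrently and keeps the three outcomes apart that a single "open/not open" answer hides: a RST back means closed (host up, nothing listening), a timeout means filtered (something is dropping the SYN), and a completed handshake means open. The listener it starts on 127.0.0.1 is a constructed target so the scan can run offline; the port names come from the slides' favorite-ports table.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# The slides' favorite ports, used for naming in the report (ssh added)
FAVORITE_PORTS = {21: "ftp", 22: "ssh", 23: "telnet", 53: "dns", 80: "www", 111: "rpc", 139: "netbios-ssn"}


def probe(host, port, timeout=2.0):
    """One full TCP connect, like `nc -z -w2`, but distinguishing the three outcomes."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"      # RST came back: host is up, nothing listens here
        except socket.timeout:
            return "filtered"    # nothing came back within the timeout: SYN was dropped
        except OSError as exc:
            return f"error:{exc.errno}"
    return "open"


def scan(host, ports, timeout=2.0, workers=32):
    """Probe the ports concurrently and return {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def report(host, results, names=FAVORITE_PORTS):
    """nc -v style lines for the open ports only."""
    return [f"{host} {port} ({names.get(port, '?')}) open"
            for port, state in sorted(results.items()) if state == "open"]


# --- constructed target so the example has something to find offline -------------------

def start_listener(host="127.0.0.1"):
    """Bind an ephemeral port and accept-and-close in a thread; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(16)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:       # listener was closed
                return
            conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv, port


def free_port(host="127.0.0.1"):
    """A port nothing listens on (bound, then released) to show the 'closed' outcome."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    results = scan("127.0.0.1", [open_port, free_port()] + list(FAVORITE_PORTS))
    for port, state in sorted(results.items()):
        print(port, state)
    print("\n".join(report("127.0.0.1", results)))
    srv.close()
```

Against a real target the "filtered" column is the useful one: a block of ports that all time out while others answer with RST is a firewall policy showing through, which a plain open-port list never reveals.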
SuperScan
- Port scan and fingerprinting
- User-friendly report in HTML format
- Can do simple password brute force
3. OS Detection
- Identify the type of operating system
- Useful during the vulnerability-mapping phase
- Technique: stack fingerprinting
nmap
Port scanner + OS detection
  nmap -O <IP Address>
Example:
  nmap -O localhost
http://www.netcraft.com
Exercise
telnet www.victim.gov.my 80
Type:
  HEAD / HTTP/1.0 <enter>
  <enter>
Answer
C:\Documents and Settings\ennie\My Documents>telnet www.mod.gov.my 80

HTTP/1.0 200 OK
Date: Tue, 17 May 2005 06:42:23 GMT
Content-Type: text/html
Server: Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e
X-Powered-By: PHP/4.3.10
Via: 1.1 NetCache (NetCache NetApp/5.6.2D4)

The Via header shows a NetCache proxy sitting in front of the site, so the Server and X-Powered-By lines describe the origin server behind it, and the address you connected to may not be the machine running Apache.
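Typing the HEAD request by hand works for one host; the script below does the same exchange programmatically and pulls out what you would write into the report. It is an added example for this page, not code from the course: it sends the exact bytes the exercise types, splits the status line from the headers, breaks the Server banner into product/version pairs, and flags a Via header as evidence of a proxy. The local server it starts is constructed for the example and answers with the banner from the Answer slide so the whole thing runs offline.

```python
import re
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PRODUCT_RE = re.compile(r"([A-Za-z_][\w.-]*)/([\w.-]+)")   # name/version tokens in a Server banner


def head_request(host, port, timeout=5.0):
    """Send exactly what the exercise types by hand; return (status_line, {header: value})."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
        raw = b""
        while b"\r\n\r\n" not in raw:          # read until the blank line that ends the headers
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_products(server_value):
    """'Apache/1.3.33 (Unix) PHP/4.3.10' -> [('Apache', '1.3.33'), ('PHP', '4.3.10')]."""
    return PRODUCT_RE.findall(server_value)


def fingerprint(host, port):
    """What a tester records from the banner: status, product versions, and whether a proxy answered."""
    status, headers = head_request(host, port)
    return {
        "status": status,
        "products": parse_products(headers.get("server", "")),
        "powered_by": headers.get("x-powered-by"),
        "proxy": headers.get("via"),          # a Via header means a cache/proxy sits in the path
    }


# --- constructed target: a local server answering with the banner from the Answer slide ---

BANNER = "Apache/1.3.33 (Unix) mod_gzip/1.3.26.1a PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e"


class FakeApache(BaseHTTPRequestHandler):
    def version_string(self):        # controls the Server: header that send_response() emits
        return BANNER

    def do_HEAD(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Powered-By", "PHP/4.3.10")
        self.send_header("Via", "1.1 NetCache (NetCache NetApp/5.6.2D4)")
        self.end_headers()

    def log_message(self, *args):    # keep the example quiet
        pass


def start_fake_server(host="127.0.0.1"):
    srv = HTTPServer((host, 0), FakeApache)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_server()
    print(fingerprint("127.0.0.1", port))
    srv.shutdown()
```

Point `fingerprint()` at a real host and port instead of the fake server to use it during an engagement; the product list is what you carry into the vulnerability-mapping phase, and a non-empty "proxy" value is the reminder that the banner may belong to a different box than the one you scanned.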
winfingerprint
http://winfingerprint.sourceforge.net
WinFingerPrint determines the OS and role using SMB queries:
- PDC (Primary Domain Controller)
- BDC (Backup Domain Controller)
- NT member server / workstation
- SQL Server
- Novell NetWare server
- Windows for Workgroups / Windows 9x
- DOMAIN\NetBIOS name
- Checks the service pack level
Cheops
Enumeration
- Extract valid account or exported resource names
- More intrusive than scanning: involves active connections and directed queries
Enumerated Information
- Network resources and shares
- Users and groups
- Applications and banners
Windows
Domains with net view
  C:\>net view /domain
  C:\>net view /domain:<domain-name>
NetBIOS shares
  C:\>net view \\<host-name>
NetBIOS Auditing Tool (NAT)
NetBIOS info: nbtdump
Windows (cont.)
User and group enumeration
  C:\>nbtstat -A <IP-Address>
Null sessions (anonymous connection to the IPC$ share, empty user name and password)
  C:\>net use \\192.168.1.33\IPC$ "" /u:""
Application and banner enumeration
  telnet, netcat