

@MrMugiwara
Last active June 30, 2024 14:46

Revisions

  1. MrMugiwara revised this gist Jun 22, 2017. 1 changed file with 21 additions and 22 deletions.
    43 changes: 21 additions & 22 deletions NetSecCheck.md
    @@ -12,17 +12,17 @@ Here are some quick tools and test cases that one can perform on commonly found


    # Identify live hosts<br>
    Ping
    Hping
    Nmap
    Ping
    Hping
    Nmap
    # Identify OS type<br>
    Nmap
    Xprobe2
    Banner grabbing using telnet, nc (netcat)
    Nmap
    Xprobe2
    Banner grabbing using telnet, nc (netcat)
    # Port scan Nmap full SYN scan with verbose mode and service detection and disabling ping scan. <br>Export normal and greppable output for future use.<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN
    # Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
    Nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
    # VA (Vulnerability Assessment)<br>
    Use nessus with below profile<br>
    DoS disabled<br>
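Review bot: the "top 1000 UDP scan" command in this hunk never sends a UDP probe: both versions of the line end in `-sS`, a TCP SYN scan, so `nmap_grepable_UDP` will hold TCP results for the top 1000 TCP ports. It needs `-sU`, and the only edit to the line (`nmap` vs `Nmap`) should settle on lowercase, because `nmap` is the binary name on Linux and a capitalised `Nmap` fails with "command not found". Suggested: `nmap -Pn -sU --top-ports 1000 -sV X.X.X.X -v -oG nmap_grepable_UDP -oN nmap_normal_UDP` (`--top-ports 1000` is the documented spelling of `-top-ports=1000`).
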
    @@ -35,20 +35,19 @@ o Use Nexpose<br>
    o Use OpenVAS<br>
    o Use nmap scanner on specific open ports using below command.<br>
    # For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:<br>
    Nmap -Pn -sS -p22 --script ssh* -v
    Nmap -Pn -sS -p22 --script ssh* -v
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.<br>
    # Audit SSL<br>
    Use openssl, sslyze tools to find below issues within SSL.<br>
    Self-signed certificate<br>
    SSL version 2 and 3 detection<br>
    Weak hashing algorithm<br>
    Use of RC4 and CBC ciphers<br>
    Logjam issue<br>
    Sweet32 issue<br>
    Certificate expiry<br>
    Openssl ChangeCipherSec issue<br>
    POODLE vulnerability<br>
    Openssl heartbleed issue<br>
    # Audit SSL<br> Use openssl, sslyze tools to find below issues within SSL.<br>
    Self-signed certificate
    SSL version 2 and 3 detection
    Weak hashing algorithm
    Use of RC4 and CBC ciphers
    Logjam issue
    Sweet32 issue
    Certificate expiry
    Openssl ChangeCipherSec issue
    POODLE vulnerability
    Openssl heartbleed issue<br>
    · Check for default passwords in server/device/service documentation<br>
    o Lets say during your port scan or VA you found some services <br>
    running on the server for example: cisco, brocad fabric OS, sonicwall firewall, apache tomcat manager. <br>
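Review bot: the "Audit SSL" block in this hunk folds the heading and its first sentence onto one line (`# Audit SSL<br> Use openssl, sslyze tools to find below issues within SSL.<br>`), so the whole sentence becomes H1 text; keep `# Audit SSL` on its own line. Two content fixes in the same list: "Openssl ChangeCipherSec issue" should read "ChangeCipherSpec (CCS injection)", and "Use of RC4 and CBC ciphers" overstates the CBC case: CBC suites are a finding when offered with SSLv3/TLS 1.0 (POODLE, BEAST) or when no AEAD suites are available, not on their own, so the checklist should say which condition it is testing for.
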
    @@ -60,7 +59,7 @@ o DNS (53) UDP<br>
    Check for zone transfer<br>
    Bruteforce subdomain using fierce tool<br>
    # Run all nmap scripts using following command: <br>
    nmap -Pn -sU -p53 --script dns* -v
    nmap -Pn -sU -p53 --script dns* -v
    Banner grabbing and finding publicly known exploits<br>
    # Check for DNS amplification attack<br>
    o SMTP (25) TCP<br>
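Review bot: the `--script dns*` wildcard in this hunk also matches `dns-brute` and `dns-fuzz`, which are noisy or actively fuzz the resolver; for an enumeration pass prefer an explicit list such as `--script 'dns-zone-transfer,dns-recursion,dns-nsid'`. `dns-recursion` is also the direct test for the "Check for DNS amplification attack" item two lines below, since an open recursive resolver is the precondition for amplification; the line should name that check rather than leave it as a bare heading.
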
    @@ -70,7 +69,7 @@ o SMTP (25) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    Send modified cryptors and check if SMTP gateway is enable to detect and block it?<br>
    # Run all nmap script using following command: <br>
    nmap -Pn -sS -p25 --script smtp* -v
    nmap -Pn -sS -p25 --script smtp* -v
    o SNMP (161) UDP<br>
    Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.<br>
    Banner grabbing and finding publicly known exploits<br>
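Review bot: "Send modified cryptors and check if SMTP gateway is enable to detect and block it?" is unclear: "enable" should be "able", and the line should say what is sent (for example an EICAR test file or a known packed sample) and that sending it must be inside the agreed scope. The `--script smtp*` line just below it matches `smtp-brute` and `smtp-open-relay` as well as the enumeration scripts; `smtp-open-relay` actually attempts to relay test mail, so it should be run deliberately rather than pulled in by the wildcard.
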
  2. MrMugiwara revised this gist Jun 22, 2017. 1 changed file with 12 additions and 13 deletions.
    25 changes: 12 additions & 13 deletions NetSecCheck.md
    @@ -12,18 +12,17 @@ Here are some quick tools and test cases that one can perform on commonly found


    # Identify live hosts<br>
    o Ping<br>
    o Hping<br>
    o Nmap<br>
    Ping
    Hping
    Nmap
    # Identify OS type<br>
    o Nmap<br>
    o Xprobe2<br>
    o Banner grabbing using telnet, nc (netcat)<br>
    # Port scan<br>
    Nmap full SYN scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN<br>
    Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP<br>
    Nmap
    Xprobe2
    Banner grabbing using telnet, nc (netcat)
    # Port scan Nmap full SYN scan with verbose mode and service detection and disabling ping scan. <br>Export normal and greppable output for future use.<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN
    # Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
    # VA (Vulnerability Assessment)<br>
    Use nessus with below profile<br>
    DoS disabled<br>
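Review bot: dropping the `<br>` tags and `o ` markers from the tool lists (`Ping`/`Hping`/`Nmap`, `Nmap`/`Xprobe2`/`Banner grabbing using telnet, nc (netcat)`) makes Markdown join those lines into a single paragraph ("Ping Hping Nmap"); use `- ` list items instead. Folding the description into the heading (`# Port scan Nmap full SYN scan with verbose mode ...`) has the same problem in reverse: the whole sentence becomes H1 text. Keep `# Port scan` on its own line and put each nmap command in a fenced code block, which also removes the need for trailing `<br>`.
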
    @@ -35,8 +34,8 @@ o Banner grabbing using telnet, nc (netcat)<br>
    o Use Nexpose<br>
    o Use OpenVAS<br>
    o Use nmap scanner on specific open ports using below command.<br>
    For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:<br>
    Nmap -Pn -sS -p22 --script ssh* -v<br>
    # For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:<br>
    Nmap -Pn -sS -p22 --script ssh* -v
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.<br>
    # Audit SSL<br>
    Use openssl, sslyze tools to find below issues within SSL.<br>
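Review bot: the `Nmap -Pn -sS -p22 --script ssh* -v` example in this hunk will not run as written: the binary is lowercase `nmap`, no target host is given, and the unquoted `ssh*` is expanded by the shell whenever a file in the current directory starts with `ssh` (nmap then receives filenames, not a script pattern). Suggested: `nmap -Pn -sS -p22 --script 'ssh*' -v X.X.X.X`. The sentence after it ("you can use * in order to run all scripts that starts with the 'ssh' keyword") should also say that the pattern includes `ssh-brute`, which performs password guessing, so a wildcard run is not a passive check.
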
  3. MrMugiwara revised this gist Jun 22, 2017. 1 changed file with 67 additions and 68 deletions.
    135 changes: 67 additions & 68 deletions NetSecCheck.md
    @@ -21,9 +21,9 @@ o Xprobe2<br>
    o Banner grabbing using telnet, nc (netcat)<br>
    # Port scan<br>
    Nmap full SYN scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN<br>
    Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP<br>
    # VA (Vulnerability Assessment)<br>
    Use nessus with below profile<br>
    DoS disabled<br>
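Review bot: the two command lines in this hunk are unchanged apart from whitespace, so this is a no-op edit; if the intent was to fix rendering, the durable fix is to move each nmap command into a fenced code block rather than end it with `<br>`. While touching these lines: `-oG ... -oN ...` can be replaced by `-oA nmap_SYN` (and `-oA nmap_UDP`), which writes normal, greppable and XML output in one go; the XML file is what the scanners named in the next section (Nessus, Nexpose, OpenVAS) and Metasploit import, so it is the one worth keeping "for future use".
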
    @@ -36,7 +36,7 @@ o Use Nexpose<br>
    o Use OpenVAS<br>
    o Use nmap scanner on specific open ports using below command.<br>
    For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:<br>
    Nmap -Pn -sS -p22 --script ssh* -v<br>
    Nmap -Pn -sS -p22 --script ssh* -v<br>
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.<br>
    # Audit SSL<br>
    Use openssl, sslyze tools to find below issues within SSL.<br>
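Review bot: the SSH example in this hunk is unchanged apart from whitespace, and it duplicates the command given again under the SSH (22) entry later in the file; keep it in one place and refer to it from the other. The sentence "In case if you are not sure about exact script name you can use *" would be better served by `nmap --script-help 'ssh*'`, which lists exactly which scripts a pattern selects before anything is run, so the reader can see that `ssh*` includes `ssh-brute` and `sshv1` and decide whether that is wanted.
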
    @@ -60,8 +60,8 @@ o DNS (53) UDP<br>
    # Examine domain name system (DNS) using dnsenum, nslookup, dig and fierce tool<br>
    Check for zone transfer<br>
    Bruteforce subdomain using fierce tool<br>
    Run all nmap scripts using following command: <br>
    nmap -Pn -sU -p53 --script dns* -v<br>
    # Run all nmap scripts using following command: <br>
    nmap -Pn -sU -p53 --script dns* -v
    Banner grabbing and finding publicly known exploits<br>
    # Check for DNS amplification attack<br>
    o SMTP (25) TCP<br>
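Review bot: turning "Run all nmap scripts using following command:" into a `#` line makes it an H1 heading at the same level as "Examine domain name system (DNS) ..."; these are steps, not sections, so they should be list items. Content point for the same block: zone transfers (AXFR) run over TCP 53, but the entry is titled "DNS (53) UDP" and the nmap line uses `-sU`, so `dns-zone-transfer` never fires from that command. Add a TCP pass (`nmap -Pn -sS -p53 --script dns-zone-transfer X.X.X.X`) or check directly with `dig axfr <zone> @X.X.X.X`, which fits the `dig` reference already on the first line.
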
    @@ -70,8 +70,8 @@ o SMTP (25) TCP<br>
    Check for username enumeration using VRFY command<br>
    Banner grabbing and finding publicly known exploits<br>
    Send modified cryptors and check if SMTP gateway is enable to detect and block it?<br>
    Run all nmap script using following command: <br>
    nmap -Pn -sS -p25 --script smtp* -v<br>
    # Run all nmap script using following command: <br>
    nmap -Pn -sS -p25 --script smtp* -v
    o SNMP (161) UDP<br>
    Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.<br>
    Banner grabbing and finding publicly known exploits<br>
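Review bot: "Check for default community strings 'public' & 'private' using snmpwalk and snmpenum.pl script" needs the SNMP version spelled out, since `snmpwalk` does not default usefully: `snmpwalk -v2c -c public X.X.X.X` (and `-v1`) is the community-string test, and it only applies to SNMPv1/v2c. An SNMPv3 agent has no community string at all; for it the check is whether the configured user uses `noAuthNoPriv`, or weak auth/priv protocols, which this line does not cover.
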
    @@ -86,8 +86,8 @@ o SSH (22) TCP<br>
    Check if that supports sshv1 or not.<br>
    Bruteforce password using hydra and medusa<br>
    Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse nmap script.<br>
    Run all nmap scripts using following command:<br>
    nmap -Pn -sS -p22 --script ssh* -v<br>
    # Run all nmap scripts using following command:<br>
    nmap -Pn -sS -p22 --script ssh* -v
    o Cisco VPN (500) UDP<br>
    Check for aggressive and main mode enable using ikescan tool.<br>
    Enumeration using ikeprobe tool<br>
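Review bot: "Check for aggressive and main mode enable using ikescan tool" should name the finding precisely: main mode is the normal IKEv1 exchange, so the issue is aggressive mode, which with PSK authentication returns a hash of the pre-shared key that can be cracked offline (the tool is spelled `ike-scan`; `ike-scan -A -P --id=test X.X.X.X` captures the hash for `psk-crack`). Two lines up, "Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse" needs the criteria: the script only lists what the server offers, so the checklist should say which entries count as weak (for example `arcfour*`, `*-cbc`, `hmac-md5`, `hmac-sha1-96`) to turn its output into a finding.
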
    @@ -98,97 +98,96 @@ o SMB (445,137,139) TCP<br>
    Check for SMB related vulnerability using ‘smb-check-vulns’ nmap script.<br>
    Reference: https://myexploit.wordpress.com/control-smb-445-137-139/<br>
    o FTP (21) TCP<br>
    Run all nmap script using following command:<br>
    nmap -Pn -sS -p21 --script ftp* -v<br>
    # Run all nmap script using following command:<br>
    nmap -Pn -sS -p21 --script ftp* -v
    # Check for cleartext password submission for ftp login<br>
    # Check for anonymous access using username and password as anonymous:anonymous<br>
    Banner grabbing and finding publicly known exploits<br>
    Bruteforce FTP password using hydra and medusa<br>
    Bruteforce FTP password using hydra and medusa<br>
    o Telnet (23) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    Bruteforce telnet password<br>
    Run following nmap scripts<br>
    · telnet-brute.nse<br>
    · telnet-encryption.nse<br>
    · telnet-ntlm-info.nse<br>
    # Run following nmap scripts<br>
    telnet-brute.nse
    telnet-encryption.nse
    telnet-ntlm-info.nse
    o TFTP (69) UDP<br>
    # TFTP Enumeration<br>
    · tftp ip_address PUT local_file<br>
    · tftp ip_address GET conf.txt (or other files)<br>
    · tftp – i GET /etc/passwd (old Solaris)<br>
    tftp ip_address PUT local_file
    tftp ip_address GET conf.txt (or other files)
    tftp – i GET /etc/passwd (old Solaris)
    Bruteforce TFTP using TFTP bruteforcer tool<br>
    Run tftp-enum.nse nmap script<br>
    Banner grabbing and finding publicly known exploits<br>
    o RPC (111) TCP/UDP<br>
    Run following nmap scripts<br>
    · bitcoinrpc-info.nse<br>
    · metasploit-msgrpc-brute.nse<br>
    · metasploit-xmlrpc-brute.nse<br>
    · msrpc-enum.nse<br>
    · nessus-xmlrpc-brute.nse<br>
    · rpcap-brute.nse<br>
    · rpcap-info.nse<br>
    · rpc-grind.nse<br>
    · rpcinfo.nse<br>
    · xmlrpc-methods.nse<br>
    # Run following nmap scripts<br>
    bitcoinrpc-info.nse
    metasploit-msgrpc-brute.nse
    metasploit-xmlrpc-brute.nse
    msrpc-enum.nse
    nessus-xmlrpc-brute.nse
    rpcap-brute.nse
    rpcap-info.nse
    rpc-grind.nse
    rpcinfo.nse
    xmlrpc-methods.nse
    # Perform RPC enumeration using rcpinfo tool<br>
    # Check for the NFS folders so that data could be exported using showmount -e command.<br>
    o NTP (123) UDP<br>
    # Perform NTP enumeration using below commands:<br>
    · ntpdc -c monlist IP_ADDRESS<br>
    · ntpdc -c sysinfo IP_ADDRESS<br>
    Run all nmap scripts using :<br>
    nmap -Pn -sS -p21 --script ntp* -v<br>
    ntpdc -c monlist IP_ADDRESS
    ntpdc -c sysinfo IP_ADDRESS
    # Run all nmap scripts using :<br>
    nmap -Pn -sS -p21 --script ntp* -v
    o HTTP/HTTPs (443,80,8080,8443) TCP<br>
    Banner grabbing using burp response<br>
    Run Nikto and dirb<br>
    Run all nmap scripts using following command :<br>
    nmap -Pn -sS -p21 --script http* -v
    # Run all nmap scripts using following command :<br>
    nmap -Pn -sS -p21 --script http* -v
    Banner grabbing and finding publicly known exploits<br>
    o SQL Server (1433,1434, 3306) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    # Bruteforce and perform other operation using following tools:<br>
    · Piggy<br>
    · SQLping<br>
    · SQLpoke<br>
    · SQLrecon<br>
    · SQLver<br>
    Piggy
    SQLping
    SQLpoke
    SQLrecon
    SQLver
    # Run following nmap scripts:<br>
    · ms-sql-brute.nse<br>
    · ms-sql-config.nse<br>
    · ms-sql-dac.nse<br>
    · ms-sql-dump-hashes.nse<br>
    · ms-sql-empty-password.nse<br>
    · ms-sql-hasdbaccess.nse<br>
    · ms-sql-info.nse<br>
    · ms-sql-ntlm-info.nse<br>
    · ms-sql-query.nse<br>
    · ms-sql-tables.nse<br>
    · ms-sql-xp-cmdshell.nse<br>
    · pgsql-brute.nse<br>
    ms-sql-brute.nse
    ms-sql-config.nse
    ms-sql-dac.nse
    ms-sql-dump-hashes.nse
    ms-sql-empty-password.nse
    ms-sql-hasdbaccess.nse
    ms-sql-info.nse
    ms-sql-ntlm-info.nse
    ms-sql-query.nse
    ms-sql-tables.nse
    ms-sql-xp-cmdshell.nse
    pgsql-brute.nse
    # For MYSQL default username is root and password is<br>
    o Oracle (1521) TCP<br>
    # Enumeration using following tools<br>
    · Tnsver [host] [port]<br>
    · Tnscmd<br>
    perl tnscmd.pl -h ip_address<br>
    perl tnscmd.pl version -h ip_address<br>
    perl tnscmd.pl status -h ip_address<br>
    Tnsver [host] [port]
    Tnscmd
    perl tnscmd.pl -h ip_address
    perl tnscmd.pl version -h ip_address
    perl tnscmd.pl status -h ip_address
    # Enumeration & Bruteforce using below nmap scripts:<br>
    · oracle-brute.nse<br>
    · oracle-brute-stealth.nse<br>
    · oracle-enum-users.nse<br>
    · oracle-sid-brute.nse<br>
    · oracle-tns-version.nse<br>
    oracle-brute.nse
    oracle-brute-stealth.nse
    oracle-enum-users.nse
    oracle-sid-brute.nse
    oracle-tns-version.nse
    o RDP (3389) TCP<br>
    # Perform enumeration via connecting and checking login screen. Gather all active user’s name and domain/group name.<br>
    # Perform RDP cryptography check using RDP-sec-check.pl script.<br>
    # Run following nmap script:<br>
    · rdp-enum-encryption.nse<br>
    · rdp-vuln-ms12-020.nse<br>
    rdp-enum-encryption.nse
    rdp-vuln-ms12-020.nse
    o SIP (5060)<br>
    # Enumeration through following commands:<br>
    · Sipflanker - python sipflanker.py 192.168.1-254<br>
    · Sipscan - Smap - smap -l IP_Address<br>
    Sipflanker - python sipflanker.py 192.168.1-254
    Sipscan - Smap - smap -l IP_Address
    Banner grabbing and finding publicly known exploits<br>
    Regards, By MrMugiwara
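Review bot: two nmap lines in this hunk carry a copy-pasted `-p21` from the FTP entry: the NTP line (`nmap -Pn -sS -p21 --script ntp* -v`) should be `nmap -Pn -sU -p123 --script 'ntp*' -v X.X.X.X`, since NTP is UDP 123, and the HTTP line (`nmap -Pn -sS -p21 --script http* -v`) should target the ports the entry lists (`-p80,443,8080,8443`); as written both probe the FTP port and none of the scripts trigger. Smaller fixes in the same region: "rcpinfo" is `rpcinfo`; `tftp – i GET /etc/passwd` has an en-dash where `-i` is meant; most of the RPC (111) script list (`bitcoinrpc-info`, `metasploit-msgrpc-brute`, `metasploit-xmlrpc-brute`, `nessus-xmlrpc-brute`, `rpcap-*`, `xmlrpc-methods`) matches the string "rpc" but has nothing to do with the portmapper, so only `rpcinfo`, `rpc-grind` and `msrpc-enum` belong there; and `ntpdc -c monlist` is answered only by ntpd older than 4.2.7p26, which is itself the finding, since monlist is the NTP amplification vector. The "SQL Server (1433,1434, 3306)" entry lists port 3306 but no `mysql-*` scripts, and the line "For MYSQL default username is root and password is" is cut off.
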
  4. MrMugiwara revised this gist Jun 22, 2017. 1 changed file with 192 additions and 177 deletions.
    369 changes: 192 additions & 177 deletions NetSecCheck.md
    @@ -1,179 +1,194 @@
    Hi dear reader, there are very few technical network security assessment checklist. So I thought to share my own on this. Have a look and enjoy. Lets talk about the scope first. If you are given a 1000 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc.. Any single FTP software version (for example pureftpd 1.0.22) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest.
    Hello Dear Reader, <br>
    there are very few technical network security assessment checklist. <br>
    So I thought to share my own on this. Have a look and enjoy. <br>
    Lets talk about the scope first. If you are given a 1000 machines to perform VAPT, then here is your scope. <br>
    Single machine can have 65535 ports open. Any single port can deploy any service software from the world. <br>
    For example FTP can be run on smartftp, pureftpd etc.. <br>
    Any single FTP software version (for example pureftpd 1.0.22) can have number of vulnerabilities available. <br>
    So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. <br>
    Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. <br>
    Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. <br>
    Here are some quick tools and test cases that one can perform on commonly found ports in the network penetrations testing.<br>


    # Identify live hosts
    o Ping
    o Hping
    o Nmap
    # Identify OS type
    o Nmap
    o Xprobe2
    o Banner grabbing using telnet, nc (netcat)
    # Port scan
    Nmap full SYN scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN
    Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
    # VA (Vulnerability Assessment)
    Use nessus with below profile
    DoS disabled
    Web scan enabled
    SSL scan on every ports instead of known ports
    Enable TCP and UDP scan
    Only give open ports’ list in the configuration that were found by nmap including TCP and UDP rather than full ports in order to save time particularly number of IPs are more and less time for audit and report.
    o Use Nexpose
    o Use OpenVAS
    o Use nmap scanner on specific open ports using below command.
    For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:
    Nmap -Pn -sS -p22 --script ssh* -v
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.
    # Audit SSL
    Use openssl, sslyze tools to find below issues within SSL.
    Self-signed certificate
    SSL version 2 and 3 detection
    Weak hashing algorithm
    Use of RC4 and CBC ciphers
    Logjam issue
    Sweet32 issue
    Certificate expiry
    Openssl ChangeCipherSec issue
    POODLE vulnerability
    Openssl heartbleed issue
    · Check for default passwords in server/device/service documentation
    o Lets say during your port scan or VA you found some services running on the server for example: cisco, brocad fabric OS, sonicwall firewall, apache tomcat manager. Then for these services Google what are the default configuration administrative username and password. Try those in your login and check your luck.
    · Hunting some common ports
    o DNS (53) UDP
    # Examine domain name system (DNS) using dnsenum, nslookup, dig and fierce tool
    Check for zone transfer
    Bruteforce subdomain using fierce tool
    Run all nmap scripts using following command:
    nmap -Pn -sU -p53 --script dns* -v
    Banner grabbing and finding publicly known exploits
    # Check for DNS amplification attack
    o SMTP (25) TCP
    Check for SMTP open relay
    Check for email spoofing
    Check for username enumeration using VRFY command
    Banner grabbing and finding publicly known exploits
    Send modified cryptors and check if SMTP gateway is enable to detect and block it?
    Run all nmap script using following command: nmap -Pn -sS -p25 --script smtp* -v
    o SNMP (161) UDP
    Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.
    Banner grabbing and finding publicly known exploits
    Perform MIG enumeration.
    · .1.3.6.1.2.1.1.5 Hostnames
    · .1.3.6.1.4.1.77.1.4.2 Domain Name
    · .1.3.6.1.4.1.77.1.2.25 Usernames
    · .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
    · .1.3.6.1.4.1.77.1.2.27 Share Information
    o SSH (22) TCP
    Banner grabbing and finding publicly known exploits
    Check if that supports sshv1 or not.
    Bruteforce password using hydra and medusa
    Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse nmap script.
    Run all nmap scripts using following command:
    nmap -Pn -sS -p22 --script ssh* -v
    o Cisco VPN (500) UDP
    Check for aggressive and main mode enable using ikescan tool.
    Enumeration using ikeprobe tool
    # Check for VPN group and try to crack PSK in order to get credentials to login into the VPN service through web panel.
    o SMB (445,137,139) TCP
    Check SAMBA service using metasploit use auxiliary/scanner/smb/smb_version
    Get reverse shell using meterpreter reverse tcp module.
    Check for SMB related vulnerability using ‘smb-check-vulns’ nmap script.
    Reference: https://myexploit.wordpress.com/control-smb-445-137-139/
    o FTP (21) TCP
    Run all nmap script using following command:
    nmap -Pn -sS -p21 --script ftp* -v
    # Check for cleartext password submission for ftp login
    # Check for anonymous access using username and password as anonymous:anonymous
    Banner grabbing and finding publicly known exploits
    Bruteforce FTP password using hydra and medusa
    o Telnet (23) TCP
    Banner grabbing and finding publicly known exploits
    Bruteforce telnet password
    Run following nmap scripts
    · telnet-brute.nse
    · telnet-encryption.nse
    · telnet-ntlm-info.nse
    o TFTP (69) UDP
    # TFTP Enumeration
    · tftp ip_address PUT local_file
    · tftp ip_address GET conf.txt (or other files)
    · tftp – i GET /etc/passwd (old Solaris)
    Bruteforce TFTP using TFTP bruteforcer tool
    Run tftp-enum.nse nmap script
    Banner grabbing and finding publicly known exploits
    o RPC (111) TCP/UDP
    Banner grabbing and finding publicly known exploits
    Run following nmap scripts
    · bitcoinrpc-info.nse
    · metasploit-msgrpc-brute.nse
    · metasploit-xmlrpc-brute.nse
    · msrpc-enum.nse
    · nessus-xmlrpc-brute.nse
    · rpcap-brute.nse
    · rpcap-info.nse
    · rpc-grind.nse
    · rpcinfo.nse
    · xmlrpc-methods.nse
    # Perform RPC enumeration using rcpinfo tool
    # Check for the NFS folders so that data could be exported using showmount -e command.
    o NTP (123) UDP
    # Perform NTP enumeration using below commands:
    · ntpdc -c monlist IP_ADDRESS
    · ntpdc -c sysinfo IP_ADDRESS
    Run all nmap scripts using :
    nmap -Pn -sS -p21 --script ntp* -v
    o HTTP/HTTPs (443,80,8080,8443) TCP
    Banner grabbing using burp response
    Run Nikto and dirb
    Run all nmap scripts using following command :
    nmap -Pn -sS -p21 --script http* -v
    Banner grabbing and finding publicly known exploits
    o SQL Server (1433,1434, 3306) TCP
    Banner grabbing and finding publicly known exploits
    # Bruteforce and perform other operation using following tools:
    · Piggy
    · SQLping
    · SQLpoke
    · SQLrecon
    · SQLver
    # Run following nmap scripts:
    · ms-sql-brute.nse
    · ms-sql-config.nse
    · ms-sql-dac.nse
    · ms-sql-dump-hashes.nse
    · ms-sql-empty-password.nse
    · ms-sql-hasdbaccess.nse
    · ms-sql-info.nse
    · ms-sql-ntlm-info.nse
    · ms-sql-query.nse
    · ms-sql-tables.nse
    · ms-sql-xp-cmdshell.nse
    · pgsql-brute.nse
    # For MYSQL default username is root and password is
    o Oracle (1521) TCP
    # Enumeration using following tools
    · Tnsver [host] [port]
    · Tnscmd
    perl tnscmd.pl -h ip_address
    perl tnscmd.pl version -h ip_address
    perl tnscmd.pl status -h ip_address
    # Enumeration & Bruteforce using below nmap scripts:
    · oracle-brute.nse
    · oracle-brute-stealth.nse
    · oracle-enum-users.nse
    · oracle-sid-brute.nse
    · oracle-tns-version.nse
    o RDP (3389) TCP
    # Perform enumeration via connecting and checking login screen. Gather all active user’s name and domain/group name.
    # Perform RDP cryptography check using RDP-sec-check.pl script.
    # Run following nmap script:
    · rdp-enum-encryption.nse
    · rdp-vuln-ms12-020.nse
    o SIP (5060)
    # Enumeration through following commands:
    · Sipflanker - python sipflanker.py 192.168.1-254
    · Sipscan - Smap - smap -l IP_Address
    Banner grabbing and finding publicly known exploits
    # Identify live hosts<br>
    o Ping<br>
    o Hping<br>
    o Nmap<br>
    # Identify OS type<br>
    o Nmap<br>
    o Xprobe2<br>
    o Banner grabbing using telnet, nc (netcat)<br>
    # Port scan<br>
    Nmap full SYN scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN<br>
    Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.<br>
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP<br>
    # VA (Vulnerability Assessment)<br>
    Use nessus with below profile<br>
    DoS disabled<br>
    Web scan enabled<br>
    SSL scan on every ports instead of known ports<br>
    Enable TCP and UDP scan<br>
    Only give open ports’ list in the configuration that were found by nmap <br>
    including TCP and UDP rather than full ports in order to save time particularly number of IPs are more and less time for audit and report.<br>
    o Use Nexpose<br>
    o Use OpenVAS<br>
    o Use nmap scanner on specific open ports using below command.<br>
    For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:<br>
    Nmap -Pn -sS -p22 --script ssh* -v<br>
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.<br>
    # Audit SSL<br>
    Use openssl, sslyze tools to find below issues within SSL.<br>
    Self-signed certificate<br>
    SSL version 2 and 3 detection<br>
    Weak hashing algorithm<br>
    Use of RC4 and CBC ciphers<br>
    Logjam issue<br>
    Sweet32 issue<br>
    Certificate expiry<br>
    Openssl ChangeCipherSec issue<br>
    POODLE vulnerability<br>
    Openssl heartbleed issue<br>
    · Check for default passwords in server/device/service documentation<br>
    o Lets say during your port scan or VA you found some services <br>
    running on the server for example: cisco, brocad fabric OS, sonicwall firewall, apache tomcat manager. <br>
    Then for these services Google what are the default configuration administrative username and password. <br>
    Try those in your login and check your luck.<br>
    · Hunting some common ports<br>
    o DNS (53) UDP<br>
    # Examine domain name system (DNS) using dnsenum, nslookup, dig and fierce tool<br>
    Check for zone transfer<br>
    Bruteforce subdomain using fierce tool<br>
    Run all nmap scripts using following command: <br>
    nmap -Pn -sU -p53 --script dns* -v<br>
    Banner grabbing and finding publicly known exploits<br>
    # Check for DNS amplification attack<br>
    o SMTP (25) TCP<br>
    Check for SMTP open relay<br>
    Check for email spoofing<br>
    Check for username enumeration using VRFY command<br>
    Banner grabbing and finding publicly known exploits<br>
    Send modified cryptors and check if SMTP gateway is enable to detect and block it?<br>
    Run all nmap script using following command: <br>
    nmap -Pn -sS -p25 --script smtp* -v<br>
    o SNMP (161) UDP<br>
    Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.<br>
    Banner grabbing and finding publicly known exploits<br>
    Perform MIG enumeration.<br>
    · .1.3.6.1.2.1.1.5 Hostnames<br>
    · .1.3.6.1.4.1.77.1.4.2 Domain Name<br>
    · .1.3.6.1.4.1.77.1.2.25 Usernames<br>
    · .1.3.6.1.4.1.77.1.2.3.1.1 Running Services<br>
    · .1.3.6.1.4.1.77.1.2.27 Share Information<br>
    o SSH (22) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    Check if that supports sshv1 or not.<br>
    Bruteforce password using hydra and medusa<br>
    Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse nmap script.<br>
    Run all nmap scripts using following command:<br>
    nmap -Pn -sS -p22 --script ssh* -v<br>
    o Cisco VPN (500) UDP<br>
    Check for aggressive and main mode enable using ikescan tool.<br>
    Enumeration using ikeprobe tool<br>
    # Check for VPN group and try to crack PSK in order to get credentials to login into the VPN service through web panel.<br>
    o SMB (445,137,139) TCP<br>
    Check SAMBA service using metasploit use auxiliary/scanner/smb/smb_version<br>
    Get reverse shell using meterpreter reverse tcp module.<br>
    Check for SMB related vulnerability using ‘smb-check-vulns’ nmap script.<br>
    Reference: https://myexploit.wordpress.com/control-smb-445-137-139/<br>
    o FTP (21) TCP<br>
    Run all nmap script using following command:<br>
    nmap -Pn -sS -p21 --script ftp* -v<br>
    # Check for cleartext password submission for ftp login<br>
    # Check for anonymous access using username and password as anonymous:anonymous<br>
    Banner grabbing and finding publicly known exploits<br>
    Bruteforce FTP password using hydra and medusa<br>
    o Telnet (23) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    Bruteforce telnet password<br>
    Run following nmap scripts<br>
    · telnet-brute.nse<br>
    · telnet-encryption.nse<br>
    · telnet-ntlm-info.nse<br>
    o TFTP (69) UDP<br>
    # TFTP Enumeration<br>
    · tftp ip_address PUT local_file<br>
    · tftp ip_address GET conf.txt (or other files)<br>
    · tftp – i GET /etc/passwd (old Solaris)<br>
    Bruteforce TFTP using TFTP bruteforcer tool<br>
    Run tftp-enum.nse nmap script<br>
    Banner grabbing and finding publicly known exploits<br>
    o RPC (111) TCP/UDP<br>
    Run following nmap scripts<br>
    · bitcoinrpc-info.nse<br>
    · metasploit-msgrpc-brute.nse<br>
    · metasploit-xmlrpc-brute.nse<br>
    · msrpc-enum.nse<br>
    · nessus-xmlrpc-brute.nse<br>
    · rpcap-brute.nse<br>
    · rpcap-info.nse<br>
    · rpc-grind.nse<br>
    · rpcinfo.nse<br>
    · xmlrpc-methods.nse<br>
    # Perform RPC enumeration using rcpinfo tool<br>
    # Check for the NFS folders so that data could be exported using showmount -e command.<br>
    o NTP (123) UDP<br>
    # Perform NTP enumeration using below commands:<br>
    · ntpdc -c monlist IP_ADDRESS<br>
    · ntpdc -c sysinfo IP_ADDRESS<br>
    Run all nmap scripts using :<br>
    nmap -Pn -sS -p21 --script ntp* -v<br>
    o HTTP/HTTPs (443,80,8080,8443) TCP<br>
    Banner grabbing using burp response<br>
    Run Nikto and dirb<br>
    Run all nmap scripts using following command :<br>
    nmap -Pn -sS -p21 --script http* -v
    Banner grabbing and finding publicly known exploits<br>
    o SQL Server (1433,1434, 3306) TCP<br>
    Banner grabbing and finding publicly known exploits<br>
    # Bruteforce and perform other operation using following tools:<br>
    · Piggy<br>
    · SQLping<br>
    · SQLpoke<br>
    · SQLrecon<br>
    · SQLver<br>
    # Run following nmap scripts:<br>
    · ms-sql-brute.nse<br>
    · ms-sql-config.nse<br>
    · ms-sql-dac.nse<br>
    · ms-sql-dump-hashes.nse<br>
    · ms-sql-empty-password.nse<br>
    · ms-sql-hasdbaccess.nse<br>
    · ms-sql-info.nse<br>
    · ms-sql-ntlm-info.nse<br>
    · ms-sql-query.nse<br>
    · ms-sql-tables.nse<br>
    · ms-sql-xp-cmdshell.nse<br>
    · pgsql-brute.nse<br>
    # For MYSQL default username is root and password is<br>
    o Oracle (1521) TCP<br>
    # Enumeration using following tools<br>
    · Tnsver [host] [port]<br>
    · Tnscmd<br>
    perl tnscmd.pl -h ip_address<br>
    perl tnscmd.pl version -h ip_address<br>
    perl tnscmd.pl status -h ip_address<br>
    # Enumeration & Bruteforce using below nmap scripts:<br>
    · oracle-brute.nse<br>
    · oracle-brute-stealth.nse<br>
    · oracle-enum-users.nse<br>
    · oracle-sid-brute.nse<br>
    · oracle-tns-version.nse<br>
    o RDP (3389) TCP<br>
    # Perform enumeration via connecting and checking login screen. Gather all active user’s name and domain/group name.<br>
    # Perform RDP cryptography check using RDP-sec-check.pl script.<br>
    # Run following nmap script:<br>
    · rdp-enum-encryption.nse<br>
    · rdp-vuln-ms12-020.nse<br>
    o SIP (5060)<br>
    # Enumeration through following commands:<br>
    · Sipflanker - python sipflanker.py 192.168.1-254<br>
    · Sipscan - Smap - smap -l IP_Address<br>
    Banner grabbing and finding publicly known exploits<br>
    Regards, By MrMugiwara
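Review bot: the NTP and HTTP nmap invocations (`nmap -Pn -sS -p21 --script ntp* -v` and `nmap -Pn -sS -p21 --script http* -v`) still carry the FTP port from the section above: NTP is listed here as 123/UDP, so that line needs `-sU -p123`, and the HTTP line should target the ports named in its own heading (`-p80,443,8080,8443`); quoting the script glob (`--script 'http*'`) also keeps the shell from expanding it against files in the working directory. Smaller points in the same block: `rcpinfo` in the RPC section is a typo for `rpcinfo` (the script name two lines up is spelled correctly); `tftp – i GET /etc/passwd` uses an en dash where `-i` is meant and omits the host argument that the two tftp lines above include; the MySQL line "default username is root and password is" is cut off and should state what the check actually is; and the HTTP nmap line is the only one in this block without a trailing `<br>`, so it will run into the next line when the gist renders.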
  5. MrMugiwara created this gist Jun 22, 2017.
    179 changes: 179 additions & 0 deletions NetSecCheck.md
    @@ -0,0 +1,179 @@
    Hi dear reader, there are very few technical network security assessment checklist. So I thought to share my own on this. Have a look and enjoy. Lets talk about the scope first. If you are given a 1000 machines to perform VAPT, then here is your scope. Single machine can have 65535 ports open. Any single port can deploy any service software from the world. For example FTP can be run on smartftp, pureftpd etc.. Any single FTP software version (for example pureftpd 1.0.22) can have number of vulnerabilities available. So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually. Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine. Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc. Here are some quick tools and test cases that one can perform on commonly found ports in the network pentest.


    # Identify live hosts
    o Ping
    o Hping
    o Nmap
    # Identify OS type
    o Nmap
    o Xprobe2
    o Banner grabbing using telnet, nc (netcat)
    # Port scan
    Nmap full SYN scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.
    nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN
    Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.
    nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
    # VA (Vulnerability Assessment)
    Use nessus with below profile
    DoS disabled
    Web scan enabled
    SSL scan on every ports instead of known ports
    Enable TCP and UDP scan
    Only give open ports’ list in the configuration that were found by nmap including TCP and UDP rather than full ports in order to save time particularly number of IPs are more and less time for audit and report.
    o Use Nexpose
    o Use OpenVAS
    o Use nmap scanner on specific open ports using below command.
    For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:
    Nmap -Pn -sS -p22 --script ssh* -v
    In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.
    # Audit SSL
    Use openssl, sslyze tools to find below issues within SSL.
    Self-signed certificate
    SSL version 2 and 3 detection
    Weak hashing algorithm
    Use of RC4 and CBC ciphers
    Logjam issue
    Sweet32 issue
    Certificate expiry
    Openssl ChangeCipherSec issue
    POODLE vulnerability
    Openssl heartbleed issue
    · Check for default passwords in server/device/service documentation
    o Lets say during your port scan or VA you found some services running on the server for example: cisco, brocad fabric OS, sonicwall firewall, apache tomcat manager. Then for these services Google what are the default configuration administrative username and password. Try those in your login and check your luck.
    · Hunting some common ports
    o DNS (53) UDP
    # Examine domain name system (DNS) using dnsenum, nslookup, dig and fierce tool
    Check for zone transfer
    Bruteforce subdomain using fierce tool
    Run all nmap scripts using following command:
    nmap -Pn -sU -p53 --script dns* -v
    Banner grabbing and finding publicly known exploits
    # Check for DNS amplification attack
    o SMTP (25) TCP
    Check for SMTP open relay
    Check for email spoofing
    Check for username enumeration using VRFY command
    Banner grabbing and finding publicly known exploits
    Send modified cryptors and check if SMTP gateway is enable to detect and block it?
    Run all nmap script using following command: nmap -Pn -sS -p25 --script smtp* -v
    o SNMP (161) UDP
    Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.
    Banner grabbing and finding publicly known exploits
    Perform MIG enumeration.
    · .1.3.6.1.2.1.1.5 Hostnames
    · .1.3.6.1.4.1.77.1.4.2 Domain Name
    · .1.3.6.1.4.1.77.1.2.25 Usernames
    · .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
    · .1.3.6.1.4.1.77.1.2.27 Share Information
    o SSH (22) TCP
    Banner grabbing and finding publicly known exploits
    Check if that supports sshv1 or not.
    Bruteforce password using hydra and medusa
    Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse nmap script.
    Run all nmap scripts using following command:
    nmap -Pn -sS -p22 --script ssh* -v
    o Cisco VPN (500) UDP
    Check for aggressive and main mode enable using ikescan tool.
    Enumeration using ikeprobe tool
    # Check for VPN group and try to crack PSK in order to get credentials to login into the VPN service through web panel.
    o SMB (445,137,139) TCP
    Check SAMBA service using metasploit use auxiliary/scanner/smb/smb_version
    Get reverse shell using meterpreter reverse tcp module.
    Check for SMB related vulnerability using ‘smb-check-vulns’ nmap script.
    Reference: https://myexploit.wordpress.com/control-smb-445-137-139/
    o FTP (21) TCP
    Run all nmap script using following command:
    nmap -Pn -sS -p21 --script ftp* -v
    # Check for cleartext password submission for ftp login
    # Check for anonymous access using username and password as anonymous:anonymous
    Banner grabbing and finding publicly known exploits
    Bruteforce FTP password using hydra and medusa
    o Telnet (23) TCP
    Banner grabbing and finding publicly known exploits
    Bruteforce telnet password
    Run following nmap scripts
    · telnet-brute.nse
    · telnet-encryption.nse
    · telnet-ntlm-info.nse
    o TFTP (69) UDP
    # TFTP Enumeration
    · tftp ip_address PUT local_file
    · tftp ip_address GET conf.txt (or other files)
    · tftp – i GET /etc/passwd (old Solaris)
    Bruteforce TFTP using TFTP bruteforcer tool
    Run tftp-enum.nse nmap script
    Banner grabbing and finding publicly known exploits
    o RPC (111) TCP/UDP
    Banner grabbing and finding publicly known exploits
    Run following nmap scripts
    · bitcoinrpc-info.nse
    · metasploit-msgrpc-brute.nse
    · metasploit-xmlrpc-brute.nse
    · msrpc-enum.nse
    · nessus-xmlrpc-brute.nse
    · rpcap-brute.nse
    · rpcap-info.nse
    · rpc-grind.nse
    · rpcinfo.nse
    · xmlrpc-methods.nse
    # Perform RPC enumeration using rcpinfo tool
    # Check for the NFS folders so that data could be exported using showmount -e command.
    o NTP (123) UDP
    # Perform NTP enumeration using below commands:
    · ntpdc -c monlist IP_ADDRESS
    · ntpdc -c sysinfo IP_ADDRESS
    Run all nmap scripts using :
    nmap -Pn -sS -p21 --script ntp* -v
    o HTTP/HTTPs (443,80,8080,8443) TCP
    Banner grabbing using burp response
    Run Nikto and dirb
    Run all nmap scripts using following command :
    nmap -Pn -sS -p21 --script http* -v
    Banner grabbing and finding publicly known exploits
    o SQL Server (1433,1434, 3306) TCP
    Banner grabbing and finding publicly known exploits
    # Bruteforce and perform other operation using following tools:
    · Piggy
    · SQLping
    · SQLpoke
    · SQLrecon
    · SQLver
    # Run following nmap scripts:
    · ms-sql-brute.nse
    · ms-sql-config.nse
    · ms-sql-dac.nse
    · ms-sql-dump-hashes.nse
    · ms-sql-empty-password.nse
    · ms-sql-hasdbaccess.nse
    · ms-sql-info.nse
    · ms-sql-ntlm-info.nse
    · ms-sql-query.nse
    · ms-sql-tables.nse
    · ms-sql-xp-cmdshell.nse
    · pgsql-brute.nse
    # For MYSQL default username is root and password is
    o Oracle (1521) TCP
    # Enumeration using following tools
    · Tnsver [host] [port]
    · Tnscmd
    perl tnscmd.pl -h ip_address
    perl tnscmd.pl version -h ip_address
    perl tnscmd.pl status -h ip_address
    # Enumeration & Bruteforce using below nmap scripts:
    · oracle-brute.nse
    · oracle-brute-stealth.nse
    · oracle-enum-users.nse
    · oracle-sid-brute.nse
    · oracle-tns-version.nse
    o RDP (3389) TCP
    # Perform enumeration via connecting and checking login screen. Gather all active user’s name and domain/group name.
    # Perform RDP cryptography check using RDP-sec-check.pl script.
    # Run following nmap script:
    · rdp-enum-encryption.nse
    · rdp-vuln-ms12-020.nse
    o SIP (5060)
    # Enumeration through following commands:
    · Sipflanker - python sipflanker.py 192.168.1-254
    · Sipscan - Smap - smap -l IP_Address
    Banner grabbing and finding publicly known exploits
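Review bot: the second port-scan command is described as a UDP scan and writes `nmap_grepable_UDP`, but it uses `-sS` (TCP SYN); it needs `-sU`, otherwise the output just repeats the TCP results for the top 1000 ports. The same copy-paste problem appears under NTP (`-sS -p21` for a service listed as 123/UDP) and HTTP (`-p21` for ports 80/443/8080/8443). The VA example spells the command `Nmap`, which fails on case-sensitive systems; every other invocation in the file uses `nmap`. Spelling: "MIG enumeration" should read "MIB" (the lines below it are MIB OIDs), `rcpinfo` should be `rpcinfo`, "ChangeCipherSec" is "ChangeCipherSpec", "brocad" is "Brocade", and "is enable to detect" should be "is able to detect". The MySQL default-credentials sentence ends at "password is" and is incomplete, and `tftp – i GET /etc/passwd` has an en dash for `-i` and no host argument. As a checklist, each item would be more useful with the expected finding and remediation noted beside it (the SNMP item already names the weak community strings to look for; the SSL list names the issues but not the fix), so whoever reports the results knows what to recommend.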