
Tactical Exploitation in the Network Security Systems

March 5th, 2008


Contents:

• 1 Introduction
  • 1.1 Abstract
  • 1.2 Background
• 2 The Tactical Approach
  • 2.1 Vulnerabilities
  • 2.2 Methodology and Competition
• 3 Information Discovery
  • 3.1 Personnel Discovery
    • 3.1.1 Search Engines
    • 3.1.2 Paterva’s Evolution
  • 3.2 Network Discovery
    • 3.2.1 Discovery Services
    • 3.2.2 Bounce Messages
    • 3.2.3 Virtual Hosting
    • 3.2.4 Outbound DNS
    • 3.2.5 Direct Contact
  • 3.3 Firewalls and IPS
    • 3.3.1 Firewall Identification
    • 3.3.2 IPS Identification
  • 3.4 Application Discovery
    • 3.4.1 Slow and Steady Wins the Deface
    • 3.4.2 Finding Web Apps with W3AF
    • 3.4.3 Metasploit 3 Discovery Modules
  • 3.5 Client Application Discovery
    • 3.5.1 Browser Fingerprinting
    • 3.5.2 Mail Client Fingerprinting
  • 3.6 Process Discovery
    • 3.6.1 Trace Monitoring with IP IDs
    • 3.6.2 Usage Monitoring with MS FTP
    • 3.6.3 Web Site Monitoring with HTTP
• 4 Information Exploitation
  • 4.1 Introduction
  • 4.2 External Networks
    • 4.2.1 Attacking File Transfers
    • 4.2.2 Attacking Mail Services
    • 4.2.3 Attacking Web Servers
    • 4.2.4 Attacking DNS Servers
    • 4.2.5 Attacking Database Servers
    • 4.2.6 Authentication Relays
    • 4.2.7 Free Hardware
  • 4.3 Internal Networks
    • 4.3.1 NetBIOS Names
    • 4.3.2 DNS Servers
    • 4.3.3 WINS Servers
    • 4.3.4 Authentication Relays
  • 4.4 Trust Relationships
    • 4.4.1 NFS Home Directories
    • 4.4.2 Hijacking SSH
    • 4.4.3 Hijacking Kerberos
• 5 Bibliography

  —————————————————————————————————————————-

1 Introduction

1.1 Abstract

Penetration testing often focuses on individual vulnerabilities and services. This paper introduces a tactical approach that does not rely on exploiting known vulnerabilities. Using a combination of new tools and obscure techniques, we will walk through the process of compromising an organization without the use of normal exploit code. Many of the tools will be made available as new modules for the Metasploit Framework.

 

1.2 Background

I have been involved in security auditing and penetration testing for years. A common trend among security consultants is the use of off-the-shelf software to automate the penetration test process. Tools like Nessus, Retina, and Core Impact have replaced manual audits and checklists at many organizations. While these tools do a great job of reducing the time and knowledge requirements of the penetration tester, their use can lead to a certain laziness among security consultants. Many valuable compromise vectors can be missed because they are not part of the canned product. This paper is intended to shine some light on the more obscure and less-used techniques that the authors have depended on for many years.

The exploit techniques listed in this paper depend solely on the configuration of the target and the features of the target platform. No shellcode will be dropped in the normal sense, but many tips, tricks, and interesting attacks will be covered.

2 The Tactical Approach

2.1 Vulnerabilities

Vulnerabilities are transient. What is found one day may be patched the next. Security software and operating system improvements can make even simple vulnerabilities unusable for a penetration test. Instead of treating a network like a list of vulnerabilities, an auditor should consider the applications, the people, the processes, and the trust relationships. The key to gaining access is to use what is available to bring you closer to the next goal. Using this approach, even a fully patched network will provide exploitable targets.

Hacking is not about exploits. As many professional auditors know, only one or two real exploits may be used during a penetration test. The rest of the time is spent obtaining passwords, abusing trust relationships, tricking authentication systems, and hijacking services to gain access to more systems. A successful attack has everything to do with gaining access to, and control of, data.

2.2 Methodology and Competition

Any security test is a race against time. An auditor faces competition from real attackers, internal and external, who are not bound by the same scope and restrictions. For example, as a business practice, a security test must not interfere with production services or modify critical data. Attackers are opportunists. Whether a server is hosted locally or at a third party is not a concern to them; their only concern is gaining access to the data and controls they seek. Anything the auditor does not test, he must assume someone else will. In this case I want to use known software testing tools as well as the research news from the websites, magazines, and books that I mention in the bibliography.

 

Amir Azhdari, Iranian, male, 28, graduated and post-graduated from international universities in India; now teaching at universities in Iran.
