## Network Attacks & Defenses
[Fundamentals That Time Forgot - Jup1t3r - BSides SLC](
TOC
* [Tools](#tools)
* [Writeups](#writeup)
* [Presentations/Talks](#talks)
* [IPv4 info](#ipv4)
* [IPv6 info](#ipv6)
* [IDS/IPS Evasion](#evasion)
Cull (to do)
* Firewalls, DMZ, VPN, VLAN
* Sort tools into sections
* Evilgrade installer injection
* Nessus
* Nikto
### Cull
[DNS Dumpster](
* DNS Dumpster is a free domain research tool that can discover hosts related to a domain. Finding the hosts visible from the attacker's perspective is an important part of the security assessment process.
[More on HNAP - What is it, How to Use it, How to Find it](
[ms15-034.nse Script](
[TCP Catcher](
* TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
[SSLsplit - transparent and scalable SSL/TLS interception](
* SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing. SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6.
[digbit](
* Automatic domain generation for BitSquatting
[[TROOPERS15] Merike Kaeo - Deploying IPv6 Securely - Avoiding Mistakes Others Have Made](
[Bitsquatting: DNS Hijacking without exploitation](
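The two bitsquatting entries above (digbit and the "DNS Hijacking without exploitation" paper) rest on one observation: a single bit flipped in a cached copy of a domain name, for instance by faulty RAM, turns it into a different name that an attacker can register and receive traffic for. The candidate list that a tool like digbit produces can be generated directly. The following is an added example written for this page, not digbit's code; the domain is a constructed input, and the rules it applies (only the second-level label is varied, only letters, digits and hyphen are kept, a flip that merely changes letter case is discarded because DNS is case-insensitive) are this example's own simplifications.

```python
import string

# Characters allowed in a hostname label (letters, digits, hyphen); anything else cannot be registered.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitsquat_candidates(domain):
    """Return the set of registrable domains that differ from the second-level label of
    `domain` by exactly one flipped bit and are still syntactically valid hostnames.

    A client whose memory corrupts one bit of a cached copy of `domain` resolves one of
    these instead of the real name; registering them is what bitsquatting means.
    Only the label left of the TLD is varied: that is the part an attacker can register.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need at least label.tld")
    sld, tld = labels[-2], labels[-1]
    raw = sld.encode("ascii")
    found = set()
    for i, byte in enumerate(raw):
        for bit in range(8):
            # DNS is case-insensitive, so compare the flipped character lowercased;
            # the flip of bit 5 on a letter only toggles case and is dropped below.
            flipped = chr(byte ^ (1 << bit)).lower()
            if flipped not in LABEL_CHARS:
                continue  # control char, punctuation or a byte >= 0x80: not a hostname
            candidate = sld[:i] + flipped + sld[i + 1:]
            if candidate == sld or candidate[0] == "-" or candidate[-1] == "-":
                continue  # same name, or hyphen in a position the LDH rule forbids
            found.add(f"{candidate}.{tld}")
    return found


if __name__ == "__main__":
    # Constructed input; prints the names an attacker would try to register.
    for name in sorted(bitsquat_candidates("example.com")):
        print(name)
```

Most of the 8 possible flips per character are useless: one only changes case, one sets the high bit, and several land on punctuation, so the registrable list is a small fraction of the raw count, which is why registering all of it is cheap for an attacker and why defenders check it against their own zones.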
[Enumerating DNSSEC NSEC and NSEC3 Records](
[TCPDump Primer](
[DNS database espionage](
SNMPWalk
[hostmap](
* hostmap is a free, automatic hostname and virtual host discovery tool written in Ruby by Alessandro Tanasi
[wafw00f](
* WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.
[A Curated list of assigned ports relevant to pen testing](
[IANA Complete list of assigned ports](
[DNS Recon](
[WhatWeb](
* WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
[Evading IDS/IPS by Exploiting IPv6 Features - TROOPERS15 - Antonios Atlasis, Rafael Schaefer](
### <a name="tools">Tools</a>
[psexec](
* A rapid psexec-style attack with Samba tools
* [Blogpost that inspired it](
[Sparty - MS Sharepoint and Frontpage Auditing Tool](
* Sparty is an open source tool written in Python to audit web applications built on SharePoint and FrontPage. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configuration of SharePoint- and FrontPage-based web applications. Because this administration software is complex, a simple and efficient tool is needed that gathers information, checks access permissions, dumps critical information from default files and performs automated exploitation where security risks are identified. A number of automated scanners fall short of this, and Sparty is a solution to that.
[w3af](
* w3af: web application attack and audit framework, the open source web vulnerability scanner.
[Yersinia](
* Yersinia is a network tool designed to take advantage of weaknesses in several layer 2 network protocols. It aims to be a solid framework for analyzing and testing deployed networks and systems.
[CiscoRouter - tool](
* CiscoRouter is a tool for scanning Cisco-based routers over SSH. Rules can be created using the accompanying CiscoRule application (see the repo) and stored in the "rules" directory.
[UPnP Pentest Toolkit](
[Responder](
* Responder is an LLMNR, NBT-NS and mDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
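Responder works because Windows hosts that fail a DNS lookup fall back to multicasting the name on the local link (LLMNR on UDP 5355, NBT-NS on UDP 137) and trust whoever answers; the rogue servers then collect the NTLM authentication the victim sends to the "found" host. A cheap way to detect a poisoner is to ask for a name that no legitimate host can have and see who claims it. The following is an added example written for this page, not Responder's code and not any detection product's: it builds an LLMNR query in DNS wire format, parses replies (including compression pointers), and flags any A answer for the canary as a poisoner. The canary name, the transaction IDs and the `10.0.0.66` reply used in the demonstration are constructed values; `probe()` is the only part that does real I/O and needs a live network.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
# Assumption: a name nothing on the segment legitimately resolves, so any answer is a poisoner.
CANARY = "wpad-canary-5f2a"


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(msg, off):
    """Decode a DNS-style name at `off`, following compression pointers.
    Returns (name, offset just past the name as it appeared at `off`)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(name, txid):
    """LLMNR query: DNS header (QR=0, one question) + QNAME + QTYPE=A, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_message(msg):
    """Parse the header, question and answer sections of an LLMNR/DNS message."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        qtype, _ = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((qname, qtype))
    for _ in range(an):
        aname, off = decode_name(msg, off)
        atype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        answers.append((aname, atype, ttl, socket.inet_ntoa(rdata) if atype == 1 and rdlen == 4 else rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def build_poisoned_response(query, claimed_ip, ttl=30):
    """Constructed reply in the shape a poisoner sends: same ID, the question echoed back,
    and one A record (name given as a pointer to offset 12) pointing at the attacker."""
    q = parse_message(query)
    name, qtype = q["questions"][0]
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(claimed_ip)
    return header + question + answer


def classify_reply(query, reply, src_ip):
    """Return a finding if `reply` answers our canary query with an A record, else None.
    The canary does not exist, so any answer means `src_ip` is poisoning LLMNR."""
    q, r = parse_message(query), parse_message(reply)
    if not r["is_response"] or r["id"] != q["id"]:
        return None
    canary = q["questions"][0][0].lower()
    for aname, atype, _, rdata in r["answers"]:
        if aname.lower() == canary and atype == 1:
            return {"poisoner": src_ip, "name": canary, "claims": rdata}
    return None


def probe(timeout=2.0):
    """Live check: multicast the canary query and report everyone who answers it."""
    query = build_query(CANARY, 0x5A5A)
    findings = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (src, _) = s.recvfrom(2048)
                hit = classify_reply(query, data, src)
                if hit:
                    findings.append(hit)
        except socket.timeout:
            pass
    return findings


if __name__ == "__main__":
    for f in probe():
        print(f"LLMNR poisoner at {f['poisoner']} answered {f['name']} with {f['claims']}")
```

The same parser works offline over UDP 5355 payloads from a pcap: a response to a name that several different hosts queried, or to a canary you injected yourself, is the trace Responder leaves. NBT-NS uses a different wire format and is not handled here; the fix on the Windows side is to disable LLMNR and NetBIOS name resolution so the fallback never happens.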
[NbtScan](
* This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on the Windows platforms: mine runs on just about everything.
[netcat](
* Network Swiss army knife. Ncat's predecessor. Does everything and the kitchen sink.
[Ncat](
* Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
[Nmap](
* Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
[Angry IP Scanner](
* Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports and has many other features.
[UnicornScan](
* Unicornscan is an information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is scalable, accurate, flexible, and efficient. It is released for the community to use under the terms of the GPL license.
* My note: Use this to mass scan networks. It's faster than nmap at scanning large host lists and allows you to see live hosts quickly.
[DNSEnum](
* Multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.
[Enum4Linux](
* Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from . It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
[Onesixtyone](
* onesixtyone is an SNMP scanner which utilizes a sweep technique to achieve very high performance. It can scan an entire class B network in under 13 minutes. It can be used to discover devices responding to well-known community names or to mount a dictionary attack against one or more SNMP devices.
[Hping](
* While hping was mainly used as a security tool in the past, it can be used in many ways by people who don't care about security to test networks and hosts. A subset of the things you can do using hping: firewall testing; advanced port scanning; network testing using different protocols, TOS and fragmentation; manual path MTU discovery, etc.
[TXDNS](
* TXDNS is a Win32 aggressive multithreaded DNS digger, capable of placing thousands of DNS queries per minute on the wire. TXDNS's main goal is to expose a domain namespace through a number of techniques: typos (missed, doubled and transposed keystrokes); TLD/ccSLD rotation; dictionary attack; full brute force using alpha, numeric or alphanumeric charsets; reverse grinding.
[JXplorer](
* JXplorer is a cross-platform LDAP browser and editor. It is a standards-compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. It is highly flexible and can be extended and customised in a number of ways. JXplorer is written in Java, and the source code and Ant build system are available via svn or as a packaged build for users who want to experiment or further develop the program.
[LDAPMiner](
* This is a tool I wrote to collect information from different LDAP server implementations. This was written in C with the Netscape C
[Firewalk](
* Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop, where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway host does not allow the traffic, it will likely drop the packets on the floor and we will see no response. To get the correct IP TTL that will result in packets expiring one hop beyond the gateway we need to ramp up hop counts, in the same manner that traceroute works. Once we have the gateway hop count (at that point the scan is said to be `bound`) we can begin our scan.
[Softerra LDAP Browser](
* LDAP browser that supports most LDAP implementations. Non-free software, 30-day free trial.
[SPScan](
* SPScan is a tool written in Ruby that enumerates a SharePoint installation, gathering information about the version and installed plugins.
[Tinfoleak](
* tinfoleak is a simple Python script that allows you to obtain:
  * basic information about a Twitter user (name, picture, location, followers, etc.)
  * devices and operating systems used by the Twitter user
  * applications and social networks used by the Twitter user
  * place and geolocation coordinates to generate a tracking map of locations visited
  * user tweets shown in Google Earth
  * all pictures posted by a Twitter user
  * hashtags used by the Twitter user and when they were used (date and time)
  * user mentions by the Twitter user and when they occurred (date and time)
  * topics used by the Twitter user
[hping](
* hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.
[net-creds](
* Thoroughly sniff passwords and hashes from an interface or pcap file. Reassembles fragmented packets and does not rely on ports for service identification.
* It sniffs: URLs visited; POST payloads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community strings; NTLMv1/v2 over all supported protocols (HTTP, SMB, LDAP, etc.); Kerberos.
[RANCID - Really Awesome New Cisco confIg Differ](
* RANCID monitors a router's (or more generally a device's) configuration, including software and hardware (cards, serial numbers, etc.), and uses CVS (Concurrent Versions System) or Subversion to maintain a history of changes.
* RANCID does this by a very simple process: log in to each device in the router table (router.db), run various commands to get the information that will be saved, cook the output (re-format it, remove oscillating or incrementing data), email any differences from the previous collection to a mailing list, and finally commit those changes to the revision control system.
[Stenographer](
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as the disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
### MitM Tools
[Ettercap](
* Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
[Dsniff](
* dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g. due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
### Scanners
[SQLMap](
* sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
[DNSRecon](
* [Quick Reference Guide](
[WPScan](
* WPScan is a black box WordPress vulnerability scanner.
[Enumerator](
* enumerator is a tool built to assist in automating the often tedious task of enumerating a target or list of targets during a penetration test.
#### Proxies
[Mallory](
* Mallory is an extensible TCP/UDP man-in-the-middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.
[SSLStrip](
* This tool provides a demonstration of the HTTPS stripping attacks that I presented at Black Hat DC 2009. It will transparently hijack HTTP traffic on a network, watch for HTTPS links and redirects, then map those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial.
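The sslstrip description above is the whole mechanism: the victim's HTTP traffic is proxied, every https:// link or redirect in a server response is rewritten to http:// before it reaches the browser, and the proxy remembers which hosts it downgraded so that it can still speak TLS to the real server while the victim stays on plaintext. As an added illustration, not sslstrip's own code, the following shows the rewrite and the bookkeeping on a constructed response, plus the check that explains why HSTS (cached or preloaded) defeats it. The header and body values are made up for the example, and the link regex only handles absolute https:// URLs with plain hostnames.

```python
import re
from urllib.parse import urlsplit

# Absolute https:// links with a plain hostname; sslstrip's real matching is broader.
HTTPS_LINK = re.compile(rb"https://([A-Za-z0-9.-]+)")


class StripState:
    """What the proxy has to remember: hosts whose links it downgraded, so the
    victim's plaintext requests to them are re-upgraded to TLS on the way out."""

    def __init__(self):
        self.downgraded_hosts = set()


def strip_response(headers, body, state):
    """Rewrite one server response as the victim will see it over plain HTTP.

    Returns (headers, body). Absolute https:// links in the body and Location
    redirects become http://. The Strict-Transport-Security header is dropped:
    the victim is no longer on a TLS connection, so the browser would ignore it
    anyway, and dropping it keeps the victim from ever learning the policy."""
    out = {}
    for name, value in headers.items():
        lname = name.lower()
        if lname == "strict-transport-security":
            continue
        if lname == "location" and value.lower().startswith("https://"):
            state.downgraded_hosts.add(urlsplit(value).hostname)
            value = "http://" + value[len("https://"):]
        out[name] = value

    def downgrade(match):
        state.downgraded_hosts.add(match.group(1).decode("ascii").lower())
        return b"http://" + match.group(1)

    return out, HTTPS_LINK.sub(downgrade, body)


def upstream_scheme(host, state):
    """Scheme the proxy must use toward the real server for a victim request to `host`."""
    return "https" if host.lower() in state.downgraded_hosts else "http"


def browser_refuses_plaintext(host, hsts_cache):
    """The defence: a browser holding a cached or preloaded HSTS entry for `host`
    (or for a parent domain marked includeSubDomains) rewrites http:// to https://
    itself before sending anything, so the proxy never sees a request to strip.
    `hsts_cache` maps domain -> includeSubDomains flag."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        parent = ".".join(labels[i:])
        if parent in hsts_cache and (i == 0 or hsts_cache[parent]):
            return True
    return False
```

The attack only works on the first plaintext request the browser is willing to make; a preloaded HSTS entry removes that request entirely, while a cached one only helps users who have visited the site over a clean connection before its max-age expired.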
[Zed Attack Proxy (ZAP) Community Scripts](
* A collection of ZAP scripts provided by the community - pull requests very welcome!
[Echo Mirage](
* Echo Mirage is a generic network proxy. It uses DLL injection and function hooking techniques to redirect network-related function calls so that data transmitted and received by local applications can be observed and modified. Windows encryption and OpenSSL functions are also hooked so that the plain text of data being sent and received over an encrypted session is also available. Traffic can be intercepted in real time, or manipulated with regular expressions and a number of action directives.
[Burp Proxy](
* Burp Proxy is an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application.
[Phreebird](
* Phreebird is a DNSSEC proxy that operates in front of an existing DNS server (such as BIND, Unbound, PowerDNS, Microsoft DNS, or QIP) and supplements its records with DNSSEC responses. Features of Phreebird include automatic key generation, realtime record signing, support for arbitrary responses, zero configuration, NSEC3 "White Lies", caching and rate limiting to deter DoS attacks, and experimental support for both Coarse Time over DNS and HTTP Virtual Channels. The suite also contains a large amount of sample code, including support for federated identity over OpenSSH. Finally, "Phreeload" enhances existing OpenSSL applications with DNSSEC support.
### <a name="talks">Presentations/Talks/Videos</a>
[Mass Scanning the Internet: Tips, Tricks, Results - DEF CON 22 - Graham, Mcmillan, and Tentler](
[DNS May Be Hazardous to Your Health - Robert Stucke](
* Great talk on attacking DNS
### <a name="writeup">Writeups & Tutorials</a>
[Enumerating DNSSEC NSEC and NSEC3 Records](
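Both entries titled "Enumerating DNSSEC NSEC and NSEC3 Records" (here and under Cull) cover the same idea: an NSEC record proves that nothing exists between its owner and the next name in canonical order, so asking for names that do not exist hands out the zone one owner at a time; NSEC3 replaces the owner names with salted, iterated SHA-1 hashes, which hides them only until someone hashes a wordlist offline with the parameters the zone itself publishes in NSEC3PARAM. The following is an added example written for this page, not code from the linked write-up or from any zone-walking tool: `nsec3_hash` implements the RFC 5155 hash (for `example.` with salt `aabbccdd` and 12 iterations it reproduces the owner hash from that RFC's Appendix A), `nsec_walk` follows a constructed NSEC chain, and `crack_nsec3` runs a dictionary attack against the hashes of that constructed zone. The zone contents and wordlist are made up.

```python
import base64
import hashlib

# NSEC3 owner names are base32hex (RFC 4648 "extended hex"); map from the standard base32 alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name):
    """Canonical (lowercase) DNS wire format of an owner name, which is what gets hashed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: H(x || salt), then `iterations` more rounds of H(prev || salt),
    rendered as lowercase base32hex without padding (20-byte SHA-1 -> 32 characters)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def nsec_walk(next_owner, apex, limit=100000):
    """Enumerate a zone through its NSEC chain. `next_owner(name)` returns the
    'next domain name' field of the NSEC record at `name`; in practice that comes
    from a query for a nonexistent name just after it. The chain is circular, so the
    walk ends when it returns to the apex."""
    names, cur = [apex], next_owner(apex)
    while cur != apex:
        names.append(cur)
        if len(names) > limit:
            raise RuntimeError("NSEC chain did not return to the apex")
        cur = next_owner(cur)
    return names


def crack_nsec3(observed, zone, salt, iterations, wordlist):
    """Offline dictionary attack: hash each candidate owner with the zone's own
    NSEC3PARAM values and match against hashes collected from NSEC3 records.
    Returns {hash: recovered name}."""
    targets = {h.lower() for h in observed}
    found = {}
    for word in wordlist:
        cand = f"{word}.{zone}" if word else zone
        h = nsec3_hash(cand, salt, iterations)
        if h in targets:
            found[h] = cand
    return found


# Constructed NSEC chain for a zone "example." in canonical order; the last record points back.
NSEC_CHAIN = {
    "example.": "a.example.",
    "a.example.": "mail.example.",
    "mail.example.": "www.example.",
    "www.example.": "example.",
}
# NSEC3 parameters as in RFC 5155 Appendix A: SHA-1, 12 iterations, salt aabbccdd.
SALT, ITERATIONS = bytes.fromhex("aabbccdd"), 12


def demo_walk():
    return nsec_walk(NSEC_CHAIN.__getitem__, "example.")


def demo_crack():
    # Hashes an attacker would have gathered from NSEC3 owner names while probing the zone.
    observed = [nsec3_hash(n, SALT, ITERATIONS) for n in NSEC_CHAIN]
    return crack_nsec3(observed, "example.", SALT, ITERATIONS, ["", "www", "a", "ns1", "ftp"])


if __name__ == "__main__":
    print("NSEC walk:", demo_walk())
    print("NSEC3 cracked:", demo_crack())
```

Every name the walk or the crack recovers is a name the zone operator chose not to publish in a list; `mail.example.` stays hidden here only because it is not in the wordlist, which is the entire strength of NSEC3 against enumeration. Raising the iteration count slows the attacker and every validating resolver by the same factor, which is why current practice is zero or very few iterations and, where enumeration matters, NSEC3 "white lies" or minimally covering NSEC responses as in the Phreebird entry above.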
[Event Tracing for Windows and Network Monitor](
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it's something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What's new is that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
### <a name="ipv6">IPv6 Related</a>
[Exploiting Tomorrow's Internet Today: Penetration testing with IPv6](
* This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.
[IPv6 Toolkit](
* SI6 Networks' IPv6 Toolkit
[THC-IPv6](
* A complete tool set to attack the inherent protocol weaknesses of IPv6 and ICMPv6, including an easy-to-use packet factory library.
### <a name="evasion">IDS/IPS Evasion</a>
[Intrusion detection evasion: How Attackers get past the burglar alarm](
* The purpose of this paper is to show methods that attackers can use to fool IDS systems into thinking their attack is legitimate traffic. With techniques like obfuscation, fragmentation, denial of service, and application hijacking, the attacker can pass traffic under the nose of an IDS and avoid detection. These are techniques that the next generation of IDS needs to be able to account for and prevent, since it would be almost impossible to create a product that was not vulnerable to at least one of these deceptions.
[Beating the IPS](
* This paper introduces various Intrusion Prevention System (IPS) evasion techniques and shows how they can be used to successfully evade detection by widely used products from major security vendors. By manipulating the header, payload, and traffic flow of a well-known attack, it is possible to trick the IPS inspection engines into passing the traffic, allowing the attacker shell access to the target system protected by the IPS.
[Firewall/IDS Evasion and Spoofing](
[IDS/IPS Evasion Techniques - Alan Neville](
[Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection](
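The Ptacek and Newsham paper listed last names the two failure modes every entry in this section builds on: insertion (the sensor accepts a packet the end host will never process) and evasion (the end host accepts data the sensor missed or interpreted differently). Overlapping TCP segments and a too-small IP TTL are the textbook instances. The following is an added example written for this page, not from any of the linked papers or tools: a constructed four-segment HTTP request in which a decoy segment with a short TTL reaches the sensor but dies before the target, and a second segment overlaps it with the real request. `reassemble` applies the two simplest overlap policies; the TTLs, hop counts and the "signature" are assumed values for a made-up topology.

```python
# Constructed attacker traffic: (tcp_seq, payload, ip_ttl) in the order sent.
# Assumed topology: the sensor sits 2 routers from the attacker, the target 5 routers away.
IDS_HOPS, TARGET_HOPS = 2, 5

SEGMENTS = [
    (0, b"GET /", 64),
    (5, b"index.html", 3),   # insertion: TTL expires before the target, but the sensor sees it
    (5, b"etc/passwd", 64),  # overlaps the decoy byte-for-byte; this is what the target gets
    (15, b" HTTP/1.0\r\n", 64),
]


def reaches(ttl, routers_in_path):
    """Simplified TTL model: each router decrements, and a packet is dropped once it would hit zero."""
    return ttl > routers_in_path


def reassemble(segments, policy):
    """Rebuild the byte stream from (seq, data) segments. `policy` decides overlapping bytes:
    'first' keeps the copy that arrived first, 'last' lets later data overwrite it.
    Real stacks have more policies than these two; the point is that they differ."""
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    return bytes(stream[k] for k in sorted(stream))


def stream_seen_at(segments, routers_in_path, policy):
    """The stream a vantage point `routers_in_path` hops away reconstructs with `policy`."""
    visible = [(seq, data) for seq, data, ttl in segments if reaches(ttl, routers_in_path)]
    return reassemble(visible, policy)


def alerts(stream):
    """Toy content signature standing in for an IDS rule."""
    return b"/etc/passwd" in stream


if __name__ == "__main__":
    print("sensor (first-wins):", stream_seen_at(SEGMENTS, IDS_HOPS, "first"))
    print("target (any policy):", stream_seen_at(SEGMENTS, TARGET_HOPS, "first"))
```

Without the short TTL the attack would hinge on the target preferring later data for overlaps, and a sensor configured with the same policy as the host would catch it. With the TTL trick the target never sees the decoy at all, so the only way for the sensor to get this right is to know the path length to, and the reassembly behaviour of, the host it protects (target-based reassembly), or to sit in-line and normalize the stream so both sides see the same bytes.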
### D/DOS
### Frameworks
[BackDoor Factory](
* The goal of BDF is to patch executable binaries with user-desired shellcode and continue normal execution of the pre-patched state.
* [Wiki](
* [Video](
[Man-in-the-Middle Framework](
* Framework for Man-In-The-Middle attacks
TCPDump
[Command Examples](