GeneralPenetrationTesting

From Rory.wiki



General Notes

Juniper VPNs

Per this post, Juniper SSL VPNs have a predictable URL scheme, so enumerating the types of login available is easy. This can be a useful technique: sometimes, whilst the main login uses two-factor auth, a subsidiary one will exist that uses only a username and password.

The format is:

- <host>/dana-na/auth/url_x/

where x is either default or a numeric value.

SSL VPNs

A good hack on VPNs which allow web surfing through them (so-called clientless VPNs) is to grab the session cookies of people surfing through them. You need to obfuscate the JavaScript obfuscator here, as the VPN will probably try to rewrite it to stop you. Essentially the concept breaks same-origin...

Works OK on Cisco ASA SSL VPNs.

More info here and here


Information Gathering

Lots of good sources of info.

presentation on information gathering

dns and server info

dns and server info

network and other tools

Network tools

Windows Hacking

using sticky keys to get system access

Kon boot utility for bypassing windows (and linux) logins

Configuration Reviews

US military security checklists

Microsoft Windows 2003 Security Guide

IIS 6 Resources

NTP

from here

Commands to get information out of an NTP server (123/UDP). On Ubuntu, apt-get install ntp will get them installed.

ntpq -i -n 

This brings up an interactive prompt. From there, host <target> followed by readlist may give info about the server.

Also:

ntpdc -c sysinfo <target>

can give info from the server.


DNS

Query the server's version string (the version.bind TXT record in the CHAOS class):

dig @[targetserver] -c CH -t txt version.bind

Attempt a zone transfer:

dig @[targetserver] [targetdomain] -t axfr
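As an added defensive counterpart (not from the original notes): the BIND named.conf settings that close both of the checks above, so a configuration review can confirm neither the version string nor the zone contents are exposed. The zone name, file path and secondary address are assumed placeholders.

```conf
// named.conf excerpt (added example). By default BIND answers
// version.bind CH TXT with its real version and allows AXFR to anyone.
options {
    // Returned for "dig -c CH -t txt version.bind" instead of the build string.
    version "not disclosed";
    // Global default: refuse zone transfers unless a zone overrides it.
    allow-transfer { none; };
    allow-query { any; };
};

zone "example.com" {                      // placeholder zone name
    type master;
    file "/etc/bind/db.example.com";      // placeholder path
    // Only the designated secondary may AXFR this zone.
    allow-transfer { 192.0.2.10; };       // placeholder secondary address
    also-notify { 192.0.2.10; };
};
```

After reloading named, re-running the two dig commands above from an unauthorised host should return the placeholder string and "; Transfer failed." respectively.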

John the Ripper

Very useful post on hash formats for John
