Posts Tagged ‘nmap’
Compromising Hosts With SNMP
Posted: 3rd September 2010 by Matt in hacks, security. Tags: change, community, MIB, msfcli, nmap, OID, read, set, SNMP, snmpget, snmpset, snmpwalk, value, write
First, if you’ve never fully researched SNMP (Simple Network Management Protocol), I suggest you go do that now because you’re doing yourself a major disservice by not knowing/using the information that’s available through the use of this protocol… not to mention the amount of remote control you have over a machine if you’re able to [...]
Favorite nmap NSE scripts
Posted: 25th August 2010 by Matt in code, hacks, security. Tags: Administrator, attack, brute force, dns-zone-transfer, dnszonetransfer, enum, Enumeration, hack, http-enum, MS08-067, nmap, nse, nsedoc, scripts, smb-brute, smb-check-vulns, smb-enum-users, snmp-netstat, snmp-processes, snmp-win32-services, snmp-win32-shares, snmp-win32-users, transfer, vulnerability
I cannot say enough good things about NSE (Nmap Scripting Engine). I’ve written a couple of posts about it and why I find it so useful, but in this post I’m going to cover some of my favorite scripts that come with the most recent Nmap release (5.35 DC1, the DefCon release.. oooh). The [...]
p0f and (mostly) Passive Finger Printing
Posted: 30th June 2010 by Matt in code, hacks, security. Tags: access, ACK, detection, dns, file, file server, fingerprint, firewall, gateway, IDS, interface, network, nmap, os detection, p0f, packet, perl, ports, raw, RawIP, root, routing, RST, sniff, source port, spoof, SQL, steal, syn packet, traffic
Today I was tasked with doing some passive OS detection on a network where I actually had to be somewhat stealthy. I had gotten into the gateway, but I actually needed one of the other boxes on the network in order to get to the file server due to firewalling/routing. I knew they were running [...]
Brute Force with THC Hydra
Posted: 17th June 2010 by Matt in code, hacks, security. Tags: Administrator, administrator password, brute force, cisco, Conficker, denial of service, denial of service attack, enum, htpasswd, http, hydra, imap, mysql, ncrack, nmap, parallel connections, passwords, pcanywhere, pop, smbnt, thc, THC Hydra, userlist, vnc
Sometimes the only way in is to resort to password cracking (or, “brute forcing”). I would consider this to be another one of those last resort methods that I use when all else has failed. I don’t like to use brute force methods because they’re noisy and can break stuff. There’s actually a fine line [...]
Detecting Promiscuous Nodes via ARP
Posted: 10th May 2010 by Matt in code, hacks, security. Tags: detection, lua, nmap, nse, promiscuous, sniffer
Consider this an “RFC” (request for comment).. because I’m a little puzzled by this, so please, weigh in if you can provide some insight. I read through http://www.securityfriday.com/promiscuous_detection_01.pdf, which is cited as being the document that gave life to nmap’s “sniffer-detect” script. To summarize the document, the idea is that if you send a [...]
Enumerating Windows users via SMB
Posted: 21st April 2010 by Matt in hacks, security. Tags: ad, brute force, hack, hydra, nmap, pdc, pen test
I’m doing a pen test on a Win2k3 server and I’ve thrown the kitchen sink at this box, but to no avail.. so, I decided to resort to brute force. First thing I need is a list of users on the box. It’s the PDC running AD, so there should be quite a few. Let’s [...]