Hello Dear Reader,
there are very few technical network security assessment checklist.
So I thought to share my own on this. Have a look and enjoy.
Lets talk about the scope first. If you are given a 1000 machines to perform VAPT, then here is your scope.
Single machine can have 65535 ports open. Any single port can deploy any service software from the world.
For example FTP can be run on smartftp, pureftpd etc..
Any single FTP software version (for example pureftpd 1.0.22) can have number of vulnerabilities available.
So if you multiply all of these, then it is impossible for any auditor to go ahead and probe all ports manually and find services manually.
Even if he/she is able to do it, it is impossible to check all vulnerabilities that are pertaining to a single port of a single machine.
Hence we have to rely on scanners such as nexpose, nessus, openvas, coreimpact etc.
Here are some quick tools and test cases that one can perform on commonly found ports in the network penetrations testing.
Ping
Hping
Nmap
Nmap
Xprobe2
Banner grabbing using telnet, nc (netcat)
Port scan Nmap full SYN scan with verbose mode and service detection and disabling ping scan.
Export normal and greppable output for future use.
nmap -Pn -p- -sV X.X.X.X -v -sS -oG nmap_grepable_SYN -oN nmap_normal_SYN
Nmap top 1000 UDP scan with verbose mode and service detection and disabling ping scan. Export normal and greppable output for future use.
Nmap -Pn -top-ports=1000 -sV X.X.X.X -v -sS -oG nmap_grepable_UDP -oN nmap_normal_UDP
Use nessus with below profile
DoS disabled
Web scan enabled
SSL scan on every ports instead of known ports
Enable TCP and UDP scan
Only give open ports’ list in the configuration that were found by nmap
including TCP and UDP rather than full ports in order to save time particularly number of IPs are more and less time for audit and report.
o Use Nexpose
o Use OpenVAS
o Use nmap scanner on specific open ports using below command.
For example port 22 (SSH) is open and you want to run all scripts pertaining to SSH then use below command:
Nmap -Pn -sS -p22 --script ssh* -v
In case if you are not sure about exact script name you can use * in order to run all scripts that starts with the ‘ssh’ keyword.
Self-signed certificate
SSL version 2 and 3 detection
Weak hashing algorithm
Use of RC4 and CBC ciphers
Logjam issue
Sweet32 issue
Certificate expiry
Openssl ChangeCipherSec issue
POODLE vulnerability
Openssl heartbleed issue<br>
· Check for default passwords in server/device/service documentation
o Lets say during your port scan or VA you found some services
running on the server for example: cisco, brocad fabric OS, sonicwall firewall, apache tomcat manager.
Then for these services Google what are the default configuration administrative username and password.
Try those in your login and check your luck.
· Hunting some common ports
o DNS (53) UDP
Check for zone transfer
Bruteforce subdomain using fierce tool
nmap -Pn -sU -p53 --script dns* -v
Banner grabbing and finding publicly known exploits
o SMTP (25) TCP
Check for SMTP open relay
Check for email spoofing
Check for username enumeration using VRFY command
Banner grabbing and finding publicly known exploits
Send modified cryptors and check if SMTP gateway is enable to detect and block it?
nmap -Pn -sS -p25 --script smtp* -v
o SNMP (161) UDP
Check for default community strings ‘public’ & ‘private’ using snmpwalk and snmpenum.pl script.
Banner grabbing and finding publicly known exploits
Perform MIG enumeration.
· .1.3.6.1.2.1.1.5 Hostnames
· .1.3.6.1.4.1.77.1.4.2 Domain Name
· .1.3.6.1.4.1.77.1.2.25 Usernames
· .1.3.6.1.4.1.77.1.2.3.1.1 Running Services
· .1.3.6.1.4.1.77.1.2.27 Share Information
o SSH (22) TCP
Banner grabbing and finding publicly known exploits
Check if that supports sshv1 or not.
Bruteforce password using hydra and medusa
Check if it supports weak CBC ciphers and hmac algorithms using ssh2-enum-algos.nse nmap script.
nmap -Pn -sS -p22 --script ssh* -v
o Cisco VPN (500) UDP
Check for aggressive and main mode enable using ikescan tool.
Enumeration using ikeprobe tool
Check for VPN group and try to crack PSK in order to get credentials to login into the VPN service through web panel.
o SMB (445,137,139) TCP
Check SAMBA service using metasploit use auxiliary/scanner/smb/smb_version
Get reverse shell using meterpreter reverse tcp module.
Check for SMB related vulnerability using ‘smb-check-vulns’ nmap script.
Reference: https://myexploit.wordpress.com/control-smb-445-137-139/
o FTP (21) TCP
nmap -Pn -sS -p21 --script ftp* -v
Bruteforce FTP password using hydra and medusa
o Telnet (23) TCP
Banner grabbing and finding publicly known exploits
Bruteforce telnet password
telnet-brute.nse
telnet-encryption.nse
telnet-ntlm-info.nse
o TFTP (69) UDP
tftp ip_address PUT local_file
tftp ip_address GET conf.txt (or other files)
tftp – i GET /etc/passwd (old Solaris)
Bruteforce TFTP using TFTP bruteforcer tool
Run tftp-enum.nse nmap script
Banner grabbing and finding publicly known exploits
o RPC (111) TCP/UDP
bitcoinrpc-info.nse
metasploit-msgrpc-brute.nse
metasploit-xmlrpc-brute.nse
msrpc-enum.nse
nessus-xmlrpc-brute.nse
rpcap-brute.nse
rpcap-info.nse
rpc-grind.nse
rpcinfo.nse
xmlrpc-methods.nse
o NTP (123) UDP
ntpdc -c monlist IP_ADDRESS
ntpdc -c sysinfo IP_ADDRESS
nmap -Pn -sS -p21 --script ntp* -v
o HTTP/HTTPs (443,80,8080,8443) TCP
Banner grabbing using burp response
Run Nikto and dirb
nmap -Pn -sS -p21 --script http* -v
Banner grabbing and finding publicly known exploits
o SQL Server (1433,1434, 3306) TCP
Banner grabbing and finding publicly known exploits
Piggy
SQLping
SQLpoke
SQLrecon
SQLver
ms-sql-brute.nse
ms-sql-config.nse
ms-sql-dac.nse
ms-sql-dump-hashes.nse
ms-sql-empty-password.nse
ms-sql-hasdbaccess.nse
ms-sql-info.nse
ms-sql-ntlm-info.nse
ms-sql-query.nse
ms-sql-tables.nse
ms-sql-xp-cmdshell.nse
pgsql-brute.nse
o Oracle (1521) TCP
Tnsver [host] [port]
Tnscmd
perl tnscmd.pl -h ip_address
perl tnscmd.pl version -h ip_address
perl tnscmd.pl status -h ip_address
oracle-brute.nse
oracle-brute-stealth.nse
oracle-enum-users.nse
oracle-sid-brute.nse
oracle-tns-version.nse
o RDP (3389) TCP
Perform enumeration via connecting and checking login screen. Gather all active user’s name and domain/group name.
rdp-enum-encryption.nse
rdp-vuln-ms12-020.nse
o SIP (5060)
Sipflanker - python sipflanker.py 192.168.1-254
Sipscan - Smap - smap -l IP_Address
Banner grabbing and finding publicly known exploits
Regards, By MrMugiwara