Ethical Hacker Community Forums
January 08, 2009, 04:43:49 PM
Show Posts
Pages: [1] 2
1  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Using Cain to sniff windows passwords… on: July 09, 2008, 07:54:21 PM
Hi all, I was sniffing traffic on my work network (and yes I do have permission) and I was collecting hashes to see if I can crack them so that I can make a recommendation to use stronger, longer passwords. But one thing I noticed is that every time I collected a hash it was different even if it was for the same user. Why is this?
2  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Creating an image of a server for pen testing… on: May 07, 2008, 10:40:13 PM
Thanks for that, didn't know there was such a product.
3  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Creating an image of a server for pen testing… on: May 07, 2008, 06:38:54 PM
Hi all, I am trying to do some pentesting at work and am running into a few brick walls as you can see in my other thread Pentesting. What to do after port scan?

But what I am having trouble doing is trying to get an image of a server into vmware. The image file is a .v2i and I am trying to boot the machine in vmware from a .vmdk file.

Does anyone know of a way to convert the backup image file into a vmware virtual disk?

I have looked around on google and had no luck. Please help!
4  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 07, 2008, 06:31:36 PM
Ok so by client-side attacks you're talking about social engineering, Trojans etc etc… the best way to protect against that is proper education of your staff? Oh and firewalls.

I’m more interested in protecting against people getting in without tricking staff to opening pages/emails…
5  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 07, 2008, 04:55:04 AM
OK, I always thought that that was how people got into systems. Well, exploits and man in the middle, and cracking passwords...

How else could someone get into a system?
6  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 06, 2008, 10:30:41 PM
OK, so I just did a search on securityfocus.com and milw0rm.com and I couldn't find any exploits for that version. Does that mean that there are no public exploits for that version?
7  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 06, 2008, 10:12:46 PM
I'd be taking a look at the veritas services, no one ever updates that stuff :-P

veritas services???

Edit: Sorry, just looked into it, I know what you are talking about...

By the way, does anyone know how to convert a ".v2i" to a ".vmdk"?
8  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 06, 2008, 08:59:42 PM
Wow what a nice scan. You can't get in with that?

Yes, I was also quite surprised with the results of that scan. nmap really is a wonderful tool.

Well, what I have been doing is trying to find exploits on sites like milw0rm and using metasploit, but haven't had any luck.

I guess as Don said I need to do a vulnerability scan... I'm thinking that missing that step is probably why I am having so much trouble getting in.
9  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 06, 2008, 08:56:11 PM
A pretty standard thing to do after a port scan is a vulnerability scan. Try Nessus. You may want to look up some pen testing or ethical hacking methodologies before continuing. Search this forum for "methodology" to get a good start.

I would second BillV's questions and add another. Are these production servers? Even if you have full permission to test production servers, I would never touch them on my first ever attempt at a pen test. Try this out in a lab first. Try to mimic the OS, patch level and running services, etc. Then go through the methodology in your lab.

Hope this helps,
Don
Well, I have full backups of the servers; perhaps I could take yesterday's backups and load them into vmware, then try to penetrate them?

As for a vulnerability scan, I would use one of these tools http://backtrack.offensive-security.com/index.php/Tools#Vulnerability_Identification right?

Yes, I have permission to perform these tests. We are a small company and what started as a job as a web developer has turned into web developer / IT Admin.
10  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Pentesting. What to do after port scan? on: May 06, 2008, 08:50:55 PM
Hi all, I am attempting to do some pen testing for the first time.

Care to elaborate? What are you testing? Your own system(s)?

I am testing 2 servers at my work. a mail server and a web server... they are the 2 servers that are exposed to the internet.
11  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Pentesting. What to do after port scan? on: May 05, 2008, 06:37:42 PM
Hi all, I am attempting to do some pen testing for the first time. Ok so I have scanned the servers I want to test using nmap, and I now have a list of open ports and the service and version for each port. I know that I need to find an appropriate exploit. But that is where I am stuck. How do I know which one to use? I have been looking through metasploit but there are just so many.

Below are the results of the port scan I performed. Any advice???

Quote
windows server 2k
PORT      STATE SERVICE            VERSION
7/tcp     open  echo
9/tcp     open  discard?
13/tcp    open  daytime            Microsoft Windows USA daytime
17/tcp    open  qotd               Windows qotd
19/tcp    open  chargen
21/tcp    open  tcpwrapped
25/tcp    open  smtp               Microsoft ESMTP 5.0.2195.6713
|  SMTP: Responded to EHLO command
|  ****** Hello [10.0.0.6]
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  TURN
|  ATRN
|  SIZE 2097152
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
53/tcp    open  domain             Microsoft DNS
80/tcp    open  http               Microsoft IIS webserver 5.0
|_ HTML title:
135/tcp   open  msrpc              Microsoft Windows RPC
139/tcp   open  netbios-ssn
443/tcp   open  ssl                Microsoft IIS SSL
|  SSLv2: server still supports SSLv2
|     SSL2_RC4_128_WITH_MD5
|     SSL2_DES_192_EDE3_CBC_WITH_MD5
|     SSL2_RC2_CBC_128_CBC_WITH_MD5
|     SSL2_DES_64_CBC_WITH_MD5
|     SSL2_RC4_128_EXPORT40_WITH_MD5
|_    SSL2_RC2_CBC_128_CBC_WITH_MD5
445/tcp   open  microsoft-ds       Microsoft Windows 2000 microsoft-ds
1025/tcp  open  msrpc              Microsoft Windows RPC
1026/tcp  open  msrpc              Microsoft Windows RPC
1029/tcp  open  msrpc              Microsoft Windows RPC
3389/tcp  open  microsoft-rdp      Microsoft Terminal Service
6101/tcp  open  VeritasBackupExec?
6106/tcp  open  msrpc              Microsoft Windows RPC
10000/tcp open  backupexec         Veritas Backup Exec 9.0


Windows server 2003

PORT     STATE  SERVICE       VERSION
21/tcp   open   ftp?
25/tcp   open   smtp          Microsoft ESMTP 6.0.3790.3959
|  SMTP: Responded to EHLO command
|  **.*********.local Hello [10.0.0.15]
|  TURN
|  SIZE
|  ETRN
|  PIPELINING
|  DSN
|  ENHANCEDSTATUSCODES
|  8bitmime
|  BINARYMIME
|  CHUNKING
|  VRFY
|  X-EXPS GSSAPI NTLM LOGIN
|  X-EXPS=LOGIN
|  AUTH GSSAPI NTLM LOGIN
|  AUTH=LOGIN
|  X-LINK2STATE
|  XEXCH50
|  Responded to HELP command
|  This server supports the following commands:
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ETRN BDAT VRFY
80/tcp   open   http          Microsoft IIS webserver 6.0
|_ HTML title: Site doesn't have a title.
443/tcp  closed https
1723/tcp open   pptp          Microsoft (Firmware: 3790)
3389/tcp open   microsoft-rdp Microsoft Terminal Service
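As a defender's next step on the scan above, here is an added Python example (not from the post, and not nmap's own code) that triages the posted output: it walks the port lines and the indented NSE sub-lines and flags what a reviewer would raise first (SSLv2 and weak ciphers on 443, SMTP VRFY and pre-TLS AUTH LOGIN on 25, RDP and the Backup Exec agent reachable from the Internet). The embedded SCAN text is an excerpt of the output posted above; the rule list and its wording are my own.

```python
import re

# Excerpt of the nmap output posted in the thread, trimmed to the lines the rules inspect.
SCAN = """\
PORT      STATE SERVICE            VERSION
25/tcp    open  smtp               Microsoft ESMTP 5.0.2195.6713
|  AUTH GSSAPI NTLM LOGIN
|  VRFY
|_ HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH TURN ATRN ETRN BDAT VRFY
80/tcp    open  http               Microsoft IIS webserver 5.0
443/tcp   open  ssl                Microsoft IIS SSL
|  SSLv2: server still supports SSLv2
|     SSL2_DES_64_CBC_WITH_MD5
|_    SSL2_RC4_128_EXPORT40_WITH_MD5
3389/tcp  open  microsoft-rdp      Microsoft Terminal Service
10000/tcp open  backupexec         Veritas Backup Exec 9.0
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Each rule is applied to a port line's "service version" text and to every
# NSE sub-line ("|  ...") beneath it. The findings are the reviewer's own wording.
RULES = [
    (re.compile(r"SSLv2: server still supports"), "SSLv2 enabled: obsolete protocol, disable it"),
    (re.compile(r"EXPORT|DES_64"), "export-grade or single-DES cipher offered"),
    (re.compile(r"^VRFY$"), "SMTP VRFY enabled: allows account enumeration"),
    (re.compile(r"^AUTH .*\bLOGIN\b"), "SMTP AUTH LOGIN advertised before TLS: require STARTTLS first"),
    (re.compile(r"Terminal Service"), "RDP exposed to the Internet: restrict to VPN/management network"),
    (re.compile(r"Backup Exec"), "backup agent exposed to the Internet: confine to backup VLAN"),
]

def triage(scan_text):
    """Return [(port, finding), ...] in scan order, one entry per port per finding."""
    findings, port = [], None
    for raw in scan_text.splitlines():
        m = PORT_LINE.match(raw)
        if m:
            port = int(m.group(1)) if m.group(3) == "open" else None  # skip closed/filtered ports
            text = f"{m.group(4)} {m.group(5)}".strip()
        elif raw.startswith("|") and port is not None:
            text = raw.lstrip("|_ ").strip()   # drop the NSE tree prefix
        else:
            continue
        if port is None:
            continue
        for rx, finding in RULES:
            if rx.search(text) and (port, finding) not in findings:
                findings.append((port, finding))
    return findings
```

Run against the full scan in the post, the same rules also fire on the SSLv2 cipher list and the Backup Exec port; the 2003 box's closed 443 produces nothing, as intended.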
12  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Help with wpa/wpa2 rainbowcrack? on: April 14, 2008, 07:59:58 PM
OK, so excluding the case where they have a default SSID, the quickest/only practical way to crack wpa/wpa2 would be to "pipe a custom word list through JTR and use the hybrid mode to generate custom variations of the dictionary words."

I looked into the "time-memory trade-off", which would only be useful for a default SSID. There would be no point creating rainbow tables for a one-off, right? So I think I might download that 33gb file. It might come in handy.
13  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Re: Help with wpa/wpa2 rainbowcrack? on: April 14, 2008, 06:38:11 PM
I know it can all be found on google. Most of what you just said I found, but it is always good to ask around as well to make sure I am on the right track.

How practical is it really? I am currently generating LM alpha-numeric rainbow tables and with 4 computers it is taking me 2 days, and that only allows for passwords up to 8 characters. So realistically, based on those numbers, it could take months/years to crack wpa?

And those rainbow tables for wpa/wpa2, would they really be worth downloading, as each network has a different SSID? Well, unless people leave it as the factory default?
14  Ethical Hacking Discussions and Related Certifications / Network Pen Testing / Help with wpa/wpa2 rainbowcrack? on: April 13, 2008, 07:39:50 PM
Hi all, I need some help with cracking wpa authentication…

Ok, so from what I can understand, unlike wep, wpa/wpa2 needs to be brute-force attacked, dictionary attacked or cracked using hash tables (rainbow crack). From what I have read, using hash tables is the quickest way to do it, right???

I have read this article http://www.aircrack-ng.org/doku.php?id=cracking_wpa which tells me how to capture the packets, but that article only goes into the dictionary attack, which I have found isn't that effective.

I wanted to know if someone could point me in the right direction for some articles on how to do the same thing but using hash tables. Or perhaps give me some advice here?

Also, I found a torrent once for some hash tables, one was 35gb, and I have lost it and can't find it again. Does anyone know where I can download some hash tables? Or how do I make my own?
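The three WPA posts above (12, 13 and 14) circle around one protocol fact: the WPA/WPA2-Personal PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a precomputed table is only good for the SSID it was built for. This added Python example (mine, not from the posts or from aircrack-ng) derives the PMK with the standard library and shows why a table built for a default SSID is useless against a renamed network, which is the cheap mitigation on the defender's side: a non-default SSID plus a long passphrase. The wordlist and SSIDs are constructed for the demo.

```python
import hashlib

def wpa_pmk(passphrase, ssid):
    """WPA/WPA2-Personal PMK as defined in IEEE 802.11i: PBKDF2-HMAC-SHA1 with the
    SSID as salt, 4096 iterations, 256-bit output. This is what a PSK 'hash table' stores."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def pmk_table(wordlist, ssid):
    """Precomputed PMKs for ONE SSID. Real tables hold millions of words; the cost that
    makes them worth sharing (4096 HMAC rounds per word) is paid per SSID."""
    return {wpa_pmk(word, ssid): word for word in wordlist}

def table_resolves(table, ssid, passphrase):
    """Return the wordlist entry if a table built for some SSID contains this network's PMK,
    else None. It only hits when the SSIDs match, because the SSID is the salt."""
    return table.get(wpa_pmk(passphrase, ssid))

def demo():
    # Constructed sample: a tiny wordlist and a table built for the default SSID "linksys".
    words = ["password", "letmein", "dragon"]
    table = pmk_table(words, "linksys")
    hit_default = table_resolves(table, "linksys", "password")        # default SSID: table works
    hit_renamed = table_resolves(table, "smith-home-5g", "password")  # same passphrase, new SSID
    return hit_default, hit_renamed
```

The IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE") checks that the derivation is the standard one and not a look-alike.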
15  Ethical Hacking Discussions and Related Certifications / Forensics / Re: Data Recovery.... on: March 24, 2008, 06:37:18 PM
Well, my laptop has an 80gb HDD and when the backtrack installer did its thing it cleared all partitions, then created a 1gb one and from what I can see just copied itself from my flash drive.

So at the moment I have an 80gb hard disk with a 1gb partition with backtrack files on it, and the rest of the space unpartitioned... and I have a spare 300gb external HDD to dump what I can recover onto...
© 2009 The Ethical Hacker Network