Tactical Exploitations – The other Way to Pentest
February 12, 2008
Posted by y2h4ck in Ethical Hacking, Pentesting. Tags: Pentesting, Hacking, hacking books, security books, exploiting, exploits
I found this and am reading it; it is very interesting and covers a lot of good topics. I believe it is a must-have for everyone who works with pentesting/security.
Authors: H D Moore (hdm[at]metasploit.com); Valsmith (valsmith[at]metasploit.com)
Last update: 08/09/2007
Title: Tactical Exploitation OR “The Other Way to Pen-Test” OR “Random Pwning Fun Bag”
1.1 Abstract
Penetration testing often focuses on individual vulnerabilities and services. This paper introduces a tactical approach that does not rely on exploiting known flaws. The first section of this paper covers information gathering and discovery techniques, with a concentration on third-party services and new tools. The second section of this paper combines the information discovery techniques in the first section with various protocol and implementation weaknesses, in order to provide clear steps for gaining access to a target network.
Contents
1 Introduction
  1.1 Abstract
  1.2 Background
  1.3 Author Bio – HD Moore
  1.4 Author Bio – Valsmith
  1.5 Acknowledgements
2 The Tactical Approach
  2.1 Vulnerabilities
  2.2 Competition
3 Information Discovery
  3.1 Personnel Discovery
    3.1.1 Search Engines
    3.1.2 Paterva’s Evolution
  3.2 Network Discovery
    3.2.1 Discovery Services
    3.2.2 Bounce Messages
    3.2.3 Virtual Hosting
    3.2.4 Outbound DNS
    3.2.5 Direct Contact
  3.3 Firewalls and IPS
    3.3.1 Firewall Identification
    3.3.2 IPS Identification
  3.4 Application Discovery
    3.4.1 Slow and Steady wins the Deface
    3.4.2 Finding Web Apps with W3AF
    3.4.3 Metasploit 3 Discovery Modules
  3.5 Client Application Discovery
    3.5.1 Browser Fingerprinting
    3.5.2 Mail Client Fingerprinting
    3.5.3 SMB Client Fingerprinting
  3.6 Process Discovery
    3.6.1 Traffic Monitoring with IP IDs
    3.6.2 Web Site Monitoring with HTTP
    3.6.3 Usage Monitoring with MS FTP
4 Information Exploitation
  4.1 Introduction
  4.2 External Networks
    4.2.1 Attacking File Transfers
    4.2.2 Attacking Mail Services
    4.2.3 Attacking Web Servers
    4.2.4 Attacking DNS Servers
    4.2.5 Attacking Database Servers
    4.2.6 Attacking NTLM Authentication
    4.2.7 Free Hardware
  4.3 Internal Networks
    4.3.1 Web Proxy Auto-Discovery Protocol
    4.3.2 Microsoft DNS Servers
    4.3.3 Microsoft WINS Servers
    4.3.4 Exploiting NTLM Relays
    4.3.5 SMB and Samba
  4.4 Trust Relationships
    4.4.1 NFS Home Directories
    4.4.2 Hijacking SSH
    4.4.3 Hijacking Kerberos
5 Conclusion
Enjoy this wonderful book, written by people who really know what they are talking about =]
http://packetstorm.offensive-security.com/papers/attack/tactical_paper.pdf