pentest

Rexd Client For Linux

I recently encountered the rexd service running on a host I was testing. This is a really old-school UNIX service which you don’t see much on modern networks (in my experience at least). It’s well known that it’s insecure: It basically lets you run any command on the host as any user you like with […]

SQL Injection Cheat Sheets Updated

I had some really detailed feedback from Bernardo Damele A. G. on the SQL Injection Cheat Sheets. I’ve just finished updating the cheat sheets for MSSQL, Oracle, MySQL and PostgreSQL. Thanks a lot Bernardo. If anyone else has suggestions, feel free to mail pentestmonkey at pentestmonkey dot net.

ident-user-enum

ident-user-enum is a simple Perl script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. This can help to prioritise target services during a pentest (you might want to attack services running as root first). Alternatively, the list of usernames […]

Checking the Validity of SSL Certs with Vessl

Deanx has released a tool called Vessl (Verify SSL). It’s a command-line tool which performs a large number of checks on the validity of SSL certificates. It can check for lots of mundane issues like expired certs, self-signed certificates, etc. The killer feature for me, though, is that it uses a database of PEM […]

Abusing Hardlinks Via NFS

If you’ve been doing network pentesting for a while, you’ll no doubt be aware that there are plenty of ways to configure NFS insecurely. Here are a few examples: If you export /home and allow read-write access, attackers can read everyone’s home directories, alter them and probably log in as any user. If an attacker […]

Tenable to Charge for Nessus from August 2008

It seems that Tenable are going to start charging to use Nessus commercially. The Carnal0wnage blog does a good job of highlighting the pros and cons of this, so I won’t repeat those views here. Maybe now would be a good time for the pentest community to get behind OpenVAS – an open source fork […]

Metasploit Release Database of Weak SSH Keys for Debian OpenSSL Vuln

The Metasploit guys have released a database of all 1024-bit DSA and 2048-bit RSA SSH public/private keypairs that could have been generated by x86 Debian/Ubuntu hosts vulnerable to the OpenSSL Predictable Random Number Generator flaw. This opens up the possibility of two practical attacks against weak SSH keys during pentests: If you can read a […]

Tool for Cracking Passphrases on Encrypted SSH Keys

Phrasen|drescher is a tool for those pentests when you’re having trouble owning those last few *nix boxes. It was released in 2007 but I hadn’t had cause to try it out until recently. If you’ve already gained access to a few *nix boxes, but can’t get into the rest, you’ll naturally start trying to enumerate […]

unix-privesc-check

unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HP-UX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be […]

Post-Exploitation Without A TTY

This is a follow-up to a topic I touched on briefly before when I talked about the problem of trying to use the SSH client when you don’t have a TTY. I was recently in a position where I got an interactive shell on a box, discovered the root password but was unable to get […]