Rexd Client For Linux
I recently encountered the rexd service running on a host I was testing. This is a really old-school UNIX service which you don’t see much on modern networks (in my experience at least). It’s well known that it’s insecure: it basically lets you run any command on the host as any user you like with […]
SQL Injection Cheat Sheets Updated
I had some really detailed feedback from Bernardo Damele A. G. on the SQL Injection Cheat Sheets. I’ve just finished updating the cheat sheets for MSSQL, Oracle, MySQL and PostgreSQL. Thanks a lot Bernardo. If anyone else has suggestions, feel free to mail pentestmonkey at pentestmonkey dot net.
ident-user-enum
ident-user-enum is a simple Perl script to query the ident service (113/TCP) in order to determine the owner of the process listening on each TCP port of a target system. This can help to prioritise target services during a pentest (you might want to attack services running as root first). Alternatively, the list of usernames […]
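The ident exchange behind this technique, written out as an added Python example (this is not ident-user-enum's own code and not the blog's): connect to a target port, ask the ident daemon on 113/TCP which user owns the server side of that connection, and sort the answers so root-owned services come first. The reply format is the RFC 1413 one (`server-port , client-port : USERID : opsys : user` or `... : ERROR : reason`). The function and variable names, and the sample reply lines fed to the parser, are constructed for this example.

```python
import socket
from typing import Optional

IDENT_PORT = 113


def parse_ident_response(line: str) -> Optional[dict]:
    """Parse one RFC 1413 reply line into a dict, or None if it is malformed.

    Examples of the two reply shapes (constructed here, not captured from a host):
        "22, 40001 : USERID : UNIX : root"
        "8080, 40004 : ERROR : HIDDEN-USER"
    """
    parts = [p.strip() for p in line.strip().split(":", 3)]
    if len(parts) < 3:
        return None
    try:
        server_port, client_port = (int(p) for p in parts[0].split(","))
    except ValueError:
        return None
    kind = parts[1]
    if kind == "USERID" and len(parts) == 4:
        # parts[2] is the operating-system token, which may carry a charset ("UNIX , US-ASCII")
        return {"server_port": server_port, "client_port": client_port,
                "os": parts[2], "user": parts[3]}
    if kind == "ERROR":
        return {"server_port": server_port, "client_port": client_port, "error": parts[2]}
    return None


def query_ident(host: str, server_port: int, client_port: int, timeout: float = 5.0) -> Optional[dict]:
    """Ask the ident daemon on `host` who owns the connection (server_port on host, client_port on us)."""
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as s:
        s.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
        data = b""
        while b"\n" not in data:
            chunk = s.recv(1024)
            if not chunk:
                break
            data += chunk
    return parse_ident_response(data.decode("ascii", errors="replace"))


def enumerate_owners(host: str, ports: list[int], timeout: float = 5.0) -> dict[int, str]:
    """Connect to each target port and, while that connection is still open, ask ident who owns it.

    The connection must stay open during the ident query, otherwise the daemon has nothing to look up.
    Returns {port: username}; ports that refused, timed out or gave an ERROR reply are omitted.
    """
    owners: dict[int, str] = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout) as conn:
                local_port = conn.getsockname()[1]
                reply = query_ident(host, port, local_port, timeout)
        except OSError:
            continue
        if reply and "user" in reply:
            owners[port] = reply["user"]
    return owners


def prioritise(owners: dict[int, str]) -> list[tuple[int, str]]:
    """Order (port, user) pairs so root-owned services are listed first, then by port number."""
    return sorted(owners.items(), key=lambda item: (item[1] != "root", item[0]))


def owners_from_replies(lines: list[str]) -> dict[int, str]:
    """Build the {port: user} map from already-captured reply lines (used for offline demonstration)."""
    owners: dict[int, str] = {}
    for line in lines:
        reply = parse_ident_response(line)
        if reply and "user" in reply:
            owners[reply["server_port"]] = reply["user"]
    return owners


if __name__ == "__main__":
    # Constructed sample replies, standing in for a live host.
    sample = [
        "22, 40001 : USERID : UNIX : root\r\n",
        "80, 40002 : USERID : UNIX : www-data\r\n",
        "3306, 40003 : USERID : UNIX : mysql\r\n",
        "8080, 40004 : ERROR : HIDDEN-USER\r\n",
    ]
    for port, user in prioritise(owners_from_replies(sample)):
        print(f"{port}/tcp owned by {user}")
```

Against a live target you would call `enumerate_owners("10.0.0.5", [22, 25, 80, 3306])` and feed the result to `prioritise`; the `__main__` block runs the same logic over the constructed reply lines so it works offline. Note that ident replies are only as honest as the remote daemon: many implementations return `HIDDEN-USER` or fake names, so treat the output as a hint for ordering attacks, not as ground truth.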
Checking the Validity of SSL Certs with Vessl
Deanx has released a tool called Vessl (Verify SSL). It’s a command-line tool which performs a large number of checks on the validity of SSL certificates. It can check for lots of mundane issues like expired certs, self-signed certificates, etc. The killer feature for me, though, is that it uses a database of PEM […]
Abusing Hardlinks Via NFS
If you’ve been doing network pentesting for a while, you’ll no doubt be aware that there are plenty of ways to configure NFS insecurely. Here are a few examples: If you export /home and allow read-write access: Attackers can read everyone’s home directories, alter them and probably log in as any user. If an attacker […]
Tenable to Charge for Nessus from August 2008
It seems that Tenable are going to start charging to use Nessus commercially. The Carnal0wnage blog does a good job of highlighting the pros and cons of this, so I won’t repeat those views here. Maybe now would be a good time for the pentest community to get behind OpenVAS – an open source fork […]
Tool for Cracking Passphrases on Encrypted SSH Keys
Phrasen|drescher is a tool for those pentests when you’re having trouble owning those last few *nix boxes. It was released in 2007 but I hadn’t had cause to try it out until recently. If you’ve already gained access to a few *nix boxes, but can’t get into the rest you’ll naturally start trying to enumerate […]
unix-privesc-check
unix-privesc-check is a script that runs on Unix systems (tested on Solaris 9, HP-UX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases). It is written as a single shell script so it can be […]
Post-Exploitation Without A TTY
This is a follow-up to a topic I touched on briefly before when I talked about the problem of trying to use the SSH client when you don’t have a TTY. I was recently in a position where I got an interactive shell on a box, discovered the root password but was unable to get […]
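The underlying problem is that programs such as ssh and su read passwords from the controlling terminal, not from stdin, so a shell whose stdin is a pipe or socket (the usual state after exploitation) cannot drive them. The added Python example below, which is not from the blog post, demonstrates the difference: it runs a child process once with a pipe on stdin and once with a pseudo-terminal allocated via the standard `pty` module, and reports whether the child sees a terminal. The function names are this example's own, and the child is a small Python one-liner rather than ssh so the demonstration runs anywhere.

```python
import os
import pty
import subprocess
import sys

# A child that prints 1 if its stdin is a terminal and 0 otherwise.
# Real tools such as ssh and su make the same isatty-style decision before prompting for a password.
CHILD = [sys.executable, "-c", "import sys; print(int(sys.stdin.isatty()))"]


def child_sees_tty(use_pty: bool) -> bool:
    """Run CHILD with either a plain pipe or a pseudo-terminal as stdin; return what the child saw."""
    if not use_pty:
        # The post-exploitation situation: stdin is a pipe, so nothing is a terminal.
        result = subprocess.run(CHILD, input="", capture_output=True, text=True, check=True)
        return result.stdout.strip() == "1"

    # The fix: allocate a pty pair and hand the slave end to the child as its stdin/stdout/stderr.
    master, slave = pty.openpty()
    try:
        subprocess.run(CHILD, stdin=slave, stdout=slave, stderr=slave, check=True)
    finally:
        os.close(slave)

    # Drain the master side. On Linux the read raises EIO once the slave is fully closed.
    output = b""
    try:
        while True:
            chunk = os.read(master, 1024)
            if not chunk:
                break
            output += chunk
    except OSError:
        pass
    finally:
        os.close(master)
    return output.replace(b"\r", b"").strip() == b"1"


def tty_summary() -> dict[str, bool]:
    """Run both variants and return the outcome of each, keyed by how stdin was provided."""
    return {"pipe": child_sees_tty(False), "pty": child_sees_tty(True)}


if __name__ == "__main__":
    for how, seen in tty_summary().items():
        print(f"stdin via {how}: child sees a terminal = {seen}")
```

With a pipe the child reports no terminal, which is exactly why a password prompt never appears in a bare reverse shell; with the pty allocated the same child reports a terminal. The same principle is what allows an interactive `ssh` or `su` to be driven from an otherwise TTY-less shell once a pseudo-terminal has been put in front of it.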