Eikonal Blog



  • HTTPS server banner:

      openssl s_client -connect IPAddress:443

    after connection is established, type in “HEAD / HTTP/1.0” and press enter.


      echo -e "HEAD / HTTP/1.0\n\n" | openssl s_client -quiet -connect IPAddress:443

  • NNTPS server banner:

      openssl s_client -connect IPAddress:563

  • IMAPS server banner:

      openssl s_client -connect IPAddress:993

  • POP3S server banner:

      openssl s_client -connect IPAddress:995

  • Identifying SSL cyphers:

      openssl s_client -connect website:443 -cipher EXPORT40
      openssl s_client -connect website:443 -cipher NULL
      openssl s_client -connect website:443 -cipher HIGH

  • Generating a password hash for Unix:

      openssl passwd -1 -salt QIGCa pippo

    output: $1$QIGCa$/ruJs8AvmrkmzKTzM2TYE.

  • Converting a PKCS12-encoded (or .pfx) certificate to PEM format:

      openssl pkcs12 -in CertFile.p12 -out NewCertFile.pem -nodes -cacerts

  • Converting a DER-encoded certificate to PEM format:

      openssl x509 -in CertFile.crt -inform DER -out NewCertName.pem -outform PEM

  • Download a proxy’s public certificate:

      openssl s_client -connect ProxyHostname:port > proxycert.pem

  • Create a key:

      openssl genrsa -des3 -out server.key 1024

  • Create a CSR (certificate signing request):

      openssl req -new -key server.key -out server.csr

  • Remove a password from a key:

      cp server.key server.key.org
      openssl rsa -in server.key.org -out server.key

  • Sign the CSR and create the certificate:

      openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
      cat server.crt server.key > certificate.pem

  • Encrypting a file:

      cat INFILE | openssl aes-256-ecb -salt -k PASSWORD > INFILE.ssl

  • Decrypting a file:

      cat INFILE.ssl | openssl aes-256-ecb -d -k PASSWORD > INFILE
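The banner and cipher commands above leave the reading of the result to the operator: whether the server answered the `HEAD / HTTP/1.0` request with a `Server:` header, and whether it accepted the `NULL` or `EXPORT40` suites that `-cipher` offered it. The following script, added here as an example and not part of the original post, parses saved `openssl s_client` output and returns that verdict. The three transcripts it runs on are constructed to resemble s_client output (the "New, <protocol>, Cipher is <name>" summary line and the "(NONE)" form s_client prints after a failed handshake); none is a capture from a real host, and the weak-cipher marker list is this example's own heuristic.

```python
"""Read saved `openssl s_client` output, as produced by the banner-grabbing and
cipher-identification commands above, and report what the server negotiated.

Added example, not part of the original post. The three transcripts below are
constructed to resemble s_client output; none is a capture from a real host."""
import re

# Name fragments of cipher suites a server should never accept: the NULL and
# EXPORT suites the commands above probe for, plus other long-broken ones.
WEAK_CIPHER_MARKERS = {"NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "ANON"}

# s_client summarises the handshake as "New, <protocol>, Cipher is <name>";
# after a failed handshake it prints "New, (NONE), Cipher is (NONE)".
NEGOTIATED_RE = re.compile(r"^New, (?P<proto>[^,]+), Cipher is (?P<cipher>\S+)", re.M)
# The HTTP Server header is the reply to the "HEAD / HTTP/1.0" banner request.
SERVER_HDR_RE = re.compile(r"^Server:\s*(?P<banner>.+?)\s*$", re.M)


def parse_s_client(output: str) -> dict:
    """Extract protocol, cipher, whether the handshake succeeded, and the HTTP banner."""
    m = NEGOTIATED_RE.search(output)
    cipher = m.group("cipher") if m else None
    accepted = cipher is not None and cipher != "(NONE)"
    hdr = SERVER_HDR_RE.search(output)
    return {
        "accepted": accepted,
        "protocol": m.group("proto") if accepted else None,
        "cipher": cipher if accepted else None,
        "server_banner": hdr.group("banner") if hdr else None,
    }


def is_weak_cipher(name: str) -> bool:
    """True if any component of the suite name is on the weak-marker list."""
    parts = set(name.upper().replace("_", "-").split("-"))
    return bool(parts & WEAK_CIPHER_MARKERS)


def audit_transcript(output: str) -> dict:
    """parse_s_client() plus a verdict: did the server accept a weak suite?"""
    info = parse_s_client(output)
    info["weak_cipher_accepted"] = bool(info["accepted"] and is_weak_cipher(info["cipher"]))
    return info


# Constructed sample 1: a normal handshake followed by the HEAD request's reply.
SAMPLE_OK = """CONNECTED(00000003)
depth=0 CN = www.example.test
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
---
HTTP/1.0 200 OK
Server: nginx/1.18.0
Content-Type: text/html
"""

# Constructed sample 2: the desired outcome of `-cipher NULL`; the server
# refused every offered suite, so nothing was negotiated.
SAMPLE_REFUSED = """CONNECTED(00000003)
140735284412608:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1493:SSL alert number 40
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
---
"""

# Constructed sample 3: a misconfigured server that accepted an export suite.
SAMPLE_WEAK = """CONNECTED(00000003)
---
New, SSLv3, Cipher is EXP-RC4-MD5
Server public key is 512 bit
---
HTTP/1.0 200 OK
Server: Apache/2.2.3 (CentOS)
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("refused", SAMPLE_REFUSED), ("weak", SAMPLE_WEAK)):
        print(label, audit_transcript(sample))
```

In practice the transcript comes from redirecting the command above to a file (`... | openssl s_client -quiet -connect IPAddress:443 > out.txt 2>&1`) and the "refused" case is the one you want to see for every `-cipher NULL` and `-cipher EXPORT40` run.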


Auditing Unix Security





Database security

Database auditing

Misc info


Testing security of web services (Web services security testing)


Security assessments for network infrastructure devices


Nmap options, switches and uses

There are probably many places containing lists of useful nmap commands. I have found these two large lists quite useful:

Please use these sites directly, and this blog post only as a backup/blended copy.

Basic techniques

  • Scan a Single Target:
      # nmap [target]
  • Scan Multiple Targets
      # nmap [target1, target2, etc]
  • Scan a List of Targets
      # nmap -iL [list.txt]
  • Scan a Range of Hosts
      # nmap [range of ip addresses]
  • Scan an Entire Subnet
      # nmap [ip address/cidr]
  • Scan Random Hosts
      # nmap -iR [number]
  • Excluding Targets from a Scan
      # nmap [targets] --exclude [targets]
  • Excluding Targets Using a List
      # nmap [targets] --excludefile [list.txt]
  • Perform an Aggressive Scan
      # nmap -A [target]
  • Scan an IPv6 Target
      # nmap -6 [target]

Discovery Options

  • Perform a Ping Only Scan
      # nmap -sP [target]
  • Don’t Ping
      # nmap -PN [target]
  • TCP SYN Ping
      # nmap -PS [target]
  • TCP ACK Ping
      # nmap -PA [target]
  • UDP Ping
      # nmap -PU [target]
  • SCTP INIT Ping
      # nmap -PY [target]
  • ICMP Echo Ping
      # nmap -PE [target]
  • ICMP Timestamp Ping
      # nmap -PP [target]
  • ICMP Address Mask Ping
      # nmap -PM [target]
  • IP Protocol Ping
      # nmap -PO [target]
  • ARP Ping
      # nmap -PR [target]
  • Traceroute
      # nmap --traceroute [target]
  • Force Reverse DNS Resolution
      # nmap -R [target]
  • Disable Reverse DNS Resolution
      # nmap -n [target]
  • Alternative DNS Lookup
      # nmap --system-dns [target]
  • Manually Specify DNS Server(s)
      # nmap --dns-servers [servers] [target]
  • Create a Host List
      # nmap -sL [targets]

Advanced Scanning Functions

  • TCP SYN Scan
      # nmap -sS [target]
  • TCP Connect Scan
      # nmap -sT [target]
  • UDP Scan
      # nmap -sU [target]
  • TCP NULL Scan
      # nmap -sN [target]
  • TCP FIN Scan
      # nmap -sF [target]
  • Xmas Scan
      # nmap -sX [target]
  • TCP ACK Scan
      # nmap -sA [target]
  • Custom TCP Scan
      # nmap --scanflags [flags] [target]
  • IP Protocol Scan
      # nmap -sO [target]
  • Send Raw Ethernet Packets
      # nmap --send-eth [target]
  • Send IP Packets
      # nmap --send-ip [target]
  • TCP Connect scanning for localhost and network
      # nmap -v -sT localhost
      # nmap -v -sT
  • nmap TCP SYN (half-open) scanning:
      # nmap -v -sS localhost
      # nmap -v -sS
  • nmap TCP FIN scanning:
      # nmap -v -sF localhost
      # nmap -v -sF
  • nmap TCP Xmas tree scanning:
      # nmap -v -sX localhost
      # nmap -v -sX

    Useful to see whether the firewall is protecting against this kind of attack or not.

  • nmap TCP Null scanning:
      # nmap -v -sN localhost
      # nmap -v -sN

    Useful to see whether the firewall is protecting against this kind of attack or not.

  • nmap TCP Windows scanning:
      # nmap -v -sW localhost
      # nmap -v -sW
  • nmap TCP RPC scanning:
      # nmap -v -sR localhost
      # nmap -v -sR

    Useful to find out RPC (such as portmap) services.

  • nmap UDP scanning:
      # nmap -v -sU localhost
      # nmap -v -sU

    Useful to find out UDP ports.

  • nmap remote software version scanning:
      # nmap -v -sV localhost
      # nmap -v -sV

    You can also find out which software version is listening on the port.

Port Scanning Options

  • Perform a Fast Scan
      # nmap -F [target]
  • Scan Specific Ports
      # nmap -p [port(s)] [target]
  • Scan Ports by Name
      # nmap -p [port name(s)] [target]
  • Scan Ports by Protocol
      # nmap -sU -sT -p U:[ports],T:[ports] [target]
  • Scan All Ports
      # nmap -p "*" [target]
  • Scan Top Ports
      # nmap --top-ports [number] [target]
  • Perform a Sequential Port Scan
      # nmap -r [target]

Version Detection

  • Operating System Detection
      # nmap -O [target]
  • Submit TCP/IP Fingerprints
      # www.nmap.org/submit/
  • Attempt to Guess an Unknown OS
      # nmap -O --osscan-guess [target]
  • Service Version Detection
      # nmap -sV  [target]
  • Troubleshooting Version Scans
      # nmap -sV --version-trace [target]
  • Perform a RPC Scan
      # nmap -sR [target]

Timing Options

  • Timing Templates
      # nmap -T[0-5] [target]
  • Set the Packet TTL
      # nmap --ttl [time] [target]
  • Minimum # of Parallel Operations
      # nmap --min-parallelism [number] [target]
  • Maximum # of Parallel Operations
      # nmap --max-parallelism [number] [target]
  • Minimum Host Group Size
      # nmap --min-hostgroup [number] [targets]
  • Maximum Host Group Size
      # nmap --max-hostgroup [number] [targets]
  • Initial RTT Timeout
      # nmap --initial-rtt-timeout [time] [target]
  • Maximum RTT Timeout
      # nmap --max-rtt-timeout [time] [target]
  • Maximum Retries
      # nmap --max-retries [number] [target]
  • Host Timeout
      # nmap --host-timeout [time] [target]
  • Minimum Scan Delay
      # nmap --scan-delay [time] [target]
  • Maximum Scan Delay
      # nmap --max-scan-delay [time] [target]
  • Minimum Packet Rate
      # nmap --min-rate [number] [target]
  • Maximum Packet Rate
      # nmap --max-rate [number] [target]
  • Defeat Reset Rate Limits
      # nmap --defeat-rst-ratelimit [target]

Firewall Evasion Techniques

  • Fragment Packets
      # nmap -f [target]
  • Specify a Specific MTU
      # nmap --mtu [MTU] [target]
  • Use a Decoy
      # nmap -D RND:[number] [target]
  • Idle Zombie Scan
      # nmap -sI [zombie] [target]
  • Manually Specify a Source Port
      # nmap --source-port [port] [target]
  • Append Random Data
      # nmap --data-length [size] [target]
  • Randomize Target Scan Order
      # nmap --randomize-hosts [target]
  • Spoof MAC Address
      # nmap --spoof-mac [MAC|0|vendor] [target]
  • Send Bad Checksums
      # nmap --badsum [target]

Output Options

  • Save Output to a Text File
      # nmap -oN [scan.txt] [target]
  • Save Output to a XML File
      # nmap -oX [scan.xml] [target]
  • Grepable Output
      # nmap -oG [scan.txt] [targets]
  • Output All Supported File Types
      # nmap -oA [path/filename] [target]
  • Periodically Display Statistics
      # nmap --stats-every [time] [target]
  • 133t Output
      # nmap -oS [scan.txt] [target]

Troubleshooting and Debugging

  • Getting Help
      # nmap -h
  • Display Nmap Version
      # nmap -V
  • Verbose Output
      # nmap -v [target]
  • Debugging
      # nmap -d [target]
  • Display Port State Reason
      # nmap --reason [target]
  • Only Display Open Ports
      # nmap --open [target]
  • Trace Packets
      # nmap --packet-trace [target]
  • Display Host Networking
      # nmap --iflist
  • Specify a Network Interface
      # nmap -e [interface] [target]

Nmap Scripting Engine

  • Execute Individual Scripts
      # nmap --script [script.nse] [target]
  • Execute Multiple Scripts
      # nmap --script [expression] [target]
  • Script Categories
      # all, auth, default, discovery, external, intrusive, malware, safe, vuln
  • Execute Scripts by Category
      # nmap --script [category] [target]
  • Execute Multiple Script Categories
      # nmap --script [category1,category2,etc] [target]
  • Troubleshoot Scripts
      # nmap --script [script] --script-trace [target]
  • Update the Script Database
      # nmap --script-updatedb


  • Comparison Using Ndiff
      # ndiff [scan1.xml] [scan2.xml]
  • Ndiff Verbose Mode
      # ndiff -v [scan1.xml] [scan2.xml]
  • XML Output Mode
      # ndiff --xml [scan1.xml] [scan2.xml]
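The Output Options and Ndiff entries above are what turn a one-off scan into change detection: scan on a schedule, keep the files, and diff them so a newly opened port on a host stands out. Ndiff works on the `-oX` files; the script below, added here as an example that is neither nmap's nor ndiff's own code, does the same for the `-oG` grepable files from the `nmap -oG` entry. It relies on the documented grepable record layout (`Host: <ip> (<name>)`, tab, `Ports: <port>/<state>/<proto>/<owner>/<service>/<rpcinfo>/<version>/, ...`). The two scan outputs it compares are constructed samples, not real captures.

```python
"""Parse nmap grepable output (-oG) and report ports that opened or closed
between two scans, the way ndiff is used on two -oX files.

Added example, not part of the original post and not nmap's or ndiff's own
code. The two scan outputs below are constructed samples, not real captures."""
from typing import Dict, List, Set, Tuple

PortKey = Tuple[int, str]  # (port number, protocol)


def parse_grepable(text: str) -> Dict[str, Dict[PortKey, str]]:
    """Map host IP -> {(port, proto): service} for every open port in -oG output."""
    hosts: Dict[str, Dict[PortKey, str]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no port data
        # Fields are tab-separated "Key: value" pairs: Host, Ports, Ignored State, Status ...
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        ports = hosts.setdefault(ip, {})
        for entry in fields.get("Ports", "").split(","):
            entry = entry.strip()
            if not entry:
                continue
            # Each port record has 7 slash-separated fields:
            # port/state/protocol/owner/service/rpcinfo/version/
            port, state, proto, _owner, service = entry.split("/")[:5]
            if state == "open":
                ports[(int(port), proto)] = service
    return hosts


def diff_scans(old: str, new: str) -> Dict[str, Dict[str, Set[PortKey]]]:
    """Per host, the set of ports newly open and the set no longer open."""
    before, after = parse_grepable(old), parse_grepable(new)
    report: Dict[str, Dict[str, Set[PortKey]]] = {}
    for ip in sorted(set(before) | set(after)):
        opened = set(after.get(ip, {})) - set(before.get(ip, {}))
        closed = set(before.get(ip, {})) - set(after.get(ip, {}))
        if opened or closed:
            report[ip] = {"opened": opened, "closed": closed}
    return report


def format_report(report: Dict[str, Dict[str, Set[PortKey]]]) -> List[str]:
    """One line per change, e.g. '192.168.1.10 +3306/tcp'."""
    lines = []
    for ip, change in report.items():
        for port, proto in sorted(change["opened"]):
            lines.append(f"{ip} +{port}/{proto}")
        for port, proto in sorted(change["closed"]):
            lines.append(f"{ip} -{port}/{proto}")
    return lines


# Constructed baseline scan (tabs separate the fields, as in real -oG output).
OLD_SCAN = """# Nmap 7.80 scan initiated Fri Jan  1 10:00:00 2021 as: nmap -oG - 192.168.1.0/24
Host: 192.168.1.10 (srv1.example.test)\tStatus: Up
Host: 192.168.1.10 (srv1.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/\tIgnored State: closed (998)
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
# Nmap done at Fri Jan  1 10:01:00 2021 -- 256 IP addresses (2 hosts up) scanned
"""

# Constructed follow-up scan: srv1 closed 80 and opened 3306, and a new host appeared.
NEW_SCAN = """Host: 192.168.1.10 (srv1.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/closed/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)
Host: 192.168.1.20 ()\tPorts: 443/open/tcp//https///\tIgnored State: filtered (999)
Host: 192.168.1.30 ()\tPorts: 23/open/tcp//telnet///\tIgnored State: closed (999)
"""

if __name__ == "__main__":
    for line in format_report(diff_scans(OLD_SCAN, NEW_SCAN)):
        print(line)
```

Run against two real `-oG` files the output is the list of ports to go and explain: every `+` line is either an approved change or an incident.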

See also: https://eikonal.wordpress.com/2010/01/29/vulnerability-assessment-tools/ at this blog.


LiveCD distributions for information security

  • a list of Security Live CDs at Knoppix.net – http://www.knoppix.net/wiki/Security_Live_CD
  • BackTrack – Penetration Testing Distribution- http://www.backtrack-linux.org/ | http://en.wikipedia.org/wiki/BackTrack
  • DVWA (Damn Vulnerable Web App) – http://www.dvwa.co.uk/
      Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a class room environment.
  • NST (Network Security Toolkit) – http://networksecuritytoolkit.org/nst/index.html – a bootable ISO live CD/DVD (NST Live) based on Fedora Linux.
  • OWASP Live CD – http://appseclive.org/ | http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project:

      Welcome to AppSecLive.org! We are an online community focused on, you guessed it, web application security. We welcome all folks from all arenas to join us in discussing everything from tools to techniques relating to the security of the web. AppSecLive.org is also the new home of the OWASP Live CD, which is maintained by Matt Tesauro. This is where you will find support for the OWASP Live CD.
  • Samurai Web Testing Framework – http://samurai.inguardians.com/
      The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
      Starting with reconnaissance, we have included tools such as the Fierce domain scanner and Maltego. For mapping, we have included tools such WebScarab and ratproxy. We then chose tools for discovery. These would include w3af and burp. For exploitation, the final stage, we included BeEF, AJAXShell and much more. This CD also includes a pre-configured wiki, set up to be the central information store during your pen-test.


Stages of checking password crackability

  1. Check if password is empty.
  2. Check if password is equal to the username.
  3. For system (or application) provided accounts, use Google to find the default passwords provided by the manufacturers, and test them against these accounts on your system(s).
  4. Check if password is in the custom assembled corporate dictionary.
  5. Check if password is in the selected language’s dictionary. (see: https://eikonal.wordpress.com/2010/03/29/default-passwords/)
  6. Check if password is a dictionary word + one digit.
  7. Check if password is a l33t-ized (leetspeak) dictionary word.
  8. Check if password is a concatenation of multiple words.
  9. Check in the database of precomputed password hashes.
  10. Desperate measure: brute force cracking.
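The ten stages above are ordered by cost, so an audit script should try them in that order and stop at the first hit. The script below, added here as an example and not part of the original post, runs the stages over a set of account hashes. Everything in it is constructed for the demo: the default-password, corporate and language word lists stand in for the real ones the checklist names, the hash function is plain SHA-256 rather than the system's crypt format, the "precomputed hashes" table holds three entries, and the brute-force stage is capped at three characters so the demo finishes instantly.

```python
"""Staged weak-password audit following the checklist above: the cheap checks
run first and brute force only as the last resort.

Added example, not part of the original post. All word lists, accounts and the
hash function below are constructed for the demo; a real audit would plug in
the site's own default-password and corporate lists and the system's hash
format (such as the $1$ MD5-crypt hash shown earlier on this page)."""
import hashlib
import itertools
from typing import Dict, Iterator, Optional, Tuple

# Constructed stand-ins for the lists the checklist refers to.
DEFAULT_PASSWORDS = {"admin": ["admin", "password"], "root": ["root", "changeme"]}
CORPORATE_DICT = ["acme", "acme2010", "widgetco"]
LANGUAGE_DICT = ["summer", "dragon", "secret", "monkey"]
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}
BRUTE_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def hash_pw(password: str) -> str:
    """Demo hash (unsalted SHA-256); stands in for the real crypt format."""
    return hashlib.sha256(password.encode()).hexdigest()


# Stage 9: a tiny "precomputed hashes" table, constructed for the demo.
PRECOMPUTED = {hash_pw(p): p for p in ["letmein", "qwerty", "123456"]}


def leet_variants(word: str) -> Iterator[str]:
    """Stage 7: every way of swapping letters of `word` for their l33t forms."""
    options = [(c,) + tuple(LEET.get(c, "")) for c in word]
    for combo in itertools.product(*options):
        variant = "".join(combo)
        if variant != word:
            yield variant


def candidates(username: str) -> Iterator[Tuple[str, str]]:
    """Yield (stage, candidate) pairs for stages 1-8, cheapest first."""
    yield "1 empty", ""
    yield "2 username", username
    for p in DEFAULT_PASSWORDS.get(username, []):
        yield "3 vendor default", p
    for w in CORPORATE_DICT:
        yield "4 corporate dict", w
    for w in LANGUAGE_DICT:
        yield "5 language dict", w
    for w in LANGUAGE_DICT:
        for digit in "0123456789":
            yield "6 word+digit", w + digit
    for w in LANGUAGE_DICT + CORPORATE_DICT:
        for v in leet_variants(w):
            yield "7 leet word", v
    for a, b in itertools.permutations(LANGUAGE_DICT, 2):
        yield "8 two words", a + b


def audit(username: str, target_hash: str, brute_max_len: int = 3) -> Optional[Tuple[str, str]]:
    """Return (stage, recovered_password) for the first stage that matches, else None."""
    for stage, cand in candidates(username):
        if hash_pw(cand) == target_hash:
            return stage, cand
    if target_hash in PRECOMPUTED:
        return "9 precomputed hash", PRECOMPUTED[target_hash]
    # Stage 10: exhaustive search over a deliberately tiny keyspace.
    for length in range(1, brute_max_len + 1):
        for combo in itertools.product(BRUTE_ALPHABET, repeat=length):
            cand = "".join(combo)
            if hash_pw(cand) == target_hash:
                return "10 brute force", cand
    return None


def audit_accounts(accounts: Dict[str, str]) -> Dict[str, Optional[Tuple[str, str]]]:
    """Run the staged audit over a {username: hash} map."""
    return {user: audit(user, h) for user, h in accounts.items()}


# Constructed demo accounts; each one falls to a different stage.
DEMO_ACCOUNTS = {
    "admin": hash_pw("password"),        # vendor default
    "alice": hash_pw("dragon7"),         # dictionary word + digit
    "bob":   hash_pw("s3cr3t"),          # l33t-ized dictionary word
    "carol": hash_pw("qwerty"),          # only in the precomputed table
    "dave":  hash_pw("xq9"),             # short enough for brute force
    "erin":  hash_pw("kH8!mwz2Qp4vL"),   # survives every stage
}

if __name__ == "__main__":
    for user, result in audit_accounts(DEMO_ACCOUNTS).items():
        print(f"{user:6s} {'OK' if result is None else 'WEAK at stage ' + result[0]}")
```

The stage label in each result is the thing to report back: an account that falls at stage 3 is a deployment problem (unchanged vendor default), one that falls at stage 6 or 7 is a password-policy problem, and only stage 10 hits say anything about password length.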



Filed under: Penetration Testing, VA (Vulnerability Assessment) — Tags: , — sandokan65 @ 12:59



Filed under: infosec, VA (Vulnerability Assessment) — Tags: , — sandokan65 @ 11:53

For years I was using the CIS’ RAT (Router Assessment Tool) to evaluate the security of the configurations of various Cisco devices (firewalls, routers, switches). Then, several years ago, along came Nipper, the(n) free and open source tool doing similar assessment (but finding problems that RAT was not seeing). For several years I was using both tools on the same configurations, combining their results to get a fuller picture.

From the “No good thing stays free for long” department: a couple of years ago Nipper’s maker pulled the Tenable Nessus bait-and-switch trick, making Nipper both closed source and commercial (non-free).


Gathering information on a Unix system

Filed under: VA (Vulnerability Assessment) — Tags: , , , , , — sandokan65 @ 14:42
Tests (Linux / AIX / HP-UX):

  • ioscan -v
  • Kernel parameter information:
      kmtune -l
  • Network configuration parameters:
      ndd -h supported
  • Network and routing tables:
      netstat -in
      netstat -rn
  • General machine information:
      uname -a
  • RAID configuration:
      /sbin/irdiag -v
  • System resources:
      sar -b <interval> <count>





Filed under: unix, VA (Vulnerability Assessment) — Tags: , — sandokan65 @ 14:30

kmtune.pl – a Perl script wrapping kmtune: http://forums2.itrc.hp.com/service/forums/getattachment.do?attachmentId=4902&ext=.txt. Author: H.Merijn Brand. (Source: http://forums13.itrc.hp.com/service/forums/questionanswer.do?admit=109447627+1269354030577+28353475&threadId=939626).

Local copy:

#!/pro/bin/perl -w

use strict;
use integer;

# With arguments, only parameters matching one of the patterns are printed;
# without arguments, every parameter is printed.
if (@ARGV) {
    local $" = '/i || m/';
    eval "sub pat { local \$_ = shift; m/@ARGV/i }";
    }
else {
    eval "sub pat { 1 }";
    }

my (%tune, %parm, $PARM, $parm, %ref);

# Read "kmtune -l" and collect each parameter's fields (Value, Default, ...).
open my $list, "kmtune -l |" or die "kmtune -l: $!";
while (<$list>) {
    my ($p, $v) = split m/:\s+/, $_, 2 or next;
    $v =~ s/\b0X([\dA-Fa-f]+)\b/0x\L$1/g;
    $p eq "Parameter" and $parm = $v, next;

    $tune{$parm}{$p} = $v;

    $p eq "Value" or next;
    if ($v =~ m/^-?(0x[\da-f]+|\d+)$/) {
	# plain number: store its numeric value under the upper-cased name
	$parm{uc $parm} = 0 + $v =~ m/^-?0x/ ? hex $v : $v;
	}
    else {
	# an expression referring to other parameters: resolve it later
	#printf STDERR "%-20s: '%s'\n", $p, $v;
	$ref{$parm} = $v;
	}
    }
close $list;

# Substitute known parameter values into the expressions until none are left.
while (keys %ref) {
    foreach my $p (keys %ref) {
	my $up = uc $p;
	my $v  = $tune{$p}{Value};
	#my @r = (m/\b([A-Za-z]\w*)\b/g);
	my $x = 0;
	eval q(
	    $v =~ s/\b([A-Za-z]\w*)\b/exists$parm{uc $1}?$parm{uc $1}:do{$x++,$1}/ge;
	    );
	$x and next;	# still refers to an unresolved name; retry next round
	eval "\$v = $v";
	$parm{$up} = $v;
	delete $ref{$p};
	}
    }

$= = 64;
foreach $parm (sort keys %tune) {
    $tune{$parm}{Default} eq $tune{$parm}{Value} and $tune{$parm}{Default} = "";
    $PARM = uc $parm;
    pat ("$parm $parm{$PARM} $tune{$parm}{Value} $tune{$parm}{Default}\n") and write;
    }

format STDOUT_TOP =
Parameter            Value hex    Value dec   Function                    Default
-------------------- ------------ ----------- --------------------------- --------------------
.
format STDOUT =
@<<<<<<<<<<<<<<<<<<< @>>>>>>>>>>> @>>>>>>>>>> ^<<<<<<<<<<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<
$parm, sprintf("0x%x", $parm{$PARM}), $parm{$PARM}, $tune{$parm}{Value}, $tune{$parm}{Default}
~~                                            ^<<<<<<<<<<<<<<<<<<<<<<<<<< ^<<<<<<<<<<<<<<<<<<<
                                              $tune{$parm}{Value},        $tune{$parm}{Default}
.


Vulnerability Assessment tools

Information Gathering

Network Scanners and Discovery, Port scanners

Vulnerability Scanners, Integrated VA (Vulnerability Assessment) scanners

Windows Auditing

GOTO: https://eikonal.wordpress.com/2011/01/05/auditing-ms-windows/

Unix Auditing

GOTO: https://eikonal.wordpress.com/2011/07/08/auditing-unix/

Database auditing

GOTO: https://eikonal.wordpress.com/2011/02/24/database-security/

Web Applications and Web Services assessment

Lists of tools:

Application Assessment:

Web services testing:


Using browsers as the webapp testing tools:

Misc info:

  • Book: “The Web Application Hacker’s Handbook: Discovering and Exploiting Security Flaws” by Dafydd Stuttard and Marcus Pinto – http://www.amazon.com/Web-Application-Hackers-Handbook-Discovering/dp/0470170778/
  • The Web Application Security Consortium (WASC): http://www.webappsec.org/ | http://projects.webappsec.org/
  • OSSTMM – “Open Source Security Testing Methodology Manual” by Pete Herzog – http://www.isecom.org/osstmm/
  • OWASP: http://www.owasp.org/index.php/Main_Page
    • OWASP Testing Guide:
  • Top 10 Web Vulnerability Scanners – http://sectools.org/web-scanners.html:

    • #1 – Nikto : A more comprehensive web scanner:
      Nikto is an open source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired). It uses Whisker/libwhisker for much of its underlying functionality. It is a great tool, but the value is limited by its infrequent updates. The newest and most critical vulnerabilities are often not detected.
    • #2 – Paros proxy : A web application vulnerability assessment proxy
      A Java based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
    • #3 – WebScarab : A framework for analyzing applications that communicate using the HTTP and HTTPS protocols
      In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
    • #4 – WebInspect : A Powerful Web Application Scanner
      SPI Dynamics’ WebInspect application security assessment tool helps identify known and unknown vulnerabilities within the Web application layer. WebInspect can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more.
    • #5 – Whisker/libwhisker : Rain.Forest.Puppy’s CGI vulnerability scanner and library
      Libwhisker is a Perl module geared towards HTTP testing. It provides functions for testing HTTP servers for many known security holes, particularly the presence of dangerous CGIs. Whisker is a scanner that used libwhisker but is now deprecated in favor of Nikto which also uses libwhisker.
    • #6 – Burpsuite : An integrated platform for attacking web applications
      Burp suite allows an attacker to combine manual and automated techniques to enumerate, analyze, attack and exploit web applications. The various burp tools work together effectively to share information and allow findings identified within one tool to form the basis of an attack using another.
    • #7 – Wikto : Web Server Assessment Tool
      Wikto is a tool that checks for flaws in webservers. It provides much the same functionality as Nikto but adds various interesting pieces of functionality, such as a Back-End miner and close Google integration. Wikto is written for the MS .NET environment and registration is required to download the binary and/or source code.
    • #8 – Acunetix WVS : Commercial Web Vulnerability Scanner
      Acunetix WVS automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, weak password strength on authentication pages. AcuSensor technology detects vulnerabilities which typical black box scanners miss. Acunetix WVS boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
    • #9 – Rational AppScan : Commercial Web Vulnerability Scanner
      AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. Appscan was merged into IBM’s Rational division after IBM purchased its original developer (Watchfire) in 2007.
    • #10 – N-Stealth : Web server scanner
      N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as Whisker/libwhisker and Nikto, but do take their web site with a grain of salt. The claims of “30,000 vulnerabilities and exploits” and “Dozens of vulnerability checks are added every day” are highly questionable. Also note that essentially all general VA tools such as Nessus, ISS Internet Scanner, Retina, SAINT, and Sara include web scanning components. They may not all be as up-to-date or flexible though. N-Stealth is Windows only and no source code is provided.
  • Jeremiah Grossman’s blog on web application security: http://jeremiahgrossman.blogspot.com | RSS – http://feeds.feedburner.com/JeremiahGrossman:
  • “Web Application Testing” by Russ Klanke (at Aggressive Virus Defense blog) – http://aggressivevirusdefense.wordpress.com/2009/08/02/web-application-testing/ – has numerous good links and tips.
  • Browser Security Handbook – http://code.google.com/p/browsersec/wiki/Main
      Browser Security Handbook is meant to provide web application developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers. Insufficient understanding of these often poorly-documented characteristics is a major contributing factor to the prevalence of several classes of security vulnerabilities.

      The document currently covers several hundred security-relevant characteristics of Microsoft Internet Explorer (versions 6, 7, and 8), Mozilla Firefox (versions 2 and 3), Apple Safari, Opera, Google Chrome, and Android embedded browser.

      Open-source test cases provided alongside with this document permit any other browser implementations to be quickly evaluated in a similar manner.

  • “Web Security Testing Cookbook” by Paco Hope – http://websecuritytesting.com/

(other) Specialized scanners

IPSec security

  • IPSecScan (by NTSecurity.nu) – http://ntsecurity.nu/toolbox/ipsecscan/ – IPSecScan is a tool that can scan either a single IP address or a range of IP addresses looking for systems that are IPSec enabled.

Wireless Hacking and auditing

VoIP & Telephony auditing

Live CDs

Exploitation Frameworks



Penetration Testing and Exploitation

Network testers

See also: list of (other) security tools (in this blog) – https://eikonal.wordpress.com/2010/07/28/security-tools/.


Network discovery tools

Filed under: infosec, networking, Penetration Testing, VA (Vulnerability Assessment) — Tags: — sandokan65 @ 16:18
