http://pentesterscripting.com/ 2010-08-20T22:22:50+00:00 http://pentesterscripting.com/ http://pentesterscripting.com/lib/images/favicon.ico text/html 2010-06-22T07:20:13+00:00 http://pentesterscripting.com/authors?rev=1277191213&do=diff This site is run due to the contributions of the following people: * Kevin Johnson * Frank DiMaggio * Robin Wood * Tom Eston * Chris John Riley * Matias Brutti * Jason Haddix * Aung Khant text/html 2009-10-31T18:02:39+00:00 http://pentesterscripting.com/broken_scripts?rev=1257012159&do=diff We've all done it, started a project and ran out of time before it was finished or hit a bug we just couldn't get past. This section is a place to submit your scripts when you've given up but think what you have so far may be of use to others to either finish off or just to salvage parts for use on other projects. text/html 2009-11-02T23:51:46+00:00 http://pentesterscripting.com/checking_for_ssl_vulnerabilities_on_the_command_line?rev=1257205906&do=diff While Nessus is a wonderful vulnerability scanner, sometimes it is too slow and resource heavy for individual issues. The following 2 equivalent scripts perform checks for the following SSL related Nessus plugins: * 20007: SSL Version 2 (v2) Protocol Detection * 26928: SSL Weak Cipher Suites Supported * 31705: SSL Anonymous Cipher Suites Supported text/html 2009-10-30T01:12:45+00:00 http://pentesterscripting.com/contact_information?rev=1256865165&do=diff This site is run by a collection of people who can be reached via the following ways: * @pentesterscript on Twitter * Scripts can be submitted at scripts @ pentesterscripting.com text/html 2009-10-30T20:01:03+00:00 http://pentesterscripting.com/directory_brute_forcing_using_curl_and_wc?rev=1256932863&do=diff Directory Brute Forcing with common tools: Finding non-linked resources is an important part of any assessment. If you’re working with a scope that limits tools you can install/use, or you want to comb over some could-be false positives from a tools output you can do this by using a bash script. text/html 2010-08-07T17:44:06+00:00 http://pentesterscripting.com/discovery?rev=1281203046&do=diff Discovery is probably one of the most important portions of a penetration test. It is where we try to determine what potential flaws exist in the target. The scripts found in this section will focus on finding these flaws so that they can be used in the exploitation phase of the penetration test. Some examples would be user name harvesting or scanning for routers exposed to the network. text/html 2010-07-04T11:46:47+00:00 http://pentesterscripting.com/exploitation?rev=1278244007&do=diff Exploitation is probably everyone favorite portion of a penetration test. It is where we get to actually launch attacks. The scripts in this section will target vulnerabilities in the target and the leverage these to further our penetration. ---------- TYPO3 CMS Insecure Randomness Exploit - REF: TYPO3-SA-2009-001 Detailed Advisory - c22.cc text/html 2009-11-15T10:49:17+00:00 http://pentesterscripting.com/logo_competition?rev=1258282157&do=diff And the winner is... The deadline has come at last and there is a clear winner, Max Soler. Thanks to all who entered and to those who didn't win, your logo still might be used somewhere as each of the site admins have our own preferred logos (no, we probably won't say which) and so won't be throwing anything away. text/html 2010-06-22T07:17:18+00:00 http://pentesterscripting.com/mapping?rev=1277191038&do=diff Mapping is the part of a penetration test where we attempt to determine what is part of the target. For example, during a web pen-test, we would find all of the functionality of the site during this phase. These scripts will help us fill out our target map. text/html 2010-06-22T07:15:10+00:00 http://pentesterscripting.com/misc?rev=1277190910&do=diff This is a place for miscellaneous scripts that come in useful for day to day testing. ---------- String Encoding in the Shell for miscellaneous obfuscation et al. Password Generators A script to wait for a program to finish before doing something else text/html 2009-11-16T22:02:48+00:00 http://pentesterscripting.com/post_exploitation?rev=1258408968&do=diff Once the process of Exploitation is complete, it is important to gather information from the targeted machine. Post exploitation can be completed in many forms depending on the goal. Scripts in this section will target (localised) information gathering and collection and scripts that use the exploited machine to act as a pivot for further testing. text/html 2009-11-08T23:35:08+00:00 http://pentesterscripting.com/recon?rev=1257723308&do=diff Reconnaissance is the first step that all penetration tests should start with. In this section of the site, we will include scripts that attempt to gather information regarding the target. These scripts could include grabbing data from Google or parsing lists of potential user names from Linked In. text/html 2009-11-06T00:08:06+00:00 http://pentesterscripting.com/reports_and_data_manipulation?rev=1257466086&do=diff At the end of a test you can end up with pages of output from various applications and some how you have to bring it all together into a single report. This section contains scripts to manipulate that output into formats that are easier to include in your reports. text/html 2009-11-06T00:07:38+00:00 http://pentesterscripting.com/sidebar?rev=1257466058&do=diff * Start ---------- * Recon * Mapping * Discovery * Exploitation * Post Exploitation * Broken Scripts * Reports and Data Manipulation * Misc ---------- * About the Site * Authors * Contact Information text/html 2009-11-15T10:49:47+00:00 http://pentesterscripting.com/start?rev=1258282187&do=diff PENTESTER SCRIPTING! Hello! Welcome to the site. Have you found yourself in the predicament of needing to exploit an application/OS/web page? And you think to yourself, “I just did this last week, but I can't remember what I did”. That's the reason for this Wiki/Site. PenTesters young and old, n00b and l33t can gain access to and knowledge of useful scripts/tricks/tips (security related or not) for the purpose of pen-testing. text/html 2009-11-02T23:47:29+00:00 http://pentesterscripting.com/string_encoding_in_the_shell_for_miscellaneous_obfuscation_et_al?rev=1257205649&do=diff Data encoding in the shell is a quick and reliable method to parse input in one type of format to format of another type. This could be done in order to determine how an application has converted input, or to encode your input in such a way as to bypass a security filter. These include some valuable methods such as HEX, HTML, URL, various password representations, common hashes and even some compression encodings. What follows are some of my favourite methods to convert input on the command line… text/html 2009-10-31T12:32:36+00:00 http://pentesterscripting.com/typo3_cms_insecure_randomness_exploit?rev=1256992356&do=diff This script was originally written and used to test and exploit for the TYPO3-SA-2009-001 Insecure Randonmess bug that was discovered in late 2008. Details of this exploit can be found here. This was my first attempt at Python scripting, so it may not be as smooth as some scripty, however it was a lot more productive than the typical Hello World script.