POP3 Sequence

Sep 02 2006

user username        (every command is answered with +OK or -ERR)
pass password        (the password crosses the wire in the clear unless the session is wrapped in TLS: POP3S on port 995, or STLS)
list                 (message numbers and sizes)
retr msg#            (retrieve message number msg#)
dele msg#            (mark msg# for deletion; it is actually removed when you quit)
quit

SMTP Sequence

Sep 02 2006

helo hostname
mail from: <sender>
rcpt to: <recipient>
data
Subject:
To:
From:
Insert one blank line
Message contents go here
Finish the data with <CR><LF>.<CR><LF>, i.e. a line containing only a dot (\r\n.\r\n). Because that line ends the message, any body line that itself begins with a dot has to be sent with an extra dot in front (dot-stuffing); the receiving server strips it again.
quit

Also see: vrfy name and expn name (ask whether a mailbox or mailing list exists; handy for user enumeration, which is why many servers refuse both or answer with a non-committal 252).
rset abandons the current mail transaction without disconnecting.
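The SMTP sequence above driven from a raw socket, as an added example that is not part of the original post: it runs the HELO / MAIL FROM / RCPT TO / DATA / QUIT dialogue against a constructed stand-in server on a loopback port, probes VRFY and EXPN and records the reply codes, and dot-stuffs the body so that a line beginning with "." cannot end the message early. The host names, addresses, reply texts and sample body are made up for the test; smtp_session pointed at a real host and port runs the same dialogue against a server you are authorized to test. The POP3 sequence is driven the same way, with single-line +OK/-ERR replies in place of three-digit codes.

```python
import socket
import threading

CRLF = "\r\n"

def dot_stuff(body):
    """CRLF line endings, a leading '.' doubled on every line (so a body line of
    just '.' cannot end the message early) and the <CRLF>.<CRLF> terminator."""
    lines = body.replace("\r\n", "\n").rstrip("\n").split("\n")
    return CRLF.join(("." + ln) if ln.startswith(".") else ln for ln in lines) + CRLF + "." + CRLF

def read_reply(reader):
    """Read one reply, following '250-...' continuation lines; return (code, text)."""
    text = []
    while True:
        raw = reader.readline()
        if not raw:
            raise RuntimeError("connection closed by server")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        text.append(line[4:])
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), "\n".join(text)

def send_command(sock, reader, cmd, accept=(250,)):
    """Send one command line and check the reply code against `accept`."""
    sock.sendall((cmd + CRLF).encode("ascii"))
    code, text = read_reply(reader)
    if code not in accept:
        raise RuntimeError(f"{cmd!r} rejected: {code} {text}")
    return code, text

def smtp_session(host, port, sender, rcpt, subject, body, helo="tester.example",
                 probe_names=("postmaster",)):
    """HELO, VRFY/EXPN probes, MAIL FROM, RCPT TO, DATA, QUIT.
    Returns ({probe command: reply code}, reply code to the DATA block)."""
    probes = {}
    with socket.create_connection((host, port)) as sock:
        reader = sock.makefile("rb")
        if read_reply(reader)[0] != 220:
            raise RuntimeError("no 220 greeting")
        send_command(sock, reader, f"HELO {helo}")
        for name in probe_names:  # 250/252: name accepted or not refused; 5xx: refused
            for verb in ("VRFY", "EXPN"):
                code, _ = send_command(sock, reader, f"{verb} {name}", accept=range(200, 600))
                probes[f"{verb} {name}"] = code
        send_command(sock, reader, f"MAIL FROM:<{sender}>")
        send_command(sock, reader, f"RCPT TO:<{rcpt}>")
        send_command(sock, reader, "DATA", accept=(354,))
        headers = f"Subject: {subject}{CRLF}To: {rcpt}{CRLF}From: {sender}{CRLF}{CRLF}"
        sock.sendall(headers.encode("ascii") + dot_stuff(body).encode("ascii"))
        data_code, _ = read_reply(reader)
        send_command(sock, reader, "QUIT", accept=(221,))
    return probes, data_code

REPLIES = {  # constructed replies: VRFY tolerated with 252, EXPN refused, as many MTAs do
    b"DATA": b"354 End data with <CR><LF>.<CR><LF>\r\n",
    b"VRFY": b"252 Cannot VRFY user, will attempt delivery anyway\r\n",
    b"EXPN": b"502 Command not implemented\r\n",
    b"QUIT": b"221 Bye\r\n",
}

def fake_smtp_server(listener, record):
    """Constructed stand-in for a mail server (not a real MTA): serves one client
    and stores the un-stuffed DATA block in record["data"]."""
    conn, _ = listener.accept()
    with conn:
        reader = conn.makefile("rb")
        conn.sendall(b"220 fake.example SMTP (constructed test server)\r\n")
        in_data, data = False, []
        while True:
            line = reader.readline()
            if not line:
                break
            if in_data:
                if line == b".\r\n":  # terminator: a line holding only a dot
                    in_data, record["data"] = False, b"".join(data)
                    conn.sendall(b"250 OK queued\r\n")
                else:  # undo dot-stuffing
                    data.append(line[1:] if line.startswith(b"..") else line)
                continue
            verb = line.split(b" ", 1)[0].strip().upper()
            conn.sendall(REPLIES.get(verb, b"250 OK\r\n"))
            in_data = verb == b"DATA"
            if verb == b"QUIT":
                break

SAMPLE_BODY = "line one\n.hidden line\nline three\n"  # constructed; second line starts with '.'

def demo():
    """Run the client against the fake server on a loopback port; return (probes, code, record)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    record = {}
    server = threading.Thread(target=fake_smtp_server, args=(listener, record), daemon=True)
    server.start()
    try:
        probes, data_code = smtp_session("127.0.0.1", listener.getsockname()[1],
                                         "tester@tester.example", "postmaster@target.example",
                                         "relay test", SAMPLE_BODY)
    finally:
        server.join(5)
        listener.close()
    return probes, data_code, record
```

demo() returns the VRFY/EXPN codes ({'VRFY postmaster': 252, 'EXPN postmaster': 502} against the stand-in), the 250 to the DATA block, and the message exactly as the server reconstructed it, with the ".hidden line" intact. A 250 from a server you do not own to a RCPT TO for a third-party domain is the open-relay sign the manual sequence is usually typed out to look for.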

Sep 02 2006

Reading Text Files into MS-DOS Environment Variables (Q66292)

——————————————————————–
The information in this article applies to:

Microsoft MS-DOS operating system versions 3.1, 3.2, 3.21, 3.3, 3.3a, 4.0, 4.01, 5.0, 6.0, 6.2, 6.21, 6.22

——————————————————————–

SUMMARY

This article describes the steps needed to use the result of a query (using the FIND filter) as a replaceable parameter in one or more batch files. A typical use is to search for a specific file and then perform some action on or with that file; the file name is then available to other batch files as a replaceable parameter.

MORE INFORMATION

First, set up a one-line file containing the partial command SET VARNAME= with no carriage return (CR) or line feed (LF) at the end. This can be done with COPY CON by pressing CTRL+Z immediately after the equal sign (=) and then pressing ENTER.

The file would look like this on the screen:

   C:\>COPY CON INIT.TXT
   SET VARNAME=^Z

The following steps can be issued from the MS-DOS command prompt or from within a batch file:

1. Search for a single directory entry and place the result in a text file:

   dir | find "dos" > textfile

2. Append the two files into one batch file using the COPY command:

   copy init.txt+textfile varset.bat

3. Place the contents of the text file in a variable by running VARSET.BAT.

VARSET.BAT sets an environment variable equal to the directory entry found earlier. This allows the environment variable to be used as a replaceable parameter in later batch files. VARSET.BAT can be called from the command prompt or from within another batch file.

Note that only the first line of textfile is appended to SET VARNAME=; if FIND matched more than one line, every further line of textfile becomes a separate command line in VARSET.BAT and is executed as typed. Make the search string specific enough to match exactly one directory entry, and check the generated VARSET.BAT before running it.

NOTE: This process works for directory names only if MS-DOS 5.0 or 6.0 is being used. Under MS-DOS 5.0 and 6.0, the /B switch must be used when you are searching for a directory name. The following is an example of searching for a directory under MS-DOS 5.0 or 6.0:

   dir /b | find "dos5" > textfile

NOTE: There is still a 127-character limit on the length of this variable, which includes the variable name and the equal sign (=).

These are the instructions for replacing the Windows XP License Key on an existing system.

http://www.mwright.plus.com/xp.htm

http://support.microsoft.com/newsgroups/default.aspx?NewsGroup=microsoft.public.win2000.networking&SLCID=US&ICP=GSS3&sd=GN&id=fh;en-us;newsgroups

“STOP 0xA” Occurs After Applying Windows NT 4.0 Security Rollup Package

This article was previously published under Q305228

SYMPTOMS

After you apply the Windows NT 4.0 Security Rollup Package (SRP) and restart a computer that has one of the following Compaq Smart Array controllers, you may receive an error message on a blue screen:
Compaq SMART Array controller
Compaq SMART-2/E Array controller
Compaq SMART-2/P Array controller
Compaq SMART-2DH Array controller
Compaq SMART-2SL Array controller
Compaq Smart Array 3200 controller
Compaq Smart Array 3100ES controller
Compaq Smart Array 221 controller

This is the error message that you may receive:

STOP 0x0000000A (0xfcc35000, 0xa, 0x00000001, 0x801e092a) IRQL_NOT_LESS_OR_EQUAL

In this error message, the first parameter (0xfcc35000) is the memory address that was referenced, the second (0xa) is the IRQL at which the access was made (an IRQL value, not an IRQ line number), the third is the access type (0 for a read, 1 for a write; here a write), and the fourth (0x801e092a) is the address of the instruction that referenced the memory.

CAUSE

The Windows NT 4.0 SRP exposes an issue in versions earlier than 4.24.0.0 of the Compaq Array Controller device driver (Cpqarray.sys), which is available from any of the following sources:

Compaq Web site: Compaq Server Support (SSD) for Microsoft Windows NT 4.0
Compaq SmartStart and Support Software CD-ROM
Compaq SmartStart for Servers

For additional information about these packages, visit the Compaq Web site: http://www.compaq.com/

RESOLUTION

To resolve this issue, obtain the updated version of the Cpqarray.sys driver from the following Compaq Web site: ftp://ftp.compaq.com/pub/products/servers/supportsoftware/cp001001-001500/cp001095.exe

To prevent this problem from occurring, install the updated Cpqarray.sys driver before you install the SRP.

WORKAROUND

If you cannot obtain the updated Cpqarray.sys driver that is described earlier in this article, you can work around this issue by replacing the existing Cpqarray.sys file with the version from Microsoft Windows NT 4.0 Service Pack 6a (SP6a):

1. If the partition uses the NTFS file system, install Windows NT in a different folder so that the files in the partition are accessible. If the partition uses the FAT file system, start the computer by using an MS-DOS boot disk, and then skip to step 3.

2. Boot the computer to the new installation of Windows NT.

3. Copy the Cpqarray.sys file from Windows NT 4.0 SP6a to the original Windows NT 4.0 folder (%SystemRoot%\System32\Drivers).

You may also use the Recovery Console from Windows 2000 to rename the offending driver and replace it with CPQARRAY.SYS from SP6a.

As an alternative, you can use the Scsiport.sys file from Windows NT 4.0 SP6a to start your computer. This removes several fixes that are included with the Windows NT 4.0 Security Rollup Package; the advantage of this method is that any additional functionality in the Compaq version of the Cpqarray.sys driver remains available. To replace the Scsiport.sys file, use the preceding steps, but copy Scsiport.sys instead of Cpqarray.sys.

MORE INFORMATION

293314 How to Use the Windows 2000 Recovery Console on a Computer with Windows NT 4.0

Sep 02 2006

http://searchnetworking.techtarget.com/tip/1,289483,sid7_gci952122,00.html?track=NL-86&ad=477393

Penetration testing is hiring security consultants (or doing the work yourself) to attack your network the way an attacker would, then reporting which holes were found and how to fix them. In short, it is breaking into your own network to see how others would do it.

Many administrators like to run quick probes and port scans on their systems, but that is not a penetration test. A penetration tester uses a variety of specialized methods and tools to try to gain access to the network. Depending on the level of testing you have asked for, the tester may even call employees and try to social engineer their passwords out of them (social engineering means fooling a mark into revealing information they should not reveal).

An example of social engineering is an attacker pretending to be from the IT department and asking a user to reset his password. Penetration testing is probably the only honest way to find out what security problems your network faces. It can be done by a security-aware administrator, but an outside consultant will usually do a more thorough job.

I find there's a lack of worthwhile information online about penetration testing: nobody really goes about describing a good pen-test, and what you should and shouldn't do. So I've hand-picked a couple of good papers on the subject and then given you a list of my favorite tools, and the way I like to perform a pen-test.

This is by no means the only way to do things, it’s like subnetting — everyone has their own method — this is just a systematic approach that works very well as a set of guidelines. Depending on how much information you are given about the targets as well as what level of testing you’re allowed to do, this method can be adapted.

Penetration testing resources

I consider the following works essential reading for anyone who is interested in performing pen-tests, whether for yourself or because you're planning a career in security:

'Penetration Testing Methodology – For Fun And Profit' – http://downloads.securityfocus.com/library/pen.pdf

'An Approach To Systematic Network Auditing' – Mixter – http://mixter.void.ru/

'Penetration Testing – The Third Party Hacker' – Jessica Lowery – http://www.sans.org/rr/papers/index.php?id=264

'Penetration Testing – Technical Overview' – Timothy P. Layton Sr. – http://www.sans.org

Testing preparation

I don't like working from laptops unless it's absolutely imperative, like when you have to do a test from the inside. For the external tests I use a Windows XP machine with Cygwin (www.cygwin.com) and VMware (www.vmware.com). Most Linux exploits compile fine under Cygwin; if they don't, I shove them into VMware, where I have virtual machines of Red Hat, Mandrake and Win2k boxes. In case that doesn't work, the system also dual boots Red Hat 9, and often I'll just work everything out from there.

The advantage of using a Microsoft platform often comes from the fact that 90% of your targets may be Microsoft systems. However the flexibility under Linux is incomparable, it is truly the operating system (OS) of choice for any serious hacker, and as a result, for any serious security professional. There is no best OS for penetration testing — it depends on what you need to test at a point in time. That’s one of the main reasons for having so many different operating systems set up, because you’re very likely to be switching between them for different tasks.

If I don't have the option of using my own machine, I like to choose any Linux variant. I keep my pen-tests strictly to the network level: there is no social engineering involved or any real physical access testing other than basic server room security and workstation lockdown (I don't go diving in dumpsters for passwords or scamming employees).

I try as far as possible to determine the Rules of Engagement with an administrator or some other technically adept person with the right authorization, not a corporate type. This is very important because if you do something that ends up causing trouble on the network, it's going to make you look very unprofessional. It's always better to have it clearly in writing: this is what you are allowed to do.

I would recommend this even if you're an administrator conducting an in-house test. You can get fired just for scanning your own network if it's against your corporate policy. If you're an outside tester, offer to let one of their people be present during your testing if they want. This is recommended because they will ultimately be fixing most of these problems, and as in-house people they will be able to put the results of the test in perspective for the managers.

Penetration tools

I start by visiting the target Web site, running a whois, a DNS zone transfer (if possible) and the other regular techniques used to gather as much network and generic information about the target as possible. I also like to pick up names and e-mail addresses of important people in the company: the CEO, technical contacts etc. You can even run a search in the newsgroups for @victim.com to see all the public news postings they have made. This is useful as a lot of administrators frequent bulletin boards for help. All this information goes into a text file. Keeping notes is critically important; it's very easy to forget some minor detail that you should include in your end report.

Nmap – Workhorse port scanner with version scanning, multiple scan types, OS fingerprinting and firewall evasion tricks. Used smartly, Nmap can find any Internet-facing host on a network.

Nessus – Free vulnerability scanner, usually finds something on every host. It’s not too stealthy though and will show up in logs (this is something I don’t have to worry about too much).

Retina – A very good commercial vulnerability scanner, I stopped using this after I started working with Nessus but it’s very quick and good. Plus its vulnerability database is very up-to-date.

Nikto – This is a Web server vulnerability scanner. I use my own hacked up version of this Perl program that uses the libwhisker module. It has quite a few IDS evasion modes and is pretty fast. It is not that subtle though, which is why I modified it to be a bit more stealthy.

Cisco Scanner – This is a small little Windows utility I found that scans IP ranges for routers with the default password of ‘cisco’. It has turned up some surprising results in the past and just goes to show how even small little tools can be very useful. I am planning to write a little script that will scan IP ranges looking for different types of equipment with default passwords.

Sophie Script – A little Perl script coupled with user2sid and sid2user (two windows programs) that can find all the usernames on a Windows box.

Legion – This is a Windows file share scanner by the erstwhile Rhino9 security group. It is fast and allows you to map the drive right from in the software.

Pwdump2 – Dumps the password hashes from the Windows SAM database for loading into a password cracker.

L0phtcrack 3.0 – Cracks the passwords I get from the above or from its own internal SAM dump. It can also sniff the network for password hashes or obtain them via remote registry. I have not tried the latest version of the software, but it is very highly rated.

Netcat – This is a TCP/UDP connection backend tool, and I am lost without this! Half of my scripts rely on it. There is also an encrypted version called cryptcat that might be useful if you are walking around an IDS. Netcat can do anything with a TCP or UDP connection and it serves as my replacement to telnet as well.

Hping2 – A custom packet creation utility, great for testing firewall rules among other things.

SuperScan – A Windows-based port scanner with a lot of nice options. It's fast and has a lot of other neat little tools such as NetBIOS enumeration and common utilities such as whois, zone transfers etc.

Ettercap – On a switched network a conventional sniffer only sees the traffic addressed to its own switch port, so it will not work. Ettercap poisons the ARP caches of the hosts you want to sniff so that they send their packets to your machine, which forwards them on while you read them. It also lets you inject data into connections and kill connections, among other things.

Brutus – This is a fairly generic protocol brute forcing tool. It can bruteforce HTTP, FTP, Telnet and many other login authentication systems. This is a Windows tool, however I prefer Hydra for Linux.

This is my collection of exploits in source and binary form. I sort them in subdirectories by operating system, then depending on how they attack – Remote / Local and then according to what they attack – BIND / SMTP / HTTP / FTP / SSH, etc. The binary filenames are arbitrary but the source filenames instantly tell me the name of the exploit and the version of the software vulnerable. This is essential when you’re short on time and you need to ‘pick one’. I don’t include DoS or DDoS exploits, there isn’t anyone I know who would authorize you to take down a production system. Don’t do it — and tell them so.

Presenting reports

This is the critical part: presenting what you found to people who probably don't understand a word of what your job is. You have to show them that there are some security problems in your network, and how serious they might be.

A lot of people end the pen-test after the scanning stage. Unless someone specifically tells me to do this, I believe it is important you exploit the system to at least level 1. This is important because there is a very big difference in saying something is vulnerable and actually seeing that the vulnerability is executable. Not to mention when dealing with a corporate type, seeing ‘I gained access to the server’ usually gets more attention than ‘the server is vulnerable to …’

After you're done, write a very detailed chronological report of everything you did, including which tools you used and their versions, and anything you did without tools (e.g. manual SQL injection). Put the gory technical details in annexes; make sure the main document has an executive summary and plenty of charts that management can understand, and include figures and statistics wherever you can.

To cater to the administrators, provide a report for each host you tested, and for every security hole you point out give a link to a patch or fix. Also link to a site with detailed information about the hole, preferably Bugtraq or another well-known source; many administrators are very interested in these details and appreciate it.
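As an added example that is not from the article above, one way to turn the notes you kept into the per-host report the author describes: a parser for Nmap's grepable (-oG) output, which is the form of the scan you would keep in your notes file, joined with the findings you established by actually exploiting the hosts, grouped by host with the most severe first, and with the rule that every finding must carry a link to a fix or advisory enforced before the report goes out. The scan lines, host names, findings and reference URLs are all constructed for the example; the parser handles the usual -oG fields but not every escape Nmap can emit inside version strings.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap "grepable" output (-oG); not a real scan. Fields are tab
# separated and each port entry is port/state/proto/owner/service/rpcinfo/version/.
SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 192.0.2.10 (web.target.example)\tPorts: 22/open/tcp//ssh//OpenSSH 3.9p1/, 80/open/tcp//http//Apache httpd 1.3.33/, 443/open/tcp//ssl|http//Apache httpd 1.3.33/\tIgnored State: closed (997)
Host: 192.0.2.11 (mail.target.example)\tPorts: 25/open/tcp//smtp//Sendmail 8.12.11/, 110/open/tcp//pop3//Qpopper 4.0.5/\tOS: Linux 2.4.X
Host: 192.0.2.12 ()\tStatus: Down
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}

def parse_gnmap(text):
    """Return {ip: {"name": reverse name, "ports": [(port, proto, state, service, version)]}}
    for every host line that carries a Ports field (down hosts have none)."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name = m.groups()
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        ports = []
        for entry in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            ports.append((int(port), proto, state, service, version))
        hosts[ip] = {"name": name, "ports": ports}
    return hosts

def build_report(hosts, findings):
    """One section per host: the open-port inventory from the scan followed by the
    findings for that host, most severe first, each with its fix/advisory link.
    Findings without a reference are returned separately so they get one before
    the report goes out, instead of being dropped or printed without a fix."""
    by_host, missing = defaultdict(list), []
    for f in findings:
        (by_host[f["host"]] if f.get("reference") else missing).append(f)
    sections = []
    for ip in sorted(hosts):
        h = hosts[ip]
        lines = [f"Host {ip} ({h['name'] or 'no reverse DNS'})", "  Open ports:"]
        lines += [f"    {p}/{proto} {svc} {ver}".rstrip() for p, proto, _st, svc, ver in h["ports"]]
        found = sorted(by_host.get(ip, []), key=lambda f: SEVERITY_ORDER[f["severity"]])
        lines.append("  Findings:" if found else "  Findings: none")
        lines += [f"    [{f['severity']}] {f['title']} (port {f['port']}) -> {f['reference']}" for f in found]
        sections.append("\n".join(lines))
    return "\n\n".join(sections), missing

# Constructed findings; the reference URLs are placeholders for the patch/advisory links.
SAMPLE_FINDINGS = [
    {"host": "192.0.2.11", "port": 25, "severity": "high",
     "title": "SMTP server relays mail for third parties", "reference": "https://example.invalid/fix/open-relay"},
    {"host": "192.0.2.10", "port": 22, "severity": "low",
     "title": "SSH banner discloses exact software version", "reference": "https://example.invalid/fix/ssh-banner"},
    {"host": "192.0.2.10", "port": 80, "severity": "medium",
     "title": "Directory listing enabled under /backup/", "reference": ""},  # not yet linked: must be flagged
]

if __name__ == "__main__":
    report, missing = build_report(parse_gnmap(SAMPLE_GNMAP), SAMPLE_FINDINGS)
    print(report)
    print("\nfindings still lacking a reference:", [f["title"] for f in missing])
```

The down host is left out of the report because it has no port inventory, and the directory-listing finding is held back until someone attaches a reference; both are the kind of gap that otherwise surfaces only when an administrator asks what to do about a line in the report.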

Sep 02 2006
Run a command through PsExec on every host in a list, one call of operate.bat per host (the backslashes the blog stripped from the paths and from the \\host argument are restored here):

   @for %%i in (list...) do call path\operate.bat %%i

operate.bat:

   path\psexec \\%1 -u domuser -p pw

Leaving -p off makes PsExec prompt for the password instead of keeping it in the batch file and showing it in the command line of every process listing on the machine that runs the loop.
Sep 02 2006

http://www.nonags.com

http://www.majorgeeks.com

http://www.sofotex.com

http://www.download.com

http://www.shareware.com

http://www.winfiles.com

http://www.snapfiles.com

Sep 02 2006

Just for completeness, here is a definition of a memory leak:

A memory leak occurs when a program allocates memory and then fails to release it once it is no longer needed, either because it still holds a reference it will never use again or because it has lost the last reference without freeing the block. The leaked memory stays charged to that process for as long as it runs, so the symptom is a process whose memory use grows steadily under a constant workload. On a long-running server process such as IIS or an NT service that growth can eventually exhaust physical memory and the page file and slow or hang the whole system, even though the fault sits in a single process; on exit the operating system reclaims it. Leaks are a common problem in C and C++, where the programmer is responsible for every allocation and release through raw pointers, a cost widely blamed on those languages' design, which is why so many tools exist to detect them. Languages with automatic memory management make the classic case rarer but not impossible: an ever-growing cache or list still leaks.
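As an added example that is not part of the original post, the growth test the definition implies, in Python: a service that caches every request forever next to one with a bounded cache, both driven with the same workload while tracemalloc samples the heap after each batch. Watching Private Bytes for a process in Performance Monitor over time is the Windows equivalent of the curve this produces; the two classes, the 1 KiB payload and the round sizes are constructed for the demonstration.

```python
import tracemalloc
from collections import OrderedDict

PAYLOAD = 1024  # bytes handed to the service per request (constructed workload)

class LeakyService:
    """Remembers every request body forever, keyed by request id: the classic leak.
    Nothing is released, so the heap grows in step with the request count."""
    def __init__(self):
        self.cache = {}

    def handle(self, request_id, body):
        self.cache[request_id] = body
        return len(body)

class BoundedService:
    """Same behaviour, but the cache evicts its oldest entry above a fixed size."""
    def __init__(self, max_entries=64):
        self.cache = OrderedDict()
        self.max_entries = max_entries

    def handle(self, request_id, body):
        self.cache[request_id] = body
        if len(self.cache) > self.max_entries:
            self.cache.popitem(last=False)
        return len(body)

def traced_growth(service, rounds=8, per_round=200):
    """Drive the service and sample the traced heap size after every batch of
    requests: the same curve that Private Bytes gives you for a Windows process."""
    tracemalloc.start()
    sizes, n = [], 0
    try:
        for _ in range(rounds):
            for _ in range(per_round):
                service.handle(n, "x" * PAYLOAD)  # a fresh 1 KiB string per request
                n += 1
            sizes.append(tracemalloc.get_traced_memory()[0])
    finally:
        tracemalloc.stop()
    return sizes

def retained_fraction(sizes, per_round=200):
    """Bytes retained between the first and last sample, as a fraction of the
    payload bytes handed in over that interval. About 1.0 means every request's
    data is still held (a leak); about 0 means the service lets go of it."""
    handed_in = (len(sizes) - 1) * per_round * PAYLOAD
    return (sizes[-1] - sizes[0]) / handed_in
```

Sampling after each batch rather than once matters: a one-off jump (a cache filling to its bound, a pool warming up) looks like a leak on a single before/after measurement, while the bounded service's curve flattens after the first round and the leaky one keeps climbing at the rate the payload is handed in.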

This utility appears to run on client machines (or servers in our case) and monitors for leaked memory and cleans it up: http://www.memoryoptimizer.com/pc_performance/memokit_special2.asp?ban=google_memory_leak Note that no outside utility can release memory a leaking process still holds; products of this kind mostly trim working sets, and the pages come straight back as soon as the process touches them. The dependable fix is to find the leaking process (Performance Monitor, Process object, Private Bytes climbing under steady load) and patch or restart it.

This one looks to be about the same: http://www.liutilities.com/products/speedupmypc/features/

I haven’t fully digested this, but it looks like it has some info… see the UMHD about halfway down as well as the IIS5 leak… http://www.iisfaq.com/default.aspx?View=P117&P=1

This is from NT4, but still might be promising: http://www.jsiinc.com/SUBA/tip0000/rh0088.htm

More good info here: http://labmice.techtarget.com/troubleshooting/memoryleaks.htm

And here: http://www.jsiinc.com/SUBH/tip3900/rh3973.htm

And here: http://www.jsiinc.com/SUBE/tip2300/rh2364.htm

© 2010 LANalyze