penetration testing boot camp
TRANSCRIPT
Configure SSH ServerLinux Remote Service
Connect Kali Remotely
•First, SSH needs to be installed/updated
# apt-get install openssh-server
# service ssh start
Verify that the server is up and listening using the “netstat” command
# netstat -antp | grep ssh
Now connect with “putty.exe” to your SSH Linux servers (Kali / Ubuntu / Red Hat / CentOS)
SSHD | SSH Server
FOOT PRINTING AND RECONNAISSANCE
•What is Footprinting
•Active & Passive Intelligence
•Reconnaissance Tools
Let’s Get Started
Footprinting refers to uncovering and collecting as much information as possible about a target network
What is Footprinting
Active & Passive Intelligence
Passive
•From ordinary public traffic
•Google search (email, cell# etc)
•Browse the company’s web pages
•Viewing message boards (experts-exchange.com, etc)
•Facebook, Twitter, orkut etc
•Default configurations & passwords sites
Active
•Network Scan
•Vulnerability Scan
•Ping Sweep
•Social Engineering
•Phishing
Passive Recon Resources
•Social Media (facebook, twitter, orkut, forums etc)
•Whois, iptools.com, domaintools.com
•Netcraft
•Webpage source
•Mirror Sites (httrack, wget, Sam Spade, Archive.org)
•Tracert/traceroute (Windows or Linux): note that it actually sends echo requests to the target
•DNS: nslookup (set type=<record type> to query), zone transfers, HINFO records
•Robots.txt
•Service Banner Grabbing (on ports) via Telnet (send HEAD / HTTP/1.0 and press ENTER TWICE)
Active Recon Resources
•DNS
•Nessus (Vulnerability Scanner)
•Nikto (Back Track 5R3)
•Email Tracking (http://www.ipaddresslocation.org/)
•Google Hacking (Search) (www.exploit-db.com): intitle, intext, inurl, filetype, link operators
Active Recon Resources
•inurl:ftp "password" filetype:xls
•site:example.com inurl:ftp "password" filetype:xls
You should also be performing focused searches that locate all major document types such as .pdf, .doc, .txt, .xls
Active Recon Resources
•dig (Domain Information Groper), an alternative to nslookup
# dig example.com
# dig +qr example.com any (find out their name servers)
Zone Transfer using dig
# dig @ns1.example.com example.com axfr
Listing the DNS version (restricted by default by administrators)
# dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer
Reverse DNS Lookup
# dig -x <ip address>
Tracing the Path
# dig +trace example.com
Active Recon Resources
•Fierce (DNS brute forcing with fierce)
Go to
# cd /pentest/enumeration/dns/fierce
# ./fierce -dns example.com
Active Recon Resources
•Metagoofil (a powerful metadata gathering tool)
BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default. Open up a terminal and type the following:
# cd /pentest/enumeration/google/metagoofil
# ./metagoofil.py -h
# ./metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o /mnt -f results.html
Active Recon Resources
Some tools that would assist you in finding more information:
Countermeasures
•Dispose of trash securely
•Router/IDS/Firewalls to allow only certain apps/ports/rules
•Refuse malicious traffic
•Lock down ports & protocols
•Avoid leaking web service information
•Disallow sensitive directories
•Evaluate your services before exposing them publicly
•Listen carefully and give only limited, specific answers
Scanning
•What is Scanning
•CEH Scanning Methodology
•Scanning Terms
•3-way handshake
Let’s Get Started
• Port scanning is the process of checking for open TCP or UDP ports on a remote machine. Please note that port scanning is illegal in many countries and should not be performed outside the labs. This is the active probing phase, which involves more direct interaction with the target servers. It is vital that we understand the implications of port scanning, as well as the impact that certain port scans can have on a network.
•Scanning refers to a set of procedures for identifying hosts, ports and services in a network
•Scanning is one step of intelligence gathering for an attacker to create a profile of the target organization
What is Scanning
•Checking Live Systems
•Check Open Ports
•Banner Grabbing
•Prepare Proxies
•Scan for Vulnerabilities
•Draw Network Diagram
Scanning Methodology
Scanning Terms
•Network Scanning
•Port Scanning
•Vulnerability Scanning
TCP 3-Way HandShake
Scanning Tools
•Nmap
•Fping (ping sweep)
•Hping 3
•Nikto
•OpenVAS
•Netdiscover
Scanning Tools: Nmap
•Nmap online http://nmap-online.com/
-nmap -sP 192.168.2.0/24 (scan with ping sweep)
-nmap -sP -vv 192.168.2.0/24 (scan with verbose output)
-nmap -sP 192.168.2.0/24 -vv > scanresult.txt (save scan to an output file)
-nmap -Pn 192.168.2.0/24 (treat all hosts as online, disable host discovery)
-nmap -D <forged ip> <target ip> (scan using a decoy IP address)
-nmap -Pn -sP domain.com (scan if IDS or firewall blocks ICMP)
-nmap -sT 192.168.2.0/24 (scan with 3-way handshake, mostly used in pen testing)
-nmap -sU 192.168.2.0/24 (scan UDP)
-nmap -sL 72.249.151.31 (Reverse DNS List Scan)
-nmap -sT -p- -PN 192.168.2.1-254 (TCP scan, all ports, assume all hosts alive)
-nmap -iL myiplist.txt (scan hosts provided by text file)
-nmap -sV (version scanning)
-nmap -O (OS detection)
-nmap -p 139 192.168.1.* (single port with complete IP range)
Scanning Tools
• fping
# fping -a -g 192.168.2.1 192.168.2.254 > mylivehosts.txt
• nc.exe
# nc -vv -z -w2 192.168.0.10 24-26
• Unicornscan
# unicornscan 192.168.0.110
# unicornscan 192.168.0.0/24:139
Scanning Tools: Hping3
ICMP Ping
hping3 -1 192.168.15.1
SYN Ping
hping3 -S -p 80 -c 1 192.168.15.1
Port Scan
hping3 --scan 1-130,150-200 -S 192.168.15.1 -V
Scanning Tools: OpenVAS
http://www.backtrack-linux.org/wiki/index.php/OpenVas
•Configure firewall and IDS rules to detect and block probes/searches
•Block unwanted ports at the firewall
•Hide sensitive information from public view
•Use custom rule sets to lock down the network
•Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls
•Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques
•Understand the network configuration and its accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space
Countermeasures
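The first countermeasure above (firewall and IDS rules that detect probes) in practice means spotting one source touching many ports of a host or many hosts in a short time, which is exactly the pattern the nmap, fping and hping3 commands shown earlier produce. The detector below is an added example, not part of the course material: it runs over constructed iptables LOG lines (the FW-DROP prefix, the addresses, the 60-second window and the thresholds are all assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed netfilter LOG lines (iptables -j LOG --log-prefix "FW-DROP: ") in the
# /var/log/kern.log format; hosts, ports and times are made up for this example.
SAMPLE_LOG = """\
Mar 13 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 13 10:00:01 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 13 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 13 10:00:02 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 13 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 13 10:00:03 fw kernel: FW-DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=139 SYN
Mar 13 10:00:05 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 13 10:00:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.1 PROTO=ICMP TYPE=8 CODE=0
Mar 13 10:00:10 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.2 PROTO=ICMP TYPE=8 CODE=0
Mar 13 10:00:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.3 PROTO=ICMP TYPE=8 CODE=0
Mar 13 10:00:11 fw kernel: FW-DROP: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.4 PROTO=ICMP TYPE=8 CODE=0
"""

# Syslog timestamp, then the SRC/DST/PROTO fields; DPT is absent on ICMP lines.
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
                     r" .*?PROTO=(?P<proto>\w+)(?:.*? DPT=(?P<dpt>\d+))?")

def parse_events(log_text):
    """Return (seconds, src, dst, dport-or-None) for every parsable LOG line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            dt = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")   # year defaults to 1900
            secs = (dt - datetime(1900, 1, 1)).total_seconds()
            dpt = int(m.group("dpt")) if m.group("dpt") else None
            events.append((secs, m.group("src"), m.group("dst"), dpt))
    return events

def detect_scans(log_text, window=60, port_threshold=6, host_threshold=4):
    """Alert on one source hitting many ports of one host (port scan) or many
    hosts (host/ping sweep) inside a fixed window of `window` seconds."""
    ports = defaultdict(set)   # (src, bucket, dst) -> distinct destination ports
    hosts = defaultdict(set)   # (src, bucket)      -> distinct destination hosts
    for secs, src, dst, dpt in parse_events(log_text):
        bucket = int(secs // window)
        hosts[(src, bucket)].add(dst)
        if dpt is not None:
            ports[(src, bucket, dst)].add(dpt)
    alerts = [(src, "port scan", len(s)) for (src, _, _), s in ports.items() if len(s) >= port_threshold]
    alerts += [(src, "host sweep", len(s)) for (src, _), s in hosts.items() if len(s) >= host_threshold]
    return sorted(alerts)

if __name__ == "__main__":
    for src, kind, count in detect_scans(SAMPLE_LOG):
        print(f"{src}: {kind} ({count} distinct targets)")
```

Fixed windows keep the code short; a production IDS uses sliding windows so a scan straddling a window boundary is not missed.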
•If a commercial firewall is in use, ensure that:
•The latest service pack is installed
•The anti-spoofing rules have been correctly defined
•Fastmode services are not used in Check Point Firewall-1 environments
Countermeasures
Enumeration
•What is Enumeration
•NetBIOS Enumeration
•SNMP Enumeration
•LDP with Domain Controller
Let’s Get Started
Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system
Enumeration techniques are conducted in an intranet (LAN) environment
The type of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners
Auditing settings
What is Enumeration
NetBIOS Enumeration: Superscan4
SNMP Enumeration: Look@lan
LDAP Enumeration: LDP.exe
•NetBIOS Enumeration: use strong passwords
•SNMP Enumeration: use SNMP v3, which has encryption
•LDAP Enumeration: allowed for everyone by default; restrict it to authorized users only
Countermeasures
System Hacking
• Password cracking techniques / types & cracking
Let’s Get Started
Password cracking techniques
Dictionary Attacks - A dictionary file is loaded into the cracking application that runs against user accounts
Brute Forcing Attacks - The program tries every combination of characters until the password is broken
Hybrid Attack - It works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password
Syllable Attack - It is the combination of both the brute force attack and the dictionary attack
Rule-Based Attack - This attack is used when the attacker has some information about the password
Understanding different types of passwords
Only letters - HIJKLMNO
Only numbers - 758904
Only special characters - $@$!0
Letters and numbers - ax15oog
Only letters and special characters - m@roon$
Only numbers and special characters - @#47$
Letters, numbers, and special characters - E1n$8$
Passwords Attacks
Passive Online
Wire Sniffing
Man-in-the-Middle
Active Online
Password Guessing
Trojan/Spyware/Keyloggers
Passwords Attacks
Offline Attacks
Pre-computed Hashes
Rainbow Tables
Non – Electronic Attacks
Shoulder Surfing
Social Engineering
Dumpster Diving
Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008)
-Offline NT password re-setter
-Cain & Abel
-Ettercap (MITM) Back Track 5
-Pwdump6 / Fgdump (dump hashes)
-L0phtCrack (LC6)
-Ophcrack (rainbow tables) http://ophcrack.sourceforge.net
-Elcomsoft Advanced Password Recovery Bundle
-Back Track 5 – dump hashes and crack
Back Track 5 – Dump windows hashes and crack
1) Identify the Windows NTFS partition ( fdisk -l )
2) Create a temporary mount folder ( mkdir /mnt/mountfolder )
3) Mount the Windows HDD ( mount /dev/sda1 /mnt/mountfolder )
4) bkhive /mnt/mountfolder/WINDOWS/system32/config/system syskey.txt
5) samdump2 /mnt/mountfolder/WINDOWS/system32/config/SAM syskey.txt > hashes.txt
6) Use the nano or vi editor to check the contents (optional)
7) john hashes.txt -w:/dicfolder/wordfile.txt
Password cracked
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
- THC-Hydra (back track 5)
-Medusa (back track 5)
# medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http
-h the host you want to attack
-u the username you want to try. If there is no username use ""
-P the wordlist you want to use
-M the module you want to use
Here is the list of modules included with Back Track 5 & 5R1 Final:
# ls /usr/local/lib/medusa/modules/
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
-John the Ripper
-Recover Keys
-Windows Password Crackers
-Proactive System Password Recovery
-Password Unlocker Bundle
-Windows Password Reset Professional
-Windows Password Reset Standard
-Windows Password Unlocker
-Win Password
-Passware Kit Enterprise
-RockXP
-Passwords Pro
-LSA Secret View
-LCP
Stealing Passwords Using USB Drive
Insert USB into victim’s computer and extract the necessary information
Microsoft Authentication
SAM Database: Windows stores user passwords in the Security Accounts Manager (SAM) database, or in the Active Directory database in domains. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM
NTLM Authentication: The NTLM authentication protocol consists of two authentication protocols, NTLM and LM. These protocols use different hashing methods to securely store a user’s password in the SAM database.
Kerberos: Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM
More info http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
Hash Passwords Stored in Windows SAM
Algorithms – well defined instructions for calculating the functions
Kerberos – (2003 / vista / 7 / 2008)
Strongest security; works only on Active Directory 2003 and above
Microsoft Remote Desktop Service – BSoD a.k.a Crashing (XP, 2003, 7, 2008 R2)
Hands-on with - RDPKill
Password Cracking Countermeasures
-The strongest passwords should be implemented to protect against password cracking.
-Systems should enforce 8–12-character alphanumeric passwords.
-Password length & complexity should be set
-To protect against cracking of the hashing algorithm for passwords stored on the server, you must take care to physically isolate and protect the server.
-The system administrator can use the SYSKEY utility in Windows to further protect hashes stored on the server’s hard disk.
-The server logs should also be monitored for brute-force attacks on user accounts.
Password Cracking Countermeasures
System administrators can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt:
-Never leave a default password.
-Never use a password that can be found in a dictionary.
-Never use a password related to the hostname, domain name, or anything else that can be found with Whois.
-Never use a password related to your hobbies, pets, relatives, or date of birth.
-As a last resort, use a word that has more than 21 characters
-Passwords should expire after a certain amount of time so that users are forced to change them.
Escalating Privileges
Escalating privileges basically means adding more rights or permissions to a user account. Simply said, escalating privileges makes a regular user account into an administrator account
Escalating Privileges
Sticky Keys – works on all Windows versions
Sticky Keys is an accessibility feature in Windows OS to aid users who have physical disabilities. Press the Shift key 5 times at the logon screen and the Sticky Keys dialog shows up
The program that launches Sticky Keys is located at c:\windows\system32\sethc.exe
If we replace sethc.exe with cmd.exe and then press the Shift key 5 times at the logon screen, we will get a command prompt with admin privileges
How Defend against Privilege Escalation?
-Use encryption techniques to protect sensitive data
-Restrict the interactive logon privilege
-Run users and applications with the least privilege
-Implement multi-factor authentication and authorization
-Patch the system regularly
-Run services as unprivileged accounts
Keyloggers
-Keystroke loggers are programs or hardware devices that monitor each keystroke as a user types on a keyboard, log them to a file or transmit them to a remote location
-Keyloggers are placed between the keyboard hardware and the operating system
-Legitimate applications for keyloggers include office and industrial settings, to monitor employees’ computer activities, and home environments, where parents can monitor and spy on children’s activity
Keyloggers
Actual Spy (monitoring system) www.actualspy.com
-Designed for hidden computer monitoring
-Actual Spy is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, and monitoring the clipboard contents
Features
-Logs all keystrokes
-Makes screenshots within the specified time interval
-Saves the applications running and closing
-Watches clipboard contents
-Records all print activity
-Records disk changes
-Records internet connections
-Records all websites visited
Keyloggers
Hardware Keyloggers
http://keyllama.com
http://keykatcher.com
USB Spyware
Video Spyware
IP Webcam (Android)
How to hide files – NTFS Alternate Data Stream (ADS)
-NTFS Alternate Data Stream (ADS) is a Windows hidden stream which contains metadata for the files, such as attributes, word count, author name, and access and modification time of the file
-ADS makes it possible to attach data to existing files without changing or altering their functionality, size, or display in the file browsing utilities
-ADS allows an attacker to inject malicious code on a breached system and execute it without being detected by the user
How to hide files – NTFS Alternate Data Stream (ADS)
How to create
Notepad is a stream-compliant application
Launch: c:\> notepad myfile.txt:private.txt
Click Yes to create the new file, write some lines, then save
View the file size (it does not change)
To modify the stream data, open the file in the same way:
notepad myfile.txt:private.txt
Steganography Technologies
Image Steganography
In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc.
Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by the human eye
Download Images Steganography Tools
http://www.stegoarchive.com
Demo - Image Hide
Steganography Technologies
more Steganography
- Document
- Video
- Audio
- Folder
Steganography Technologies
Spam/Email Steganography – Spam Mimic
online
http://www.spammimic.com
Skype Logview
http://www.nirsoft.net/utils/skype_log_view.html
Covering Your Tracks
-Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection
-When all the information of interest has been stripped from the target, the intruder installs several backdoors so that he or she can gain easy access in the future
Covering Your Tracks
Why Cover Tracks?
-They can attack again
- They can cover the tracks to avoid their detection
- They can install backdoors to gain access in future
Tool:
CCleaner
Ettercap Packet Sniffing
Ettercap Packet Sniffing
ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (computer to router)
ettercap -T -M arp -i eth0 // // (all computers)
ettercap -T -M arp -i eth0 // // -w file.cap (all computers, with captured data saved to a file)
Press q or Ctrl+C to disconnect
cat file.cap | grep -a http
Ettercap Packet & Driftnet
driftnet -i eth0
ettercap -T -Q -M arp -i eth0 // //
Ettercap Packet
HTTP ARP poisoning
DHCP Spoofing
Port Stealing
HTTPS Sniffing: edit /usr/local/etc/etter.conf (uncomment the 2nd row in the “linux” section) and enable forwarding with: echo "1" > /proc/sys/net/ipv4/ip_forward
Filters: /usr/local/share/ettercap
Converter = converts the ettercap filter example files to .ef
Ettercap Packet
Ettercap – IronGeek dangerous filter http://www.irongeek.com/i.php?page=security/ettercapfilter
Copy the above script into a file and convert it to .ef (etterfilter filename -o newfile.ef)
Plugins
dns spoofing
isolate
DoS_attack & find_ip
gateway_discover
search promisc
arp_cop
Passive OS Fingerprints
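The arp_cop plugin listed above reports conflicting ARP replies on the wire; the same evidence of the ARP poisoning used by the ettercap -M arp commands is visible in a victim host's own ARP cache, where the gateway's IP suddenly resolves to the same MAC as another machine. The checker below is an added example, not course or ettercap code: it parses constructed arp -an output (hosts, MACs and the trusted gateway entry are assumptions) and flags one MAC answering for several IPs or a trusted host whose MAC changed.

```python
import re
from collections import defaultdict

# One "arp -an" line: "? (192.168.1.1) at 00:50:56:aa:bb:01 [ether] on eth0"
ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

# Constructed "arp -an" output from the victim host (192.168.1.8) before and during an
# ARP-poisoning MITM by 192.168.1.20; all addresses are made up for this example.
ARP_BEFORE = """\
? (192.168.1.1) at 00:50:56:aa:bb:01 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:bb:14 [ether] on eth0
? (192.168.1.30) at 00:50:56:aa:bb:1e [ether] on eth0
"""
ARP_DURING = """\
? (192.168.1.1) at 00:50:56:aa:bb:14 [ether] on eth0
? (192.168.1.20) at 00:50:56:aa:bb:14 [ether] on eth0
? (192.168.1.30) at 00:50:56:aa:bb:1e [ether] on eth0
"""
# Known-good mapping for the default gateway, recorded on a clean network (assumed).
TRUSTED = {"192.168.1.1": "00:50:56:aa:bb:01"}

def parse_arp_table(text):
    """Map IP -> lowercase MAC for every entry in arp -an output."""
    return {m.group("ip"): m.group("mac").lower() for m in ARP_LINE.finditer(text)}

def check_arp_table(table, trusted=TRUSTED):
    """Return findings as tuples: one MAC answering for several IPs (what ettercap's
    arp_cop plugin reports) and trusted hosts whose MAC no longer matches."""
    findings = []
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, sorted(ips)))
    for ip, good_mac in trusted.items():
        if ip in table and table[ip] != good_mac.lower():
            findings.append(("trusted-mac-changed", ip, table[ip]))
    return findings

def diff_arp_tables(before, after):
    """IPs whose MAC changed between two snapshots, as {ip: (old_mac, new_mac)}."""
    return {ip: (before[ip], after[ip]) for ip in before if ip in after and before[ip] != after[ip]}

if __name__ == "__main__":
    now = parse_arp_table(ARP_DURING)
    for finding in check_arp_table(now):
        print("ALERT", *finding)
    print("changed:", diff_arp_tables(parse_arp_table(ARP_BEFORE), now))
```

The corresponding mitigations are a static ARP entry for the gateway on critical hosts (arp -s) and Dynamic ARP Inspection or port security on managed switches, which stop the forged replies before they reach a cache.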
Web Hacking
(1) Install WebGoat and run it
(2) Install the Tamper Data addon in Firefox
(3) Run Burp Suite
In OWASP WebGoat:
Access Control Flaws > Bypass a Path Based Access Control Scheme > /../../../../conf/server.xml
Injection Flaws > String SQL Injection: X' or 'a'='a
Improper Error Handling
Parameter Tampering
OWASP WebGoat: Web/SQL/App Hacking Practitioner
XSS – Cross Site Scripting & SQL
Stored XSS
Stored XSS revisited
Reflected XSS (search staff): "><script>alert("Teste")</script>
String SQL Injection (Smith' or 'a' = 'a) with Tamper Data
Deface Website
Webdav Shell Maker