Friday, July 3, 2015

War Driving

Wireless networking is one of the most popular and fastest-growing technologies. From home networks to enterprise networks, wireless has become a way of life and a way of networking. As more wireless networks are deployed, the need to secure them increases. Note that unauthorised access to other people's networks is illegal; this is for educational purposes only.
 
Here we are going to discuss mapping a wireless network and exploiting it.
War driving, also known as access point mapping, is the act of searching for, locating and possibly exploiting wireless LANs while driving in a vehicle.

Requirement
Effective wardriving requires both hardware and software.

Hardware:
  • Portable computer (laptop, netbook, etc.) or PDA (personal digital assistant)
  • A wireless NIC
  • An antenna
  • A handheld GPS unit (optional)
  • GPS data cable (optional)
  • A pigtail to connect the NIC to an external antenna
Software:
  • Wardriving software is freely available on the Internet, for example:
  • NetStumbler or inSSIDer for Windows
  • Kismet for Linux, FreeBSD, NetBSD, OpenBSD, DragonFly BSD
This is not enough; we also need to discuss how to choose a wireless NIC and antenna for wardriving. IEEE 802.11 is a family of standards, each one defining and specifying part of the standard.
  • 802.11b, using the 2.4 GHz radio spectrum and 11 Mbps max data rate.
  • 802.11a, using the 5 GHz radio spectrum and 54 Mbps max data rate.
  • 802.11g, using the 2.4 GHz radio spectrum and 54 Mbps max data rate.
802.11b cards are the easiest to install and are supported by most wardriving tools.

We can even use Android tools for this job, e.g. WIFI Collector, which can record the following details:

  • Time
  • Latitude
  • Longitude
  • Vendor's Name
  • Wifi Name
  • Wifi Security: wep / wpa / wpa2 / open
  • WPS: True | False
  • Signal Strength
From this information a cracker can use the open networks to carry out illegal activities.

Web Application Security Testing

Security is vitally important in software applications. More and more people are using the Internet and computers to perform everyday tasks. Software is everywhere: in your cell phone, car, airplanes, televisions, and don't forget your home computers. More and more of these appliances are being connected to the Internet. Everyday services, including banking, stock trading and taxes, are all moving online. Today's software is being produced faster than ever. The majority of people using these applications are unaware of security. With shrinking budgets, tight schedules, and a lack of security-testing knowledge, software vulnerabilities are everywhere. Software applications are used by people all over the world. Hence application security testing, and especially web application security testing, is a must for software products to succeed in today's world.
Security testing, which addresses the aspects of a system that relate not to application functionality but to the confidentiality, integrity, and availability of applications, is commonly referred to as "nonfunctional requirements (NFR) testing." NFR testing, which is used to determine the quality, security, and resiliency aspects of software, is based on the belief that nonfunctional requirements represent not what software is meant to do, but how the software might do it.
Security testing, when done properly, goes deeper and even beyond the functional testing/black-box probing on the presentation layer. By identifying risks in the system and creating tests driven by those risks, a software security tester can properly focus on areas of code in which an attack is likely to succeed. Software security is about making software behave in the presence of a malicious attack, even though in the real world, software failures usually happen spontaneously — that is, without intentional mischief.
The OWASP (Open Web Application Security Project) Top Ten is a list of the 10 most dangerous current Web application security flaws, which are listed below.
  • Injection
  • Cross-Site Scripting
  • Broken Authentication and Session Management
  • Insecure Direct Object References
  • Cross-Site Request Forgery (CSRF)
  • Security Misconfiguration
  • Failure to Restrict URL Access
  • Unvalidated Redirects and Forwards
  • Insecure Cryptographic Storage
  • Insufficient Transport Layer Protection
Security testing takes a different mindset than functional QA testing. A security tester must think of how to break and abuse the application in the same way a black hat hacker or malicious user would. Trying to do something that will cause problems to the underlying code, thinking out of the box, will help the tester considerably in becoming more security oriented.
One of the most prevalent security-related issues to deal with is input validation. A functional quality assurance engineer can typically devise a variety of methods to verify the functionality of a feature or component. But a security tester needs to go deeper — he has to think like a malicious user, consider the cases that shouldn't be allowed, input things typical users would not attempt, and try to twist and break the application in any way possible. There are also many open source and licensed automation tools (Acunetix, Zed Attack Proxy, Websecurify, etc.) available on the market which perform dynamic analysis and penetration testing of web applications to discover vulnerabilities such as:
  • Client Certificate
  • Proxy-Chaining
  • Local and Remote File Include
  • Cross-Site Scripting
  • SQL injection
  • Information Disclosure Problems
  • Session Security Problems, etc.
If a program is vulnerable to overflows, lacks input checks, or lacks proper encryption, it will quickly become known for its instability, and product sales will drop dramatically. Customers will purchase alternative products that perform the same task and that have been carefully checked by multiple tests. Thus, as more and more vital data is stored in web applications, and the number of transactions on the web increases, proper and robust security testing of web applications is becoming very important. Web application security testing is the process of determining that confidential data stays confidential, i.e. it is not exposed to individuals or entities for which it is not intended (this is enabled through specialized testing techniques like web application penetration testing), and that users can perform only those tasks they are authorized to perform, e.g. a user should not be able to deny the functionality of the web site to other users nor be able to change the functionality of the web application in an unintended way. Hence, web application security and stability cannot be limited to the testing phase only, but must be a consistent and persistent endeavor right from the design phase itself.

Dos- SMURF

Smurf Attacks

Smurf attacks are a popular type of Denial of Service (DoS) network attack, likely named for their use of a large number of small ICMP packets.
The goal of this network attack is to create a crushing amount of traffic. This attack strategy came about as a function of ICMP (Internet Control Message Protocol) and the network broadcast address.

If an attacker knows of a large network segment, he can send a ping (an ICMP Echo Request) to that segment's broadcast address. Because the broadcast address was used, each host on that network receives the Echo Request as though it were destined for itself, and replies.
An Internet Control Message Protocol (ICMP) Smurf attack is a brute-force attack on the direct broadcast feature that is built in to the IP protocol.
                     
What is a Smurf DoS Attack and How to do it with BackTrack 5 R3

Today I am going to show you how to do it on the network.
Requirement :- BackTrack 5 R3 installed on VirtualBox
Click on Applications > BackTrack > Stress Testing > Network Stress Testing

Then select Smurf6.


Find your interface information with the ifconfig command.

Then enter the command like: root@bt:~# smurf6 eth0 <victim IP address>




Countermeasures :-
1. On a Cisco router, use the router# auto secure command.
2. On a Cisco router, use the router(config-if)# no ip directed-broadcast command on each interface (this is the default since IOS 12.0).

Denial Of Service

DoS - Introduction


A Denial of Service attack (DoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers. The term is generally used with regard to computer networks, but is not limited to this field; for example, it is also used in reference to CPU resource management. There are two general forms of DoS attacks: those that crash services and those that flood services.

Symptoms
  • Unusually slow network performance (opening files or accessing web sites)
  • Unavailability of a particular web site
  • Inability to access any web site
  • Dramatic increase in the number of spam emails received

Goal of the Attack
Primary goals include:
  • Consumption of computational resources, such as bandwidth, disk space, or processor time
  • Disruption of configuration information, such as routing information
  • Disruption of state information, such as unsolicited resetting of TCP sessions
  • Disruption of physical network components
  • Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately

ICMP Flood
A Smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. In such an attack, the perpetrators will send large numbers of IP packets with the source address faked to appear to be the address of the victim. The network's bandwidth is quickly used up, preventing legitimate packets from getting through to their destination. To combat Denial of Service attacks on the Internet, services like the Smurf Amplifier Registry have given network service providers the ability to identify misconfigured networks and to take appropriate action such as filtering.
Ping flood is based on sending the victim an overwhelming number of ping packets, usually using the "ping" command from unix-like hosts (the -t flag on Windows systems has a far less malignant function). It is very simple to launch, the primary requirement being access to greater bandwidth than the victim.

SYN Flood
SYN flood sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet, and waiting for a packet in response from the sender address. However, because the sender address is forged, the response never comes. These half-open connections saturate the number of available connections the server is able to make, keeping it from responding to legitimate requests until after the attack ends.
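As an added example (not part of the original post), the following Python detector applies the two symptoms just described to a packet list: a host receiving Echo Replies from many distinct senders at once (the spoofed victim of a smurf amplifier) and a service whose SYNs far outnumber completed handshakes (half-open connections piling up). The records returned by sample_capture() are constructed sample data, not a real capture.

```python
"""Flood symptoms over packet records: smurf-style ICMP reply fan-in and
SYN-flood half-open pile-up.  Added example, not from the original post;
sample_capture() returns constructed records, not a real capture."""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    proto: str     # "icmp" or "tcp"
    kind: str      # icmp: "echo-req"/"echo-rep"; tcp: "syn"/"syn-ack"/"ack"
    dport: int = 0


def smurf_victims(pkts, window=1.0, min_replies=20, min_sources=10):
    """Return {dst: distinct reply sources} for hosts that receive at least
    min_replies ICMP Echo Replies from at least min_sources distinct senders
    within any `window` seconds: the fan-in a smurf amplifier produces at
    the spoofed victim address."""
    replies = defaultdict(list)            # dst -> [(ts, src), ...]
    for p in pkts:
        if p.proto == "icmp" and p.kind == "echo-rep":
            replies[p.dst].append((p.ts, p.src))
    flagged = {}
    for dst, events in replies.items():
        events.sort()
        lo = 0
        for hi in range(len(events)):      # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            chunk = events[lo:hi + 1]
            sources = {src for _, src in chunk}
            if len(chunk) >= min_replies and len(sources) >= min_sources:
                flagged[dst] = max(flagged.get(dst, 0), len(sources))
    return flagged


def half_open_ratio(pkts):
    """Per (dst, dport): how many SYNs arrived and how many handshakes the
    client finished with its ACK.  Returns {(dst, dport): (syns, completed)};
    a wide gap means half-open connections are accumulating, which is the
    SYN-flood symptom described above."""
    syns, completed = Counter(), Counter()
    pending = set()                        # (src, dst, dport) awaiting ACK
    for p in sorted(pkts, key=lambda q: q.ts):
        if p.proto != "tcp":
            continue
        flow = (p.src, p.dst, p.dport)
        if p.kind == "syn":
            syns[(p.dst, p.dport)] += 1
            pending.add(flow)
        elif p.kind == "ack" and flow in pending:
            pending.discard(flow)          # third step of the handshake
            completed[(p.dst, p.dport)] += 1
    return {k: (syns[k], completed[k]) for k in syns}


def sample_capture():
    """Constructed sample records (not a real capture)."""
    pkts = []
    for i in range(3):                     # three legitimate handshakes
        c, t = f"192.0.2.{10 + i}", i * 0.1
        pkts += [Pkt(t, c, "10.0.0.5", "tcp", "syn", 80),
                 Pkt(t + 0.01, "10.0.0.5", c, "tcp", "syn-ack"),
                 Pkt(t + 0.02, c, "10.0.0.5", "tcp", "ack", 80)]
    for i in range(50):                    # SYNs from forged sources, never ACKed
        pkts.append(Pkt(1.0 + i * 0.001, f"203.0.113.{i + 1}", "10.0.0.5",
                        "tcp", "syn", 80))
    for i in range(3):                     # an ordinary ping: a single replier
        pkts.append(Pkt(2.0 + i, "10.0.0.1", "10.0.0.7", "icmp", "echo-rep"))
    for i in range(30):                    # amplifier subnet answering at once
        pkts.append(Pkt(5.0 + i * 0.01, f"10.1.1.{i + 1}", "10.0.0.9",
                        "icmp", "echo-rep"))
    return pkts


if __name__ == "__main__":
    capture = sample_capture()
    print("SYNs vs completed per service:", half_open_ratio(capture))
    print("smurf fan-in victims:", smurf_victims(capture))
```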

Teardrop attacks
A Teardrop attack involves sending mangled IP fragments with overlapping, oversized payloads to the target machine. This can crash various operating systems due to a bug in their TCP/IP fragmentation re-assembly code. Windows 3.1x, Windows 95 and Windows NT operating systems, as well as versions of Linux prior to versions 2.0.32 and 2.1.63 are vulnerable to this attack.
Around September 2009, a vulnerability in Vista was referred to as a "teardrop attack", but the attack targeted SMB2 which is a higher layer than the TCP packets that teardrop used.

Peer-to-peer Attacks
Attackers have found a way to exploit a number of bugs in peer-to-peer servers to initiate DDoS attacks. The most aggressive of these peer-to-peer-DDoS attacks exploits DC++. Peer-to-peer attacks are different from regular botnet-based attacks. With peer-to-peer there is no botnet and the attacker does not have to communicate with the clients it subverts. Instead, the attacker acts as a 'puppet master,' instructing clients of large peer-to-peer file sharing hubs to disconnect from their peer-to-peer network and to connect to the victim's website instead. As a result, several thousand computers may aggressively try to connect to a target website. While a typical web server can handle a few hundred connections/sec before performance begins to degrade, most web servers fail almost instantly under five or six thousand connections/sec. With a moderately big peer-to-peer attack a site could potentially be hit with up to 750,000 connections in a short order. The targeted web server will be plugged up by the incoming connections.

While peer-to-peer attacks are easy to identify with signatures, the large number of IP addresses that need to be blocked (often over 250,000 during the course of a big attack) means that this type of attack can overwhelm mitigation defenses. Even if a mitigation device can keep blocking IP addresses, there are other problems to consider. For instance, there is a brief moment where the connection is opened on the server side before the signature itself comes through. Only once the connection is opened to the server can the identifying signature be sent and detected, and the connection torn down. Even tearing down connections takes server resources and can harm the server.
This method of attack can be prevented by specifying in the p2p protocol which ports are allowed or not. If port 80 is not allowed, the possibilities for attack on websites can be very limited.

Permanent DOS Attacks
A permanent denial-of-service (PDoS), also known loosely as phlashing, is an attack that damages a system so badly that it requires replacement or reinstallation of hardware. Unlike the distributed denial-of-service attack, a PDoS attack exploits security flaws which allow remote administration on the management interfaces of the victim's hardware, such as routers, printers, or other networking hardware. The attacker uses these vulnerabilities to replace a device's firmware with a modified, corrupt, or defective firmware image—a process which when done legitimately is known as flashing. This therefore "bricks" the device, rendering it unusable for its original purpose until it can be repaired or replaced.

Application level Floods
On IRC, IRC floods are a common electronic warfare weapon.
Various DoS-causing exploits such as buffer overflow can cause server-running software to get confused and fill the disk space or consume all available memory or CPU time.
Other kinds of DoS rely primarily on brute force, flooding the target with an overwhelming flux of packets, oversaturating its connection bandwidth or depleting the target's system resources. Bandwidth-saturating floods rely on the attacker having higher bandwidth available than the victim; a common way of achieving this today is via Distributed Denial of Service, employing a botnet. Other floods may use specific packet types or connection requests to saturate finite resources by, for example, occupying the maximum number of open connections or filling the victim's disk space with logs.
A "banana attack" is another particular type of DoS. It involves redirecting outgoing messages from the client back onto the client, preventing outside access, as well as flooding the client with the sent packets.

Nuke
A Nuke is an old denial-of-service attack against computer networks consisting of fragmented or otherwise invalid ICMP packets sent to the target, achieved by using a modified ping utility to repeatedly send this corrupt data, thus slowing down the affected computer until it comes to a complete stop.
A specific example of a nuke attack that gained some prominence is the WinNuke, which exploited the vulnerability in the NetBIOS handler in Windows 95. A string of out-of-band data was sent to TCP port 139 of the victim's machine, causing it to lock up and display a Blue Screen of Death (BSOD).

DDoS
A distributed denial of service attack (DDoS) occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers. These systems are compromised by attackers using a variety of methods.
Malware can carry DDoS attack mechanisms; one of the better-known examples of this was MyDoom. Its DoS mechanism was triggered on a specific date and time. This type of DDoS involved hardcoding the target IP address prior to release of the malware and no further interaction was necessary to launch the attack.
A system may also be compromised with a trojan, allowing the attacker to download a zombie agent (or the trojan may contain one). Attackers can also break into systems using automated tools that exploit flaws in programs that listen for connections from remote hosts. This scenario primarily concerns systems acting as servers on the web.

Stacheldraht is a classic example of a DDoS tool. It utilizes a layered structure where the attacker uses a client program to connect to handlers, which are compromised systems that issue commands to the zombie agents, which in turn facilitate the DDoS attack. Agents are compromised via the handlers by the attacker, using automated routines to exploit vulnerabilities in programs that accept remote connections running on the targeted remote hosts. Each handler can control up to a thousand agents.
These collections of compromised systems are known as botnets. DDoS tools like Stacheldraht still use classic DoS attack methods centered on IP spoofing and amplification, like smurf attacks and fraggle attacks (these are also known as bandwidth consumption attacks). SYN floods (also known as resource starvation attacks) may also be used. Newer tools can use DNS servers for DoS purposes. See next section.

Simple attacks such as SYN floods may appear with a wide range of source IP addresses, giving the appearance of a well distributed DDoS. These flood attacks do not require completion of the TCP three-way handshake and attempt to exhaust the destination SYN queue or the server bandwidth. Because the source IP addresses can be trivially spoofed, an attack could come from a limited set of sources, or may even originate from a single host. Stack enhancements such as SYN cookies may be effective mitigation against SYN queue flooding; however, complete bandwidth exhaustion may require involvement
Unlike MyDoom's DDoS mechanism, botnets can be turned against any IP address. Script kiddies use them to deny the availability of well known websites to legitimate users. More sophisticated attackers use DDoS tools for the purposes of extortion — even against their business rivals.

It is important to note the difference between a DDoS and DoS attack. If an attacker mounts an attack from a single host it would be classified as a DoS attack. In fact, any attack against availability would be classed as a Denial of Service attack. On the other hand, if an attacker uses a thousand systems to simultaneously launch smurf attacks against a remote host, this would be classified as a DDoS attack.
The major advantages to an attacker of using a distributed denial-of-service attack are that multiple machines can generate more attack traffic than one machine, multiple attack machines are harder to turn off than one attack machine, and that the behavior of each attack machine can be stealthier, making it harder to track down and shut down. These attacker advantages cause challenges for defense mechanisms. For example, merely purchasing more incoming bandwidth than the current volume of the attack might not help, because the attacker might be able to simply add more attack machines.

Reflected Attack
A distributed reflected denial of service attack (DRDoS) involves sending forged requests of some type to a very large number of computers that will reply to the requests. Using Internet protocol spoofing, the source address is set to that of the targeted victim, which means all the replies will go to (and flood) the target.
ICMP Echo Request attacks (Smurf Attack) can be considered one form of reflected attack, as the flooding host(s) send Echo Requests to the broadcast addresses of mis-configured networks, thereby enticing many hosts to send Echo Reply packets to the victim. Some early DDoS programs implemented a distributed form of this attack.
Many services can be exploited to act as reflectors, some harder to block than others. DNS amplification attacks involve a new mechanism that increased the amplification effect, using a much larger list of DNS servers than seen earlier.

Degradation-of-service Attacks
"Pulsing" zombies are compromised computers that are directed to launch intermittent and short-lived floodings of victim websites with the intent of merely slowing it rather than crashing it. This type of attack, referred to as "degradation-of- service" rather than "denial-of-service", can be more difficult to detect than regular zombie invasions and can disrupt and hamper connection to websites for prolonged periods of time, potentially causing more damage than concentrated floods. Exposure of degradation-of-service attacks is complicated further by the matter of discerning whether the attacks really are attacks or just healthy and likely desired increases in website traffic.

Countermeasures
Firewalls
Firewalls have simple rules such as to allow or deny protocols, ports or IP addresses. Some DoS attacks are too complex for today's firewalls, e.g. if there is an attack on port 80 (web service), firewalls cannot prevent that attack because they cannot distinguish good traffic from DoS attack traffic. Additionally, firewalls are too deep in the network hierarchy. Routers may be affected even before the firewall gets the traffic. Nonetheless, firewalls can effectively prevent users from launching simple flooding type attacks from machines behind the firewall.
Some stateful firewalls, like OpenBSD's pf, can act as a proxy for connections: the handshake is validated with the client instead of the packet simply being forwarded to the destination. pf is available for other BSDs as well. In that context, it is called "synproxy".

Switches
Most switches have some rate-limiting and ACL capability. Some switches provide automatic and/or system-wide rate limiting, traffic shaping, delayed binding (TCP splicing), deep packet inspection and Bogon filtering (bogus IP filtering) to detect and remediate denial of service attacks through automatic rate filtering and WAN Link failover and balancing.
These schemes will work as long as the DoS attacks are something that can be prevented by using them. For example, a SYN flood can be prevented using delayed binding or TCP splicing. Similarly, content-based DoS can be prevented using deep packet inspection. Attacks originating from dark addresses or going to dark addresses can be prevented using Bogon filtering. Automatic rate filtering can work as long as you have set rate thresholds correctly and granularly. WAN link failover will work as long as both links have a DoS/DDoS prevention mechanism.

Routers
Similar to switches, routers have some rate-limiting and ACL capability. They, too, are manually set. Most routers can be easily overwhelmed under a DoS attack. If you add rules to take flow statistics out of the router during a DoS attack, they slow down further and complicate the matter. Cisco IOS has features that prevent flooding, i.e. example settings.
Application front end Hardware
Application front end hardware is intelligent hardware placed on the network before traffic reaches the servers. It can be used on networks in conjunction with routers and switches. Application front end hardware analyzes data packets as they enter the system, and then identifies them as priority, regular, or dangerous. There are more than 25 bandwidth management vendors. Hardware acceleration is key to bandwidth management. Look for granularity of bandwidth management, hardware acceleration, and automation while selecting an appliance.

IPS based prevention
Intrusion-prevention systems (IPS) are effective if the attacks have signatures associated with them. However, the trend among the attacks is to have legitimate content but bad intent. Intrusion-prevention systems which work on content recognition cannot block behavior-based DoS attacks.
An ASIC based IPS can detect and block denial of service attacks because they have the processing power and the granularity to analyze the attacks and act like a circuit breaker in an automated way.
A rate-based IPS (RBIPS) must analyze traffic granularly and continuously monitor the traffic pattern and determine if there is traffic anomaly. It must let the legitimate traffic flow while blocking the DoS attack traffic.

Prevention via proactive testing
Test platforms such as Mu Dynamics' Service Analyzer are available to perform simulated denial-of-service attacks that can be used to evaluate defensive mechanisms such as IPS and RBIPS, as well as the popular denial-of-service mitigation products from Arbor Networks. An example of proactive testing of denial-of-service throttling capabilities in a switch was performed in 2008: the Juniper EX 4200 switch with integrated denial-of-service throttling was tested by Network Test and the resulting review was published in Network World.
Blackholing/Sinkholing
With blackholing, all the traffic to the attacked DNS or IP address is sent to a "black hole" (null interface, non-existent server, ...). To be more efficient and avoid affecting your network connectivity, it can be managed by the ISP.

Clean Pipes
All traffic is passed through a "cleaning center" via a proxy, which separates "bad" traffic (DDoS and also other common internet attacks) and only sends good traffic beyond to the server. The provider needs central connectivity to the Internet to manage this kind of service.
Prolexic and Verisign are examples of providers of this service.

Packet Sniffing and Packet Injection


Packet Sniffing with Wireshark

Open wireshark by navigating the application menu or by typing “wireshark” in the console.

Once Wireshark is open, click Interface List (1). A second window will open with a list of interfaces that can capture packets. Notice our monitor device mon0 is there from when we set it up earlier. Click on Start (2) and Wireshark will begin to capture packets and display them in the window. These are wireless packets which your wireless card (in my case the Alfa One adapter) is sniffing out of the air.

Now let's sniff packets from our own access point. To do this, we are going to use airodump-ng. Airodump-ng is used to capture wireless packets from WEP-encrypted networks, with the idea that you will then use aircrack-ng (don't worry, we'll get to that soon). But for this time around, let's turn off the encryption on our wireless access point.

Now open up the terminal and type:

airodump-ng --bssid 5C:D9:98:6A:64:8A mon0

Note: 5C:D9:98:6A:64:8A is the MAC address of my wireless access point. To find yours, go to your wireless router's web interface and look for Status. There you should find the wireless MAC address of your router.

After airodump-ng finishes, you will see your access point with the channel it is running on.

Now we have to lock on to our access point by setting our wireless card to the channel of our access point. To do this, type:

iwconfig mon0 channel 6

(Where “6” is the channel of your access point.)

Now fire up Wireshark and sniff packets on your mon0 interface. Then type in the filter box:

(wlan.bssid == MAC ADDRESS HERE) && (wlan.fc.type_subtype == 0x20)

Now we will be sniffing only data packets from our access point.

Packet Injecting

First we want to see only non-beacon packets in wireshark. So open wireshark and type in your filter box:

(wlan.bssid == 5C:D9:98:6A:64:8A) && !(wlan.fc.type_subtype == 0x08)

Note: Replace 5C:D9:98:6A:64:8A with your own mac address.
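To see exactly what the two Wireshark filters in this post match (the data-only filter above and the no-beacon filter here), the following added Python example (not from the original post) decodes the 802.11 frame-control field into Wireshark's wlan.fc.type_subtype value and picks the BSSID address slot according to the To-DS/From-DS flags. The access point MAC is the one from the text; the station and neighbouring-AP MACs and the frames themselves are constructed, not captured traffic.

```python
"""Decode 802.11 frame control and BSSID the way Wireshark's wlan.fc.type_subtype
and wlan.bssid fields do, then apply the two display filters from the text.
Added example, not from the original post; the frames are constructed bytes."""

AP = "5C:D9:98:6A:64:8A"        # the access point MAC used in the text
STA = "00:11:22:33:44:55"       # constructed station MAC
OTHER_AP = "66:77:88:99:AA:BB"  # constructed neighbouring AP
BCAST = "FF:FF:FF:FF:FF:FF"
BEACON = 0x08                   # type 0 (management), subtype 8
DATA = 0x20                     # type 2 (data), subtype 0


def mac_bytes(s: str) -> bytes:
    return bytes(int(octet, 16) for octet in s.split(":"))


def build_frame(ftype, subtype, to_ds, from_ds, a1, a2, a3) -> bytes:
    """Minimal MAC header: frame control (2), duration (2), addr1-3 (18), seq (2)."""
    fc0 = (subtype << 4) | (ftype << 2)     # protocol-version bits stay 0
    fc1 = (from_ds << 1) | to_ds            # flags byte: bit0 To-DS, bit1 From-DS
    return (bytes([fc0, fc1]) + b"\x00\x00" + mac_bytes(a1) + mac_bytes(a2)
            + mac_bytes(a3) + b"\x00\x00")


def type_subtype(frame: bytes) -> int:
    """wlan.fc.type_subtype packs (type << 4) | subtype taken from byte 0."""
    fc0 = frame[0]
    return (((fc0 >> 2) & 0x3) << 4) | ((fc0 >> 4) & 0xF)


def bssid(frame: bytes) -> str:
    """wlan.bssid: which address slot holds the BSSID depends on To-DS/From-DS."""
    to_ds, from_ds = frame[1] & 0x1, (frame[1] >> 1) & 0x1
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        raw = addr1                 # station -> AP
    elif from_ds and not to_ds:
        raw = addr2                 # AP -> station
    elif not to_ds and not from_ds:
        raw = addr3                 # management frames and ad hoc data
    else:
        return ""                   # WDS (4-address) frame: no single BSSID slot
    return ":".join(f"{b:02x}" for b in raw)


def data_from_bssid(frames, ap):
    """(wlan.bssid == ap) && (wlan.fc.type_subtype == 0x20) -> matching indices"""
    return [i for i, f in enumerate(frames)
            if bssid(f) == ap.lower() and type_subtype(f) == DATA]


def non_beacons_from_bssid(frames, ap):
    """(wlan.bssid == ap) && !(wlan.fc.type_subtype == 0x08) -> matching indices"""
    return [i for i, f in enumerate(frames)
            if bssid(f) == ap.lower() and type_subtype(f) != BEACON]


def sample_frames():
    """Constructed frames: 0 beacon, 1 data AP->STA, 2 data STA->AP,
    3 neighbour's beacon, 4 station probe request, 5 AP probe response."""
    return [
        build_frame(0, 8, 0, 0, BCAST, AP, AP),
        build_frame(2, 0, 0, 1, STA, AP, STA),
        build_frame(2, 0, 1, 0, AP, STA, BCAST),
        build_frame(0, 8, 0, 0, BCAST, OTHER_AP, OTHER_AP),
        build_frame(0, 4, 0, 0, BCAST, STA, BCAST),
        build_frame(0, 5, 0, 0, STA, AP, AP),
    ]


if __name__ == "__main__":
    frames = sample_frames()
    print("data frames from our AP:", data_from_bssid(frames, AP))
    print("non-beacon frames from our AP:", non_beacons_from_bssid(frames, AP))
```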

Then open the terminal and type:

aireplay-ng -9 -e "wifi-name" -a 5C:D9:98:6A:64:8A mon0

Note: Replace wifi-name with your SSID and 5C:D9:98:6A:64:8A with your own MAC address.

If you go back to wireshark, you should see some packets that were injected. These are just random packets that do not have any real effect.

Scanning with NMAP

  1. Start Zenmap
    • Instructions:
      1. zenmap
  2. Perform a quick scan by doing the following:
    • Note(FYI):
      • Replace 192.168.1.110 with Damn Vulnerable WXP-SP2's IP address obtained from (Section 3, Step 6).
    • Instructions:
      1. Target: 192.168.1.110
      2. Profile: select Quick Scan
      3. Click the Scan button.
  3. Output Analysis
      1. Nmap's quick scan displays the following basic network metrics:
        • If the host is up.
        • How many ports are closed.
        • Which ports are open and their service name.
          • e.g., 21 (ftp)
        • Also, the MAC address is displayed, with Nmap's guess of the OS being VMware.
Zenmap Intense Scan
  1. Perform Intense Scan
    • Note(FYI):
      • Replace 192.168.1.110 with Damn Vulnerable WXP-SP2's IP address obtained from (Section 3, Step 6).
    • Instructions:
      1. Target: 192.168.1.110
      2. Profile: select Intense Scan
      3. Click the Scan button.
  2. Version Analysis
      1. Notice the results are more verbose.
      2. The actual version of the service was added to the service name.
        • You can use this information to investigate possible exploits.
        • For example, Microsoft IIS httpd 5.1 web server.

Section 7. Nmap Network Scan
  1. Subnet Ping Scan
    • Note(FYI):
      • Obtain the subnet mask of your Damn Vulnerable WXP-SP2 from (Section 3, Step 6).
    • Instructions:
      1. Change Target to the subnet address of Damn Vulnerable WXP-SP2.
        • In my case, 192.168.1.0/24
        • Notice that I replaced the last octet of my IP address with a 0.
        • The /24 represents the subnet mask.
      2. Change Profile to: Ping Scan
      3. Click Scan
  2. Topology Analysis
    • Instructions:
      1. Click on the Topology tab.
      2. Click on Fisheye.
      3. Click on Controls.
        • This will allow you to increase the size of the network rings.
      4. Click on the Zoom arrow.
    • Note(FYI):
      • This will give you a visual representation of how your network is laid out.
      • When presenting a customer or management with a penetration testing analysis, this would be a good picture to include in the report.
Performing NMAP Scans
  1. Perform Quick NMAP Scan
    • Instructions(FYI):
      • Replace 192.168.1.110 with Damn Vulnerable WXP-SP2's IP address obtained from (Section 3, Step 6).
    • Instructions:
      1. nmap -T4 -F 192.168.1.110 | tee /var/tmp/nmap.quick.txt
        • nmap - is the NMAP scanner.
        • | tee /var/tmp/nmap.quick.txt - view the output and send it to the file nmap.quick.txt.
  2. Perform Intense NMAP Scan
    • Instructions(FYI):
      • Replace 192.168.1.110 with Damn Vulnerable WXP-SP2's IP address obtained from (Section 3, Step 6).
    • Instructions:
      1. nmap -p 1-65535 -T4 -A -v 192.168.1.110 | tee /var/tmp/nmap.intense.txt
        • nmap - is the NMAP scanner.
        • | tee /var/tmp/nmap.intense.txt - view the output and send it to the file nmap.intense.txt.
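The two tee'd files can be compared programmatically. The following added Python example (not part of the original lab) parses the PORT table and MAC line of nmap's normal output and reports what the all-ports, version-detecting scan found that the quick scan did not. QUICK and INTENSE below are constructed sample reports for 192.168.1.110, not real scan results, and compare_files() assumes the two file paths used by the tee commands above.

```python
"""Parse the nmap reports saved with tee and compare quick vs. intense results.
Added example, not from the original lab; QUICK and INTENSE are constructed
sample output for 192.168.1.110, not real scan results."""
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+?))?\s*$")
HOST_RE = re.compile(r"^Nmap scan report for (\S+)", re.M)
MAC_RE = re.compile(r"^MAC Address: ([0-9A-F:]{17}) \(([^)]*)\)", re.M)

QUICK = """\
Nmap scan report for 192.168.1.110
Host is up (0.00040s latency).
Not shown: 95 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
MAC Address: 00:0C:29:AA:BB:CC (VMware)
"""

INTENSE = """\
Nmap scan report for 192.168.1.110
Host is up (0.00040s latency).
Not shown: 65529 closed ports
PORT     STATE SERVICE      VERSION
21/tcp   open  ftp          Microsoft ftpd
80/tcp   open  http         Microsoft IIS httpd 5.1
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open  icslap
MAC Address: 00:0C:29:AA:BB:CC (VMware)
"""


def parse_ports(report):
    """{(port, proto): (state, service, version)} from the PORT table; the OS
    detection, script and traceroute sections that -A adds are ignored."""
    ports = {}
    for line in report.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports[(int(port), proto)] = (state, service, version or "")
    return ports


def host_summary(report):
    """(target, MAC, vendor) from the report header and the MAC Address line."""
    host = HOST_RE.search(report)
    mac = MAC_RE.search(report)
    return (host.group(1) if host else "",
            mac.group(1) if mac else "",
            mac.group(2) if mac else "")


def compare_scans(quick, intense):
    """What the all-ports, version-detecting scan adds over the quick scan."""
    q, i = parse_ports(quick), parse_ports(intense)
    open_q = {k for k, v in q.items() if v[0] == "open"}
    open_i = {k for k, v in i.items() if v[0] == "open"}
    return {
        "only_in_intense": sorted(open_i - open_q),   # ports -F did not probe
        "only_in_quick": sorted(open_q - open_i),     # e.g. a service that went away
        "versions_added": {k: i[k][2] for k in sorted(open_i & open_q)
                           if i[k][2] and not q[k][2]},
    }


def compare_files(quick_path="/var/tmp/nmap.quick.txt",
                  intense_path="/var/tmp/nmap.intense.txt"):
    """Same comparison over the two files written by the tee commands above."""
    with open(quick_path) as fq, open(intense_path) as fi:
        return compare_scans(fq.read(), fi.read())


if __name__ == "__main__":
    print(host_summary(INTENSE))
    for key, val in compare_scans(QUICK, INTENSE).items():
        print(f"{key}: {val}")
```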

Proof of Lab
  1. Proof of Lab
    • Proof of Lab Instructions:
      1. Take a screenshot (PrtScn) of the below commands
      2. Paste it into a Word document
      3. Upload to Moodle
    • Instructions:
      1. ls -l /var/tmp/nmap*
      2. date
      3. echo "Your Name"
        • Put your actual name in place of "Your Name"
        • e.g., echo "John Gray"

Phases of Hacking

The Phases of Ethical Hacking

The process of ethical hacking can be broken down into five distinct phases. Later in this book, hacking software programs and tools will be categorized into each of these steps.
An ethical hacker follows processes similar to those of a malicious hacker. The steps to gain and maintain entry into a computer system are similar no matter what the hacker’s intentions are.

   Phases of hacking
Phase 1: Passive and Active Reconnaissance
Passive reconnaissance involves gathering information about a potential target without the targeted individual’s or company’s knowledge. Passive reconnaissance can be as simple as watching a building to identify what time employees enter the building and when they leave. However, most reconnaissance is done sitting in front of a computer.
When hackers are looking for information on a potential target, they commonly run an Internet search on an individual or company to gain information. I’m sure many of you have performed the same search on your own name or a potential employer, or just to gather information on a topic. This process when used to gather information regarding a TOE is generally called information gathering. Social engineering and dumpster diving are also considered passive information-gathering methods. These two methods will be discussed in more detail later in this chapter.
Sniffing the network is another means of passive reconnaissance and can yield useful information such as IP address ranges, naming conventions, hidden servers or networks, and other available services on the system or network. Sniffing network traffic is similar to building monitoring: a hacker watches the flow of data to see what time certain transactions take place and where the traffic is going. Sniffing network traffic is a common hook for many ethical hackers. Once they use some of the hacking tools and are able to see all the data that is transmitted in the clear over the communication networks, they are eager to learn and see more.
Sniffing tools are simple and easy to use and yield a great deal of valuable information. An entire chapter in this book (Chapter 6, “Gathering Data from Networks: Sniffers”) is dedicated to these tools, which literally let you see all the data that is transmitted on the network. Many times this includes usernames and passwords and other sensitive data. This is usually quite an eye-opening experience for many network administrators and security professionals and leads to serious security concerns.
Active reconnaissance involves probing the network to discover individual hosts, IP addresses, and services on the network. This process involves more risk of detection than passive reconnaissance and is sometimes called rattling the doorknobs. Active reconnaissance can give a hacker an indication of security measures in place (is the front door locked?), but the process also increases the chance of being caught or at least raising suspicion. Many software tools that perform active reconnaissance can be traced back to the computer that is running the tools, thus increasing the chance of detection for the hacker.
Both passive and active reconnaissance can lead to the discovery of useful information to use in an attack. For example, it’s usually easy to find the type of web server and the operating system (OS) version number that a company is using. This information may enable a hacker to find a vulnerability in that OS version and exploit the vulnerability to gain more access.
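The point that active reconnaissance "can be traced back to the computer that is running the tools" is worth seeing from the defender's chair. The script below is an added example, not from the book, of the simplest such trace: it reads firewall log lines in the netfilter/iptables syslog format and raises an alert when one source touches many distinct destination ports on a host inside a short window, which is what a port scan looks like on the wire. The log lines, hostnames and addresses are constructed for the example; the threshold and window are assumptions you would tune to your own network.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

# Fields of an iptables/netfilter syslog line; the sample lines below are constructed.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_log_line(line: str) -> Optional[dict]:
    """Return the fields of one firewall log line, or None if it is not one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        # syslog timestamps carry no year; that is fine for gaps inside one window
        "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def detect_port_scans(lines: List[str], threshold: int = 10,
                      window_seconds: int = 60) -> List[dict]:
    """Flag every (src, dst) pair where src hit >= `threshold` distinct
    destination ports within `window_seconds` (sliding window per pair)."""
    recent: Dict[Tuple[str, str], Deque[Tuple[datetime, int]]] = defaultdict(deque)
    alerts: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        ev = parse_log_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dpt"]))
        # discard events that have fallen out of the window
        while q and (ev["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        distinct = {port for _, port in q}
        if len(distinct) >= threshold:
            # keep updating the alert so it reflects the full extent of the scan
            alerts[key] = {
                "src": ev["src"], "dst": ev["dst"],
                "distinct_ports": len(distinct),
                "first_seen": q[0][0].strftime("%H:%M:%S"),
                "last_seen": ev["ts"].strftime("%H:%M:%S"),
            }
    return list(alerts.values())


def make_line(ts: str, src: str, dst: str, dpt: int) -> str:
    """Build one constructed log line in the netfilter LOG target's format."""
    return (f"{ts} gw kernel: [0.0] IN=eth0 OUT= SRC={src} DST={dst} "
            f"PROTO=TCP SPT=40000 DPT={dpt} WINDOW=1024 SYN")


# Constructed sample: a normal client using two ports, then one source
# walking twelve different ports on the same host in about ten seconds.
SAMPLE_LOG = [
    make_line("Jul  3 10:00:01", "192.168.1.20", "192.168.1.110", 80),
    make_line("Jul  3 10:00:02", "192.168.1.20", "192.168.1.110", 443),
    "Jul  3 10:00:05 gw sshd[1]: Accepted publickey for admin",  # unrelated line
] + [
    make_line(f"Jul  3 10:00:{10 + i:02d}", "192.168.1.50", "192.168.1.110", port)
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
]

if __name__ == "__main__":
    for a in detect_port_scans(SAMPLE_LOG):
        print(f"scan: {a['src']} -> {a['dst']} {a['distinct_ports']} ports "
              f"{a['first_seen']}..{a['last_seen']}")
```

Counting distinct destination ports rather than raw packet volume is what separates a scan from a busy but legitimate client, which is why the benign host in the sample never trips the threshold. A host-sweep detector (one source, many destinations, same port) is the mirror image: key on `(src, dpt)` and count distinct `dst` values.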

Phase 2: Scanning

Scanning involves taking the information discovered during reconnaissance and using it to examine the network. Tools that a hacker may employ during the scanning phase include
  • Dialers
  • Port scanners
  • Internet Control Message Protocol (ICMP) scanners
  • Ping sweeps
  • Network mappers
  • Simple Network Management Protocol (SNMP) sweepers
  • Vulnerability scanners

Information a hacker looks for during scanning includes
  • Computer names
  • Operating system (OS)
  • Installed software
  • IP addresses
  • User accounts
Phase 3: Gaining Access

Phase 3 is when the real hacking takes place. Vulnerabilities exposed during the reconnaissance and scanning phase are now exploited to gain access to the target system. The hacking attack can be delivered to the target system via a local area network (LAN), either wired or wireless; local access to a PC; the Internet; or offline. Examples include stack-based buffer overflows, denial of service, and session hijacking. These topics will be discussed in later chapters. Gaining access is known in the hacker world as owning the system because once a system has been hacked, the hacker has control and can use that system as they wish.

Phase 4: Maintaining Access

Once a hacker has gained access to a target system, they want to keep that access for future exploitation and attacks. Sometimes, hackers harden the system from other hackers or security personnel by securing their exclusive access with backdoors, rootkits, and Trojans. Once the hacker owns the system, they can use it as a base to launch additional attacks. In this case, the owned system is sometimes referred to as a zombie system.

Phase 5: Covering Tracks

Once hackers have been able to gain and maintain access, they cover their tracks to avoid detection by security personnel, to continue to use the owned system, to remove evidence of hacking, or to avoid legal action. Hackers try to remove all traces of the attack, such as log files or intrusion detection system (IDS) alarms. Examples of activities during this phase of the attack include
  • Steganography
  • Using a tunneling protocol
  • Altering log files
Steganography, using tunneling protocols, and altering log files for purposes of hacking will be discussed in later chapters.

Identifying Types of Hacking Technologies

Many methods and tools exist for locating vulnerabilities, running exploits, and compromising systems. Once vulnerabilities are found in a system, a hacker can exploit that vulnerability and install malicious software. Trojans, backdoors, and rootkits are all forms of malicious software, or malware. Malware is installed on a hacked system after a vulnerability has been exploited.
Buffer overflows and SQL injection are two other methods used to gain access into computer systems. Buffer overflows and SQL
These technologies and attack methods will each be discussed in later chapters. Many are so complex that an entire chapter is devoted to explaining the attack and applicable technologies.
Most hacking tools exploit weaknesses in one of the following four areas:

Operating Systems    Many system administrators install operating systems with the default settings, resulting in potential vulnerabilities that remain unpatched.

Applications    Applications usually aren’t thoroughly tested for vulnerabilities when developers are writing the code, which can leave many programming flaws that a hacker can exploit. Most application development is “feature-driven,” meaning programmers are under a deadline to turn out the most robust application in the shortest amount of time.

Shrink-Wrap Code    Many off-the-shelf programs come with extra features the common user isn’t aware of, and these features can be used to exploit the system. The macros in Microsoft Word, for example, can allow a hacker to execute programs from within the application.

Misconfigurations    Systems can also be misconfigured or left at the lowest common security settings to increase ease of use for the user; this may result in vulnerability and an attack.

Types Of Hackers

White Hats

White hats are the good guys, the ethical hackers who use their hacking skills for defensive purposes. White-hat hackers are usually security professionals with knowledge of hacking and the hacker toolset and who use this knowledge to locate weaknesses and implement countermeasures. White-hat hackers are prime candidates for the exam. White hats are those who hack with permission from the data owner. It is critical to get permission prior to beginning any hacking activity. This is what makes a security professional a white hat versus a malicious hacker who cannot be trusted.

Black Hats

Black hats are the bad guys: the malicious hackers or crackers who use their skills for illegal or malicious purposes. They break into or otherwise violate the system integrity of remote systems, with malicious intent. Having gained unauthorized access, black-hat hackers destroy vital data, deny legitimate users service, and just cause problems for their targets. Black-hat hackers and crackers can easily be differentiated from white-hat hackers because their actions are malicious. This is the traditional definition of a hacker and what most people consider a hacker to be.

Gray Hats

Gray hats are hackers who may work offensively or defensively, depending on the situation. This is the dividing line between hacker and cracker. Gray-hat hackers may just be interested in hacking tools and technologies and are not malicious black hats. Gray hats are self-proclaimed ethical hackers, who are interested in hacker tools mostly from a curiosity standpoint. They may want to highlight security problems in a system or educate victims so they secure their systems properly. These hackers are doing their “victims” a favor. For instance, if a weakness is discovered in a service offered by an investment bank, the hacker is doing the bank a favor by giving the bank a chance to rectify the vulnerability.

From a more controversial point of view, some people consider the act of hacking itself to be unethical, like breaking and entering. But the belief that “ethical” hacking excludes destruction at least moderates the behavior of people who see themselves as “benign” hackers. According to this view, it may be one of the highest forms of “hackerly” courtesy to break into a system and then explain to the system operator exactly how it was done and how the hole can be plugged; the hacker is acting as an unpaid—and unsolicited—tiger team (a group that conducts security audits for hire). This approach has gotten many ethical hackers in legal trouble. Make sure you know the law and your legal liabilities when engaging in ethical hacking activity.

Many self-proclaimed ethical hackers are trying to break into the security field as consultants. Most companies don’t look favorably on someone who appears on their doorstep with confidential data and offers to “fix” the security holes “for a price.” Responses range from “thank you for this information, we’ll fix the problem” to calling the police to arrest the self-proclaimed ethical hacker. The difference between white hats and gray hats is that permission word.
Although gray hats might have good intentions, without the correct permission they can no longer be considered ethical. Now that you understand the types of hackers, let’s look at what hackers do. This may seem simple—they hack into computer systems—but sometimes it’s not that simple or nebulous. There is a process that should be followed and information that needs to be documented.

Ethical Hacking - An Introduction


HACKERS IN REAL

The realm of hackers and how they operate is unknown to most computer and security professionals. Hackers use specialized computer software tools to gain access to information. By learning the same skills and employing the software tools used by hackers, you will be able to defend your computer networks and systems against malicious attacks.
The goal of this first chapter is to introduce you to the world of the hacker and to define the terminology used in discussing computer security. To be able to defend against malicious hackers, security professionals must first understand how to employ ethical hacking techniques. This book will detail the tools and techniques used by hackers so that you can use those tools to identify potential risks in your systems. This book will guide you through the hacking process as a good guy.
Most ethical hackers are in the business of hacking for profit, an activity known as penetration testing, or pen testing for short. Pen testing is usually conducted by a security professional to identify security risks and vulnerabilities in systems and networks. The purpose of identifying risks and vulnerabilities is so that a countermeasure can be put in place and the risk mitigated to some degree. Ethical hackers are in the business of hacking and as such need to conduct themselves in a professional manner.
Additionally, state, country, or international laws must be understood and carefully considered prior to using hacking software and techniques. Staying within the law is a must for the ethical hacker. An ethical hacker is acting as a security professional when performing pen tests and must always act in a professional manner.

Defining Ethical Hacking

The next section will explain the purpose of ethical hacking and exactly what ethical hackers do. As mentioned earlier, ethical hackers must always act in a professional manner to differentiate themselves from malicious hackers. Gaining the trust of the client and taking all precautions to do no harm to their systems during a pen test are critical to being a professional. Another key component of ethical hacking is to always gain permission from the data owner prior to accessing the computer system. This is one of the ways ethical hackers can overcome the stereotype of hackers and gain the trust of clients.
The goals ethical hackers are trying to achieve in their hacking attempts will be explained as well in this section.

Understanding the Purpose of Ethical Hacking
When I tell people that I am an ethical hacker, I usually hear snickers and comments like “That’s an oxymoron.” Many people ask, “Can hacking be ethical?” Yes! That best describes what I do as a security professional. I use the same software tools and techniques as malicious hackers to find the security weakness in computer networks and systems. Then I apply the necessary fix or patch to prevent the malicious hacker from gaining access to the data. This is a never-ending cycle as new weaknesses are constantly being discovered in computer systems and patches are created by the software vendors to mitigate the risk of attack.
Ethical hackers are usually security professionals or network penetration testers who use their hacking skills and tool sets for defensive and protective purposes. Ethical hackers who are security professionals test their network and systems security for vulnerabilities using the same tools that a hacker might use to compromise the network. Any computer professional can learn the skills of ethical hacking.
The term cracker describes a hacker who uses their hacking skills and tool set for destructive or offensive purposes such as disseminating viruses or performing denial-of-service (DoS) attacks to compromise or bring down systems and networks. No longer just looking for fun, these hackers are sometimes paid to damage corporate reputations or steal or reveal credit card information, while slowing business processes and compromising the integrity of the organization.