Important Tools by steps Flashcards

1
Q

Locating Databases on the NW

A

SQLPing 3.0 is designed to discover DBs

SQLRecon

After locating a database, SQLPing can be used to crack PWs

2
Q

WiFi

A
WEP //use a ciphertext/plaintext attack
//use Kali Linux to sniff and crack PWs

Cracking WEP

intercept as many IVs as possible through sniffing, analyze packets, retrieve key

may take a while; to speed up, perform packet injection

1) Start the wireless interface on the attacking system in monitor mode on the specific access point channel; this mode is used to listen to packets in the air
2) Probe the target NW with the wireless device to determine if packet injection can be performed
3) Select a tool such as aireplay-ng to perform fake authentication with the access point
4) Start a WiFi sniffing tool to capture IVs; with a tool such as aireplay-ng, ARP requests can be intercepted and reinjected back into the NW, causing more packet generation
5) Run a tool such as Cain & Abel or aircrack-ng to extract encryption keys from the IVs

AirPcap //used to sniff wireless frames in ways that standard WiFi cannot //good for auditing wireless NWs

Cracking WPA
REAVER //free in Kali, one of the best tools for cracking WPA

Types of attacks on WPA and WPA2

OFFLINE ATTACK //close proximity to access point to observe handshake between client and access point; can capture handshake and recover keys by recording and cracking them offline

DEAUTHENTICATION ATTACK //forcing a reconnect

BRUTE-FORCE WPA KEYS //keep trying username and PW combinations over and over again, tools such as aircrack-ng, aireplay-ng, KisMAC

Using Raspberry Pi
//can be used to breach a NW
//can be used to do reverse SSH tunneling, where device opens a connection from inside NW out to attacker to bypass firewall restrictions

WARDRIVING //driving around an area with a computing device to detect wireless clients and APs
Site Survey Tools: KisMAC, NetStumbler, Kismet, WaveStumbler, inSSIDer
//common for these types of tools to connect to GPS to pinpoint location

Warflying // Warballooning //Warwalking //warchalking

ROGUE ACCESS POINTS //attacker installs a new, completely unsecured AP behind the company firewall

MAC SPOOFING //for APs that use MAC filtering, you can use MAC spoofing; MAC filtering is used to blacklist or whitelist MAC addresses of clients; an attacker can spoof the address of an approved client or switch their MAC to one of a client that is not blocked
Tools: SMAC, ifconfig, changemac.sh

AD HOC //use of a WiFi adapter to connect directly to another wireless-enabled system; the two systems can interact with each other; the main threat is that users do not know the difference between an infrastructure and an ad hoc NW and so may attach to an unsecured NW

MISCONFIGURATION

CLIENT MISASSOCIATION //WiFi propagates through walls and structures; a client attaches to an AP that is on a NW other than theirs, accidentally or unintentionally

PROMISCUOUS CLIENT //offers an irresistibly strong signal intentionally for malicious purposes

JAMMING ATTACKS //works on any type of wireless NW, essentially a DoS attack; can use a specifically designed HW device that transmits signals that interfere with 802.11 NWs

HONEYSPOT ATTACK //attacker sets up a rogue access point in range of several legit ones
HW device: WiFi Pineapple from Hak5

Ways to Locate Wireless NWs (helpful in Wardriving)
OpenSignal //app that can be used at http://opensignal.com or on a mobile device

Wefi //wefi.com

//JiWire

After connecting to the target NW, the next step is to perform TRAFFIC ANALYSIS
Tools: Kismet, AirMagnet, Wireshark with AirPcap, CommView

Some BLUETOOTH attacks include:
leaking the calendar or address book, activating cameras or microphones, controlling a phone to make calls, connecting to the internet

Wi-Fi jamming to perform a DoS on a wireless NW

3
Q

Evading IDS, IPS, Firewalls, etc

A

1) NIDS //inspects every packet entering the NW for malicious activity and throws an alert if found; can monitor anywhere from router to host; can be in the form of a dedicated computer or a black-box design (dedicated device)
2) HIDS //host-based IDS //installed on a server or computer //monitors activities on a specific system or host; detects misuse of the system, insider abuse
3) LFM IDS //Log file monitors //monitors log files created by NW services, identifies malicious events (tool: swatch)
4) FILE INTEGRITY CHECKING MECHANISMS //checks for trojans or altered files indicating an intruder has been there (tool: Tripwire)

EVADING FIREWALLS

Tools: command-line tool called firewalk

can use packet crafters or port redirection to evade the configuration on a firewall

IDS Evasion Techniques

DoS vs IDS //use enumeration techniques and system hacking to determine what resources are under load or are vital to the proper functioning of the IDS, then clog up those resources to make the IDS not function properly

OBFUSCATING //IDS relies on reading information; if we manipulate the info so that the IDS cannot understand it but the target can, it is not detected; can be done through manual manipulation of code or use of an OBFUSCATOR
(One example that is successful against older IDSs is the use of Unicode; by changing standard code such as HTTP requests/responses to their Unicode equivalent, the web server understands but the IDS does not)

CRYING WOLF //as the story goes, an attacker can target the IDS with an actual attack, causing the IDS to alert the owner; if done repeatedly with nothing happening on the system, the owner will eventually ignore it (the alerts become false positives to the owner); eventually the attacker will actually strike

SESSION SPLICING //some IDSs do not reassemble or rebuild sessions before analyzing traffic; it is possible to tamper with fragmented packets in a way the IDS cannot analyze, so it forwards them to the host
//adjust fragmentation so the IDS takes longer to reassemble fragments, or adjust fragments such that when reassembled they overlap, causing problems for the IDS

(Fun with flags: TCP uses flags to describe the status of a packet)
BOGUS RST //RST is used to end two-way communications between endpoints; in addition, checksums are used to verify the integrity of a packet to ensure what was received is what was originally sent; an attacker can alter the checksum so the IDS will not process the packet, and the traffic passes by the IDS without raising an alert

SENSE OF URGENCY //URG flag is used to mark data urgent; all info before it is ignored to process the urgent data; some IDSs do not take the previous data into account and let it pass

ENCRYPTION //MOST EFFECTIVE; some IDSs cannot process encrypted traffic and let it pass

Evading Firewalls

IP ADDRESS SPOOFING //pretending to be a trusted source

SOURCE ROUTING //attacker designates the route a packet should take (a way to prevent this is to configure the router to ignore any source routing attempts)

FRAGMENTATION //attacker uses the IP fragmentation technique to create extremely small fragments and force the TCP header info into the next fragment; the IDS ignores the TCP flags and only checks the first octet

IP ADDRESS TO ACCESS WEBSITES //use of an IP address in place of a URL; some firewalls only look at URLs instead of actual IP addresses
Tools: host2ip //converts URLs to IP addresses

USING ICMP TUNNELING //the ICMP protocol defines the format and structure of the packet, but not what is carried in it, so malicious code can be put in there
Tools: Loki, Ncovert, 007shell //tunnel commands in ICMP packets

USING ACK TUNNELING //some firewalls do not check packets that have the ACK bit set; the reason is because ACK packets are used to respond to previous, assumed-legit traffic that was already approved; an attacker can send packets with the ACK flag set using a tool such as AckCmd

HTTP TUNNELING //easiest, since HTTP is already allowed through many firewalls as part of normal operation
Tools to exploit HTTP: HTTPTunnel

4
Q

Testing firewall

A

1) Footprint the target
2) Perform port scanning
3) Perform banner grabbing against open ports
4) Attempt firewalking
5) Disable trusted hosts
6) Perform IP address spoofing
7) Perform source routing
8) Substitute an IP address for a URL
9) Perform a fragmentation attack
10) Use an anonymizer
11) Make use of a proxy server to bypass a firewall
12) Use ICMP tunneling
13) Use ACK tunneling

5
Q

Testing IDS

A

1) Disable trusted hosts
2) Attempt an insertion attack
3) Implement evasion techniques
4) Perform DoS
5) Use code obfuscation
6) Perform a false positive generation technique
7) Attempt a Unicode attack
8) Perform a fragmentation attack

6
Q

Physical Security

A

Encryption of hard drives, USBs, etc.

Tools such as PGP, TrueCrypt, Microsoft BitLocker

Basic components used to pick locks are:
TENSION WRENCHES //small, angled, flathead screwdrivers

PICKS //similar to dentist picks

Technique to pick:
SCRAPING //tension is held on the lock by the tension wrench while the pins are scraped quickly; the pins are then placed in a mechanical bind and stuck in the unlocked position
available at sites such as wallofsheep.com
