SlideShare a Scribd company logo
Configure SSH Server
Linux Remote Service
Connect Kali Remotely
•First SSH need to be install/update
# apt-get install openssh-server
# service ssh start
Verify that the server is up and listening using the “netstat” command
#netstat -antp |grep ssh
Now connect with “putty.exe” to your SSH linux servers (Kali/ ubuntu / redhat /
centos)
SSHD | SSH Server
FOOT PRINTING AND
RECONNAISSANCE
•What is Foorprinting
•Active & Passive Intelligence
•Reconnaissance Tools
Let’s Get Start into
Footprinting refers to uncovering and collecting as much information
as possible about target network
What is Footprinting
Active & Passive Intelligence
Passive
•From ordinary public traffic
•Google search (email, cell# etc)
•Browser company’s WebPages
•Viewing message boards (experts-exchange.com, etc)
•Facebook, Twitter, orkut etc
•Default configurations & passwords sites
Active
•Network Scan
•Vulnerability Scan
•Ping Sweep
•Social Engineering
•Phishing
Passive Recon Resources
•Social Media (facebook, twitter, orkut, forums etc)
•Whois, iptools.com, domaintools.com
•Netcraft
•Webpage source
•Mirror Sites (httrack, wget, Sam Spade, Archive.org)
•Tracert /traceroute (windows or Linux) send echo request actually
•DNS: nslookup,
-set type (query)
-zone transfers
-HINFO
•Robots.txt
•Service Banner Grabbing (on ports) via Telnet (HEAD / HTTP/1.0) “ENTER TWICE”
Active Recon Resources
•DNS
•Nessus (Vulnerability Scanner)
•Nikto (Back Track 5R3)
•Email Tracking (http://www.ipaddresslocation.org/)
•Google Hacking (Search) (www.exploit-db.com)
-Intitle
-Intext
-Inurl
-Filetype
-Link
Active Recon Resources
•inurl:ftp "password" filetype:xls
•site:example.com inurl:ftp "password" filetype:xls
You should also be performing focused searches that locate all major document types
such as .pdf, .doc, .txt, .xls
Active Recon Resources
•dig (Domain Information Groper) Alternative to nslookup
# dig example.com
#dig +qr example.com any (find out their name servers)
Zone Transfer using DIG
# dig @ns1.example.com example.com axfr
Listing the DNS version (restrict by default by administrators)
#dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer
Reverse DNS Lookup
#dig –x ipaddress
Tracing the Path
#dig +trace example.com
Active Recon Resources
•Fierce (DNS brute forcing with fierce)
Goto
# cd /pentest/enumeration/dns/fierce
# ./fierce –dns example.com
Active Recon Resources
•Metagofil (a powerful metadata gathering tool)
BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default.
Open up a terminal and type the following:
# cd /pentest/enumeration/google/metagoofil
# ./metagoofil.py –h
#metagoofil.py -d example.com -t doc,pdf –l 200 -n 50 –o /mnt -f results.html
Active Recon Resources
some tools that would assist you in finding more information:
Countermeasures
•Trash Securely
•Router/IDS/Firewalls to allow only certain apps/ports/rules
•Refuse malicious traffic
•Lockdown ports & Protocols
•Web service info avoid to leakage
•Disallow sensitive directories
•Evaluate your services before posting on public
•Listen carefully and reply only limited and specific answers
Scanning
•What is Scanning
•CEH Scanning Methodology
•Scanning Terms
•3-way handshake
Let’s Get Start into
• Port scanning is the process of checking for open TCP or UDP
ports on a remote machine. Please note that port scanning is illegal
in many countries and should not be performed outside the labs. This
is active probing or phase, which involves more direct interaction
with the target servers. It is vital that we understand the implications
of port scanning, as well as the impact that certain port scans can
have on a network.
•Scanning refers to a set of procedures for identifying hosts, ports
and services in a network
•Scanning is one step of intelligence gathering for an attacker to
create a profile of the target organization
What is Scanning
•Checking Live Systems
•Check Open Ports
•Banner Grabbing
•Prepare Proxies
•Scan for Vulnerabilities
•Draw Network Diagram
Scanning Methodology
Scanning Terms
•Network Scanning
•Port Scanning
•Vulnerability Scanning
TCP 3-Way HandShake
Scanning Tools
•Nmap
•Fping (ping sweep)
•Hping 3
•Nikto
•OpenVAS
•Netdiscover
Scanning Tools: Nmap
•Nmap online
http://nmap-online.com/
-nmap –sP 192.168.2.0/24 (scan with pingsweep)
-nmap –sP –vv 192.168.2.0/24 (scan with verbose)
-nmap –sP 192.168.2.0/24 –vv > scanresult.txt (save scan with output file)
-nmap –Pn 192.168.2.0/24 (treat all online, disable host discovery)
-nmap –D <forge ip> <target ip> (scan with fake IP address)
-nmap –Pn –sP domain.com (scan if IDS or Firewall block ICMP)
-nmap –sT 192.168.2.0/24 (scan with 3way handshake mostly in pen testing)
-nmap –sU 192.168.2.0/24 (scan UDP)
-nmap -sL 72.249.151.31 (Reverse DNS List Scan )
-nmap -sT -p- -PN 192.168.2.1-254 (TCP scan, all ports, assume all host alive)
-nmap –iL myiplist.txt (scan hosts provided by text file)
-nmap –sV (version scanning)
-nmap -O (OS Detection)
-nmap -p 139 192.168.1.* (Single port with complete IP range)
Scanning Tools
• fping
fping –a –g 192.168.2.1 192.168.2.1 > mylivehosts.txt
• nc.exe
# nc -vv -z -w2 192.168.0.10 24-26
• Unicornscan
# unicornscan 192.168.0.110
#unicornscan 192.168.0.0/24:139
Scanning Tools: Hping3
ICMP Ping
hping3 -1 192.168.15.1
SYN Ping
hping3 -S –p 80 –c 1 192.168.15.1
Port Scan
hping3 --scan 1-130,150-200 –S 192.168.15.1 -V
Scanning Tools: OpenVAS
http://www.backtrack-linux.org/wiki/index.php/OpenVas
•Configure firewall and IDS rules to detect and block probes/search
•Block unwanted ports at the firewall
•Hide sensitive information from public view
•Use custom rules set to lock down the network
•Filter inbound ICMP message types and all outbound ICMP type 3 unreachable
messages at boarder routers and firewalls
•Ensure that routing and filtering mechanisms cannot be bypassed using specific
source ports or source-routing techniques
•Understand the network configuration and its accessible ports by launching TCP
and UDP port scans along with ICMP probes against your own IP address space
Countermeasures
•If a commercial firewall is in use, ensure that:
•The latest service pack is installed
•The Anti-spoofing rules have been correctly defined
•Fastmode services are not used in Check Point Firewall-1 environment
Countermeasures
Enumeration
•What is Enumeration
•NetBIOS Enumeration
•SNMP Enumeration
•LDP with Domain Controller
Let’s Get Start into
Enumeration is defined as the process of extracting user names, machine
names, network resources, shares, and services from a system
Enumeration techniques are conducted in a intranet (LAN) environment
The type of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners
Auditing settings
What is Enumeration
NetBIOS Enumeration: Superscan4
SNMP Enumeration: Look@lan
LDAP Enumeration: LDP.exe
•NetBIOS Enumeration : use strong password
•SNMP Enumeration: use SNMP v3 have encryption
•LDAP Enumeration: By default allow for everyone, restrict for
authorized only
Countermeasures
System Hacking
• Password cracking techniques / types & cracking
Let’s Get Start into
Password cracking techniques
Dictionary Attacks - A dictionary file a loaded into the cracking application
that runs against user accounts
Brute Forcing Attacks- The program tries every combination of characters
until the password is broken
Hybrid Attack – It works like a dictionary attacks, but adds some numbers and
symbols to the words from the dictionary and tries to crack the password
Syllable Attack – It is the combination of both brute force attack and the
dictionary attack
Rule-Based Attack – This attack is used when the attacker get some
information about the password
Understanding different types of passwords
Only letters - HIJKLMNO
Only numbers - 758904
Only special characters - $@$!0
Letters and numbers - ax15oog
Only letters and special characters - m@roon$
Only numbers and special characters - @#47$
Letters, numbers, and special characters - E1n$8$
Passwords Attacks
Passive Online
Wire Sniffing
Man-in-the-Middle
Active Online
Password Guessing
Trojan/Spyware/Keyloggers
Passwords Attacks
Offline Attacks
Pre-computed Hashes
Rainbow Tables
Non – Electronic Attacks
Shoulder Surfing
Social Engineering
Dumpster Diving
Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008)
-Offline NT password re-setter
-Cain & Abel
-Ettercap (MITM) Back Track 5
-Pwdump6 / Fgdump (dump hashes)
-L0phtCrack (LC6)
-Ophcrack (rainbow tables) http://ophcrack.sourceforge.net
-Elcomsoft Advanced Password Recovery Bundle
-Back Track 5 – dump hashes and crack
Back Track 5 – Dump windows hashes and crack
1) Mount windows NTFS partition ( fdisk –l )
2) create temp folder
3) Mount windows HDD ( mount /dev/sda1 /mountfolder )
4) Bkhive /winhash/WINDOWS/system32/config/system syskey.txt
5) samdump2 /mnt/mountfolder/windows/system32/config/SAM syskey.txt >
hashes.txt
6) nano or vi editor to check the contents (optional)
7) john /hashfolder/hashes.txt -w:/dicfolder/wordfile.txt
Password cracked
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
- THC-Hydra (back track 5)
-Medusa (back track 5)
# medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http
-h the host you want to attack
-u the username you want to try. If there is no username use ""
-P the wordlist you want to use
-M the module you want to use
Here is the list of modules included with Back Track 5 & 5R1 Final:
# ls /usr/local/lib/medusa/modules/
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
-John the Ripper
-Recover Keys
-Windows Password Crackers
-Proactive System Password Recovery
-Password Unlocker Bundle
-Windows Password Reset Professional
-Windows Password Reset Standard
-Windows Password Unlocker
-Win Password
-Passware Kit Enterprise
-RockXP
-Passwords Pro
-LSA Secret View
-LCP
Stealing Passwords Using USB Drive
Insert USB into victim’s computer and extract the necessary information
Microsoft Authentication
SAM Database: Windows stores users passwords in the Security Accounts Manager
database (SAM) or in the Active Directory database in domains. Passwords are never
stored in clear text passwords are hashed and the results are stored in the SAM
NTLM Authentication: The NTLM authentication protocol consists of two
authentication protocols. NTLM and LM authentication protocol. These protocols
use different hashing methods to securely store a user’s password in the SAM
database.
Kerberos: Microsoft has upgraded its default authentication protocol to Kerberos, a
considerably more secure option than NTLM
More info
http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
Hash Passwords Stored in Windows SAM
Algorithms – well defined instructions for calculating the functions
Kerberos – (2003 / vista / 7 / 2008)
Greatest security works only on Active Directory 2003 and above
Microsoft Remote Desktop Service – BSoD a.k.a Crashing (XP, 2003, 7, 2008 R2)
Hands-on with - RDPKill
Password Cracking Countermeasures
-Strongest passwords should be implemented to protect against password
cracking.
-Systems should enforce 8–12-character alphanumeric passwords.
-Password length & complexity should be set
-To protect against cracking of the hashing algorithm for passwords stored on the
server, you must take care to physically isolate and protect the server.
-The system administrator can use the SYSKEY utility in Windows to further protect
hashes stored on the server’s hard disk.
-The server logs should also be monitored for brute-force attacks on user
accounts.
Password Cracking Countermeasures
System administrators can implement the following security precautions to decrease
the effectiveness of a brute-force password-cracking attempt:
-Never leave a default password.
-Never use a password that can be found in a dictionary.
-Never use a password related to the hostname, domain name, or anything else that
can be found with Whois.
-Never use a password related to your hobbies, pets, relatives, or date of birth.
-As a last resort, use a word that has more than 21 characters
-Passwords should expire after a certain amount of time so that users are forced to
change them.
Escalating Privileges
Escalating privileges basically means adding more rights or permissions to a user
account. Simply said, escalating privileges makes a regular user account into an
administrator account
Escalating Privileges
Sticky Keys – work on all windows
Sticky Keys is an accessibility features in Windows OS to aid users who have physical
disabilities. Press shift key 5 times at the logon screen and the sticky key dialog show
up
The program that launches the sticky keys is located at
c:windowssystem32sethc.exe
If we replace the sethc.exe with cmd.exe and then press 5 times shift key at logon
screen we will get a command prompt with admin privileges
How Defend against Privilege Escalation?
-User encryption techniques to protect sensitive data
-Restrict the interactive logon privilege
-Run users and applications on the least privilege
-Implement multi-factor authentication and authorization
-Patch the system regularly
-Run services as unprivileged accounts
Keyloggers
-Keystroke loggers are programs or hardware devices that monitor each keystroke as
user types on a keyboard, logs on to a file or transmits them to a remote location
-Keyloggers are placed between the keyboard hardware and the operating systems
-Legitimate applications for keyloggers include in office and industrial settings to
monitor employees computer activities and in home environments where parents
can monitor and spy on children's activity
Keyloggers
Keyloggers
Actual Spy (monitoring systems)
www.actualspy.com
-Design for hidden computer monitoring
-Actual Spy is capable of catching all keystrokes, capturing the screen, logging the
programs being run and closed, and monitoring the clipboard contents
Features
-Log all keystrokes
-Makes screenshots within the specified time interval
-Saves the applications running and closing
-Watches clipboard contents
-Records all print activity
-Records disk changes
-Records internet connections
-Records all websites visited
Keyloggers
Hardware Keyloggers
http://keyllama.com
http://keykatcher.com
USB Spyware
Video Spyware
IP Webcam (Android)
How to hide files – NTFS Alternate Data Stream (ADS)
-NTFS Alternate Data Stream (ADS) is a windows hidden stream which contains
metadata for the files such as attributes, word count, author name, and access and
modification time of the file
-ADS is the ability to split data into existing files without changing or altering their
functionality, size, or display to the file browsing utilities
-ADS allows an attacker to inject malicious code on a breached system and executes
them without being detected by the user
How to hide files – NTFS Alternate Data Stream (ADS)
How to create
Notepad is stream compliant application
Launch c:notepad myfile.txt:private.txt
Click Yes to create the new file and write lines then save
View the file size
To modify the stream data, open file is quite similar like above
notepad myfile.txt:private.txt
Steganography Technologies
Image Steganography
In image Steganography, the information is hidden in image files of different formats
such as .PNG, .JPG, .BMP, etc.
Image Steganography tools replace redundant bits of image data with the message
in such a way that the effect can not be detected by human eyes
Download Images Steganography Tools
http://www.stegoarchive.com
Demo - Image Hide
Steganography Technologies
more Steganography
- Document
- Video
- Audio
- Folder
Steganography Technologies
Spam/Email Steganography – Spam Mimic
online
http://www.spammimic.com
Skype Logview
http://www.nirsoft.net/utils/skype_log_view.html
Covering Your Tracks
-Once intruders have successfully gained administrator access on a system, they will
try to cover the tracks to avoid their detection
-When all the information of interest has been stripped off from the target, the
intruder installs several backdoors so that he or she can gain easy access in the
future
Covering Your Tracks
Why Cover Tracks?
-They can attack again
- They can cover the tracks to avoid their detection
- They can install backdoors to gain access in future
Tool:
CCleaner
Ettercap Packet Sniffing
Ettercap Packet Sniffing
ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (computer to router)
ettercap -T -M arp -i eth0 // // (all computers)
ettercap -T -M arp -i eth0 // // -w file.cap (all computers with save data in file)
q and ctrl+c to dc
cat test.cap | grep -a http
Ettercap Packet & Driftnet
driftnet -i eth0
ettercap -T -Q -M arp -i eth0 // //
Ettercap Packet
HTTP arp poisioning
DHCP Spoofing
Port Stealing
HTTPs Sniffing
/usr/local/etc/etter.conf ( uncomment in “linux” section – 2nd row)
echo "1" > /proc/sys/net/ipv4/ip_forward
Filters
/usr/local/share/ettercap
Converter = convert ettercap filters example files to .ef
Ettercap Packet
Ettercap – IronGeek dangerous filter
http://www.irongeek.com/i.php?page=security/ettercapfilter
Copy above script in file and convert to .ef (etterfilter filename –o newfile.ef)
Plugins
dns spoofing
isolate
DoS_attack & find_ip
gateway_discover
search promisc
arp_cop
Passive OS Fingerprints
Web Hacking
(1) Installing WebGoat and run
(2) Install Tamper Data addon in firefox
(3) Run Burpsuite
In OWASP>
Access control flaws > bypass a path based Access Control Scheme >
/../../../../conf/server.xml
Injection Flaws > string SQL injection
X’ or ‘a’=’a
Improper Error Handling
Parameter Tampering
OWASP – WebGoat
WebGoat OWASP Web/SQL/App Hacking Practitioner
CSS – Cross Site Script & SQL
Stored XSS
Stored XSS revisited
Reflected XSS (search staff)
"><script>alert("Teste")</script>
String SQL injection (Smith’ or ‘a’ = ‘a) with Temper Data
Deface Website
Webdav Shell Maker

More Related Content

What's hot

Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
Vladimir Koychev
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
Sam Bowne
 
Using metasploit
Using metasploitUsing metasploit
Using metasploit
CyberRad
 
Backtrack
BacktrackBacktrack
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
n|u - The Open Security Community
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
amiable_indian
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
Aryan G
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
OlehLevytskyi1
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
Cyber Security Alliance
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
amiable_indian
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
MrArora Arjuna
 
Backtrack os 5
Backtrack os 5Backtrack os 5
Backtrack os 5
Ayush Goyal
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
OWASP Delhi
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling Recipes
OSOCO
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
Sam Bowne
 
Snort
SnortSnort
Snort
bala150985
 
NMAP
NMAPNMAP
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide
Bishop Fox
 

What's hot (20)

Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Using metasploit
Using metasploitUsing metasploit
Using metasploit
 
Backtrack
BacktrackBacktrack
Backtrack
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
Backtrack os 5
Backtrack os 5Backtrack os 5
Backtrack os 5
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling Recipes
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Snort
SnortSnort
Snort
 
NMAP
NMAPNMAP
NMAP
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide
 

Viewers also liked

Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
Agnel Chittilappilly
 
CTAP
CTAPCTAP
Scanning Techniques
Scanning TechniquesScanning Techniques
Scanning Techniques
Mohammad Golpayegani
 
Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security
FAO
 
NSE7
NSE7NSE7
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
Mostafa Elgamala
 
CTAP
CTAPCTAP
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
Vi Tính Hoàng Nam
 
Elebda3.net 4395
Elebda3.net 4395Elebda3.net 4395
Elebda3.net 4395
Riadh Briki
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
Joseph Bugeja
 
Wi fi in arabic
Wi fi in arabicWi fi in arabic
Wi fi in arabic
hasan_399_81
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
Vi Tính Hoàng Nam
 
Faculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong worldFaculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong world
Mostafa Elgamala
 
Linux02 install SSh
Linux02 install SShLinux02 install SSh
Linux02 install SSh
Jainul Musani
 
Cisco network security Chapter7
Cisco network security Chapter7Cisco network security Chapter7
Cisco network security Chapter7
Khalid Al-wajeh
 
Fortinet & VMware integration
Fortinet & VMware integrationFortinet & VMware integration
Fortinet & VMware integration
VMUG IT
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
Mostafa Elgamala
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
Nick Straughan
 

Viewers also liked (20)

Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
 
CTAP
CTAPCTAP
CTAP
 
Scanning Techniques
Scanning TechniquesScanning Techniques
Scanning Techniques
 
Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security
 
NSE7
NSE7NSE7
NSE7
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
CTAP
CTAPCTAP
CTAP
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
 
Elebda3.net 4395
Elebda3.net 4395Elebda3.net 4395
Elebda3.net 4395
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
 
Wi fi in arabic
Wi fi in arabicWi fi in arabic
Wi fi in arabic
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Faculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong worldFaculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong world
 
IT
ITIT
IT
 
Linux02 install SSh
Linux02 install SShLinux02 install SSh
Linux02 install SSh
 
Cisco network security Chapter7
Cisco network security Chapter7Cisco network security Chapter7
Cisco network security Chapter7
 
Fortinet & VMware integration
Fortinet & VMware integrationFortinet & VMware integration
Fortinet & VMware integration
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 

Similar to Penetration Testing Boot CAMP

Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
nayakslideshare
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
Senthil Vit
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
amiable_indian
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
InfoSec Addicts
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
dc612
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
cemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
tehkotak4
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat Security Conference
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
GTKlondike
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
Jorge Orchilles
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
Narudom Roongsiriwong, CISSP
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
contactatkmdp
 
Security Onion
Security OnionSecurity Onion
Security Onion
johndegruyter
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
Richmond Adebiaye
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
Sam Bowne
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
Amitesh Bharti
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
Andrew McNicol
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
Iwan89629
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
APNIC
 

Similar to Penetration Testing Boot CAMP (20)

Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 

Penetration Testing Boot CAMP

  • 1. Configure SSH Server Linux Remote Service Connect Kali Remotely
  • 2. •First SSH need to be install/update # apt-get install openssh-server # service ssh start Verify that the server is up and listening using the “netstat” command #netstat -antp |grep ssh Now connect with “putty.exe” to your SSH linux servers (Kali/ ubuntu / redhat / centos) SSHD | SSH Server
  • 4. •What is Foorprinting •Active & Passive Intelligence •Reconnaissance Tools Let’s Get Start into
  • 5. Footprinting refers to uncovering and collecting as much information as possible about target network What is Footprinting
  • 6. Active & Passive Intelligence Passive •From ordinary public traffic •Google search (email, cell# etc) •Browser company’s WebPages •Viewing message boards (experts-exchange.com, etc) •Facebook, Twitter, orkut etc •Default configurations & passwords sites Active •Network Scan •Vulnerability Scan •Ping Sweep •Social Engineering •Phishing
  • 7. Passive Recon Resources •Social Media (facebook, twitter, orkut, forums etc) •Whois, iptools.com, domaintools.com •Netcraft •Webpage source •Mirror Sites (httrack, wget, Sam Spade, Archive.org) •Tracert /traceroute (windows or Linux) send echo request actually •DNS: nslookup, -set type (query) -zone transfers -HINFO •Robots.txt •Service Banner Grabbing (on ports) via Telnet (HEAD / HTTP/1.0) “ENTER TWICE”
  • 8. Active Recon Resources •DNS •Nessus (Vulnerability Scanner) •Nikto (Back Track 5R3) •Email Tracking (http://www.ipaddresslocation.org/) •Google Hacking (Search) (www.exploit-db.com) -Intitle -Intext -Inurl -Filetype -Link
  • 9. Active Recon Resources •inurl:ftp "password" filetype:xls •site:example.com inurl:ftp "password" filetype:xls You should also be performing focused searches that locate all major document types such as .pdf, .doc, .txt, .xls
  • 10. Active Recon Resources •dig (Domain Information Groper) Alternative to nslookup # dig example.com #dig +qr example.com any (find out their name servers) Zone Transfer using DIG # dig @ns1.example.com example.com axfr Listing the DNS version (restrict by default by administrators) #dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer Reverse DNS Lookup #dig –x ipaddress Tracing the Path #dig +trace example.com
  • 11. Active Recon Resources •Fierce (DNS brute forcing with fierce) Goto # cd /pentest/enumeration/dns/fierce # ./fierce –dns example.com
  • 12. Active Recon Resources •Metagofil (a powerful metadata gathering tool) BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default. Open up a terminal and type the following: # cd /pentest/enumeration/google/metagoofil # ./metagoofil.py –h #metagoofil.py -d example.com -t doc,pdf –l 200 -n 50 –o /mnt -f results.html
  • 13. Active Recon Resources some tools that would assist you in finding more information:
  • 14. Countermeasures •Trash Securely •Router/IDS/Firewalls to allow only certain apps/ports/rules •Refuse malicious traffic •Lockdown ports & Protocols •Web service info avoid to leakage •Disallow sensitive directories •Evaluate your services before posting on public •Listen carefully and reply only limited and specific answers
  • 16. •What is Scanning •CEH Scanning Methodology •Scanning Terms •3-way handshake Let’s Get Start into
  • 17. • Port scanning is the process of checking for open TCP or UDP ports on a remote machine. Please note that port scanning is illegal in many countries and should not be performed outside the labs. This is active probing or phase, which involves more direct interaction with the target servers. It is vital that we understand the implications of port scanning, as well as the impact that certain port scans can have on a network. •Scanning refers to a set of procedures for identifying hosts, ports and services in a network •Scanning is one step of intelligence gathering for an attacker to create a profile of the target organization What is Scanning
  • 18. •Checking Live Systems •Check Open Ports •Banner Grabbing •Prepare Proxies •Scan for Vulnerabilities •Draw Network Diagram Scanning Methodology
  • 19. Scanning Terms •Network Scanning •Port Scanning •Vulnerability Scanning
  • 21. Scanning Tools •Nmap •Fping (ping sweep) •Hping 3 •Nikto •OpenVAS •Netdiscover
  • 22. Scanning Tools: Nmap •Nmap online http://nmap-online.com/ -nmap –sP 192.168.2.0/24 (scan with pingsweep) -nmap –sP –vv 192.168.2.0/24 (scan with verbose) -nmap –sP 192.168.2.0/24 –vv > scanresult.txt (save scan with output file) -nmap –Pn 192.168.2.0/24 (treat all online, disable host discovery) -nmap –D <forge ip> <target ip> (scan with fake IP address) -nmap –Pn –sP domain.com (scan if IDS or Firewall block ICMP) -nmap –sT 192.168.2.0/24 (scan with 3way handshake mostly in pen testing) -nmap –sU 192.168.2.0/24 (scan UDP) -nmap -sL 72.249.151.31 (Reverse DNS List Scan ) -nmap -sT -p- -PN 192.168.2.1-254 (TCP scan, all ports, assume all host alive) -nmap –iL myiplist.txt (scan hosts provided by text file) -nmap –sV (version scanning) -nmap -O (OS Detection) -nmap -p 139 192.168.1.* (Single port with complete IP range)
  • 23. Scanning Tools • fping fping –a –g 192.168.2.1 192.168.2.1 > mylivehosts.txt • nc.exe # nc -vv -z -w2 192.168.0.10 24-26 • Unicornscan # unicornscan 192.168.0.110 #unicornscan 192.168.0.0/24:139
  • 24. Scanning Tools: Hping3 ICMP Ping hping3 -1 192.168.15.1 SYN Ping hping3 -S –p 80 –c 1 192.168.15.1 Port Scan hping3 --scan 1-130,150-200 –S 192.168.15.1 -V
  • 26. •Configure firewall and IDS rules to detect and block probes/search •Block unwanted ports at the firewall •Hide sensitive information from public view •Use custom rules set to lock down the network •Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at boarder routers and firewalls •Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques •Understand the network configuration and its accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space Countermeasures
  • 27. •If a commercial firewall is in use, ensure that: •The latest service pack is installed •The Anti-spoofing rules have been correctly defined •Fastmode services are not used in Check Point Firewall-1 environment Countermeasures
  • 29. •What is Enumeration •NetBIOS Enumeration •SNMP Enumeration •LDP with Domain Controller Let’s Get Start into
  • 30. Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system Enumeration techniques are conducted in a intranet (LAN) environment The type of information enumerated by intruders: Network resources and shares Users and groups Applications and banners Auditing settings What is Enumeration
  • 34. •NetBIOS Enumeration : use strong password •SNMP Enumeration: use SNMP v3 have encryption •LDAP Enumeration: By default allow for everyone, restrict for authorized only Countermeasures
  • 36. • Password cracking techniques / types & cracking Let’s Get Start into
  • 37. Password cracking techniques Dictionary Attacks - A dictionary file a loaded into the cracking application that runs against user accounts Brute Forcing Attacks- The program tries every combination of characters until the password is broken Hybrid Attack – It works like a dictionary attacks, but adds some numbers and symbols to the words from the dictionary and tries to crack the password Syllable Attack – It is the combination of both brute force attack and the dictionary attack Rule-Based Attack – This attack is used when the attacker get some information about the password
  • 38. Understanding different types of passwords Only letters - HIJKLMNO Only numbers - 758904 Only special characters - $@$!0 Letters and numbers - ax15oog Only letters and special characters - m@roon$ Only numbers and special characters - @#47$ Letters, numbers, and special characters - E1n$8$
  • 39. Passwords Attacks Passive Online Wire Sniffing Man-in-the-Middle Active Online Password Guessing Trojan/Spyware/Keyloggers
  • 40. Passwords Attacks Offline Attacks Pre-computed Hashes Rainbow Tables Non – Electronic Attacks Shoulder Surfing Social Engineering Dumpster Diving
  • 41. Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008) -Offline NT password re-setter -Cain & Abel -Ettercap (MITM) Back Track 5 -Pwdump6 / Fgdump (dump hashes) -L0phtCrack (LC6) -Ophcrack (rainbow tables) http://ophcrack.sourceforge.net -Elcomsoft Advanced Password Recovery Bundle -Back Track 5 – dump hashes and crack
  • 42. Back Track 5 – Dump windows hashes and crack 1) Mount windows NTFS partition ( fdisk –l ) 2) create temp folder 3) Mount windows HDD ( mount /dev/sda1 /mountfolder ) 4) Bkhive /winhash/WINDOWS/system32/config/system syskey.txt 5) samdump2 /mnt/mountfolder/windows/system32/config/SAM syskey.txt > hashes.txt 6) nano or vi editor to check the contents (optional) 7) john /hashfolder/hashes.txt -w:/dicfolder/wordfile.txt Password cracked
  • 43. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008) - THC-Hydra (back track 5) -Medusa (back track 5) # medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http -h the host you want to attack -u the username you want to try. If there is no username use "" -P the wordlist you want to use -M the module you want to use Here is the list of modules included with Back Track 5 & 5R1 Final: # ls /usr/local/lib/medusa/modules/
  • 44. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008) -John the Ripper -Recover Keys -Windows Password Crackers -Proactive System Password Recovery -Password Unlocker Bundle -Windows Password Reset Professional -Windows Password Reset Standard -Windows Password Unlocker -Win Password -Passware Kit Enterprise -RockXP -Passwords Pro -LSA Secret View -LCP
  • 45. Stealing Passwords Using USB Drive Insert USB into victim’s computer and extract the necessary information
  • 46. Microsoft Authentication SAM Database: Windows stores users passwords in the Security Accounts Manager database (SAM) or in the Active Directory database in domains. Passwords are never stored in clear text passwords are hashed and the results are stored in the SAM NTLM Authentication: The NTLM authentication protocol consists of two authentication protocols. NTLM and LM authentication protocol. These protocols use different hashing methods to securely store a user’s password in the SAM database. Kerberos: Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM More info http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
  • 47. Hash Passwords Stored in Windows SAM
  • 48. Algorithms – well defined instructions for calculating the functions Kerberos – (2003 / vista / 7 / 2008) Greatest security works only on Active Directory 2003 and above
  • 49. Microsoft Remote Desktop Service – BSoD a.k.a Crashing (XP, 2003, 7, 2008 R2) Hands-on with - RDPKill
  • 50. Password Cracking Countermeasures -Strongest passwords should be implemented to protect against password cracking. -Systems should enforce 8–12-character alphanumeric passwords. -Password length & complexity should be set -To protect against cracking of the hashing algorithm for passwords stored on the server, you must take care to physically isolate and protect the server. -The system administrator can use the SYSKEY utility in Windows to further protect hashes stored on the server’s hard disk. -The server logs should also be monitored for brute-force attacks on user accounts.
  • 51. Password Cracking Countermeasures System administrators can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt: -Never leave a default password. -Never use a password that can be found in a dictionary. -Never use a password related to the hostname, domain name, or anything else that can be found with Whois. -Never use a password related to your hobbies, pets, relatives, or date of birth. -As a last resort, use a word that has more than 21 characters -Passwords should expire after a certain amount of time so that users are forced to change them.
  • 52. Escalating Privileges Escalating privileges basically means adding more rights or permissions to a user account. Simply said, escalating privileges makes a regular user account into an administrator account
  • 53. Escalating Privileges Sticky Keys – work on all windows Sticky Keys is an accessibility features in Windows OS to aid users who have physical disabilities. Press shift key 5 times at the logon screen and the sticky key dialog show up The program that launches the sticky keys is located at c:windowssystem32sethc.exe If we replace the sethc.exe with cmd.exe and then press 5 times shift key at logon screen we will get a command prompt with admin privileges
  • 54. How Defend against Privilege Escalation? -User encryption techniques to protect sensitive data -Restrict the interactive logon privilege -Run users and applications on the least privilege -Implement multi-factor authentication and authorization -Patch the system regularly -Run services as unprivileged accounts
  • 55. Keyloggers -Keystroke loggers are programs or hardware devices that monitor each keystroke as user types on a keyboard, logs on to a file or transmits them to a remote location -Keyloggers are placed between the keyboard hardware and the operating systems -Legitimate applications for keyloggers include in office and industrial settings to monitor employees computer activities and in home environments where parents can monitor and spy on children's activity
  • 57. Keyloggers Actual Spy (monitoring systems) www.actualspy.com -Design for hidden computer monitoring -Actual Spy is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, and monitoring the clipboard contents Features -Log all keystrokes -Makes screenshots within the specified time interval -Saves the applications running and closing -Watches clipboard contents -Records all print activity -Records disk changes -Records internet connections -Records all websites visited
  • 61. How to hide files – NTFS Alternate Data Stream (ADS) -NTFS Alternate Data Stream (ADS) is a windows hidden stream which contains metadata for the files such as attributes, word count, author name, and access and modification time of the file -ADS is the ability to split data into existing files without changing or altering their functionality, size, or display to the file browsing utilities -ADS allows an attacker to inject malicious code on a breached system and executes them without being detected by the user
  • 62. How to hide files – NTFS Alternate Data Stream (ADS) How to create Notepad is stream compliant application Launch c:notepad myfile.txt:private.txt Click Yes to create the new file and write lines then save View the file size To modify the stream data, open file is quite similar like above notepad myfile.txt:private.txt
  • 63. Steganography Technologies Image Steganography In image Steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc. Image Steganography tools replace redundant bits of image data with the message in such a way that the effect can not be detected by human eyes Download Images Steganography Tools http://www.stegoarchive.com Demo - Image Hide
  • 64. Steganography Technologies more Steganography - Document - Video - Audio - Folder
  • 65. Steganography Technologies Spam/Email Steganography – Spam Mimic online http://www.spammimic.com
  • 67. Covering Your Tracks -Once intruders have successfully gained administrator access on a system, they will try to cover the tracks to avoid their detection -When all the information of interest has been stripped off from the target, the intruder installs several backdoors so that he or she can gain easy access in the future
  • 68. Covering Your Tracks Why Cover Tracks? -They can attack again - They can cover the tracks to avoid their detection - They can install backdoors to gain access in future Tool: CCleaner
  • 69. Ettercap Packet Sniffing Ettercap Packet Sniffing ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (computer to router) ettercap -T -M arp -i eth0 // // (all computers) ettercap -T -M arp -i eth0 // // -w file.cap (all computers with save data in file) q and ctrl+c to dc cat test.cap | grep -a http
  • 70. Ettercap Packet & Driftnet driftnet -i eth0 ettercap -T -Q -M arp -i eth0 // //
  • 71. Ettercap Packet HTTP arp poisioning DHCP Spoofing Port Stealing HTTPs Sniffing /usr/local/etc/etter.conf ( uncomment in “linux” section – 2nd row) echo "1" > /proc/sys/net/ipv4/ip_forward Filters /usr/local/share/ettercap Converter = convert ettercap filters example files to .ef
  • 72. Ettercap Packet Ettercap – IronGeek dangerous filter http://www.irongeek.com/i.php?page=security/ettercapfilter Copy above script in file and convert to .ef (etterfilter filename –o newfile.ef) Plugins dns spoofing isolate DoS_attack & find_ip gateway_discover search promisc arp_cop Passive OS Fingerprints
  • 74. (1) Installing WebGoat and run (2) Install Tamper Data addon in firefox (3) Run Burpsuite In OWASP> Access control flaws > bypass a path based Access Control Scheme > /../../../../conf/server.xml Injection Flaws > string SQL injection X’ or ‘a’=’a Improper Error Handling Parameter Tampering OWASP – WebGoat WebGoat OWASP Web/SQL/App Hacking Practitioner
  • 75. CSS – Cross Site Script & SQL Stored XSS Stored XSS revisited Reflected XSS (search staff) "><script>alert("Teste")</script> String SQL injection (Smith’ or ‘a’ = ‘a) with Temper Data