Wireshark is one of the top packet sniffing software available for free.
Wireshark can be downloaded from their website.
The wireshark GUI has customisable colours and filters to easily sniff for specific packets. To use wireshark, simply run it, select your network interface to sniff on and click start. Different types of packet are given different colours - by default, green is TCP traffic, dark blue is DNS traffic, light blue is UDP traffic and black identifies TCP packets with problems – but we can change this colour codes (they were actually intended to be changed. Choose “View > Colour Rules…”).
Use the filter to find specific packets, for example to display only DNS packets type dns in the filter, etc. To configure filters, choose “Analyze > Display Filters”.
If you right click on a packet and click “Follow TCP Stream” you can view the entire conversation between 2 hosts. If you select a packet, you can view a lot of details about it. You can also save all the data collected into a file for analysing later.
Wireshark can be used to capture and view all unencrypted data sent over a network. Of course, we can’t capture passwords from HTTPS because they are encrypted, but passwords in HTTP, FTP and more can easily be viewed, as well as everything else.
Ettercap is a program especially great for performing Man In The Middle (MITM) attacks, such as DNS spoofing, ARP cache poisoning, etc. It comes installed by default on Kali but you can download it using this command:
Ettercap can be used to sniff for packets on a network which can reveal passwords and more. Check out the social engineering section for one use of ettercap. It is pretty self-explanatory to use.
Significantly, we can capture LDAP (Lightweight Directory Access Protocol) Packets over a network while sniffing to find usernames and passwords on the network as they are being authenticated. This is an easy way to get administrator access.
This is where the fun begins. Exploiting is where we actually attack a machine in order to “own” it. We attempt to use weaknesses in the way programs are coded to get us into the computer – that is why we had to scan for open ports and find the software running on them.
The latest vulnerabilities and exploits can be found from Microsoft’s TechNet, and SecurityFocus.
Common types of vulnerability:
OS Vulnerabilities: OS exploits are used to gain access to the system. Most OS holes exist from default configuration, services and applications.
Webserver Vulnerabilities: Can gain root access, website defacement, DoS(put the server down), theft or alteration data on server, or further penetration into the network.
Database Vulnerabilities
TCP Stack Vulnerabilities
Application Vulnerabilities. Examples: buffer overflow, weak authentication mechanisms, poor data validation, and poor error checking.
The metasploit framework is one of the best tools you could ever wish for in this section (although it is constantly combatted by antivirus). It is basically a database of hundreds and hundreds of exploits for different operating systems and software. It comes installed by default on Kali linux and backtrack.
There are 2 main parts to exploiting: The Exploit and the Payload. The exploit is the method of gaining some unauthorized ability on the target box (to execute the payload), and the payload is the code which does whatever we want (e.g. give us access). The most common payload to use is the meterpreter which is a bit like a RAT, and gives us a lot of control via the command line. There are reverse and bind payloads - Reverse payloads are left on the attacker machine and they connect back to you (which generally stops the client’s firewall blocking the connection). Payloads can be made persistent by dumping them into registry. For future sessions to be established, you will need to start the listener manually. Bind payloads bind to the victim machine and through them attacker enters. Connection is not reverse but direct (which may be blocked by the clients firewall).
Different exploits depend on the vulnerabilities we have found in a target machine.
Basic usage:
Once we have found a vulnerability, find an exploit for it:
Select the exploit using the “use” command:
Code:
use (exploit name)
After setting the exploit itself, you need to see which options it uses. They have to be set manually. Some of them though do not need to be set. You can check if it is required by looking under "Required" option.
Code:
Show Options
Example options required are RHost (remote host, the target), RPort (remote port, set by default), SRVHost and SRVPort.
Set the options like this:
Code:
set rhost 192.168.0.12
We need to set a payload that will be delivered. Find a payload with this command:
Code:
Show Payloads
Then select the payload to use:
Code:
Set Payload (Payload name)
Payloads may require options too, set in the same way as above. For example, a common payload windows/meterpreter/reverse_tcp requires LHost (Local host, our machine) in order to connect back (it is a reverse payload).
Then run the exploit using:
Code:
exploit
If we were using a meterpreter payload like reverse_tcp, we then end up with a meterpreter shell to execute commands on the victim’s machine.
You might also be interested in a GUI for metasploit called Armitage (which also comes installed on Kali by default).
You should also have a good idea about how exploits actually work rather than just using metasploit like a skid. If you learn how to code exploits, you could actually code an exploit noone else has discovered yet (called a 0day). Zero day exploits are worth huge amounts because noone knows about them and therefore noone has patched it
Some other exploitation tools are available too, for example beef (the browser exploitation framework),
Once we have exploited and gained access, we do not always have much access (especially when we use a client-side attack). The next step is privilege escalation. The getsystem command in the meterpreter can escalate privileges, or we can sometimes pivot from an unprivileged system to another on the network with more access. Often, privilege escalation methods are exploits themselves. We try to gain root or administrator access.
When we have access, we can do whatever our initial purpose of attack was – for example stealing data
After we have access, we also then install a backdoor or something similar (netcat, meterpreter, command shell, tunnelshell, etc) to ensure we can connect back again later (even if the vulnerability we initially exploited is patched).
Finally, we must erase our presence from logs, remove any software we uploaded, removing our command history, etc, to ensure that we are not caught. The meterpreter has a clearev command that removes the event logs on Windows systems.
To exploit systems, we need a connection to them. Usually it is a lot harder to exploit systems over the internet than if we have a direct connection to them via a LAN. Obviously, the only way to hack into an Ethernet LAN is to walk up and plug in. Here is how to gain access to a wireless LAN.
Wi-Fi can be less secure than wired connections (such as Ethernet) because an intruder does not need a physical connection. Web pages that use SSL are secure but unencrypted internet access can easily be detected by intruders, because all data is being sent flying around the local area and can be intercepted with sniffing. Because of this, Wi-Fi has adopted various encryption technologies. The early encryption WEP, proved easy to break. Higher quality protocols (WPA, WPA2) were added later.
WEP encryption is very weak and easy to crack. Most wireless networks today use stronger encryption – WPA and WPA2. WPA2 uses a stronger encryption algorithm, AES, that's very difficult to crack—but not impossible. When a user connects to a WPA2 Access point, the client and AP use a "4 way handshake" to authenticate the client. This is how we can crack the encryption: if we can capture the 4 way handshake, we can crack the password.
Reaver is a great tool for cracking wireless passwords. Just use a command like this:
Code:
reaver -i mon0 -f -c (Channel #) -b (Target BSSID) -vv -x 60
That will probably take a few hours to finish.
A really l33t hack is to setup a fake access point with the exact same ESSID and BSSID and channel as a legitimate one, and then boost the signal strength of yours. By default, clients will connect to the access point with the best signal strength – AKA yours! You can then easily sniff all traffic, steal credentials, spoof addresses, etc! I explain how to do this in my DOS attack on a router in a later post. Check the Denial of Service section for the link.
Website exploitation is a specific case of exploitation, where we attack vulnerabilities in webpages hosted on webservers.
There are numerous different methods to directly attack a website. We can use this to modify/deface websites, gain access to privileged areas, steal usernames and passwords, take control of the webserver, etc. I have provided a lot of links in this section because there are already a lot of good tutorials on most website exploitation methods.
Cross Site Scripting (XSS):
XSS enables attackers to inject client-side script (like javascript code) into Web pages viewed by other users.
Similar to this is cross frame scripting (XFS).
SQL Injection:
SQL injection basically takes advantage of weaknesses in the way a page deals with an SQL database, to get around authentication or to access/modify/delete databases. You need to be familiar with SQL commands to use it well, plus you must have a good understanding of how websites are coded (in HTML/php).
tutorials (Click to View)
Blind SQL injection is nearly identical to normal SQL Injection, the only difference being the way the data is retrieved from the database. When the database does not output data to the web page, an attacker is forced to steal data by asking the database a series of true or false questions. This makes exploiting the SQL Injection vulnerability more difficult, but not impossible.
There are also tools available which can perform SQL injection automatically, like Havij. This can be very useful for beginners, but it will never be able to be creative like a true hacker will be.
Shells:
After using SQL injection to find admin passwords for example, we then find the login page for the administrator. You can use admin finding tools for this. Log in, and then you can deface the site, etc. Usually we would upload a shell to the webserver somewhere so we can execute commands remotely. The most common shell is the c99 shell, which gives us heaps of abilities. There is even a c99 shell uploaded to Hackforums under the extras section .
Remote File Inclusion (RFI):
Remote file inclusion, as its name suggests, allows an attacker to include a remote file (usually through a script on the web server). The vulnerability occurs due to the use of user-supplied input without proper validation. This can lead to something as minimal as outputting the contents of the file or more serious events such as code execution on the web server, code execution on the client-side such as JavaScript which can lead to other attacks such as cross site scripting (XSS), Denial of service (DoS) or data theft/manipulation.
Local File Inclusion (LFI):
Local File Inclusion is similar to a Remote File Inclusion vulnerability except instead of including remote files, only local files i.e. files on the current server can be included. The vulnerability is also due to the use of user-supplied input without proper validation.
Tamperdata is a useful plugin for firefox which allows you to view and edit HTTP headers on a site. Firebug also allows you to perform a lot of useful functions on a w
Most secure programs do not store passwords in plaintext, rather they encrypt them to a hash (a string of numbers and letters). This makes it much harder to discover the password. A common example of this is windows, where all user passwords are stored as hashes in the SAM file. There are numerous programs available to “dump” the hashes, for example pwdump, but the hashes are no use to us – we want the passwords themselves! We must crack the hash. Some encryption algorithms are reversible (here is a good site for reversible encryption/decryption), but others are not.
The common methods for cracking irreversible hashes are:
Dictionary attacks (testing whether words from a common password list generate the same hash)
Rainbow tables (a precomputed table of hashes)
Brute force attacks (trying every possible combination of characters until the correct password is found).
Dictionary and Rainbow table attacks are much faster than brute force, but their reliability is dependent on the size of the dictionary/table. Large tables can be huge in size, for example 20GB or more. Crunch is a tool you can use to generate your own wordlists for dictionary attacks.Popular brute force tools include THC Hydra and Brutus. Hashcat is a cool tool you can check out for cracking hashes with the CPU and GPU.
There is a useful operating system/program called OPHCrack which you can boot from a flash drive or CD onto a windows computer, and use rainbow tables to attempt to crack the passwords on the computer.
There are also some websites available to crack hashes online, but because they are a free service, they do not dedicate huge amounts of processing power to cracking the hash and may not be successful on more complex passwords. Example: OnlineHashCrack
A really easy way to get administrator access to a windows computer is to boot up linux on it from a flash drive, go to the windows folder, and create a copy of cmd. Rename the copy utilman, replacing the old utilman (you might want to keep a backup for later). Then, on windows, simply open up Ease of Access utilities on the logon screen and you will in fact get a cmd window with admin access. From there, create a new account using the net user /ADD command, and then add it to the net localgroup Administrators /ADD. Easy!
If you just want cmd access on a computer, simply make a batch file with cmd or command as the only text inside it, and then run it!
Cryptography is a complex subject, but very interesting, and it is the basis for cryptocurrencies like bitcoin, and the basis for crypters!
Keyloggers:
Keyloggers are simple programs which silently log keystrokes in the background on an infected computer. They can be used to steal passwords, banking information, etc from victims. For this reason, they are very popular. Keyloggers are a type of spyware. Some example keyloggers are Syslogger and Project Neptune. Use KeyScrambler to prevent keyloggers from monitoring your keystrokes.
RATs:
RATs (Remote Administration Tools / Remote Access Trojans) are more complex programs which attempt hide themselves on an infected computer while providing a lot of functionality to the owner. There are 2 parts to a RAT – the client and the server. The server is the software which is installed onto victim computers while the client is used by the owner to access the servers, retrieve files, view the webcam, control the computer remotely and more. Most RATs also include a keylogger. RATs are a type of trojan. Common RATs include Darkcomet (free), Cerberus (free), Imminent Monitor (paid), and Netwire (paid). Here is a great tutorial on setting up the most popular free RAT – Darkcomet 5.3.1.
Tips on keeping infected users for longer: User dynamic IP addresses with no-ip, make sure the server is FUD and configured correctly, and maybe even infect boxes with multiple RATs at once.
Crypters:
Crypters are software that are used to encrypt/disguise a RAT, Keylogger or other virus to ensure that antivirus software does not detect it. The best way to get a crypter is buy a private one or code your own. Crypters must usually be purchased privately, for example in the buyers’ bay of HF, because public crypters usually become detected very soon after their release. If you want to code your own, there are a lot of useful tutorials on hackforums. Check out the c++ section, because it is one of the most popular languages for coding crypters in.
Antivirus is the RATters worst enemy. Here is a useful script which is designed to kill antivirus software. Just put that code into notepad, and save it with a .bat extension. When this is run, it will kill antivirus software on the computer. It is quite an old script, I didn’t write it, and so all credits go to the writer. You can add to it more if you want to make it more functional. Getting a user to run this on their computer before downloading a RAT or keylogger is a very powerful combination – an alternative to a crypter.
There are other types of malicious programs coded for different purposes, which include:
Adware: Adware (short for advertising-supported software) is a type of malware that automatically delivers advertisements.
Ransomware: Ransomware is a form of malware that essentially holds a computer system captive while demanding a ransom. The malware restricts user access to the computer either by encrypting files on the hard drive (a cryptolocker) or locking down the system and displaying messages that are intended to force the user to pay the malware creator to remove the restrictions and regain access to their computer.
Rootkits: A Rootkit is software which usually edits some core files of an operating system, in order to hide itself and malware. Rootkits can be very hard to get rid of, because they can be embedded extremely deep in the OS.
Trojans: A Trojan horse, commonly known as a “Trojan,” is a type of malware that disguises itself as a normal file or program to trick users into downloading and installing malware.
Virus: A virus is a form of malware that is capable of copying itself and spreading to other computers. Viruses often spread to other computers by attaching themselves to various programs and executing code when a user launches one of those infected programs.
Bacteria: A program which replicates itself in order to fill up memory, RAM and CPU.
Worm: Computer worms are among the most common types of malware. They spread over computer networks by exploiting operating system vulnerabilities, and execute a “payload” on infected computers which does something malicious.
Another type of malicious program is a Bot, which can be used to automatically perform tasks such as spam, etc.
TIP TO AVOID INFECTION: If you are downloading suspicious files, use a virtual machine or sandboxie to run the program in, and keep your computer safe from infection.
0 comments:
Post a Comment