Configure SSH Server
Linux Remote Service
Connect Kali Remotely
•First, SSH needs to be installed/updated:
# apt-get install openssh-server
# service ssh start
Verify that the server is up and listening using the “netstat” command:
# netstat -antp | grep ssh
Now connect with “putty.exe” to your SSH Linux servers (Kali / Ubuntu / Red Hat /
CentOS)
SSHD | SSH Server
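The netstat step above checks from inside the box. As an added example (not part of the slides), the Python below checks the same thing from the network side: it connects to the SSH port, reads the server identification string defined in RFC 4253 (SSH-protoversion-softwareversion [comments]), and flags any server that is not speaking protocol 2.0. The host, port and the banner strings used for illustration are constructed, not taken from any real server.

```python
import re
import socket
from dataclasses import dataclass
from typing import Optional

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")


@dataclass
class SshBanner:
    protoversion: str
    software: str
    comments: Optional[str]


def parse_banner(line: bytes) -> SshBanner:
    """Parse one server identification line (with or without the trailing CRLF)."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    m = BANNER_RE.match(text)
    if not m:
        raise ValueError(f"not an SSH identification string: {text!r}")
    return SshBanner(m["proto"], m["software"], m["comments"])


def is_acceptable(banner: SshBanner) -> bool:
    """Policy check: only protocol 2.0. A server announcing 1.99 still offers
    compatibility with the obsolete SSH-1 protocol and should be reviewed."""
    return banner.protoversion == "2.0"


def fetch_banner(host: str, port: int = 22, timeout: float = 3.0) -> SshBanner:
    """Connect and read the identification line. RFC 4253 allows a server to
    send other text lines first, so skip anything that does not start with SSH-."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        for _ in range(20):  # bound the number of pre-banner lines we tolerate
            line = stream.readline(255)
            if not line:
                break
            if line.startswith(b"SSH-"):
                return parse_banner(line)
    raise ConnectionError(f"no SSH identification string from {host}:{port}")


if __name__ == "__main__":
    import sys
    # Constructed default: check the local machine unless a host is given.
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    banner = fetch_banner(target)
    verdict = "OK" if is_acceptable(banner) else "REVIEW: protocol version"
    print(f"{target}: {banner.software} (protocol {banner.protoversion}) {verdict}")
```

Run it against your own hosts after enabling sshd; the software field is what an inventory should record, and a non-2.0 protocol version is the first thing to fix.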
FOOT PRINTING AND
RECONNAISSANCE
•What is Footprinting
•Active & Passive Intelligence
•Reconnaissance Tools
Let’s Get Started
Footprinting refers to uncovering and collecting as much information
as possible about the target network
What is Footprinting
Active & Passive Intelligence
Passive
•From ordinary public traffic
•Google search (email, cell# etc)
•Browse the company’s web pages
•Viewing message boards (experts-exchange.com, etc)
•Facebook, Twitter, orkut etc
•Default configurations & passwords sites
Active
•Network Scan
•Vulnerability Scan
•Ping Sweep
•Social Engineering
•Phishing
Passive Recon Resources
•Social Media (facebook, twitter, orkut, forums etc)
•Whois, iptools.com, domaintools.com
•Netcraft
•Webpage source
•Mirror Sites (httrack, wget, Sam Spade, Archive.org)
•Tracert / traceroute (Windows or Linux); note that it actually sends echo requests to the target
•DNS: nslookup,
-set type (query)
-zone transfers
-HINFO
•Robots.txt
•Service banner grabbing (on ports) via Telnet: send “HEAD / HTTP/1.0” and press Enter twice
Active Recon Resources
•DNS
•Nessus (Vulnerability Scanner)
•Nikto (Back Track 5R3)
•Email Tracking (http://www.ipaddresslocation.org/)
•Google Hacking (Search) (www.exploit-db.com)
-Intitle
-Intext
-Inurl
-Filetype
-Link
Active Recon Resources
•inurl:ftp "password" filetype:xls
•site:example.com inurl:ftp "password" filetype:xls
You should also be performing focused searches that locate all major document types
such as .pdf, .doc, .txt, .xls
Active Recon Resources
•dig (Domain Information Groper), an alternative to nslookup
# dig example.com
# dig +qr example.com any (find out their name servers)
Zone transfer using dig
# dig @ns1.example.com example.com axfr
Listing the DNS server version (usually restricted by administrators)
# dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer
Reverse DNS lookup
# dig -x <ip address>
Tracing the path
# dig +trace example.com
Active Recon Resources
•Fierce (DNS brute forcing with Fierce)
Go to the tool directory and run it:
# cd /pentest/enumeration/dns/fierce
# ./fierce -dns example.com
Active Recon Resources
•Metagoofil (a powerful metadata gathering tool)
BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default.
Open up a terminal and type the following:
# cd /pentest/enumeration/google/metagoofil
# ./metagoofil.py -h
# ./metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o /mnt -f results.html
Active Recon Resources
Some other tools that can assist you in finding more information:
Countermeasures
•Dispose of trash securely
•Configure routers/IDS/firewalls to allow only certain apps/ports/rules
•Refuse malicious traffic
•Lock down ports & protocols
•Avoid leaking web service information
•Disallow access to sensitive directories
•Evaluate your services before exposing them publicly
•Listen carefully and give only limited, specific answers when asked for information
Scanning
•What is Scanning
•CEH Scanning Methodology
•Scanning Terms
•3-way handshake
Let’s Get Started
• Port scanning is the process of checking for open TCP or UDP
ports on a remote machine. Please note that port scanning is illegal
in many countries and should not be performed outside the labs. This
is the active probing phase, which involves more direct interaction
with the target servers. It is vital that we understand the implications
of port scanning, as well as the impact that certain port scans can
have on a network.
•Scanning refers to a set of procedures for identifying hosts, ports
and services in a network
•Scanning is one step of intelligence gathering for an attacker to
create a profile of the target organization
What is Scanning
•Checking Live Systems
•Check Open Ports
•Banner Grabbing
•Prepare Proxies
•Scan for Vulnerabilities
•Draw Network Diagram
Scanning Methodology
Scanning Terms
•Network Scanning
•Port Scanning
•Vulnerability Scanning
TCP 3-Way HandShake
Scanning Tools
•Nmap
•Fping (ping sweep)
•Hping 3
•Nikto
•OpenVAS
•Netdiscover
Scanning Tools: Nmap
•Nmap online
http://nmap-online.com/
-nmap -sP 192.168.2.0/24 (ping sweep)
-nmap -sP -vv 192.168.2.0/24 (ping sweep, verbose)
-nmap -sP 192.168.2.0/24 -vv > scanresult.txt (save the scan output to a file)
-nmap -Pn 192.168.2.0/24 (treat all hosts as online; disable host discovery)
-nmap -D <decoy ip> <target ip> (decoy scan: mix in a fake source IP address)
-nmap -Pn -sP domain.com (use if an IDS or firewall blocks ICMP)
-nmap -sT 192.168.2.0/24 (TCP connect scan, full 3-way handshake; mostly used in pen testing)
-nmap -sU 192.168.2.0/24 (UDP scan)
-nmap -sL 72.249.151.31 (list scan with reverse DNS lookup)
-nmap -sT -p- -PN 192.168.2.1-254 (TCP scan, all ports, assume all hosts alive)
-nmap -iL myiplist.txt (scan the hosts listed in a text file)
-nmap -sV <target> (service version detection)
-nmap -O <target> (OS detection)
-nmap -p 139 192.168.1.* (single port across a complete IP range)
Scanning Tools
• fping
fping -a -g 192.168.2.1 192.168.2.254 > mylivehosts.txt
• nc.exe
# nc -vv -z -w2 192.168.0.10 24-26
• Unicornscan
# unicornscan 192.168.0.110
# unicornscan 192.168.0.0/24:139
Scanning Tools: Hping3
ICMP ping
hping3 -1 192.168.15.1
SYN ping
hping3 -S -p 80 -c 1 192.168.15.1
Port scan
hping3 --scan 1-130,150-200 -S 192.168.15.1 -V
Scanning Tools: OpenVAS
http://www.backtrack-linux.org/wiki/index.php/OpenVas
•Configure firewall and IDS rules to detect and block probes
•Block unwanted ports at the firewall
•Hide sensitive information from public view
•Use custom rule sets to lock down the network
•Filter inbound ICMP message types and all outbound ICMP type 3 (unreachable)
messages at border routers and firewalls
•Ensure that routing and filtering mechanisms cannot be bypassed using specific
source ports or source-routing techniques
•Understand the network configuration and its accessible ports by launching TCP
and UDP port scans along with ICMP probes against your own IP address space
Countermeasures
•If a commercial firewall is in use, ensure that:
•The latest service pack is installed
•The anti-spoofing rules have been correctly defined
•Fastmode services are not used in a Check Point Firewall-1 environment
Countermeasures
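The first countermeasure above, firewall and IDS rules that detect probes, comes down to spotting one source touching many ports in a short time. As an added example (not from the slides), the Python below implements that detector over log lines in the format iptables LOG rules write to syslog: it parses source, protocol and destination port, then slides a time window over each source's events and reports any source that hit at least a threshold of distinct ports inside the window. The log lines, addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in iptables LOG / syslog format. 192.168.2.50 touches
# six ports within two seconds; 192.168.2.77 touches two ports seven minutes apart.
SAMPLE_LOG = """\
Mar 10 14:02:01 fw kernel: [1001.1] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 10 14:02:01 fw kernel: [1001.2] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 10 14:02:02 fw kernel: [1001.3] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40003 DPT=23 SYN
Mar 10 14:02:02 fw kernel: [1001.4] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40004 DPT=25 SYN
Mar 10 14:02:03 fw kernel: [1001.5] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40005 DPT=80 SYN
Mar 10 14:02:03 fw kernel: [1001.6] DROP IN=eth0 OUT= SRC=192.168.2.50 DST=192.168.2.1 PROTO=TCP SPT=40006 DPT=139 SYN
Mar 10 14:02:05 fw kernel: [1001.7] DROP IN=eth0 OUT= SRC=192.168.2.77 DST=192.168.2.1 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 14:09:00 fw kernel: [1420.0] DROP IN=eth0 OUT= SRC=192.168.2.77 DST=192.168.2.1 PROTO=TCP SPT=51001 DPT=8080 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (timestamp, source IP, protocol, destination port), or None for lines
    that are not firewall drop records."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed default year is fine for relative timing
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return ts, m["src"], m["proto"], int(m["dpt"])


def detect_port_scans(lines, window_seconds=60, min_ports=5):
    """Map each source IP that reached `min_ports` distinct destination ports inside
    some `window_seconds` window to the largest such count it achieved."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, src, _proto, dpt = parsed
            events[src].append((ts, dpt))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        left = 0
        for right in range(len(evs)):
            # shrink the window from the left until it spans at most window_seconds
            while (evs[right][0] - evs[left][0]).total_seconds() > window_seconds:
                left += 1
            distinct = {port for _, port in evs[left:right + 1]}
            if len(distinct) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


if __name__ == "__main__":
    for src, count in detect_port_scans(SAMPLE_LOG.splitlines()).items():
        print(f"possible port scan from {src}: {count} distinct ports within 60 s")
```

Tune the window and threshold to the segment: a monitoring host that legitimately polls many ports will trip a low threshold, and a slow scan spread over hours will not trip a 60-second window, so pair this with the firewall's own rate limits rather than relying on it alone.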
Enumeration
•What is Enumeration
•NetBIOS Enumeration
•SNMP Enumeration
•LDAP enumeration with LDP.exe against a Domain Controller
Let’s Get Started
Enumeration is defined as the process of extracting user names, machine
names, network resources, shares, and services from a system
Enumeration techniques are conducted in an intranet (LAN) environment
The type of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners
Auditing settings
What is Enumeration
NetBIOS Enumeration: Superscan4
SNMP Enumeration: Look@lan
LDAP Enumeration: LDP.exe
•NetBIOS enumeration: use strong passwords
•SNMP enumeration: use SNMP v3, which supports encryption
•LDAP enumeration: by default allowed for everyone; restrict it to
authorized users only
Countermeasures
System Hacking
• Password cracking techniques / types & cracking
Let’s Get Started
Password cracking techniques
Dictionary Attacks - A dictionary file is loaded into the cracking application,
which runs it against user accounts
Brute Forcing Attacks - The program tries every combination of characters
until the password is broken
Hybrid Attack – It works like a dictionary attack, but adds some numbers and
symbols to the words from the dictionary and tries to crack the password
Syllable Attack – It is the combination of both the brute force attack and the
dictionary attack
Rule-Based Attack – This attack is used when the attacker has some
information about the password
Understanding different types of passwords
Only letters - HIJKLMNO
Only numbers - 758904
Only special characters - $@$!0
Letters and numbers - ax15oog
Only letters and special characters - m@roon$
Only numbers and special characters - @#47$
Letters, numbers, and special characters - E1n$8$
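What the password types above mean for a brute-force attack is the size of the alphabet the attacker must cover raised to the password length. As an added example (not from the slides), the Python below classifies a password into the classes listed above, computes the alphabet size and keyspace, and works out how long exhausting that keyspace takes at an assumed guess rate; it also answers the countermeasure question in reverse, the minimum length a given alphabet needs to hold out for a chosen number of years. The guess rate is a constructed assumption, not a measurement.

```python
import string

# Character classes in the order the slide lists them.
CLASSES = {
    "letters": set(string.ascii_letters),   # 52 (26 if only one case is used)
    "numbers": set(string.digits),          # 10
    "special": set(string.punctuation),     # 32
}


def classify(password: str) -> str:
    """Name the slide category a password falls into, e.g. 'letters+numbers'."""
    present = [name for name, chars in CLASSES.items() if set(password) & chars]
    return "+".join(present) if present else "other"


def charset_size(password: str) -> int:
    """Alphabet an attacker must assume once the classes present are known.
    Upper and lower case count separately only if each actually appears."""
    chars = set(password)
    size = 0
    if chars & set(string.ascii_lowercase):
        size += 26
    if chars & set(string.ascii_uppercase):
        size += 26
    if chars & set(string.digits):
        size += 10
    if chars & set(string.punctuation):
        size += len(string.punctuation)
    return size


def keyspace(password: str) -> int:
    """Number of candidates a full brute force of this class and length covers."""
    return charset_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    return keyspace(password) / guesses_per_second


def minimum_length_for(charset: int, guesses_per_second: float, years: float) -> int:
    """Smallest length whose keyspace takes at least `years` to exhaust."""
    target = guesses_per_second * years * 365 * 24 * 3600
    n = 1
    while charset ** n < target:
        n += 1
    return n


if __name__ == "__main__":
    # Assumed attacker speed for illustration only (hash-dependent in practice).
    RATE = 1e9
    samples = ["HIJKLMNO", "758904", "$@$!0", "ax15oog", "m@roon$", "@#47$", "E1n$8$"]
    print(f"{'password':<10} {'class':<24} {'alphabet':>8} {'keyspace':>14} {'hours@1e9/s':>12}")
    for pw in samples:
        hours = seconds_to_exhaust(pw, RATE) / 3600
        print(f"{pw:<10} {classify(pw):<24} {charset_size(pw):>8} {keyspace(pw):>14} {hours:>12.4f}")
    print("alphanumeric length to resist 1 year at 1e9/s:", minimum_length_for(62, RATE, 1))
```

The table makes the countermeasure concrete: every extra character multiplies the work by the alphabet size, so length buys far more than swapping one class for another, which is why the slides insist on minimum length as well as complexity.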
Passwords Attacks
Passive Online
Wire Sniffing
Man-in-the-Middle
Active Online
Password Guessing
Trojan/Spyware/Keyloggers
Passwords Attacks
Offline Attacks
Pre-computed Hashes
Rainbow Tables
Non-Electronic Attacks
Shoulder Surfing
Social Engineering
Dumpster Diving
Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008)
-Offline NT password resetter
-Cain & Abel
-Ettercap (MITM) Back Track 5
-Pwdump6 / Fgdump (dump hashes)
-L0phtCrack (LC6)
-Ophcrack (rainbow tables) http://ophcrack.sourceforge.net
-Elcomsoft Advanced Password Recovery Bundle
-Back Track 5 – dump hashes and crack
Back Track 5 – Dump windows hashes and crack
1) Identify the Windows NTFS partition ( fdisk -l )
2) Create a temporary mount folder
3) Mount the Windows HDD ( mount /dev/sda1 /mnt/mountfolder )
4) bkhive /mnt/mountfolder/WINDOWS/system32/config/system syskey.txt
5) samdump2 /mnt/mountfolder/WINDOWS/system32/config/SAM syskey.txt >
hashes.txt
6) Use the nano or vi editor to check the contents (optional)
7) john /hashfolder/hashes.txt -w:/dicfolder/wordfile.txt
Password cracked
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
- THC-Hydra (back track 5)
-Medusa (back track 5)
# medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http
-h the host you want to attack
-u the username you want to try. If there is no username use ""
-P the wordlist you want to use
-M the module you want to use
Here is the list of modules included with Back Track 5 & 5R1 Final:
# ls /usr/local/lib/medusa/modules/
Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
-John the Ripper
-Recover Keys
-Windows Password Crackers
-Proactive System Password Recovery
-Password Unlocker Bundle
-Windows Password Reset Professional
-Windows Password Reset Standard
-Windows Password Unlocker
-Win Password
-Passware Kit Enterprise
-RockXP
-Passwords Pro
-LSA Secret View
-LCP
Stealing Passwords Using USB Drive
Insert a USB drive into the victim’s computer and extract the necessary information
Microsoft Authentication
SAM Database: Windows stores user passwords in the Security Accounts Manager
database (SAM), or in the Active Directory database in domains. Passwords are never
stored in clear text; they are hashed and the results are stored in the SAM.
NTLM Authentication: The NTLM authentication protocol consists of two
authentication protocols, NTLM and LM. These protocols
use different hashing methods to securely store a user’s password in the SAM
database.
Kerberos: Microsoft has upgraded its default authentication protocol to Kerberos, a
considerably more secure option than NTLM.
More info
http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
Hash Passwords Stored in Windows SAM
Algorithms – well-defined instructions for calculating the hash functions
Kerberos – (2003 / Vista / 7 / 2008)
Strongest security; works only with Active Directory 2003 and above
Microsoft Remote Desktop Service – BSoD, a.k.a. crashing (XP, 2003, 7, 2008 R2)
Hands-on with RDPKill
Password Cracking Countermeasures
-Strong passwords should be enforced to protect against password
cracking.
-Systems should enforce 8–12-character alphanumeric passwords.
-Password length & complexity should be set
-To protect against cracking of the hashing algorithm for passwords stored on the
server, you must take care to physically isolate and protect the server.
-The system administrator can use the SYSKEY utility in Windows to further protect
hashes stored on the server’s hard disk.
-The server logs should also be monitored for brute-force attacks on user
accounts.
Password Cracking Countermeasures
System administrators can implement the following security precautions to decrease
the effectiveness of a brute-force password-cracking attempt:
-Never leave a default password.
-Never use a password that can be found in a dictionary.
-Never use a password related to the hostname, domain name, or anything else that
can be found with Whois.
-Never use a password related to your hobbies, pets, relatives, or date of birth.
-As a last resort, use a word that has more than 21 characters
-Passwords should expire after a certain amount of time so that users are forced to
change them.
Escalating Privileges
Escalating privileges basically means adding more rights or permissions to a user
account. Simply said, escalating privileges makes a regular user account into an
administrator account
Escalating Privileges
Sticky Keys – works on all Windows versions
Sticky Keys is an accessibility feature in Windows to aid users who have physical
disabilities. Press the Shift key 5 times at the logon screen and the Sticky Keys dialog shows
up.
The program that launches Sticky Keys is located at
C:\Windows\System32\sethc.exe
If sethc.exe is replaced with cmd.exe and the Shift key is pressed 5 times at the logon
screen, a command prompt opens with admin privileges
How Defend against Privilege Escalation?
-Use encryption techniques to protect sensitive data
-Restrict the interactive logon privilege
-Run users and applications with the least privilege
-Implement multi-factor authentication and authorization
-Patch the system regularly
-Run services as unprivileged accounts
Keyloggers
-Keystroke loggers are programs or hardware devices that monitor each keystroke as a
user types on a keyboard, log it to a file, or transmit it to a remote location
-Keyloggers are placed between the keyboard hardware and the operating system
-Legitimate applications for keyloggers include office and industrial settings, to
monitor employees’ computer activity, and home environments where parents
can monitor children’s activity
Keyloggers
Keyloggers
Actual Spy (monitoring systems)
www.actualspy.com
-Designed for hidden computer monitoring
-Actual Spy is capable of catching all keystrokes, capturing the screen, logging the
programs being run and closed, and monitoring the clipboard contents
Features
-Log all keystrokes
-Makes screenshots within the specified time interval
-Saves the applications running and closing
-Watches clipboard contents
-Records all print activity
-Records disk changes
-Records internet connections
-Records all websites visited
Keyloggers
Hardware Keyloggers
http://keyllama.com
http://keykatcher.com
USB Spyware
Video Spyware
IP Webcam (Android)
How to hide files – NTFS Alternate Data Stream (ADS)
-An NTFS Alternate Data Stream (ADS) is a hidden Windows stream that contains
metadata for a file such as attributes, word count, author name, and access and
modification times
-ADS makes it possible to attach data to existing files without changing or altering their
functionality, size, or appearance in file browsing utilities
-ADS allows an attacker to inject malicious code on a breached system and execute
it without being detected by the user
How to hide files – NTFS Alternate Data Stream (ADS)
How to create one
Notepad is a stream-compliant application.
Launch: C:\> notepad myfile.txt:private.txt
Click Yes to create the new file, write some lines, then save
View the file size
To modify the stream data, open the file in the same way:
notepad myfile.txt:private.txt
Steganography Technologies
Image Steganography
In image steganography, the information is hidden in image files of different formats
such as .PNG, .JPG, .BMP, etc.
Image steganography tools replace redundant bits of image data with the message
in such a way that the effect cannot be detected by the human eye
Download Images Steganography Tools
http://www.stegoarchive.com
Demo - Image Hide
Steganography Technologies
More steganography types:
- Document
- Video
- Audio
- Folder
Steganography Technologies
Spam/Email Steganography – Spam Mimic
online
http://www.spammimic.com
Skype Logview
http://www.nirsoft.net/utils/skype_log_view.html
Covering Your Tracks
-Once intruders have successfully gained administrator access on a system, they will
try to cover their tracks to avoid detection
-When all the information of interest has been stripped from the target, the
intruder installs several backdoors so that he or she can gain easy access in the
future
Covering Your Tracks
Why Cover Tracks?
-They can attack again
-They can cover their tracks to avoid detection
-They can install backdoors to gain access in the future
Tool:
CCleaner
Ettercap Packet Sniffing
Ettercap Packet Sniffing
ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (computer to router)
ettercap -T -M arp -i eth0 // // (all computers)
ettercap -T -M arp -i eth0 // // -w file.cap (all computers, saving the data to a file)
Press q or Ctrl+C to stop
cat file.cap | grep -a http
Ettercap Packet & Driftnet
driftnet -i eth0
ettercap -T -Q -M arp -i eth0 // //
Ettercap Packet
HTTP ARP poisoning
DHCP spoofing
Port stealing
HTTPS sniffing
/usr/local/etc/etter.conf (uncomment in the “linux” section – 2nd row)
echo "1" > /proc/sys/net/ipv4/ip_forward
Filters
/usr/local/share/ettercap
etterfilter converts the Ettercap filter example source files to .ef
Ettercap Packet
Ettercap – IronGeek dangerous filter
http://www.irongeek.com/i.php?page=security/ettercapfilter
Copy the above script into a file and convert it to .ef (etterfilter filename -o newfile.ef)
Plugins
dns_spoof
isolate
DoS_attack & find_ip
gateway_discover
search_promisc
arp_cop
Passive OS fingerprinting
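The ARP poisoning that ettercap performs above, and the arp_cop plugin that reports it, both come down to one observable: the MAC address answering for an IP changes, and one MAC starts answering for several IPs. As an added example (not from the slides or from ettercap), the Python below implements that detection over a constructed list of ARP replies as a monitoring host on the segment would record them, using the router and workstation addresses from the ettercap command above and a constructed table of trusted mappings.

```python
from collections import defaultdict

# Constructed observations of ARP replies: (time, sender IP, sender MAC).
# 192.168.1.1 is the router and 192.168.1.8 the workstation from the command above.
SAMPLE_ARP_REPLIES = [
    ("14:00:01", "192.168.1.1", "00:11:22:33:44:01"),
    ("14:00:02", "192.168.1.8", "00:11:22:33:44:08"),
    ("14:00:30", "192.168.1.1", "00:11:22:33:44:01"),
    ("14:01:00", "192.168.1.1", "AA:BB:CC:DD:EE:FF"),  # router IP now claimed by a new MAC
    ("14:01:00", "192.168.1.8", "AA:BB:CC:DD:EE:FF"),  # same MAC also claims the workstation
]

# Known-good mappings for hosts whose MAC must never change (constructed).
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return (alerts, multi).

    alerts: one record per reply whose MAC conflicts with the trusted table or
            with the mapping previously learned for that IP.
    multi:  MACs that answered for more than one IP, mapped to those IPs; a
            poisoner impersonating both ends of a conversation shows up here.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    learned = {}
    alerts = []
    by_mac = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        by_mac[mac].add(ip)
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old": trusted[ip], "new": mac,
                           "reason": "conflicts with trusted mapping"})
        elif ip in learned and learned[ip] != mac:
            alerts.append({"time": ts, "ip": ip, "old": learned[ip], "new": mac,
                           "reason": "MAC changed"})
        learned[ip] = mac
    multi = {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}
    return alerts, multi


if __name__ == "__main__":
    alerts, multi = detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED)
    for a in alerts:
        print(f"{a['time']} {a['ip']}: {a['old']} -> {a['new']} ({a['reason']})")
    for mac, ips in multi.items():
        print(f"{mac} answered for {len(ips)} IPs: {', '.join(ips)}")
```

A trusted table for the gateway is what turns a noisy "MAC changed" signal into a firm alert; without it the detector still fires, but only after it has first learned the legitimate mapping, so it should be fed from a point before the segment is shared with untrusted hosts.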
Web Hacking
(1) Install WebGoat and run it
(2) Install the Tamper Data add-on in Firefox
(3) Run Burp Suite
In OWASP WebGoat:
Access Control Flaws > Bypass a Path Based Access Control Scheme >
/../../../../conf/server.xml
Injection Flaws > String SQL Injection
X' or 'a'='a
Improper Error Handling
Parameter Tampering
OWASP – WebGoat
WebGoat OWASP Web/SQL/App Hacking Practitioner
CSS – Cross Site Script & SQL
Stored XSS
Stored XSS revisited
Reflected XSS (search staff)
"><script>alert("Teste")</script>
String SQL injection (Smith' or 'a' = 'a) with Tamper Data
Deface Website
Webdav Shell Maker
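The two WebGoat payloads above, the string SQL injection and the reflected XSS, each work because user input is spliced into a language it was never meant to be part of. As an added example (not from the slides or from WebGoat), the Python below puts the vulnerable pattern next to its fix for both: a query built by string concatenation against a parameterized one, and an input value reflected raw into HTML against one passed through html.escape. The in-memory SQLite table and its rows are constructed stand-ins for WebGoat's employee data.

```python
import html
import sqlite3

# Payloads exactly as they appear in the WebGoat exercises above.
SQLI_PAYLOAD = "Smith' or 'a' = 'a"
XSS_PAYLOAD = '"><script>alert("Teste")</script>'


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for WebGoat's employee data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER PRIMARY KEY, last_name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees (last_name, salary) VALUES (?, ?)",
                     [("Smith", 50000), ("Jones", 62000), ("Lee", 71000)])
    return conn


def lookup_vulnerable(conn, last_name: str) -> list:
    # The input is spliced into the SQL text, so a quote in it becomes SQL grammar
    # and "or 'a' = 'a'" widens the WHERE clause to every row.
    sql = "SELECT last_name FROM employees WHERE last_name = '" + last_name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_parameterized(conn, last_name: str) -> list:
    # The driver binds the value separately; it can never change the statement's shape.
    sql = "SELECT last_name FROM employees WHERE last_name = ?"
    return sorted(row[0] for row in conn.execute(sql, (last_name,)))


def render_search_vulnerable(term: str) -> str:
    # Reflected into an attribute unescaped: the payload closes the attribute and the tag.
    return '<input name="q" value="' + term + '">'


def render_search_escaped(term: str) -> str:
    # html.escape(quote=True) turns &, <, >, " and ' into entities, so the browser
    # renders the payload as text inside the attribute instead of parsing it.
    return '<input name="q" value="' + html.escape(term, quote=True) + '">'


if __name__ == "__main__":
    db = make_db()
    print("concatenated :", lookup_vulnerable(db, SQLI_PAYLOAD))
    print("parameterized:", lookup_parameterized(db, SQLI_PAYLOAD))
    print("raw reflect  :", render_search_vulnerable(XSS_PAYLOAD))
    print("escaped      :", render_search_escaped(XSS_PAYLOAD))
```

Tamper Data and Burp Suite are how the exercise submits these strings; the fix is on the server, and the two hardened functions show that it is a matter of keeping data and code in separate channels (bound parameters, contextual output encoding) rather than filtering quote characters.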

Weitere ähnliche Inhalte

Was ist angesagt?

CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsSam Bowne
 
Using metasploit
Using metasploitUsing metasploit
Using metasploitCyberRad
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking GuideAryan G
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniquesamiable_indian
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricataMrArora Arjuna
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanOWASP Delhi
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling RecipesOSOCO
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide Bishop Fox
 

Was ist angesagt? (20)

Snort-IPS-Tutorial
Snort-IPS-TutorialSnort-IPS-Tutorial
Snort-IPS-Tutorial
 
CNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis ToolsCNIT 50: 6. Command Line Packet Analysis Tools
CNIT 50: 6. Command Line Packet Analysis Tools
 
Using metasploit
Using metasploitUsing metasploit
Using metasploit
 
Backtrack
BacktrackBacktrack
Backtrack
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Nmap scripting engine
Nmap scripting engineNmap scripting engine
Nmap scripting engine
 
Dynamic Port Scanning
Dynamic Port ScanningDynamic Port Scanning
Dynamic Port Scanning
 
Nmap Hacking Guide
Nmap Hacking GuideNmap Hacking Guide
Nmap Hacking Guide
 
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentationMacOS forensics and anti-forensics (DC Lviv 2019) presentation
MacOS forensics and anti-forensics (DC Lviv 2019) presentation
 
Hacking the swisscom modem
Hacking the swisscom modemHacking the swisscom modem
Hacking the swisscom modem
 
Nmap for Scriptors
Nmap for ScriptorsNmap for Scriptors
Nmap for Scriptors
 
Hacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning TechniquesHacking With Nmap - Scanning Techniques
Hacking With Nmap - Scanning Techniques
 
Fileextraction with suricata
Fileextraction with suricataFileextraction with suricata
Fileextraction with suricata
 
Backtrack os 5
Backtrack os 5Backtrack os 5
Backtrack os 5
 
Wireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit RanjanWireless security beyond password cracking by Mohit Ranjan
Wireless security beyond password cracking by Mohit Ranjan
 
SSH Tunneling Recipes
SSH Tunneling RecipesSSH Tunneling Recipes
SSH Tunneling Recipes
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
Snort
SnortSnort
Snort
 
NMAP
NMAPNMAP
NMAP
 
Penetration Testing Resource Guide
Penetration Testing Resource Guide Penetration Testing Resource Guide
Penetration Testing Resource Guide
 

Andere mochten auch

Andere mochten auch (20)

Anatomy Of Hack
Anatomy Of HackAnatomy Of Hack
Anatomy Of Hack
 
CTAP
CTAPCTAP
CTAP
 
Scanning Techniques
Scanning TechniquesScanning Techniques
Scanning Techniques
 
Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security Policy Round table 2: Climate Change and Food Security
Policy Round table 2: Climate Change and Food Security
 
NSE7
NSE7NSE7
NSE7
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
CTAP
CTAPCTAP
CTAP
 
Ceh v5 module 02 footprinting
Ceh v5 module 02 footprintingCeh v5 module 02 footprinting
Ceh v5 module 02 footprinting
 
Elebda3.net 4395
Elebda3.net 4395Elebda3.net 4395
Elebda3.net 4395
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
Network Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting ToolsNetwork Scanning Phases and Supporting Tools
Network Scanning Phases and Supporting Tools
 
Wi fi in arabic
Wi fi in arabicWi fi in arabic
Wi fi in arabic
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
Faculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong worldFaculty of Engineering - Tanta University- Programmong world
Faculty of Engineering - Tanta University- Programmong world
 
IT
ITIT
IT
 
Linux02 install SSh
Linux02 install SShLinux02 install SSh
Linux02 install SSh
 
Cisco network security Chapter7
Cisco network security Chapter7Cisco network security Chapter7
Cisco network security Chapter7
 
Fortinet & VMware integration
Fortinet & VMware integrationFortinet & VMware integration
Fortinet & VMware integration
 
Introduction to security
Introduction to securityIntroduction to security
Introduction to security
 
Fortinet sandboxing
Fortinet sandboxingFortinet sandboxing
Fortinet sandboxing
 

Ähnlich wie Penetration Testing Boot CAMP

Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunickamiable_indian
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wireInfoSec Addicts
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101dc612
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptcemporku
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdftehkotak4
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat Security Conference
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisGTKlondike
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationJorge Orchilles
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence Sam Bowne
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware AnalysisAndrew McNicol
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptIwan89629
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityAPNIC
 

Ähnlich wie Penetration Testing Boot CAMP (20)

Intro To Hacking
Intro To HackingIntro To Hacking
Intro To Hacking
 
snort.ppt
snort.pptsnort.ppt
snort.ppt
 
Hacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria GrunickHacking Fundamentals - Jen Johnson , Miria Grunick
Hacking Fundamentals - Jen Johnson , Miria Grunick
 
Threat hunting on the wire
Threat hunting on the wireThreat hunting on the wire
Threat hunting on the wire
 
DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101DC612 Day - Hands on Penetration Testing 101
DC612 Day - Hands on Penetration Testing 101
 
Modul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.pptModul 2 - Footprinting Scanning Enumeration.ppt
Modul 2 - Footprinting Scanning Enumeration.ppt
 
modul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdfmodul2-footprintingscanningenumeration.pdf
modul2-footprintingscanningenumeration.pdf
 
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
BlueHat v17 || Dyre to Trickbot: An Inside Look at TLS-Encrypted Command-And-...
 
Open source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysisOpen source network forensics and advanced pcap analysis
Open source network forensics and advanced pcap analysis
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
BackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA PresentationBackTrack 4 R2 - SFISSA Presentation
BackTrack 4 R2 - SFISSA Presentation
 
Database Firewall with Snort
Database Firewall with SnortDatabase Firewall with Snort
Database Firewall with Snort
 
ch11.ppt
ch11.pptch11.ppt
ch11.ppt
 
Security Onion
Security OnionSecurity Onion
Security Onion
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence CNIT 152: 9 Network Evidence
CNIT 152: 9 Network Evidence
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Introduction to Malware Analysis
Introduction to Malware AnalysisIntroduction to Malware Analysis
Introduction to Malware Analysis
 
an_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.pptan_introduction_to_network_analyzers_new.ppt
an_introduction_to_network_analyzers_new.ppt
 
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network SecurityMMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
MMIX Peering Forum and MMNOG 2020: Packet Analysis for Network Security
 

Penetration Testing Boot CAMP

  • 1. Configure SSH Server Linux Remote Service Connect Kali Remotely
  • 2. •First SSH need to be install/update # apt-get install openssh-server # service ssh start Verify that the server is up and listening using the “netstat” command #netstat -antp |grep ssh Now connect with “putty.exe” to your SSH linux servers (Kali/ ubuntu / redhat / centos) SSHD | SSH Server
  • 4. •What is Foorprinting •Active & Passive Intelligence •Reconnaissance Tools Let’s Get Start into
  • 5. Footprinting refers to uncovering and collecting as much information as possible about target network What is Footprinting
  • 6. Active & Passive Intelligence Passive •From ordinary public traffic •Google search (email, cell# etc) •Browser company’s WebPages •Viewing message boards (experts-exchange.com, etc) •Facebook, Twitter, orkut etc •Default configurations & passwords sites Active •Network Scan •Vulnerability Scan •Ping Sweep •Social Engineering •Phishing
  • 7. Passive Recon Resources •Social Media (facebook, twitter, orkut, forums etc) •Whois, iptools.com, domaintools.com •Netcraft •Webpage source •Mirror Sites (httrack, wget, Sam Spade, Archive.org) •Tracert /traceroute (windows or Linux) send echo request actually •DNS: nslookup, -set type (query) -zone transfers -HINFO •Robots.txt •Service Banner Grabbing (on ports) via Telnet (HEAD / HTTP/1.0) “ENTER TWICE”
  • 8. Active Recon Resources •DNS •Nessus (Vulnerability Scanner) •Nikto (Back Track 5R3) •Email Tracking (http://www.ipaddresslocation.org/) •Google Hacking (Search) (www.exploit-db.com) -Intitle -Intext -Inurl -Filetype -Link
  • 9. Active Recon Resources •inurl:ftp "password" filetype:xls •site:example.com inurl:ftp "password" filetype:xls You should also be performing focused searches that locate all major document types such as .pdf, .doc, .txt, .xls
  • 10. Active Recon Resources •dig (Domain Information Groper) Alternative to nslookup # dig example.com #dig +qr example.com any (find out their name servers) Zone Transfer using DIG # dig @ns1.example.com example.com axfr Listing the DNS version (restrict by default by administrators) #dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer Reverse DNS Lookup #dig –x ipaddress Tracing the Path #dig +trace example.com
  • 11. Active Recon Resources
    •Fierce (DNS brute forcing with fierce)
    # cd /pentest/enumeration/dns/fierce
    # ./fierce -dns example.com
  • 12. Active Recon Resources
    •Metagoofil (a powerful metadata gathering tool)
    BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default. Open up a terminal and type the following:
    # cd /pentest/enumeration/google/metagoofil
    # ./metagoofil.py -h
    # metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o /mnt -f results.html
  • 13. Active Recon Resources
    Some tools that would assist you in finding more information:
  • 14. Countermeasures
    •Trash securely
    •Router/IDS/Firewalls to allow only certain apps/ports/rules
    •Refuse malicious traffic
    •Lock down ports & protocols
    •Avoid leaking web service information
    •Disallow sensitive directories
    •Evaluate your services before exposing them publicly
    •Listen carefully and give only limited, specific answers
  • 16. Let’s Get Started
    •What is Scanning
    •CEH Scanning Methodology
    •Scanning Terms
    •3-way handshake
  • 17. What is Scanning
    •Port scanning is the process of checking for open TCP or UDP ports on a remote machine. Please note that port scanning is illegal in many countries and should not be performed outside the labs. This is the active probing phase, which involves more direct interaction with the target servers. It is vital that we understand the implications of port scanning, as well as the impact that certain port scans can have on a network.
    •Scanning refers to a set of procedures for identifying hosts, ports and services in a network
    •Scanning is one step of intelligence gathering for an attacker to create a profile of the target organization
  • 18. Scanning Methodology
    •Checking Live Systems
    •Check Open Ports
    •Banner Grabbing
    •Prepare Proxies
    •Scan for Vulnerabilities
    •Draw Network Diagram
  • 19. Scanning Terms
    •Network Scanning
    •Port Scanning
    •Vulnerability Scanning
  • 21. Scanning Tools
    •Nmap
    •Fping (ping sweep)
    •Hping 3
    •Nikto
    •OpenVAS
    •Netdiscover
  • 22. Scanning Tools: Nmap
    •Nmap online http://nmap-online.com/
    -nmap -sP 192.168.2.0/24 (scan with ping sweep)
    -nmap -sP -vv 192.168.2.0/24 (scan with verbose output)
    -nmap -sP 192.168.2.0/24 -vv > scanresult.txt (save scan to an output file)
    -nmap -Pn 192.168.2.0/24 (treat all hosts as online, disable host discovery)
    -nmap -D <forge ip> <target ip> (scan with a decoy/fake IP address)
    -nmap -Pn -sP domain.com (scan if IDS or firewall blocks ICMP)
    -nmap -sT 192.168.2.0/24 (scan with 3-way handshake, mostly used in pen testing)
    -nmap -sU 192.168.2.0/24 (scan UDP)
    -nmap -sL 72.249.151.31 (Reverse DNS List Scan)
    -nmap -sT -p- -PN 192.168.2.1-254 (TCP scan, all ports, assume all hosts alive)
    -nmap -iL myiplist.txt (scan hosts provided by a text file)
    -nmap -sV (version scanning)
    -nmap -O (OS detection)
    -nmap -p 139 192.168.1.* (single port over a complete IP range)
  • 23. Scanning Tools
    • fping
    fping -a -g 192.168.2.1 192.168.2.1 > mylivehosts.txt
    • nc.exe
    # nc -vv -z -w2 192.168.0.10 24-26
    • Unicornscan
    # unicornscan 192.168.0.110
    # unicornscan 192.168.0.0/24:139
  • 24. Scanning Tools: Hping3
    ICMP Ping
    hping3 -1 192.168.15.1
    SYN Ping
    hping3 -S -p 80 -c 1 192.168.15.1
    Port Scan
    hping3 --scan 1-130,150-200 -S 192.168.15.1 -V
  • 26. Countermeasures
    •Configure firewall and IDS rules to detect and block probes/searches
    •Block unwanted ports at the firewall
    •Hide sensitive information from public view
    •Use custom rule sets to lock down the network
    •Filter inbound ICMP message types and all outbound ICMP type 3 unreachable messages at border routers and firewalls
    •Ensure that routing and filtering mechanisms cannot be bypassed using specific source ports or source-routing techniques
    •Understand the network configuration and its accessible ports by launching TCP and UDP port scans along with ICMP probes against your own IP address space
  • 27. Countermeasures
    •If a commercial firewall is in use, ensure that:
      •The latest service pack is installed
      •The anti-spoofing rules have been correctly defined
      •Fastmode services are not used in a Check Point Firewall-1 environment
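A defender-side counterpart to the "detect probes" countermeasure, added here as an example (not from the deck): it parses constructed firewall log lines (the SRC=/DST=/PROTO=/DPT= fields follow the iptables LOG target layout; the leading epoch timestamp and the 60-second / 10-port thresholds are assumptions) and flags any source that touches many distinct ports in a short window, which is what the nmap and hping3 sweeps above look like from the target's side.

```python
import re
from collections import defaultdict

# Assumed log layout: "<epoch> host kernel: IN=... SRC=a.b.c.d DST=... PROTO=TCP ... DPT=n"
LOG_RE = re.compile(
    r"^(?P<ts>\d+)\s+.*SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (int(m.group("ts")), m.group("src"), m.group("dst"),
            m.group("proto"), int(m.group("dpt")))

def detect_port_scans(lines, window=60, port_threshold=10):
    """Flag sources that hit >= port_threshold distinct (dst, proto, port)
    targets within `window` seconds; returns {src: max distinct targets seen}."""
    events = defaultdict(list)  # src -> [(ts, (dst, proto, dport)), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            ts, src, dst, proto, dpt = rec
            events[src].append((ts, (dst, proto, dpt)))
    alerts = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):          # sliding window over time-ordered events
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {target for _, target in evs[start:end + 1]}
            if len(distinct) >= port_threshold:
                alerts[src] = max(alerts.get(src, 0), len(distinct))
    return alerts

# Constructed sample: 10.0.0.5 sweeps 12 ports in 11 s; 10.0.0.9 makes two normal connections.
SAMPLE_LOG = [
    f"{1000 + i} fw kernel: IN=eth0 SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=4444 DPT={20 + i} SYN"
    for i in range(12)
] + [
    "1005 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=443 SYN",
    "1300 fw kernel: IN=eth0 SRC=10.0.0.9 DST=10.0.0.1 PROTO=TCP SPT=51001 DPT=80 SYN",
]

if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))  # {'10.0.0.5': 12}
```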
  • 29. Let’s Get Started
    •What is Enumeration
    •NetBIOS Enumeration
    •SNMP Enumeration
    •LDAP with Domain Controller
  • 30. What is Enumeration
    Enumeration is defined as the process of extracting user names, machine names, network resources, shares, and services from a system
    Enumeration techniques are conducted in an intranet (LAN) environment
    The type of information enumerated by intruders:
    -Network resources and shares
    -Users and groups
    -Applications and banners
    -Auditing settings
  • 34. Countermeasures
    •NetBIOS Enumeration: use strong passwords
    •SNMP Enumeration: use SNMPv3, which has encryption
    •LDAP Enumeration: allowed for everyone by default; restrict it to authorized users only
  • 36. Let’s Get Started
    •Password cracking techniques / types & cracking
  • 37. Password cracking techniques
    Dictionary Attacks – A dictionary file is loaded into the cracking application that runs against user accounts
    Brute Forcing Attacks – The program tries every combination of characters until the password is broken
    Hybrid Attack – It works like a dictionary attack, but adds some numbers and symbols to the words from the dictionary and tries to crack the password
    Syllable Attack – It is the combination of both the brute force attack and the dictionary attack
    Rule-Based Attack – This attack is used when the attacker has some information about the password
  • 38. Understanding different types of passwords
    Only letters – HIJKLMNO
    Only numbers – 758904
    Only special characters – $@$!0
    Letters and numbers – ax15oog
    Only letters and special characters – m@roon$
    Only numbers and special characters – @#47$
    Letters, numbers, and special characters – E1n$8$
  • 39. Passwords Attacks
    Passive Online
    -Wire Sniffing
    -Man-in-the-Middle
    Active Online
    -Password Guessing
    -Trojan/Spyware/Keyloggers
  • 40. Passwords Attacks
    Offline Attacks
    -Pre-computed Hashes
    -Rainbow Tables
    Non-Electronic Attacks
    -Shoulder Surfing
    -Social Engineering
    -Dumpster Diving
  • 41. Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008)
    -Offline NT password re-setter
    -Cain & Abel
    -Ettercap (MITM) Back Track 5
    -Pwdump6 / Fgdump (dump hashes)
    -L0phtCrack (LC6)
    -Ophcrack (rainbow tables) http://ophcrack.sourceforge.net
    -Elcomsoft Advanced Password Recovery Bundle
    -Back Track 5 – dump hashes and crack
  • 42. Back Track 5 – Dump windows hashes and crack
    1) Locate the Windows NTFS partition (fdisk -l)
    2) Create a temp folder
    3) Mount the Windows HDD (mount /dev/sda1 /mountfolder)
    4) bkhive /winhash/WINDOWS/system32/config/system syskey.txt
    5) samdump2 /mnt/mountfolder/windows/system32/config/SAM syskey.txt > hashes.txt
    6) Use the nano or vi editor to check the contents (optional)
    7) john /hashfolder/hashes.txt -w:/dicfolder/wordfile.txt
    Password cracked
  • 43. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
    -THC-Hydra (back track 5)
    -Medusa (back track 5)
    # medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http
    -h the host you want to attack
    -u the username you want to try. If there is no username use ""
    -P the wordlist you want to use
    -M the module you want to use
    Here is the list of modules included with Back Track 5 & 5R1 Final:
    # ls /usr/local/lib/medusa/modules/
  • 44. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
    -John the Ripper
    -Recover Keys
    -Windows Password Crackers
    -Proactive System Password Recovery
    -Password Unlocker Bundle
    -Windows Password Reset Professional
    -Windows Password Reset Standard
    -Windows Password Unlocker
    -Win Password
    -Passware Kit Enterprise
    -RockXP
    -Passwords Pro
    -LSA Secret View
    -LCP
  • 45. Stealing Passwords Using USB Drive
    Insert the USB drive into the victim’s computer and extract the necessary information
  • 46. Microsoft Authentication
    SAM Database: Windows stores user passwords in the Security Accounts Manager (SAM) database, or in the Active Directory database in domains. Passwords are never stored in clear text; they are hashed and the results are stored in the SAM
    NTLM Authentication: The NTLM authentication protocol consists of two authentication protocols, NTLM and LM. These protocols use different hashing methods to securely store a user’s password in the SAM database.
    Kerberos: Microsoft has upgraded its default authentication protocol to Kerberos, a considerably more secure option than NTLM
    More info: http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
  • 47. Hash Passwords Stored in Windows SAM
  • 48. Algorithms – well-defined instructions for calculating the functions
    Kerberos – (2003 / vista / 7 / 2008) Greatest security; works only on Active Directory 2003 and above
  • 49. Microsoft Remote Desktop Service – BSoD a.k.a. Crashing (XP, 2003, 7, 2008 R2)
    Hands-on with RDPKill
  • 50. Password Cracking Countermeasures
    -The strongest passwords should be implemented to protect against password cracking.
    -Systems should enforce 8–12-character alphanumeric passwords.
    -Password length & complexity should be set
    -To protect against cracking of the hashing algorithm for passwords stored on the server, you must take care to physically isolate and protect the server.
    -The system administrator can use the SYSKEY utility in Windows to further protect hashes stored on the server’s hard disk.
    -The server logs should also be monitored for brute-force attacks on user accounts.
  • 51. Password Cracking Countermeasures
    System administrators can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt:
    -Never leave a default password.
    -Never use a password that can be found in a dictionary.
    -Never use a password related to the hostname, domain name, or anything else that can be found with Whois.
    -Never use a password related to your hobbies, pets, relatives, or date of birth.
    -As a last resort, use a word that has more than 21 characters
    -Passwords should expire after a certain amount of time so that users are forced to change them.
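The countermeasures on slides 50 and 51 can be enforced programmatically. The checker below is an added example, not part of the deck: the dictionary, the hostname and the personal-data inputs are constructed, and a real deployment would load a full wordlist. It also undoes common symbol substitutions, so the slide 38 sample m@roon$ is still caught as the dictionary word "maroon".

```python
import re

# Constructed mini dictionary; a real deployment would load a full wordlist file.
DICTIONARY = {"password", "letmein", "maroon", "welcome", "summer"}
# Common substitutions undone before the dictionary check, so "m@roon$" still matches "maroon".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})

def password_findings(pw, hostname="", domain="", personal=(), dictionary=DICTIONARY, min_len=8):
    """Return the policy violations for `pw` (an empty list means it passes):
    minimum length, at least three character classes, no dictionary word,
    nothing derived from the hostname/domain (Whois-visible) or personal data."""
    findings = []
    if len(pw) < min_len:
        findings.append(f"shorter than {min_len} characters")
    classes = sum(re.search(p, pw) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("fewer than three character classes")
    lowered = pw.lower()
    deleeted = lowered.translate(LEET)
    for word in sorted(dictionary):
        if word in lowered or word in deleeted:
            findings.append(f"contains dictionary word '{word}'")
    for label, value in (("hostname", hostname), ("domain", domain)):
        for part in re.split(r"[.\-]", value.lower()):   # fileserver.corp.example.com -> parts
            if len(part) >= 3 and part in lowered:
                findings.append(f"contains {label} fragment '{part}'")
    for item in personal:                                # pet names, relatives, birth dates
        if item and item.lower() in lowered:
            findings.append(f"contains personal information '{item}'")
    return findings

if __name__ == "__main__":
    for candidate in ("E1n$8$", "m@roon$", "ax15oog", "Tr0ub4dor&3-Xq9!"):
        print(candidate, "->", password_findings(candidate) or "OK")
```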
  • 52. Escalating Privileges
    Escalating privileges basically means adding more rights or permissions to a user account. Simply said, escalating privileges turns a regular user account into an administrator account
  • 53. Escalating Privileges
    Sticky Keys – works on all Windows versions
    Sticky Keys is an accessibility feature in Windows OS to aid users who have physical disabilities. Press the Shift key 5 times at the logon screen and the Sticky Keys dialog shows up
    The program that launches Sticky Keys is located at c:\windows\system32\sethc.exe
    If we replace sethc.exe with cmd.exe and then press the Shift key 5 times at the logon screen, we will get a command prompt with admin privileges
  • 54. How to Defend against Privilege Escalation?
    -Use encryption techniques to protect sensitive data
    -Restrict the interactive logon privilege
    -Run users and applications with the least privilege
    -Implement multi-factor authentication and authorization
    -Patch the system regularly
    -Run services as unprivileged accounts
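A detection for the sethc.exe swap on slide 53, written as an added example (not from the deck): it hashes the logon-screen accessibility helpers in a System32 directory and reports any whose bytes are identical to a shell binary. Checking utilman.exe and osk.exe alongside sethc.exe is this example's extension of the slide; the directory is a parameter so the check can also be pointed at an offline disk image.

```python
import hashlib
import os
from pathlib import Path

# Helpers Windows launches from the logon screen; sethc.exe is the one on the slide,
# the others are the same class of binary and are checked here as well.
ACCESSIBILITY_BINARIES = ["sethc.exe", "utilman.exe", "osk.exe"]
SHELLS = ["cmd.exe", "powershell.exe"]

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_accessibility_binaries(system32):
    """Return {accessibility_binary: shell_it_matches} for every helper in `system32`
    whose content is byte-identical to cmd.exe / powershell.exe, i.e. the swap above."""
    system32 = Path(system32)
    shell_hashes = {}
    for name in SHELLS:
        p = system32 / name
        if p.is_file():
            shell_hashes[sha256_of(p)] = name
    swapped = {}
    for name in ACCESSIBILITY_BINARIES:
        p = system32 / name
        if p.is_file() and sha256_of(p) in shell_hashes:
            swapped[name] = shell_hashes[sha256_of(p)]
    return swapped

if __name__ == "__main__":
    # On a live Windows host; on other platforms the path does not exist and {} is returned.
    root = os.environ.get("SystemRoot", r"C:\Windows")
    print(check_accessibility_binaries(os.path.join(root, "System32")))
```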
  • 55. Keyloggers
    -Keystroke loggers are programs or hardware devices that monitor each keystroke as the user types on a keyboard, and log them to a file or transmit them to a remote location
    -Keyloggers are placed between the keyboard hardware and the operating system
    -Legitimate applications for keyloggers include office and industrial settings, to monitor employees’ computer activities, and home environments, where parents can monitor and spy on children’s activity
  • 57. Keyloggers
    Actual Spy (monitoring system) www.actualspy.com
    -Designed for hidden computer monitoring
    -Actual Spy is capable of catching all keystrokes, capturing the screen, logging the programs being run and closed, and monitoring the clipboard contents
    Features
    -Logs all keystrokes
    -Makes screenshots within the specified time interval
    -Saves the applications running and closing
    -Watches clipboard contents
    -Records all print activity
    -Records disk changes
    -Records internet connections
    -Records all websites visited
  • 61. How to hide files – NTFS Alternate Data Stream (ADS)
    -NTFS Alternate Data Stream (ADS) is a hidden Windows stream which contains metadata for files such as attributes, word count, author name, and access and modification time of the file
    -ADS is the ability to split data into existing files without changing or altering their functionality, size, or display to the file browsing utilities
    -ADS allows an attacker to inject malicious code on a breached system and execute it without being detected by the user
  • 62. How to hide files – NTFS Alternate Data Stream (ADS)
    How to create: Notepad is a stream-compliant application
    Launch: c:\> notepad myfile.txt:private.txt
    Click Yes to create the new file, write some lines, then save
    View the file size
    To modify the stream data, open the file in the same way: notepad myfile.txt:private.txt
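An added example (not from the deck) of finding streams like myfile.txt:private.txt from the defender's side: it parses the output of `dir /r`, which lists every named $DATA stream next to its file, and returns the ones that are not routinely present. The sample listing is constructed, the column layout is assumed to be the default English `dir` format, and treating Zone.Identifier as benign is a choice for this example.

```python
import re

# A stream line in `dir /r` output (assumed default layout) looks like:
#                     27 myfile.txt:private.txt:$DATA
STREAM_RE = re.compile(r"^\s*(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:]+):\$DATA\s*$")

# Zone.Identifier is written by browsers on every download; not suspicious on its own.
BENIGN_STREAMS = {"Zone.Identifier"}

def find_alternate_streams(dir_r_output):
    """Parse `dir /r` text and return [(file, stream, size_bytes), ...] for every named
    data stream except the benign ones. The unnamed main stream appears as an ordinary
    file line (with a date), so only ':name:$DATA' lines are picked up."""
    found = []
    for line in dir_r_output.splitlines():
        m = STREAM_RE.match(line)
        if not m or m.group("stream") in BENIGN_STREAMS:
            continue
        size = int(m.group("size").replace(",", ""))
        found.append((m.group("file"), m.group("stream"), size))
    return found

# Constructed `dir /r` listing of a folder containing the slide's example file.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\demo

10/10/2013  09:12 AM    <DIR>          .
10/10/2013  09:12 AM    <DIR>          ..
10/10/2013  09:14 AM                 0 myfile.txt
                                    27 myfile.txt:private.txt:$DATA
10/10/2013  09:15 AM             1,024 report.pdf
                                    26 report.pdf:Zone.Identifier:$DATA
               2 File(s)          1,024 bytes
"""

if __name__ == "__main__":
    for path, stream, size in find_alternate_streams(SAMPLE_DIR_R):
        print(f"{path}:{stream}  ({size} bytes hidden in an alternate stream)")
```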
  • 63. Steganography Technologies
    Image Steganography
    In image steganography, the information is hidden in image files of different formats such as .PNG, .JPG, .BMP, etc.
    Image steganography tools replace redundant bits of image data with the message in such a way that the effect cannot be detected by human eyes
    Download image steganography tools: http://www.stegoarchive.com
    Demo – Image Hide
  • 64. Steganography Technologies
    More steganography
    -Document
    -Video
    -Audio
    -Folder
  • 65. Steganography Technologies
    Spam/Email Steganography – Spam Mimic online http://www.spammimic.com
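To make the "replace redundant bits" mechanism of slide 63 concrete, here is an added LSB embed/extract example on a constructed greyscale sample array (it is not one of the linked tools, which operate on real image files). The max_sample_change helper shows why the alteration is invisible to the eye yet still measurable, which is what steganalysis relies on.

```python
def embed_lsb(pixels, message):
    """Return a copy of `pixels` (0-255 sample values) with `message` written into the
    least significant bits, preceded by a 32-bit big-endian length prefix."""
    data = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError(f"cover too small: need {len(bits)} samples, have {len(pixels)}")
    out = list(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit   # touch only the lowest bit of each sample
    return out

def extract_lsb(pixels):
    """Inverse of embed_lsb: read the length prefix, then that many bytes."""
    def read_bytes(start, count):
        value = bytearray()
        for b in range(count):
            byte = 0
            for i in range(8):
                byte = (byte << 1) | (pixels[start + b * 8 + i] & 1)
            value.append(byte)
        return bytes(value)
    length = int.from_bytes(read_bytes(0, 4), "big")
    return read_bytes(32, length)

def max_sample_change(original, stego):
    """Largest per-sample difference: LSB replacement never moves a value by more than 1,
    so the picture looks unchanged, but the LSB statistics of the cover are altered."""
    return max(abs(a - b) for a, b in zip(original, stego))

# Constructed 8x8 greyscale cover (64 samples); a real tool would read these from a BMP/PNG.
COVER = [(x * 37 + y * 11) % 256 for y in range(8) for x in range(8)]

if __name__ == "__main__":
    stego = embed_lsb(COVER, b"hi")
    print(extract_lsb(stego), max_sample_change(COVER, stego))  # b'hi' 1
```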
  • 67. Covering Your Tracks
    -Once intruders have successfully gained administrator access on a system, they will try to cover their tracks to avoid detection
    -When all the information of interest has been stripped from the target, the intruder installs several backdoors so that he or she can gain easy access in the future
  • 68. Covering Your Tracks
    Why Cover Tracks?
    -They can attack again
    -They can cover the tracks to avoid detection
    -They can install backdoors to gain access in the future
    Tool: CCleaner
  • 69. Ettercap Packet Sniffing
    ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (computer to router)
    ettercap -T -M arp -i eth0 // // (all computers)
    ettercap -T -M arp -i eth0 // // -w file.cap (all computers, saving data to a file)
    Press q or Ctrl+C to disconnect
    cat test.cap | grep -a http
  • 70. Ettercap Packet & Driftnet
    driftnet -i eth0
    ettercap -T -Q -M arp -i eth0 // //
  • 71. Ettercap Packet
    HTTP ARP poisoning
    DHCP Spoofing
    Port Stealing
    HTTPS Sniffing: /usr/local/etc/etter.conf (uncomment in the “linux” section, 2nd row)
    echo "1" > /proc/sys/net/ipv4/ip_forward
    Filters: /usr/local/share/ettercap
    Converter = convert ettercap filter example files to .ef
  • 72. Ettercap Packet
    Ettercap – IronGeek dangerous filter http://www.irongeek.com/i.php?page=security/ettercapfilter
    Copy the above script into a file and convert it to .ef (etterfilter filename -o newfile.ef)
    Plugins
    -dns spoofing
    -isolate
    -DoS_attack & find_ip
    -gateway_discover
    -search promisc
    -arp_cop
    -Passive OS Fingerprints
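Ettercap's -M arp mode works by answering ARP for the victim and the router with the attacker's MAC, so the matching detection (what the arp_cop plugin also watches for) is an IP whose MAC changes or one MAC claiming several IPs. The monitor below is an added example, not from the deck: its ARP replies are a constructed list, and a real sensor would feed it captures from tcpdump or scapy.

```python
from collections import defaultdict

# Constructed ARP replies as (timestamp, sender_ip, sender_mac), mirroring the
# "computer to router" scenario above: 192.168.1.8 is the workstation, .1 the gateway.
SAMPLE_ARP_REPLIES = [
    (0,  "192.168.1.1", "00:11:22:33:44:55"),   # genuine gateway
    (1,  "192.168.1.8", "aa:bb:cc:dd:ee:01"),   # genuine workstation
    (30, "192.168.1.1", "00:11:22:33:44:55"),
    (61, "192.168.1.1", "de:ad:be:ef:00:01"),   # gateway IP now claimed by another MAC
    (62, "192.168.1.8", "de:ad:be:ef:00:01"),   # same MAC also claims the workstation IP
]

def detect_arp_spoofing(replies, trusted=None):
    """Return alerts as (ts, kind, subject, detail). Three signals: a MAC that differs
    from a statically trusted mapping (e.g. your gateway), an IP whose MAC changes over
    time, and one MAC claiming more than one IP (the man-in-the-middle position)."""
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "untrusted_mac_for_ip", ip, mac))
        prev = ip_to_mac.get(ip)
        if prev and prev != mac:
            alerts.append((ts, "ip_mac_changed", ip, f"{prev}->{mac}"))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append((ts, "mac_claims_multiple_ips", mac, ",".join(sorted(mac_to_ips[mac]))))
    return alerts

if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES, trusted={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```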
  • 74. OWASP – WebGoat
    WebGoat OWASP Web/SQL/App Hacking Practitioner
    (1) Install WebGoat and run it
    (2) Install the Tamper Data addon in Firefox
    (3) Run Burp Suite
    In OWASP > Access control flaws > Bypass a Path Based Access Control Scheme > /../../../../conf/server.xml
    Injection Flaws > String SQL injection: X' or 'a'='a
    Improper Error Handling
    Parameter Tampering
  • 75. XSS – Cross Site Scripting & SQL
    Stored XSS
    Stored XSS revisited
    Reflected XSS (search staff): "><script>alert("Teste")</script>
    String SQL injection (Smith' or 'a'='a) with Tamper Data
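The String SQL injection lesson above works because the lookup is built by string concatenation. The example below is added here (not WebGoat's code): a constructed in-memory SQLite staff table, the vulnerable query beside its parameterized form, and the deck's own Smith' or 'a'='a input run against both.

```python
import sqlite3

def make_db():
    """In-memory table standing in for WebGoat's sample employee data (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employees (id INTEGER, last_name TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO employees VALUES (?, ?, ?)",
                     [(101, "Smith", 52000), (102, "Snow", 61000), (103, "Bean", 58000)])
    return conn

def search_vulnerable(conn, last_name):
    """String-built query, the pattern the WebGoat lesson exploits: the quote in
    Smith' or 'a'='a closes the literal and the rest becomes SQL."""
    sql = "SELECT id, last_name FROM employees WHERE last_name = '" + last_name + "'"
    return conn.execute(sql).fetchall()

def search_parameterized(conn, last_name):
    """Same lookup with a bound parameter: the input is always data, never SQL."""
    sql = "SELECT id, last_name FROM employees WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()

INJECTION = "Smith' or 'a'='a"   # the input from the slide

if __name__ == "__main__":
    conn = make_db()
    print(search_vulnerable(conn, INJECTION))     # every row comes back
    print(search_parameterized(conn, INJECTION))  # [] because no one is literally named that
```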